Hi everybody.
My WordPress website was recently hacked: links to the xxxindianxxx website were injected into several files. Unfortunately, I don't have a backup to restore (I know, I have been stupid!).
I cleaned up those links and now it seems to be OK. But, besides the undesired links, I was looking for backdoors to be sure I am safe. After reading this article, http://ottopress.com/2009/hacked-wordpress-backdoors/,
I performed some searches, and I'd like to ask you whether this code is legitimate or not.
Looking for base64_decode():
/Users/admin/Sites/AikidoVV/wordpress/wp-content/plugins/jetpack/jetpack.php:
3308 }
3309
3310: $data = json_decode( base64_decode( stripslashes( $_GET['data'] ) ) );
3311 $data_filters = array(
3312 'state' => 'opaque',
/Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-feed.php:
115 }
116 if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
117: $data = base64_decode( $data );
118 }
119 if ( $type & ( SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML ) ) {
/Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-IXR.php:
301 break;
302 case 'base64':
303: $value = base64_decode($this->_currentTagContents);
304 $valueFlag = true;
305 break;
/Users/admin/Sites/AikidoVV/wordpress/wp-includes/class-wp-atom-server.php:
1344 if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
1345 list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
1346: explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
1347 } else if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
1348 // Workaround for setups that do not forward HTTP_AUTHORIZATION
1349 // See http://trac.wordpress.org/ticket/7361
1350 list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) =
1351: explode(':', base64_decode(substr($_SERVER['REDIRECT_REMOTE_USER'], 6)));
1352 }
1353
/Users/admin/Sites/AikidoVV/wordpress/wp-includes/SimplePie/Sanitize.php:
242 if ($type & SIMPLEPIE_CONSTRUCT_BASE64)
243 {
244: $data = base64_decode($data);
245 }
Looking for strrev():
/Users/admin/Sites/AikidoVV/wordpress/wp-admin/includes/post.php:
1017 $uri = get_page_uri($post);
1018 $uri = untrailingslashit($uri);
1019: $uri = strrev( stristr( strrev( $uri ), '/' ) );
1020 $uri = untrailingslashit($uri);
1021 $uri = apply_filters( 'editable_slug', $uri );
/Users/admin/Sites/AikidoVV/wordpress/wp-includes/SimplePie/gzdecode.php:
227 if (current(unpack('S', "\x00\x01")) === 1)
228 {
229: $mtime = strrev($mtime);
230 }
231 $this->MTIME = current(unpack('l', $mtime));
Thank you in advance.
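
An added example, not part of the original post: the Python below triages search hits like the ones listed above by what happens to the decoded value, instead of flagging every `base64_decode()` or `strrev()` call. The three rules, the `SENSITIVE` name list, and the constructed sample lines are assumptions chosen for illustration; the `FROM_POST` lines are copied from the hits in the post.

```python
import re

# Decoder output handed to a construct that runs a string as PHP code.
EXEC_OF_DECODED = re.compile(
    r'\b(eval|assert|create_function)\s*\(.*'
    r'\b(base64_decode|gzinflate|str_rot13|strrev)\s*\(', re.I)
# A long base64 string literal passed straight to base64_decode().
ENCODED_LITERAL = re.compile(
    r'''base64_decode\s*\(\s*['"][A-Za-z0-9+/=]{40,}['"]''', re.I)
# strrev() applied to a string literal (the hits in the post only reverse variables).
STRREV_LITERAL = re.compile(r'''strrev\s*\(\s*['"]([^'"]+)['"]''', re.I)
# Assumed list of function names worth hiding; extend as needed.
SENSITIVE = {"base64_decode", "eval", "assert", "gzinflate", "create_function"}

def classify(line):
    """Return the reasons a PHP source line needs manual review (empty list = none)."""
    reasons = []
    if EXEC_OF_DECODED.search(line):
        reasons.append("decoded data is executed")
    if ENCODED_LITERAL.search(line):
        reasons.append("embedded base64 blob")
    for m in STRREV_LITERAL.finditer(line):
        name = m.group(1)[::-1]  # undo the reversal to see what is being named
        if name.lower() in SENSITIVE:
            reasons.append("reversed function name: " + name)
    return reasons

# Hit lines quoted in the post.
FROM_POST = [
    "$data = json_decode( base64_decode( stripslashes( $_GET['data'] ) ) );",
    "$value = base64_decode($this->_currentTagContents);",
    "explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));",
    "$uri = strrev( stristr( strrev( $uri ), '/' ) );",
    "$mtime = strrev($mtime);",
]
# Constructed lines showing the shapes the rules target; the blob decodes to "AAA...".
CONSTRUCTED = [
    'eval(base64_decode("' + "QUFB" * 12 + '"));',
    '$f = strrev("edoced_46esab"); $f($x);',
]

def triage(lines):
    """Map each line that needs review to its list of reasons."""
    return {l: r for l in lines if (r := classify(l))}

if __name__ == "__main__":
    for line in FROM_POST + CONSTRUCTED:
        print(classify(line) or "no rule matched", "|", line[:60])
```

An empty result only means none of these three shapes was found on that line; it does not cover other obfuscation, code split across lines, or content stored outside PHP files.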