I found a few suspicious files (wp-credit.php) in my WordPress site which are not related to the WordPress default files. Running it creates another file with the name (w-credits.php). I need help in analyzing it because it's encrypted.
1) wp-credit.php (http://pastebin.com/zn3Ck0ME or http://www.pastebin.ca/3031425)
2) wp-credits.php, created by wp-credit.php when it is run (http://www.pastebin.ca/3031424)
3) wp-searches.php (http://www.pastebin.ca/3031436)
There's no reason to "brute force decrypt" any of these files. They're all just slight obfuscations of PHP source code. Web sites like unphp.net can get you a long way towards readable source code.
wp-credit.php appears to be a backdoor program. It looks through values in the $_COOKIE superglobal for encrypted code, a key and maybe an authorization code. It decrypts the encrypted code and eval's it.
wp-credits.php and wp-searches.php, when de-obfuscated, give version 2.5 of "Web Shell by oRb", possibly the most popular of the PHP web shells.
You should (hopefully already have) look through your WordPress installation to see where the wp-credit.php file came from. There's unfortunately a myriad of possibilities here, from WordPress bugs, to themes with code injections, to having guessed your WordPress admin login and password.
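
An added example, not part of the original answer: a triage heuristic for the pattern described above, flagging PHP files where dynamic execution co-occurs with request input such as $_COOKIE or with decoding layers. The signal list, the 200-character blob threshold and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic signals (assumptions for this example, not a complete signature set).
DYNAMIC_EXEC = re.compile(r"\b(eval|assert|create_function)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(COOKIE|POST|GET|REQUEST)\b")
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{200,}")

def score_php(source: str) -> list[str]:
    """Return the signals present in one PHP source string."""
    signals = []
    if DYNAMIC_EXEC.search(source):
        signals.append("dynamic-exec")
    if REQUEST_INPUT.search(source):
        signals.append("request-input")
    if DECODERS.search(source):
        signals.append("decoder")
    if LONG_BLOB.search(source):
        signals.append("long-encoded-blob")
    return signals

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Flag files where dynamic execution co-occurs with at least one other signal."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        signals = score_php(path.read_text(errors="replace"))
        if "dynamic-exec" in signals and len(signals) >= 2:
            findings[path.relative_to(root).as_posix()] = signals
    return findings

def build_sample_tree(root: Path) -> None:
    """Write constructed sample files; they are only read as text, never executed."""
    (root / "wp-load.php").write_text("<?php require __DIR__ . '/wp-settings.php';")
    (root / "wp-credit.php").write_text(
        "<?php $c = $_COOKIE['k']; eval(base64_decode($c));")
    (root / "wp-credits.php").write_text(
        "<?php eval(gzinflate(base64_decode('" + "QUJD" * 60 + "')));")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for name, signals in scan_tree(Path(tmp)).items():
            print(name, signals)
```

A hit is a lead for manual review, not a verdict: some legitimate plugins use eval, and a backdoor can avoid these exact function names.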