This is an obfuscated "Web Shell by oRb" web shell.
5.149.250.194 has no reverse lookup record in DNS.
whois says it's in AS61046:
person: Vilko Damianov
address: 4000, Bulgaria, Plovdiv, 2 Lyuben Karavelov, unit 5
phone: +35932571279
nic-hdl: VD3206-RIPE
mnt-by: HZ-HOSTING-LTD
created: 2016-11-28T15:25:07Z
last-modified: 2016-11-28T15:25:07Z
source: RIPE
Apparently, the machine in question is in London, England.
p0f3 identifies it as Windows 7 or 8.
The downloader thought that it was doing a "FilesMan" action, "uploadFile" sub-action to an instance of WSO that someone else thought they'd uploaded to my WordPress honey pot. This seems convoluted. Why not just use the WSO instance they uploaded to?
- revphp 5.149.250.194WiwcZx5iWn4GRcs3Srr7ygAAAAo.0.file > f1.php ; deobfuscate and pretty-print.
- Examine f1.php for suspicious code. Change assert('eval($X)'); to print($X);
- Execute f1.php: php f1.php > dc1.php
The actual encoding is just chr(hexdec()) over every 2-character substring of a long string of digits and letters in f1.php.
The ultimate PHP code is just an instance of WSO, by far the most common web shell downloaded, and it's version 2.5, the last version written by oRb itself.
The decoding/deobfuscation does have one unique feature, the use of assert() to evaluate PHP code at run time:
$__ = hex2ascii($___);
$X = "{$__}";
$A = $A='e'.''.''.''.'' ... .'v'.'a'.'l'.'($X)';
assert($A);
That might keep a few very simple malware scanners, the ones that only look for a literal eval(, from finding the decoding function. The weird obfuscation of eval($X) seems likely only to confuse a human inspecting the file, and not "confuse" in the sense of making them ignore it, but rather to set off a closer investigation because the code is so weird.