Is email from my WordPress site a hack or just a normal comment?
The "Code" is "patching" your WordPress installation (wp-comments-post.php) and sending some information to several servers (probably c&c). Also, it is removing itself from the database.
In other words, it is a hack. The email that you get is not from Google Official. It is from a Gmail account.
The decoded sources are here:
- http://pastebin.com/EHgbTGcB
- http://pastebin.com/YQYgxs3Z
The exploit is based on WordPress 3.x persistent script injection: http://www.acunetix.com/vulnerabilities/web/wordpress-3-x-persistent-script-injection
This is a hacking attempt that contains a special combination of characters that hides the malicious payload code using Base64 encoding.
The hidden code relies on an older version of WordPress being used, like version 3.5 for example. In these older versions, there are tricks that have been found. These tricks fool the safeguards that try to prevent scripts from being inserted into comments. It is done using a carefully crafted combination of characters that are misinterpreted as shortcodes, HTML and text in a way that allows access to the mouseover JavaScript event.
TIP: KEEP WORDPRESS UPDATED TO THE LATEST VERSION
When the mouseover is triggered by someone logged in as an administrator, any malicious code in the comment is executed as if the administrator executed it.