Help decypher malicious PHP code

[Cornelius]

My Wordpress website got infected. The code was heavily obfuscated, so this may not be the exact representation.

The first code was inserted at the beginning of many important PHP files (index, config, settings) and it actually includes a ~10KB *.ICO files that got deleted, and is probably some malicious executable file.

There are also two other codes (in numerous versions in many folders), which I'm pasting down. If someone recognizes these, or can see what should these do, it would be interesting to know what these actually do.

[removed]

And the second code is:
   

[removed]

Edited September 5, 2020 by requinix
removing code

[requinix]

Please don't post malicious code in a public forum.

You cannot simply "undo" the attack. There's no way to know the full extent of the damage. Assume that everything has been compromised.

Take your website offline. Restore all the files from a recent backup (which you hopefully have), restore the database from a recent backup (ditto), then make sure you are up to date with WordPress and your plugins and everything else. Then bring your site back up and keep a very close eye on it for the next few weeks.
Ideally, you can identify the attack vector: an outdated plugin, insecure permissions, something like that. Then make sure that is closed off.

If your site has user registration or people's personal information, such as an email address or password, then you need to deal with that too. Which needs to include informing users of the breach.

[Cornelius]

Oh, sorry. Yes I will do that. Just was interested in code.

If it's out of forum rules, please delete the thread. 

Thanks.

[requinix]

5 hours ago, Cornelius said:

If it's out of forum rules, please delete the thread.

It's not so much against forum rules as it is just Not A Nice Thing To Do.

The key things to note with it are:
1. The fact that it gets information from $_POST and $_COOKIE. Malicious scripts don't do one single thing anymore - they take instructions sent to them from a person or another machine.
2. That it can output phpversion() data. So someone can see your server configuration.
3. The is_writable() checks and file_put_contents() function calls with ".php" file extensions. It's designed to write arbitrary code to whatever files on your server.

[Cornelius]

On 9/6/2020 at 12:33 AM, requinix said:

3. The is_writable() checks and file_put_contents() function calls with ".php" file extensions. It's designed to write arbitrary code to whatever files on your server.

Yep that's exactly what happened -  lines of code injected into numerous *.php files.

Hmm, I'm thinking now to investigate setting 555 permissions on all files

[requinix]

555 for files means readable (which is good) and executable (which is not).
555 for directories means readable (which is good) and browseable (which is also good).

In general, files should be 0644 (writable by your account, readable by anyone else) and directories should be 0755 (writable by your account, readable and browseable by anyone else). In reality, it depends on the server setup.