Help decipher malicious PHP code


Cornelius


My Wordpress website got infected. The code was heavily obfuscated, so this may not be the exact representation.

The first code was inserted at the beginning of many important PHP files (index, config, settings) and it actually includes a ~10KB *.ICO file that got deleted, and is probably some malicious executable file.

There are also two other codes (in numerous versions in many folders), which I'm pasting below. If someone recognizes these, or can see what these should do, it would be interesting to know what they actually do.


[removed]


And the second code is:

[removed]

Edited by requinix
removing code

Please don't post malicious code in a public forum.

You cannot simply "undo" the attack. There's no way to know the full extent of the damage. Assume that everything has been compromised.

Take your website offline. Restore all the files from a recent backup (which you hopefully have), restore the database from a recent backup (ditto), then make sure you are up to date with WordPress and your plugins and everything else. Then bring your site back up and keep a very close eye on it for the next few weeks.
Ideally, you can identify the attack vector: an outdated plugin, insecure permissions, something like that. Then make sure that is closed off.

If your site has user registration or people's personal information, such as an email address or password, then you need to deal with that too. Which needs to include informing users of the breach.


5 hours ago, Cornelius said:

If it's out of forum rules, please delete the thread.

It's not so much against forum rules as it is just Not A Nice Thing To Do.

The key things to note with it are:
1. The fact that it gets information from $_POST and $_COOKIE. Malicious scripts don't do one single thing anymore - they take instructions sent to them from a person or another machine.
2. That it can output phpversion() data. So someone can see your server configuration.
3. The is_writable() checks and file_put_contents() function calls with ".php" file extensions. It's designed to write arbitrary code to whatever files on your server.

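The three markers requinix lists above (instructions read from $_POST/$_COOKIE, phpversion() output, and is_writable()/file_put_contents() calls aimed at .php files) are exactly what a clean-up triage script can grep for. The following is an added example, not code from the thread or from WordPress: it scans PHP source for those markers plus the usual obfuscation wrappers (eval, base64_decode and friends) and reports line numbers, so each hit can be compared against a known-good backup. The regexes, the indicator names and the two sample files are constructed for this example and are heuristics, not proof of compromise.

```python
"""Triage helper: flag PHP source that shows the indicators discussed above.

Added example (not code from the thread). The patterns are the markers
requinix names plus generic obfuscation helpers; they are heuristics, and
every hit should be checked against a clean copy of the file.
"""
import os
import re
from dataclasses import dataclass

# Indicator name -> regex (assumed set, constructed for this example).
INDICATORS = {
    "remote_input": re.compile(r"\$_(?:POST|COOKIE|REQUEST)\s*\["),
    "version_leak": re.compile(r"\bphpversion\s*\("),
    "writable_probe": re.compile(r"\bis_writable\s*\("),
    "php_file_write": re.compile(r"\bfile_put_contents\s*\([^;]*\.php"),
    "dynamic_eval": re.compile(r"\b(?:eval|assert|create_function)\s*\("),
    "decode_wrapper": re.compile(r"\b(?:base64_decode|gzinflate|str_rot13)\s*\("),
}


@dataclass
class Finding:
    path: str
    line: int
    indicator: str
    snippet: str


def scan_php_source(path, text):
    """Return one Finding per (line, indicator) hit in a PHP source string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, lineno, name, line.strip()[:80]))
    return findings


def risk_score(findings):
    """Number of distinct indicators hit; a file scoring 3 or more deserves a manual look."""
    return len({f.indicator for f in findings})


def scan_tree(root):
    """Walk a web root and map each PHP-like file with findings to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith((".php", ".phtml", ".inc")):
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    found = scan_php_source(full, fh.read())
                if found:
                    results[full] = found
    return results


# Constructed samples: a benign config stub and a file carrying an injected stub.
CLEAN_SAMPLE = """<?php
define('DB_NAME', 'wp');
$table_prefix = 'wp_';
"""
SUSPECT_SAMPLE = """<?php
$c = isset($_COOKIE['k']) ? $_COOKIE['k'] : $_POST['k'];
echo phpversion();
$d = base64_decode($c);
if (is_writable($f)) { file_put_contents($f . '.php', $d); }
eval($d);
"""

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        found = scan_php_source(label + ".php", src)
        print(f"{label}: score={risk_score(found)}")
        for f in found:
            print(f"  line {f.line}: {f.indicator}: {f.snippet}")
```

Run it against a copy of the web root with scan_tree("/path/to/webroot") and sort by risk_score; legitimate plugins do use file_put_contents and $_POST, so the value is in files that hit several indicators at once, in files that should never need them (wp-config.php, index.php), and in diffing those hits against the backup.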

On 9/6/2020 at 12:33 AM, requinix said:

3. The is_writable() checks and file_put_contents() function calls with ".php" file extensions. It's designed to write arbitrary code to whatever files on your server.

Yep, that's exactly what happened - lines of code injected into numerous *.php files.

Hmm, I'm thinking now to investigate setting 555 permissions on all files :D


555 for files means readable (which is good) and executable (which is not).
555 for directories means readable (which is good) and browseable (which is also good).

In general, files should be 0644 (writable by your account, readable by anyone else) and directories should be 0755 (writable by your account, readable and browseable by anyone else). In reality, it depends on the server setup.

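A quick way to act on the baseline requinix gives (files 0644, directories 0755, and no execute bit on files) is to audit a web root rather than blindly chmod it. This is an added example, not code from the thread or from WordPress; the baseline constants and the wording of each reason are constructed for it, and as the post says the right values depend on the server setup, so treat the report as a starting point for review.

```python
"""Permission audit for a web root against the 0644 / 0755 baseline above.

Added example, not from the thread. Reports each file or directory whose mode
differs from the baseline and says which bit is the problem (world-writable,
execute bit on a file, owner locked out, ...). Symlinks are skipped because
their mode is not meaningful.
"""
import os
import stat

FILE_BASELINE = 0o644   # rw-r--r--
DIR_BASELINE = 0o755    # rwxr-xr-x


def describe_deviation(mode, is_dir):
    """Return the reasons a mode differs from the baseline; [] when it matches."""
    perm = stat.S_IMODE(mode)
    baseline = DIR_BASELINE if is_dir else FILE_BASELINE
    reasons = []
    if perm & stat.S_IWGRP:
        reasons.append("group-writable")
    if perm & stat.S_IWOTH:
        reasons.append("world-writable")
    if not is_dir and perm & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("execute bit set on a file")
    if not perm & stat.S_IWUSR:
        reasons.append("owner cannot write")
    if perm & (stat.S_ISUID | stat.S_ISGID):
        reasons.append("setuid/setgid set")
    if perm != baseline and not reasons:
        reasons.append(f"mode {perm:04o} differs from baseline {baseline:04o}")
    return reasons


def audit_tree(root):
    """Map every path under root whose mode deviates from the baseline to its reasons."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            reasons = describe_deviation(st.st_mode, stat.S_ISDIR(st.st_mode))
            if reasons:
                report[path] = reasons
    return report


def summarize(report):
    """Count how many paths carry each reason, most common first."""
    counts = {}
    for reasons in report.values():
        for r in reasons:
            counts[r] = counts.get(r, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    result = audit_tree(root)
    for path, reasons in sorted(result.items()):
        print(f"{path}: {', '.join(reasons)}")
    print("summary:", summarize(result))
```

Running it before and after a restore gives a concrete list of what chmod changed; note that the "owner cannot write" entries are what a blanket 555 would produce everywhere, which is why the post steers away from it.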
