Titan

Reputation: 6040

PHP Wordpress site compromised, what is this obfuscated code doing?

Found this code on a friend's compromised Wordpress site, any ideas?

Pastebin since it's too long for SO

$OO_OO0_00_='1515';
$O__OO_00O0='1515';
$O0O0_0_OO_='0';
$O_00OOO0__='1';
$OOO_0O_00_='1';
$O0__O0O_O0=urldecode("see pastebin

https://pastebin.com/WJv1p2uQ

I see references to opening a socket.

Upvotes: 0

Views: 382

Answers (3)

CodingInTheUK

Reputation: 948

It really does not matter what it is. The problem is that it is there in the first place.

You have a couple of options. Either erase the site and start over with the latest WordPress release, hopefully this hole is patched.

Or, and you really need to determine whether it's worth doing (and if not, convince your friend to start over), if there is too much important data to lose, you will need to clean up the site, and it's not going to be easy: you will need to inspect each and every file, including hidden files, directories etc., and inspect the database. Is it safe to keep it? If not, can you clean it of any harmful data?

However, to my mind, this server is compromised: bin it and start over. Hopefully the host has a backup prior to this breach, though I suspect that might be more wishful thinking.

Upvotes: 1

rickdenhaan

Reputation: 11318

What @Chris said. But out of personal curiosity, I've decoded enough of it to get the gist of what it does. This code does several things.

Most importantly, this code will accept arbitrary file uploads that overwrite any existing file (if the file permissions allow it) by sending a request with a supfiles, sfilename and sfilecontent parameter. There's no path checking on sfilename either, so this script could potentially write files anywhere on the filesystem the user has permission to write to (which may or may not include such useful locations as ~/.ssh/authorized_keys).

But its core activity appears to be:

  1. It checks the User-Agent and Referer headers to see if the visitor is a search engine crawler or someone who came from Bing or the Japanese sites of Google and Yahoo. If so, it logs the request details to a remote server (www50.bcsad.top, but I've also seen references to www%d.bcsad.top which is fed into sprintf(), so the exact hostname is at least somewhat dynamic).
  2. If the request is for a sitemap.xml file or a variant thereof (e.g. sitemap-video-1-20.xml), it will generate one containing links to that remote server.
  3. If the infected site does not have a .htaccess file that redirects non-existing requests to the infected file, it will try to create one that does that (Wordpress does have such a file, but not in all subfolders).

There's a similar piece of code on unphp.net (cached since it seems to be down at the moment) which is not identical to yours (it appears to be missing the file upload option) but still has a lot of overlap so it'll give you a general idea of what this code does.

Upvotes: 3

Petr

Reputation: 460

Seems that it'll take hours to decode that. Variables like $OO0O_0_O_0 translate to function names:

$OO0O_0_O_0 = 'preg_replace_callback';
$O0__O0_OO0 = 'stream_socket_client';
$O0OO0_0__O = 'stream_get_meta_data';
$OO0O_0_0O_ = 'stream_set_blocking';
$OO_00_0O_O = 'stream_set_timeout';
$O0_00OO__O = 'ignore_user_abort';
$OO_00__OO0 = 'file_put_contents';
$O0O0_O_O0_ = 'file_get_contents';
$OOO0__00O_ = 'http_build_query';
$OOO0_00O__ = 'function_exists';
$O_00O_O_O0 = 'error_reporting';
$O_00OO_0_O = 'create_function';
$O_00O__O0O = 'set_time_limit';
$O000O_O__O = 'gethostbyname';
$O__0O_0O0O = 'base64_decode';
$OO0OO_0__0 = 'preg_replace';
$OO00O_0O__ = 'str_replace';
$OO00_O0O__ = 'file_exists';
$O0_0O_0O_O = 'curl_setopt';
$OO_OO00__0 = 'array_shift';
$O0_OO00_O_ = 'preg_match';
$OO0O0__0O_ = 'curl_error';
$OO00__O_0O = 'curl_close';
$O_0O_O00O_ = 'urlencode';
$O_O0O0__0O = 'parse_url';
$O___0OOO00 = 'gzinflate';
$O0_0O_OO_0 = 'curl_init';
$O0_O0__O0O = 'curl_exec';
$O0_0_O0O_O = 'is_array';
$OO00OO_0__ = 'strrpos';
$O__OO00O_0 = 'mt_rand';
$O_00_OO_0O = 'implode';
$O_O00__OO0 = 'gzclose';
$O_00O_0O_O = 'explode';
$O_O0__O00O = 'usleep';
$O0_O_OO00_ = 'unlink';
$O0O__0OO0_ = 'strstr';
$O_0O0O0O__ = 'strpos';
$OO_0_0O_O0 = 'strlen';
$O00___0OOO = 'hexdec';
$O_000OOO__ = 'gzopen';
$O0__0OO_0O = 'fwrite';
$O00OO0_O__ = 'fclose';
$O__0_0OOO0 = 'mkdir';
$OO0OO__0_0 = 'fread';
$OO0O_O0__0 = 'fgets';
$OO_O_O0_00 = 'count';
$O00O_0_O_O = 'chmod';
$O_O00_O0_O = 'trim';
$OO__O00O_0 = 'join';
$O0_OOO__00 = 'feof';
$OOOO___000 = 'date';

It's possible to write some scripts to decode all that junk (or do it by hand)... if you have some free time.

Upvotes: 1
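A script of the kind Petr describes, added here as an example and not code from any of the posts: it pulls the `$alias = 'function_name';` assignments out of a PHP source, rewrites the aliased calls to their real names, and lists which of the recovered functions are worth a closer look during triage. The PHP sample is constructed in the style of the code quoted in the question; run it against the real file instead.

```python
import re

# Constructed sample in the style of the obfuscated code quoted above:
# function names stored in variables, then called through them.
SAMPLE_PHP = r"""<?php
$OO0O_0_O_0 = 'preg_replace_callback';
$OO_00__OO0 = 'file_put_contents';
$O0O0_O_O0_ = 'file_get_contents';
$O__0O_0O0O = 'base64_decode';
$O_00OO_0_O = 'create_function';
$O0_OOO__00 = 'feof';
if (isset($_POST['supfiles'])) {
    $OO_00__OO0($_POST['sfilename'], $_POST['sfilecontent']);
}
$data = $O__0O_0O0O($O0O0_O_O0_('php://input'));
"""

# $var = 'identifier';  -- numeric strings such as '1515' are deliberately not
# treated as aliases, since those variables are used as values, not callables.
ALIAS_RE = re.compile(
    r"""(\$[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(['"])([A-Za-z_][A-Za-z0-9_]*)\2\s*;"""
)

# Functions that deserve attention when they turn up behind an alias.
SENSITIVE = {"file_put_contents", "create_function", "eval", "stream_socket_client",
             "curl_exec", "base64_decode", "gzinflate", "unlink", "chmod"}


def extract_aliases(src):
    """Return {variable: function_name} for every alias assignment in src."""
    return {var: name for var, _quote, name in ALIAS_RE.findall(src)}


def deobfuscate(src):
    """Rewrite $alias(...) calls to name(...) and drop the alias assignment of
    every variable that was actually used as a callable; unused ones stay."""
    out = src
    for var, name in extract_aliases(src).items():
        call_re = re.compile(re.escape(var) + r"(?=\s*\()")
        if call_re.search(out):
            out = call_re.sub(name, out)
            assign_re = re.escape(var) + r"""\s*=\s*['"]""" + name + r"""['"]\s*;[ \t]*\n?"""
            out = re.sub(assign_re, "", out)
    return out


def sensitive_aliases(src):
    """Sorted list of aliased functions from SENSITIVE, for a quick triage view."""
    return sorted(set(extract_aliases(src).values()) & SENSITIVE)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_PHP))
    print("review:", ", ".join(sensitive_aliases(SAMPLE_PHP)))
```

The rewrite is purely textual, so aliases built at runtime (for example from str_replace or base64_decode output, as the question's sample does with urldecode) still need a manual pass or a second stage that evaluates those expressions.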
