  1. #1 raja314

    Question: How to decode this file

    Hi,

    Recently someone hacked into my WP website and uploaded 4 encrypted files (additionally, one file named ntunel_mysql.php (no encryption) seems suspicious; not sure if it was by the hacker).

    Also, two new admins were created on my site.

    One of the 4 encrypted files is here: http://pastebin.com/ycTHyv0N

    I'm unable to decode it using the tools I found. Can anyone please help?

    Please let me know if you need additional details.

  2. #2 Force Flow
    How is the code executed? That would give a clue.
    Visit The Blog | Follow On Twitter
    301tool 1.1.5 - URL redirector & shortener (PHP/MySQL)
    Can be hosted on and utilize your own domain

  3. #3 Force Flow
    OK, it looks like that code is self-executing. It's actually rather clever.

    The second line essentially spits out this:
    Code:
    eval(gzuncompress(base64_decode(implode("",$ayZ))));die();
    Which decodes the array of gibberish into the malicious code that actually runs. However, without a closer inspection, I'm not entirely sure what it does (displays ads, maybe?). Either way, I wouldn't recommend running it, though.

    Reverting to backup before this intrusion happened would probably be the best option, since you never know what other malicious pieces of code would've been left behind.

    I would also take a closer look at what your file permissions are set to, and also at locking down WordPress better.
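
A way to see what such a loader would run without running it, as an added example (this is not code from the thread, and the pastebin contents are not reproduced): the Python script below rebuilds the loader shape Force Flow describes, with a constructed harmless payload standing in for the real one, then peels `eval(gzuncompress(base64_decode(implode("",$ayZ))))` layers statically. PHP's gzcompress/gzuncompress use the zlib container, which Python's zlib module reads, and the array name is taken from the loader line itself, so `$ayZ` is not hard-coded. `build_sample_php` and `deobfuscate` are names chosen here, not part of any tool.

```python
import base64
import re
import zlib

# Constructed benign stand-in for the malicious payload (assumption: the real
# file's decoded contents are unknown and are not reproduced here).
PAYLOAD = b'<?php echo "decoded layer reached"; ?>'


def build_sample_php(payload, var="ayZ", chunk=24):
    """Build a constructed PHP file with the shape described in the thread:
    a zlib-compressed, base64-encoded blob split into an array of short strings,
    followed by eval(gzuncompress(base64_decode(implode("",$var))));die();"""
    blob = base64.b64encode(zlib.compress(payload)).decode("ascii")
    parts = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    array = ",".join('"%s"' % p for p in parts)
    return ('<?php $%s=array(%s);\n' % (var, array)
            + 'eval(gzuncompress(base64_decode(implode("",$%s))));die();\n' % var)


ARRAY_RE = re.compile(r'\$(\w+)\s*=\s*array\((.*?)\);', re.S)
STRING_RE = re.compile(r'"([A-Za-z0-9+/=]*)"')
LOADER_RE = re.compile(
    r'eval\(\s*gzuncompress\(\s*base64_decode\(\s*implode\(\s*""\s*,\s*\$(\w+)\s*\)\s*\)\s*\)\s*\)')


def extract_arrays(src):
    """Map each `$name = array("..", "..")` of string literals to its joined contents."""
    return {m.group(1): "".join(STRING_RE.findall(m.group(2)))
            for m in ARRAY_RE.finditer(src)}


def decode_layer(blob):
    """Apply base64_decode then gzuncompress exactly as the loader would,
    but return the text instead of handing it to eval."""
    return zlib.decompress(base64.b64decode(blob)).decode("latin-1")


def deobfuscate(src, max_layers=10):
    """Statically peel eval(gzuncompress(base64_decode(implode(...)))) loaders.
    Returns every decoded layer in order; nothing is executed. Stops when no
    loader line is found or the array it names is missing."""
    layers = []
    current = src
    for _ in range(max_layers):
        loader = LOADER_RE.search(current)
        if loader is None:
            break
        arrays = extract_arrays(current)
        name = loader.group(1)
        if name not in arrays:
            break
        current = decode_layer(arrays[name])
        layers.append(current)
    return layers


if __name__ == "__main__":
    # Two nested layers, since packers often stack the same trick.
    sample = build_sample_php(build_sample_php(PAYLOAD).encode("ascii"), var="bQ")
    for i, layer in enumerate(deobfuscate(sample), 1):
        print("--- layer %d ---" % i)
        print(layer)
```

Run it on a real sample by reading the file into `deobfuscate()` and reviewing the last layer it returns; a layer that contains a different loader shape (str_rot13, gzinflate, a custom XOR) will stop the loop and needs its own decoder added to the script.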

  4. #4 raja314
    Hi,

    I'm not sure what the code does, but the hacker was able to create admin users and change my affiliate links to his in a script I use. I have traced down several accesses to the malicious files from someone in Vietnam. Here is a series of accesses made to the above file (timing: bottom to top):

    /wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=base64_decode(aW5jbHVkZSAnL2V0Yy9wYXNzd2Qn)
    /wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=base64_decode("aW5jbHVkZSAnL2V0Yy9wYXNzd2Qn")
    /wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=include 'etc/passwd'

    There were another 50+ commands given.
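
To find the rest of those accesses in a web server log, here is an added example (not code from the thread) that scans Apache-style access-log lines for the patterns visible in the requests quoted above: PHP files requested from a theme cache or uploads directory, a `cmd`-style query parameter, and base64 blobs or PHP keywords inside parameter values. The log lines are constructed to match the quoted paths; the IPs, timestamps, user agents and the parameter names in `SHELL_PARAMS` are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines modelled on the request paths quoted
# in the thread; IPs (documentation ranges), times and agents are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Aug/2013:10:01:02 +0000] "GET /wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=include%20%27etc/passwd%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2013:10:01:09 +0000] "GET /wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=base64_decode(%22aW5jbHVkZSAnL2V0Yy9wYXNzd2Qn%22) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Aug/2013:10:01:15 +0000] "GET /wp-content/themes/theme1/cache/external_2a6acded0ce47f4ce79a3117bf806167.php?cmd=base64_decode(aW5jbHVkZSAnL2V0Yy9wYXNzd2Qn) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2013:10:02:00 +0000] "GET /wp-content/themes/theme1/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Aug/2013:10:02:01 +0000] "GET /?s=passwords HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# .php served from directories that should hold only data (uploads, theme/plugin caches)
WRITABLE_PHP_RE = re.compile(r'^/wp-content/(?:.*/)?(?:cache|uploads)/[^?]*\.php$', re.I)
# Parameter names web shells commonly use to receive a command (assumption; tune per site)
SHELL_PARAMS = {"cmd", "exec", "command", "shell"}
# Substrings that indicate PHP code or sensitive-file access inside a parameter value
CODE_TOKENS = ("eval(", "base64_decode(", "system(", "passthru(", "shell_exec(",
               "include ", "require ", "/etc/passwd")
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def decode_b64_blobs(value):
    """Return printable text hidden in base64-looking runs inside a parameter value."""
    out = []
    for blob in B64_RE.findall(value):
        if len(blob) % 4:
            continue
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def scan_request(target):
    """Return (reasons, decoded_blobs) for one request target (path plus query)."""
    parts = urlsplit(target)
    reasons, decoded = [], []
    if WRITABLE_PHP_RE.match(parts.path):
        reasons.append("php-under-writable-dir")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SHELL_PARAMS:
            reasons.append("shell-param:" + name)
        blobs = decode_b64_blobs(value)
        decoded.extend(blobs)
        haystack = (value + " " + " ".join(blobs)).lower()
        if any(tok in haystack for tok in CODE_TOKENS):
            reasons.append("code-in-param:" + name)
    return reasons, decoded


def scan_log(text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, when, method, target, status = m.groups()
        reasons, decoded = scan_request(target)
        if reasons:
            findings.append({"ip": ip, "time": when, "status": status,
                             "target": target, "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["target"])
        print("   reasons:", ", ".join(f["reasons"]))
        for d in f["decoded"]:
            print("   decoded:", d)
```

Feed it the real access log (`scan_log(open(path).read())`) and group the findings by IP and by requested file: every .php path it reports under a cache or uploads directory is a file to remove, and the first timestamp for each one bounds when the backup must predate.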

  5. #5 Force Flow
    As I said, if you have a backup, or can request a backup restoration from your host, that would be the preferred approach to go.

  6. #6 Crazybanana
    A quick look at it reveals that it decodes into Chinese. Now I'm not so familiar with the language, but it looks like (looks like gibberish nonsense) maybe forum posts... or news stuffing... hard to tell without knowing more or speaking the language...
    Who's to doom when the judge himself is dragged before the bar