styles.php malware

Again, we found interesting malware (styles.php), which try to add more backdoor files to the web server. This file is just copied from the original file: load-styles.php.

If you look fast this file, it’s look normal PHP file, but there is a modification of the begin (comments not finished line 6):

<?php
/**
 * Disable error reporting
 *
 * Set this to error_reporting( -1 ) for debugging
 */
error_reporting( 0 );

It self hidden malware starts line 60, where comments is closed:

if ( $compress && ! ini_get('zlib.output_compression') && 'ob_gzhandler' != ini_get('output_handler') && isset($_SERVER['HTTP_ACCEPT_ENCODING']) ) {    */      $stylesp='ba'.$ ... MALWARE CODE ... */
.
.
exit; */
?>

Our signatures detect this malware:

styles.php: {HEX}Malware.Expert.generic.assert.24.UNOFFICIAL FOUND

User-Agent: support.wordpress.com

Malware check every request User-Agent header and it is needed include support.wordpress.com string:

188.163.76.5 - - [20/Dec/2017:02:59:58 +0200] "GET /wp-includes/Text/Tiff.php?postfile HTTP/1.0" 404 28320 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.012; !en.support.wordpress.com; !support.wordpress.com; support.wordpress.com; en.support.wordpress.com) Gecko/20120121 Firefox/40.0"
46.219.210.32 - - [20/Dec/2017:07:13:29 +0200] "GET /wp-content/plugins/php-event-calendar/js/gcal.js HTTP/1.0" 404 152229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.012; !en.support.wordpress.com; !support.wordpress.com; support.wordpress.com; en.support.wordpress.com) Gecko/20120121 Firefox/40.0"

styles.php infecting more files to server

touch("$level" . "index.php", $tm);
touch("$level" . "/wp-includes/version.php", $tm);
touch("$level" . "/wp-includes/template.php", $tm);
touch("$level" . "version.php", $tm);
touch("$level" . "wp-blog-content.php", $tm);
touch("$level" . "wp-xmlrpc.php", $tm);
touch("$level" . "wp-content/themes/hello.php", $tm);
touch("$level" . "wp-content/uploads/license.php", $tm);
touch("$level" . "hello.php", $tm);
touch("$level" . ".htaccess", $tm);
touch("$level" . "wp-blog-header.php", $tm);
touch("$level" . "wp-load.php", $tm);
touch("$level" . "wp-includes/SimplePie/gzpdecode.php", $tm);
touch("$level" . "wp-content/themes/twentyfifteen/content-pack.php", $tm);
touch("$level" . "wp-load.php", $tm);
touch("$level" . "wp-includes/version.php", $tm);
touch("$level" . "wp-includes/template.php", $tm);
touch("$level" . "wp-admin/maint/index.php", $tm);
touch("$level" . "wp-admin/includes/index.php", $tm);
touch("$level" . "wp-admin/includes/images.php", $tm);
touch("$level" . "wp-content/plugins/index.php", $tm);
touch("$level" . "wp-content/themes/index.php", $tm);
touch("$level" . "wp-content/uploads/index.php", $tm);
touch("$level" . "wp-content/index.php", $tm);
touch("$level" . "wp-content/.htaccess", $tm);
touch("$level" . "wp-includes/class.wp-date.php", $tm);
touch("$level" . "wp-includes/functions.wp-date.php", $tm);
touch("$level" . "wp-includes/pomo/index.php", $tm);
touch("$level" . "wp-includes/pomo/so.php", $tm);
touch("$level" . "wp-includes/Text/index.php", $tm);
touch("$level" . "wp-includes/Text/Tiff.php", $tm);
touch("$level" . "wp-includes/.htaccess", $tm);
touch("$level" . "wp-admin/css/colors/styles.php", $tm);
touch("$level" . "wp-admin/ms-menu.php", $tm);
touch("$level" . "wp-includes/SimplePie/Cache/SQL.php", $tm);
touch("$level" . "wp-includes/js/tinymce/wp-mce-js.php", $tm);
touch("$level" . "wp-includes/generalwtemplate.php", $tm);
touch("$level" . "wp-content/wp-object-cache.php", $tm);
touch("$level" . "blog.dir/.htaccess", $tm);
touch("$level" . "blog.dir/index.php", $tm);
touch("$level" . "blog.dir/404.php", $tm);
touch("$level" . "blog.dir/500.php", $tm);
touch("$level" . "license.php", $tm);
touch("$level" . "systemcache.php", $tm);
touch("$level" . "wp-object-cache.php", $tm);
touch("$level" . "object-cache.php", $tm);
touch("$themesPath$themesName" . "/.htaccess", $tm);
touch("$themesPath$themesName" . "/404.php", $tm);
touch("$themesPath$themesName", $tm);
touch("$level" . "wp-content/plugins/revslider/settings/generas_settings.php", $tm);
touch("$level" . "wp-content/plugins/revslider/temp/.htaccess", $tm);
touch("$revsliderPATH$revsliderFOLDERS" . "/.htaccess", $tm);
touch("$revsliderPATH$revsliderFOLDERS" . "/index.php", $tm);
touch("$revsliderPATH$revsliderFOLDERS" . "/index2.php", $tm);
touch("$revsliderPATH$revsliderFOLDERS" . "/index.php4", $tm);
touch("$revsliderPATH$revsliderFOLDERS" . "/index2.php4", $tm);
touch("$revsliderPATH$revsliderFOLDERS" . "/index.phtml", $tm);
touch("$level" . "coockies", $tm);

Signatures – Detecting

wp-admin/css/colors/styles.php: {HEX}Malware.Expert.generic.empty.string.0.UNOFFICIAL FOUND
wp-includes/SimplePie/Cache/SQL.php: {HEX}Malware.Expert.generic.empty.string.0.UNOFFICIAL FOUND
wp-includes/js/tinymce/wp-mce-js.php: {HEX}Malware.Expert.generic.empty.string.0.UNOFFICIAL FOUND
wp-admin/ms-menu.php: {HEX}Malware.Expert.generic.eval.gzinflate.base64.12.UNOFFICIAL FOUND
wp-admin/includes/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-admin/includes/images.php: {HEX}Malware.Expert.generic.stpd.1.UNOFFICIAL FOUND
wp-admin/maint/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-content/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-content/wp-object-cache.php: {HEX}Malware.Expert.generic.base64.decode.16.UNOFFICIAL FOUND
wp-content/plugins/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-content/themes/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-content/themes/CherryFramework/404.php: {HEX}Malware.Expert.generic.uploader.31.UNOFFICIAL FOUND
wp-content/themes/theme46547/404.php: {HEX}Malware.Expert.generic.uploader.31.UNOFFICIAL FOUND
wp-content/uploads/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-includes/class.wp-date.php: Malware.Expert.class.wp-date.php.UNOFFICIAL FOUND
wp-includes/generalwtemplate.php: {HEX}Malware.Expert.generic.base64.decode.17.UNOFFICIAL FOUND
wp-includes/functions.wp-date.php: {HEX}Malware.Expert.generic.strrev.0.UNOFFICIAL FOUND
wp-includes/js/utilities.js: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND
wp-includes/pomo/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-includes/pomo/so.php: {HEX}Malware.Expert.generic.stpd.1.UNOFFICIAL FOUND
wp-includes/Text/index.php: {HEX}Malware.Expert.generic.assert.13.UNOFFICIAL FOUND
wp-includes/Text/Tiff.php: {HEX}Malware.Expert.generic.stpd.1.UNOFFICIAL FOUND
wp-includes/Requests/IPconfig.ini: {HEX}Malware.Expert.generic.malware.39.UNOFFICIAL FOUND

Final Words

Use Malware Expert – Signatures detect this malware from web server files for FREE!

Web servers that using Malware Expert – ModSecurity rules are protected against this kind attacks.