Understanding a Wordpress botnet code
leapswitch
Patron Provider, Veteran
in Help
After reading this interesting post - https://www.lowendtalk.com/discussion/90266/anatomy-of-a-wordpress-botnet/p1 , I tried going through recent files uploaded by hackers to vulnerable Wordpress or other CMSes. I am not a developer, and I am finding it very hard to understand this random code.
Can someone help me understand this code and then maybe all of us could try to hack into these botnets?
Comments
It's encrypted, it's almost impossible to decrypt it.
Definitely encrypted.
Not a programmer myself, maybe @GCat will look at it?
If it's encrypted, in order to run it on the server some loader will be required (ioncube, zend, sourceguardian etc.), else how will it execute its malicious code?
It doesn't need a loader, it will run like a normal javascript/php script.
It's not encrypted. It's obfuscated - big difference.
It's reversible but will take time.
Correct, but reversing is a manual process and would require someone to work out what each function does in order to guess the correct naming.
That's correct. It's obfuscation, not encryption (that's what I meant).
There are multiple tools online to do it both with PHP and JS, but it's almost impossible to decode it, especially if it's complex.
You can try via UnPHP, DDecode but I cannot assure it.
Already tried these 2. UnPHP gave some output which is equally obfuscated, DDecode says cannot decode.
It's obfuscated.
Seems like it uses the global variable that was assigned at the top. Then it uses the string inside the global variable to build function and variable names.
Fun part about interpreted code is that most of the time you can deobfuscate stuff just by writing a 'print' in the right place, without even understanding the obfuscation mechanism.
A print_r($GLOBALS) near line 28 will give you:
So as you can see it uses common functions of other PHP backdoors, ini_set, base64_decode etc. Apparently it checks the PHP version somewhere, so the hex code might be a shellcode for some known bug.
That was just a one minute look at the code, if I have time more will follow.
Should shell_exec/ini_set be disabled, I don't think it can do much.
Would appreciate if you can debug it further.
A quick attempt:
http://pastebin.com/bHv7wKWn
Not part of a botnet, 'just' a simple script that allows execution of code.
I was almost there
Also, my previous statement was incorrect, the hex code is simply used as a dictionary to obfuscate the code.
So basically the script checks for a POST request which should contain 1cca009e-23b4-4eb8-9777-e33b882dcdf8 as a secret in _POST['ak'].
The parameter _POST['a'] contains the action switch: 'i' means print info (php version and script version), 'e' means eval the code provided in the 'd' parameter.
Also note that the variable names are short but meaningful:
The above description is a bit oversimplified, because the parameters I listed are not sent as plain post parameters but base64-encoded and serialized in a single big parameter which gets decoded and exploded into an array by the server.
The code itself is nothing special and it actually looks strange to me that the string I think is the control password is not hashed in any way.
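The two observations above (a hex "dictionary" in a global that is sliced into function names, and a POST-driven action switch) are the things a static triage script can surface without running anything, which is the safe counterpart to the "put a print in the right place" approach. The scanner below is an added example, not the thread's script or the pastebin's contents: it decodes \xHH and \NNN escapes, chr() chains and inline base64 literals from a PHP file, then reports which dangerous function names only become visible after decoding, together with whether the file reads request parameters or indexes into $GLOBALS. The SAMPLE_PHP it scans is constructed for illustration and contains only the string-building pattern, not a working shell.

```python
import base64
import binascii
import re

# Names whose appearance only after decoding is the classic backdoor tell.
DANGEROUS = {
    "eval", "base64_decode", "unserialize", "shell_exec", "system",
    "passthru", "ini_set", "create_function", "gzinflate", "str_rot13",
}

# \xHH and \NNN escapes as PHP double-quoted strings accept them.
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
_DQ = re.compile(r'"((?:[^"\\]|\\.)*)"')
_SQ = re.compile(r"'((?:[^'\\]|\\.)*)'")
_CHR = re.compile(r'\bchr\(\s*(\d+)\s*\)')
_B64 = re.compile(r'base64_decode\(\s*[\'"]([A-Za-z0-9+/=]{8,})[\'"]\s*\)')

# Constructed sample of the pattern described in the thread: a hex/octal
# dictionary kept in $GLOBALS and sliced later to build names. It is not a
# functioning shell, only the string-building part.
SAMPLE_PHP = r'''<?php
$GLOBALS['q'] = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65"
    . "\x65\x76\x61\x6c"
    . "\165\156\163\145\162\151\141\154\151\172\145";
$f = $GLOBALS['q'][0] . $GLOBALS['q'][1];
if (isset($_POST['ak'])) { $p = $GLOBALS['q']; }
'''


def decode_escapes(literal):
    """Turn \\xHH / \\NNN escapes into the characters they hide (one pass)."""
    def one(m):
        return chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8))
    return _ESCAPE.sub(one, literal)


def hidden_strings(source):
    """Every string the script could assemble at run time, decoded statically."""
    parts = [decode_escapes(s) for s in _DQ.findall(source)]
    parts += _SQ.findall(source)
    parts.append("".join(chr(int(n)) for n in _CHR.findall(source) if int(n) < 256))
    for b in _B64.findall(source):
        try:
            parts.append(base64.b64decode(b).decode("latin-1"))
        except (binascii.Error, ValueError):
            pass  # not valid base64 after all; ignore
    return parts


def scan(source):
    """Report indicators for one PHP file; nothing is executed."""
    blob = "".join(hidden_strings(source))
    return {
        "decoded_names": sorted(n for n in DANGEROUS if n in blob),
        "reads_request": bool(re.search(r'\$_(POST|GET|REQUEST|COOKIE)\b', source)),
        "globals_dictionary": bool(re.search(r'\$GLOBALS\[[^\]]+\]\s*\[', source)),
        "literal_eval": bool(re.search(r'\beval\s*\(', source)),
    }


def is_suspicious(report):
    """Decoded dangerous names plus a request-driven or dictionary pattern."""
    return bool(report["decoded_names"]) and (
        report["reads_request"] or report["globals_dictionary"] or report["literal_eval"]
    )


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_PHP
    rep = scan(src)
    print(rep, "SUSPICIOUS" if is_suspicious(rep) else "clean")
```

Run it with a file path to triage an upload; with no argument it scans the constructed sample. Substring matching on the decoded blob is deliberately loose (a legitimate string containing "system" will also match), so treat the report as a reason to look closer, not as a verdict.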
I am not a decrypt expert.... if I were you I would simply change eval with some kind of print_r | var_dump and put my ethernet cable out when running this code.... what's the max it could do.... just don't do it on a local pc....
It's not encrypted, you can go to http://www.unphp.net to check the obfuscated tabbed base64 code
http://www.unphp.net/decode/8c9d98d0044e2ff84328cfe7ac5ef67a/
I see this on a lot of hacked WP sites... the only way to clean them is start from scratch.
Watching your Apache access logs can help identify some malicious URLs being accessed from your domain. Also watch your exim/postfix MTA log and count mails in queue to check for malicious activity.
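An added example of the access-log side of that advice, not anything from the thread: it parses combined-format lines and groups requests to PHP files that WordPress itself would never receive POSTs to, or that live under wp-content/uploads (where PHP should not execute at all). The log lines, IPs and file names in SAMPLE_LOG are constructed; the ALLOWED_POST set is an assumption to adjust for your site.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format; the constructed samples below follow it.
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP endpoints WordPress legitimately receives POSTs to (assumed baseline).
ALLOWED_POST = {
    "/wp-login.php", "/wp-admin/admin-ajax.php", "/wp-admin/admin-post.php",
    "/xmlrpc.php", "/wp-cron.php", "/wp-comments-post.php", "/index.php",
}

# Constructed sample: documentation IPs and invented file names.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2016:10:12:01 +0000] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2016:10:12:07 +0000] "POST /wp-content/uploads/2016/03/cache.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:13:44 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2016:10:15:30 +0000] "POST /wp-includes/wp-tmp.php HTTP/1.1" 200 310 "-" "-"
"""


def parse(line):
    """One log line to a dict, or None if it is not combined format."""
    m = _LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def reasons_for(rec):
    """Why a request to a PHP file deserves a look, if at all."""
    path, method = rec["path"], rec["method"]
    if not path.endswith(".php"):
        return set()
    why = set()
    if "/wp-content/uploads/" in path:
        why.add("php-under-uploads")          # uploads should never execute PHP
    if method == "POST" and path not in ALLOWED_POST:
        why.add("post-to-unexpected-php")     # backdoors take commands via POST
    return why


def triage(lines):
    """Group suspicious hits by path: count, source IPs, statuses, reasons."""
    hits = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": set(), "reasons": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        why = reasons_for(rec)
        if not why:
            continue
        h = hits[rec["path"]]
        h["hits"] += 1
        h["ips"].add(rec["ip"])
        h["statuses"].add(rec["status"])
        h["reasons"] |= why
    return dict(hits)


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], encoding="latin-1") if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for path, info in sorted(triage(lines).items(), key=lambda kv: -kv[1]["hits"]):
        print(f'{info["hits"]:5d}  {path}  ips={sorted(info["ips"])}  why={sorted(info["reasons"])}')
```

A path that only ever sees POSTs with 200 responses from one or two IPs, and that no normal page links to, is the profile of a control script like the one dissected above; the same grouping works on the MTA log if you key on the sending script instead of the path.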
Here's one way to stop being hacked:
Stop using WordPress, there are alternatives out there without the security issues.
(well, fewer issues anyway)
Is WP itself insecure? Most of the "issues" come from the plugins.
And themes.
And secure is very relative.
Other platforms may be less attacked and hence less vulnerabilities discovered, which doesn't mean they are not vulnerable.
Same as with Windows and Linux, most viruses target Windows as it's more popular. Better 'ROI' for the hacker, if it makes sense.
Disabling common dangerous PHP functions like eval(), exec(), system() etc. and setting open_basedir along with allow_url_fopen will break most of the automated, non-targeted attacks.
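An added example of checking those settings, not part of the thread: a small php.ini auditor that parses the file, compares disable_functions against a required set, and confirms open_basedir is set and allow_url_fopen/allow_url_include are off. One caveat a practitioner will want: eval is a language construct rather than a function, so disable_functions cannot disable it; the list below therefore covers the process-spawning functions, and eval-based backdoors are the reason open_basedir and upload-directory restrictions still matter. REQUIRED_DISABLED and the two sample ini fragments are constructed assumptions.

```python
# Process-spawning functions a shared-hosting php.ini should list in
# disable_functions (assumed baseline; extend to taste).
REQUIRED_DISABLED = {
    "exec", "shell_exec", "system", "passthru", "popen", "proc_open",
}

# Constructed: the kind of defaults that let an uploaded script do anything.
WEAK_INI = """\
; constructed example
disable_functions =
allow_url_fopen = On
"""

# Constructed: the hardened counterpart.
HARDENED_INI = """\
; constructed example
disable_functions = exec,shell_exec,system,passthru,popen,proc_open
open_basedir = /var/www/example/:/tmp/
allow_url_fopen = Off
allow_url_include = Off
"""


def parse_ini(text):
    """Minimal php.ini reader: strips ; comments, ignores sections, unquotes values.
    Note: Unix open_basedir uses ':' as separator, so ';' is safe to treat as comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        settings[key] = value.strip('"')
    return settings


def is_off(value):
    """php.ini boolean semantics: empty, 0, off, false, no, none all mean off."""
    return value.strip().lower() in {"", "0", "off", "false", "no", "none"}


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_ini(text)
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    findings = []
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions lacks: " + ", ".join(missing))
    if not s.get("open_basedir", "").strip():
        findings.append("open_basedir is not set")
    # PHP defaults: allow_url_fopen=On, allow_url_include=Off when absent.
    if not is_off(s.get("allow_url_fopen", "On")):
        findings.append("allow_url_fopen is enabled")
    if not is_off(s.get("allow_url_include", "Off")):
        findings.append("allow_url_include is enabled")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_INI
    for f in audit(text) or ["no findings"]:
        print(f)
```

Point it at the php.ini that the web SAPI actually loads (php --ini shows the CLI one, which can differ), and remember that per-directory .user.ini or .htaccess php_value lines can override what the main file says.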
Biggest incorrect ass-umption about Wordpress.
WP suffers from the same issues our parents have with Windows: won't update for whatever reason. WP can't really force auto updates because of the complaints from developers where updates will break themes, plugins or anything customized.
Alright, fair enough - it usually is the plugins/themes that cause these issues. I would be genuinely interested though if someone found a vulnerability in WordFence...
Uhm, anyone care to point which plugin/wordpress version is vulnerable to this code injection?
Most nulled plugins/themes come with a backdoor.
You can always check in here https://wpvulndb.com/
Always update and supported by Sucuri
Yes, WP itself is insecure as well, and it's not "just plugins", despite that being a popular claim. See this article, for example, and that's only the obvious issues. The entire codebase is a mess and it is extremely likely that there are more issues as a result of that.
Thanx for the resource
There are many popular plugins in there..........
Bullshit. The "issues" on that post are edge cases we talk about on software when we can't find a real exploit. WP Core is fine where fine is the PHP apps standard of fine.
WordPress Core may be fine as such but the problem is, no one uses it at just core level. The somewhat loose standard of plugins and themes is a big problem. Half of these go EOL after 2-3 major upgrades which makes users hesitant to upgrade.
Not saying all devs / themes / plugins are lousy but yes, code maintainability is a challenge foreseeing more than frequent updates/upgrades for WP.
Can you say some good alternatives?