{"id":19783,"date":"2022-11-07T17:52:56","date_gmt":"2022-11-07T12:22:56","guid":{"rendered":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/"},"modified":"2022-11-07T17:52:56","modified_gmt":"2022-11-07T12:22:56","slug":"solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do","status":"publish","type":"post","link":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/","title":{"rendered":"[Solved] Malicious code found in WordPress theme files. What does it do?"},"content":{"rendered":"<p> [ad_1]<br \/>\n<\/p>\n<div id=\"answer-29433260\" class=\"answer js-answer accepted-answer js-accepted-answer\" data-answerid=\"29433260\" data-parentid=\"29421263\" data-score=\"2\" data-position-on-page=\"1\" data-highest-scored=\"1\" data-question-has-accepted-highest-score=\"1\" itemprop=\"acceptedAnswer\" itemscope itemtype=\"https:\/\/schema.org\/Answer\">\n<div class=\"post-layout\">\n<div class=\"votecell post-layout--left\"><\/div>\n<div class=\"answercell post-layout--right\">\n<div class=\"s-prose js-post-body\" itemprop=\"text\">\n<p>After digging though the obfuscated code untangling a number of <code>preg_replace<\/code>, <code>eval<\/code>, <code>create_function<\/code> statements, this is <em>my try on explaining<\/em> what the code does:<\/p>\n<p>The code will start output buffering and register a callback function triggered at the end of buffering, e.g. when the output is to be sent to the web server.<\/p>\n<p><strong>First<\/strong>, the callback function will attempt to uncompress the output buffer contents if necessary using <code>gzinflate<\/code>, <code>gzuncompress<\/code>, <code>gzdecode<\/code> or a custom <code>gzinflate<\/code> based decoder (I have not dug any deeper into this). <\/p>\n<p>With the contents uncompressed, a request will be made containing the $_SERVER values of<\/p>\n<ul>\n<li>HTTP_USER_AGENT<\/li>\n<li>HTTP_REFERER<\/li>\n<li>REMOTE_ADDR<\/li>\n<li>HTTP_HOST<\/li>\n<li>PHP_SELF<\/li>\n<\/ul>\n<p>&#8230; to the domain given by chars 0-8 or 8-15 (randomly picks one or the other) in an <code>md5<\/code> hash of the IPv4 address of &#8220;stat-dns.com&#8221; appended with &#8220;.com&#8221;, currently giving <code>md5(\".com\" . &lt;IPv4&gt; )<\/code> =&gt; <code>md5(\".com8.8.8.8\")<\/code> =&gt; <code>\"54dfa1cb.com\"<\/code> \/ <code>\"33db9538.com\"<\/code>.<\/p>\n<p>The request will be attempted using <code>file_get_contents<\/code>, <code>curl_exec<\/code>, <code>file<\/code> and finally <code>socket_write<\/code>.<\/p>\n<p>Note that <em>no request will be made<\/em> if:<\/p>\n<ul>\n<li>any of the <code>HTTP_USER_AGENT<\/code>, <code>REMOTE_ADDR<\/code> or <code>HTTP_HOST<\/code> is empty\/not set<\/li>\n<li><code>PHP_SELF<\/code> contains the word &#8220;admin&#8221;<\/li>\n<li><code>HTTP_USER_AGENT<\/code> contains any of the words &#8220;google&#8221;, &#8220;slurp&#8221;, &#8220;msnbot&#8221;, &#8220;ia_archiver&#8221;, &#8220;yandex&#8221; or &#8220;rambler&#8221;.<\/li>\n<\/ul>\n<p><strong>Secondly<\/strong>, if the output buffer contents has a <code>body<\/code> or <code>html<\/code> tag, and the response from the request above (decoded using <code>en2()<\/code> function below) contains at least one &#8220;!NF0&#8221; string, the content between the first and second &#8220;!NF0&#8221; (or end of string) will be injected into the HTML page at the beginning of the <code>body<\/code> or in case there is no <code>body<\/code> tag, the <code>html<\/code> tag.<\/p>\n<p>The code used for encoding\/decoding traffic is this one:<\/p>\n<pre><code>function en2($s, $q) {\n    $g = \"\";\n    while (strlen($g) &lt; strlen($s)) {\n        $q = pack(\"H*\", md5($g . $q . \"q1w2e3r4\"));\n        $g .= substr($q, 0, 8);\n    }\n    return $s ^ $g;\n}\n<\/code><\/pre>\n<p><code>$s<\/code> is the string to encode\/decode and <code>$q<\/code> is a random number between 100000 and 999999 acting as a key.<\/p>\n<p>The request URL mentioned above is calculated like this:<\/p>\n<pre><code>$url = \"http:\/\/ ... \/\"\n    . $op \/\/ Random number\/key\n    . \"?\"\n    . urlencode(\n          urlencode(\n              base64_encode(en2( $http_user_agent, $op)) . \".\" .\n              base64_encode(en2( $http_referrer,   $op)) . \".\" .\n              base64_encode(en2( $remote_addr,     $op)) . \".\" .\n              base64_encode(en2( $http_host,       $op)) . \".\" .\n              base64_encode(en2( $php_self,        $op))\n          )\n      );\n<\/code><\/pre>\n<p>While I have not found any sign of what initially placed the malicious code on your server, or that it does anything else than allowing for bad HTML\/JavaScript code to be injected on your web pages that does not mean that it is not still there.<\/p>\n<p>You really should make a clean install, like suggested by @Bulk above:<\/p>\n<blockquote>\n<p>The only way you&#8217;ll ever know for sure it&#8217;s been cleaned is to<br \/>\n  re-install absolutely everything you can from scratch &#8211; i.e. fresh<br \/>\n  wordpress install, fresh plugin install. Then literally comb every<br \/>\n  line of your theme for anything out of the ordinary. Also of note,<br \/>\n  they often will put things in wp-content\/uploads that look like images<br \/>\n  but aren&#8217;t &#8211; check those too.<\/p>\n<\/blockquote>\n<p>Pastebin <a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/pastebin.com\/Z03USpr7\">here<\/a>.<\/p>\n<\/p><\/div>\n<div class=\"mt24\"><\/div>\n<\/div>\n<p>            <span class=\"d-none\" itemprop=\"commentCount\">1<\/span> <\/p><\/div>\n<\/div>\n<p>[ad_2]<\/p>\n<p>solved Malicious code found in WordPress theme files. What does it do? <\/p>\n","protected":false},"excerpt":{"rendered":"<p>[ad_1] After digging though the obfuscated code untangling a number of preg_replace, eval, create_function statements, this is my try on explaining what the code does: The code will start output buffering and register a callback function triggered at the end of buffering, e.g. when the output is to be sent to the web server. First, &#8230; <a title=\"[Solved] Malicious code found in WordPress theme files. What does it do?\" class=\"read-more\" href=\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\" aria-label=\"More on [Solved] Malicious code found in WordPress theme files. What does it do?\">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[320],"tags":[3523,1267,339,4679,597],"class_list":["post-19783","post","type-post","status-publish","format-standard","hentry","category-solved","tag-code-injection","tag-malware","tag-php","tag-trojan","tag-wordpress"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>[Solved] Malicious code found in WordPress theme files. What does it do? - JassWeb<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[Solved] Malicious code found in WordPress theme files. What does it do? - JassWeb\" \/>\n<meta property=\"og:description\" content=\"[ad_1] After digging though the obfuscated code untangling a number of preg_replace, eval, create_function statements, this is my try on explaining what the code does: The code will start output buffering and register a callback function triggered at the end of buffering, e.g. when the output is to be sent to the web server. First, ... Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\" \/>\n<meta property=\"og:site_name\" content=\"JassWeb\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-07T12:22:56+00:00\" \/>\n<meta name=\"author\" content=\"Kirat\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Kirat\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\"},\"author\":{\"name\":\"Kirat\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31\"},\"headline\":\"[Solved] Malicious code found in WordPress theme files. What does it do?\",\"datePublished\":\"2022-11-07T12:22:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\"},\"wordCount\":427,\"publisher\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#organization\"},\"keywords\":[\"code-injection\",\"malware\",\"php\",\"trojan\",\"wordpress\"],\"articleSection\":[\"Solved\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\",\"url\":\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\",\"name\":\"[Solved] Malicious code found in WordPress theme files. What does it do? - JassWeb\",\"isPartOf\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#website\"},\"datePublished\":\"2022-11-07T12:22:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jassweb.com\/solved\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[Solved] Malicious code found in WordPress theme files. What does it do?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jassweb.com\/solved\/#website\",\"url\":\"https:\/\/jassweb.com\/solved\/\",\"name\":\"JassWeb\",\"description\":\"Build High-quality Websites\",\"publisher\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jassweb.com\/solved\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jassweb.com\/solved\/#organization\",\"name\":\"Jass Web\",\"url\":\"https:\/\/jassweb.com\/solved\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png\",\"contentUrl\":\"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png\",\"width\":693,\"height\":132,\"caption\":\"Jass Web\"},\"image\":{\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31\",\"name\":\"Kirat\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jassweb.com\/solved\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1776403586\",\"contentUrl\":\"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1776403586\",\"caption\":\"Kirat\"},\"sameAs\":[\"http:\/\/jassweb.com\"],\"url\":\"https:\/\/jassweb.com\/solved\/author\/jaspritsinghghumangmail-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"[Solved] Malicious code found in WordPress theme files. What does it do? - JassWeb","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/","og_locale":"en_US","og_type":"article","og_title":"[Solved] Malicious code found in WordPress theme files. What does it do? - JassWeb","og_description":"[ad_1] After digging though the obfuscated code untangling a number of preg_replace, eval, create_function statements, this is my try on explaining what the code does: The code will start output buffering and register a callback function triggered at the end of buffering, e.g. when the output is to be sent to the web server. First, ... Read more","og_url":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/","og_site_name":"JassWeb","article_published_time":"2022-11-07T12:22:56+00:00","author":"Kirat","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Kirat","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/#article","isPartOf":{"@id":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/"},"author":{"name":"Kirat","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31"},"headline":"[Solved] Malicious code found in WordPress theme files. What does it do?","datePublished":"2022-11-07T12:22:56+00:00","mainEntityOfPage":{"@id":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/"},"wordCount":427,"publisher":{"@id":"https:\/\/jassweb.com\/solved\/#organization"},"keywords":["code-injection","malware","php","trojan","wordpress"],"articleSection":["Solved"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/","url":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/","name":"[Solved] Malicious code found in WordPress theme files. What does it do? - JassWeb","isPartOf":{"@id":"https:\/\/jassweb.com\/solved\/#website"},"datePublished":"2022-11-07T12:22:56+00:00","breadcrumb":{"@id":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/jassweb.com\/solved\/solved-malicious-code-found-in-wordpress-theme-files-what-does-it-do\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jassweb.com\/solved\/"},{"@type":"ListItem","position":2,"name":"[Solved] Malicious code found in WordPress theme files. What does it do?"}]},{"@type":"WebSite","@id":"https:\/\/jassweb.com\/solved\/#website","url":"https:\/\/jassweb.com\/solved\/","name":"JassWeb","description":"Build High-quality Websites","publisher":{"@id":"https:\/\/jassweb.com\/solved\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jassweb.com\/solved\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jassweb.com\/solved\/#organization","name":"Jass Web","url":"https:\/\/jassweb.com\/solved\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/","url":"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png","contentUrl":"https:\/\/jassweb.com\/wp-content\/uploads\/2021\/02\/jass-website-logo-1.png","width":693,"height":132,"caption":"Jass Web"},"image":{"@id":"https:\/\/jassweb.com\/solved\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/person\/65c9c7b7958150c0dc8371fa35dd7c31","name":"Kirat","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jassweb.com\/solved\/#\/schema\/person\/image\/","url":"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1776403586","contentUrl":"https:\/\/jassweb.com\/solved\/wp-content\/litespeed\/avatar\/1261af3c9451399fa1336d28b98ea3bb.jpg?ver=1776403586","caption":"Kirat"},"sameAs":["http:\/\/jassweb.com"],"url":"https:\/\/jassweb.com\/solved\/author\/jaspritsinghghumangmail-com\/"}]}},"_links":{"self":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/posts\/19783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/comments?post=19783"}],"version-history":[{"count":0,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/posts\/19783\/revisions"}],"wp:attachment":[{"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/media?parent=19783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/categories?post=19783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jassweb.com\/solved\/wp-json\/wp\/v2\/tags?post=19783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}