Understanding a Wordpress botnet code
leapswitch Patron Provider, Veteran

After reading this interesting post - https://www.lowendtalk.com/discussion/90266/anatomy-of-a-wordpress-botnet/p1 , I tried going through recent files uploaded by hackers to vulnerable Wordpress or other CMSes. I am not a developer, and I am finding it very hard to understand this random code.

http://pastebin.com/cSy8HWcj

Can someone help me understand this code and then maybe all of us could try to hack into these botnets ?


Comments

  • Mad Member

    It's encrypted, it's almost impossible to decrypt it.

  • MikePT Moderator, Patron Provider, Veteran

    Definitely encrypted.

    Not a programmer myself, maybe @GCat will look at it?

  • leapswitch Patron Provider, Veteran

    If it's encrypted, in order to run it on the server some loader will be required (ionCube, Zend, SourceGuardian etc.), else how will it execute its malicious code?

  • Mad Member

    A loader isn't needed, it will run like a normal JavaScript/PHP script.

  • It's not encrypted. It's obfuscated - big difference.

    It's reversible but will take time.

  • pbgben Member, Host Rep

    @BradND said:
    It's not encrypted. It's obfuscated - big difference.

    It's reversible but will take time.

    Correct, but reversing is a manual process and would require someone to work out what each function does in order to guess the correct naming.

  • Mad Member

    @BradND said:
    It's not encrypted. It's obfuscated - big difference.

    It's reversible but will take time.

    That's correct. It's obfuscation, not encryption (that's what I meant).

    There are multiple tools online to do it both with PHP and JS, but it's almost impossible to decode it, especially if it's complex.

    You can try via UnPHP, DDecode but I cannot assure it.

  • leapswitch Patron Provider, Veteran

    @andreamada said:

    @BradND said:
    It's not encrypted. It's obfuscated - big difference.

    It's reversible but will take time.

    That's correct. It's obfuscation, not encryption (that's what I meant).

    There are multiple tools online to do it both with PHP and JS, but it's almost impossible to decode it, especially if it's complex.

    You can try via UnPHP, DDecode but I cannot assure it.

    Already tried these 2. UnPHP gave some output which is equally obfuscated, DDecode says cannot decode.

  • It's obfuscated.

    Seems like it uses the global variable that was assigned at the top. Then it uses the string inside that global variable to build function and variable names.

  • Giulio Member
    edited August 2016

    The fun part about interpreted code is that most of the time you can deobfuscate stuff just by writing a 'print' in the right place, without even understanding the obfuscation mechanism.
    A print_r($GLOBALS) near line 28 will give you:

        [GLOBALS] => Array
     *RECURSION*
        [yfab7587] => 
        [w380ec89] => 
        [a7c65] => 1cca009e-23b4-4eb8-9777-e33b882dcdf8
        [wce1d6c] => 'T0mR1;3$px:A  "6/ko
    Q)D`\]HtrahNe_F2LPn.^u7V4J[b}jESCdiK&G=f%z*U,y+9vl~IO8>sX(#q<5MW?- w
        [y876] => chr
        [ka91a] => ord
        [hd12279] => strlen
        [a5c827a75] => ini_set
        [j931c16] => serialize
        [t9ba2] => phpversion
        [cd31] => unserialize
        [t372] => base64_decode
        [i895e0e] => set_time_limit
        [r3e58] => v091d9e
        [u3183ff] => dc734765
        [c58d4b02] => Array
            (
            )
    
        [l1bd5b8b] => Array
            (
            )
    
    )
    

    So as you can see it uses common functions of other PHP backdoors, ini_set, base64_decode etc. Apparently it checks the PHP version somewhere, so the hex code might be a shellcode for some known bug.

    That was just a one minute look at the code, if I have time more will follow.

  • MikePT Moderator, Patron Provider, Veteran

    @Giulio said:
    The fun part about interpreted code is that most of the time you can deobfuscate stuff just by writing a 'print' in the right place, without even understanding the obfuscation mechanism.
    A print_r($GLOBALS) near line 28 will give you:

    [GLOBALS] => Array
    RECURSION
    [yfab7587] =>
    [w380ec89] =>
    [a7c65] => 1cca009e-23b4-4eb8-9777-e33b882dcdf8
    [wce1d6c] => 'T0mR1;3$px:A "6/ko
    Q)D`]HtrahNe_F2LPn.^u7V4J[b}jESCdiK&G=f%z*U,y+9vl~IO8>sX(#q<5MW?- w
    [y876] => chr
    [ka91a] => ord
    [hd12279] => strlen
    [a5c827a75] => ini_set
    [j931c16] => serialize
    [t9ba2] => phpversion
    [cd31] => unserialize
    [t372] => base64_decode
    [i895e0e] => set_time_limit
    [r3e58] => v091d9e
    [u3183ff] => dc734765
    [c58d4b02] => Array
    (
    )

    [l1bd5b8b] => Array
    (
    )

    )

    So as you can see it uses common functions of other PHP backdoors, ini_set, base64_decode etc. Apparently it checks the PHP version somewhere, so the hex code might be a shellcode for some known bug.

    That was just a one minute look at the code, if I have time more will follow.

    Should shell_exec/ini_set be disabled, I don't think it can do much.

    Would appreciate if you can debug it further.

  • A quick attempt:
    http://pastebin.com/bHv7wKWn

    Not part of a botnet, 'just' a simple script that allows execution of code.

  • Giulio Member
    edited August 2016

    @Aleksio said:
    A quick attempt:
    http://pastebin.com/bHv7wKWn

    Not part of a botnet, 'just' a simple script that allows execution of code.

    I was almost there :)

    Also, my previous statement was incorrect, the hex code is simply used as a dictionary to obfuscate the code.

    So basically the script checks for a POST request which should contain 1cca009e-23b4-4eb8-9777-e33b882dcdf8 as a secret in _POST['ak'].

    The parameter _POST['a'] contains the action switch: 'i' means print info (PHP version and script version), 'e' means eval the code provided in the 'd' parameter.

    Also note that the variable names are short but meaningful:

    • ak -> access key
    • a -> action
    • i -> info
    • e -> eval
    • pv -> php version
    • sv -> software/shell? version

    The above description is a bit oversimplified, because the parameters I listed are not sent as plain POST parameters but base64-encoded and serialized in a single big parameter which gets decoded and exploded into an array by the server.

    The code itself is nothing special and it actually looks strange to me that the string I think is the control password is not hashed in any way.
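    The request format Giulio describes above, decoded the way an analyst would when reviewing a captured POST body (added example in Python, not code from the thread or from the backdoor): a minimal parser for the PHP serialize() subset involved, run on a constructed payload. The access key and the action letters come from the thread; the ordering base64(serialize(array)) and the sample field values are assumptions.

```python
import base64

# Access key recovered in Giulio's $GLOBALS dump above.
KNOWN_ACCESS_KEY = "1cca009e-23b4-4eb8-9777-e33b882dcdf8"

# Constructed sample of what a WAF body log or PCAP might capture as the single
# POST parameter. Assumption: the fields are PHP-serialize()d, then base64-encoded.
SAMPLE_PAYLOAD = base64.b64encode(
    b'a:3:{s:2:"ak";s:36:"1cca009e-23b4-4eb8-9777-e33b882dcdf8";'
    b's:1:"a";s:1:"e";s:1:"d";s:7:"echo 1;";}'
).decode()


def php_unserialize(data: bytes, pos: int = 0):
    """Parse the PHP serialize() subset used here: strings, ints, arrays.
    Returns (value, position after the parsed value)."""
    tag = chr(data[pos])
    if tag == "s":                       # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                # skip ':"'
        value = data[start:start + length].decode("utf-8", "replace")
        return value, start + length + 2  # skip closing '"' and ';'
    if tag == "i":                       # i:<int>;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == "a":                       # a:<count>:{<key><value>...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                  # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            value, pos = php_unserialize(data, pos)
            result[key] = value
        return result, pos + 1           # skip '}'
    raise ValueError(f"unsupported serialize tag {tag!r} at offset {pos}")


def decode_command(payload_b64: str) -> dict:
    """Decode one captured control message and summarise what it asked for."""
    fields, _ = php_unserialize(base64.b64decode(payload_b64))
    action = {"i": "info", "e": "eval"}.get(fields.get("a"), "unknown")
    return {
        "key_matches": fields.get("ak") == KNOWN_ACCESS_KEY,
        "action": action,
        "code": fields.get("d"),         # only present for the 'e' action
    }


if __name__ == "__main__":
    print(decode_command(SAMPLE_PAYLOAD))
```

    A captured message whose key matches and whose action is "eval" tells you the operator already had the secret and what code they asked the host to run, which is the evidence to keep before rebuilding the site.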

  • I am not a decrypt expert.... if I were you I would simply change eval with some kind of print_r | var_dump and pull my ethernet cable out when running this code.... what's the max it could do.... just don't do it on a local PC....

  • It's not encrypted, you can go to http://www.unphp.net to check the obfuscated tabbed base64 code

    http://www.unphp.net/decode/8c9d98d0044e2ff84328cfe7ac5ef67a/

    I see this on a lot of hacked WP sites... the only way to clean them is to start from scratch.
    Watching your Apache access logs can help identify some malicious URLs being accessed from your domain. Also watch your exim/postfix MTA log and count mails in the queue to check for malicious activity.

  • Here's one way to stop being hacked:

    Stop using WordPress, there are alternatives out there without the security issues.

    (well, less issues anyways)

  • kt Member, Host Rep

    @FlamesRunner said:
    Here's one way to stop being hacked:

    Stop using WordPress, there are alternatives out there without the security issues.

    (well, less issues anyways)

    Is WP itself insecure? Most of the "issues" come from the plugins.

  • kt said: plugins.

    And themes.

  • Clouvider Member, Patron Provider

    And secure is very relative.

    Other platforms may be less attacked and hence have fewer vulnerabilities discovered, which doesn't mean they are not vulnerable.

    Same as with Windows and Linux, most viruses target Windows as it's more popular. Better 'ROI' for the hacker, if that makes sense.

  • Disabling common dangerous PHP functions like eval(), exec(), system() etc. and setting open_basedir along with allow_url_fopen will break most of the automated, non-targeted attacks.

  • FlamesRunner said: Here's one way to stop being hacked:

    Stop using WordPress, there are alternatives out there without the security issues.

    Biggest incorrect ass-umption about Wordpress.

    WP suffers from the same issues our parents have with Windows: they won't update for whatever reason. WP can't really force auto updates because of the complaints from developers where updates will break themes, plugins or anything customized.

  • Alright, fair enough - it usually is the plugins/themes that cause these issues. I would be genuinely interested though if someone found a vulnerability in WordFence...

  • Uhm, anyone care to point which plugin/wordpress version is vulnerable to this code injection?

  • Most nulled plugins/themes come with a backdoor.

  • Ndha Member

    @WhizzWr said:
    Uhm, anyone care to point which plugin/wordpress version is vulnerable to this code injection?

    You can always check in here https://wpvulndb.com/

    Always update and supported by Sucuri

  • joepie91 Member, Patron Provider
    edited August 2016

    kt said: Is WP itself insecure? Most of the "issues" come from the plugins.

    Yes, WP itself is insecure as well, and it's not "just plugins", despite that being a popular claim. See this article, for example, and that's only the obvious issues. The entire codebase is a mess and it is extremely likely that there are more issues as a result of that.

  • @Ndha said:

    @WhizzWr said:
    Uhm, anyone care to point which plugin/wordpress version is vulnerable to this code injection?

    You can always check in here https://wpvulndb.com/

    Always update and supported by Sucuri

    Thanx for the resource

    There are many popular plugins in there..........

  • @joepie91 said:

    kt said: Is WP itself insecure? Most of the "issues" come from the plugins.

    Yes, WP itself is insecure as well, and it's not "just plugins", despite that being a popular claim. See this article, for example, and that's only the obvious issues. The entire codebase is a mess and it is extremely likely that there are more issues as a result of that.

    Bullshit. The "issues" on that post are edge cases we talk about on software when we can't find a real exploit. WP Core is fine where fine is the PHP apps standard of fine.

  • mehargags Member
    edited August 2016

    WordPress Core may be fine as such but the problem is, no one uses it at just the core level. The somewhat loose standard of plugins and themes is a big problem. Half of these go EOL after 2-3 major upgrades, which makes users hesitant to upgrade.

    Not saying all devs/themes/plugins are lousy, but yes, code maintainability is a challenge given the more than frequent updates/upgrades for WP.

  • tux Member

    @FlamesRunner said:

    Stop using WordPress, there are alternatives out there without the security issues.

    Can you say some good alternatives?
