• Resolved zuykis

    (@zuykis)


    Hi Eli,

    Thank you for your great job that saved many lives.
    I found malware (multiple sites, multiple directories) that was not identified as malware although it really is.
    Usually its filename is 'server.php' or 'cund.php', hidden in any of the plugins, somewhere deep.
    The file is usually created by another known malware (from threat files that are recognized and quarantined properly) as a child at the time of its activation.
    Or is it known, but sometimes skipped due to server-related issues?
    The code is here: https://pastebin.com/yGVpsnPN

    I see some more similar files under other filenames and even similar code in some known threats (identified as malware), so this is probably something you will recognize. It seems that many such files have the same origin and come from the same known issue, and this should help: https://pastebin.com/LmyvtRTa
    In the pastebin there are two lists of files created and edited by the malware (most of them edits, I suppose).

    By the way, the WP version is something between 4.7 and 4.8.4 (couldn’t notice due to the updates).

    Thank you.

    • This topic was modified 6 years, 4 months ago by zuykis.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter zuykis

    (@zuykis)

    UPD: By the way, the WP version was something between 4.7 and 4.8.4 at the moment of infection (couldn't notice due to the updates, but at the moment of the scan it was the newest, v4.9.1).

    Plugin Author Eli

    (@scheeeli)

    Just wanted to say thanks for posting that code and let you know that this new variant has been added to my definition updates.

    Thread Starter zuykis

    (@zuykis)

    Thank you a lot!

    This might be helpful to have a clue in the future, so I'm adding some additional information.

    My guess is that this issue is related to the XAttacker.php script (which could harm not only WordPress, but actually any CMS, like Joomla).
    Usually it exploits the plugins "Visual Composer" and/or "Revolution Slider" (some older versions that were released in the past 8 months).

    It creates several files, like server.php, cund.php, qunin.php (and might add a few others like list**.php, view**.php, search.php, footer.php, etc.) in various (random) directories of the WP core, plugins, uploads, themes (usually as deep as possible).

    It also might add the code to other random files, usually large ones (which have a few thousand lines, like class-pclzip.php), so that it is skipped by the scan, since some servers have a low memory_limit and are not able to read those files due to a timeout during the scan.

    Sometimes it sends spam via PHP mail() or wp_mail().

    Although its main purpose is to act as SEO malware.

    Also, once inserted, it is usually executed via wp-cron.php (via the core, to create other files and rewrite the main index.php file with SEO malware code whose main line is masked in regexp syntax).

    server.php: https://pastebin.com/EHYpjPGp

    cund.php: https://pastebin.com/9PPmTnax

    view48.php (could be any number): https://pastebin.com/3kQKME0s

    list98.php (could be any number): https://pastebin.com/8R8ePzSm

    search.php (could be any filename that is not suspicious): https://pastebin.com/q7mW6DYB

    qunin.php:

    <?php
    echo 'say7h';
    ?>

    Thank you again for your work.
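A defensive file-system sweep for the indicators described in this post, as an added example that is not code from the thread or from the plugin: it flags the dropper filenames listed above, PHP files under wp-content/uploads, and the `echo 'say7h'` marker from the qunin.php sample, reading line by line so large files like class-pclzip.php do not exhaust memory. The directory layout and file bodies are constructed stand-ins, not real samples.

```python
import os
import re
import tempfile
from pathlib import Path
# Dropper names from the thread (server/cund/qunin/listNN/viewNN.php) and the echo marker from qunin.php
SUSPICIOUS_NAME = re.compile(r"^(server|cund|qunin|list\d+|view\d+)\.php$", re.IGNORECASE)
MARKER = re.compile(r"echo\s*'say7h'\s*;")

def file_has_marker(path):
    """Read line by line so a multi-thousand-line file never has to fit in memory at once."""
    with open(path, "r", errors="replace") as fh:
        return any(MARKER.search(line) for line in fh)

def scan_wordpress_tree(root):
    """Walk an install and return {relative_path: [reasons]} for files worth reviewing."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = []
            if SUSPICIOUS_NAME.match(name):
                reasons.append("known dropper filename")
            elif rel.startswith("wp-content/uploads/") and name.lower().endswith(".php"):
                reasons.append("php file in uploads")  # uploads should never hold executable PHP
            if name.lower().endswith(".php") and file_has_marker(full):
                reasons.append("say7h marker")
            if reasons:
                findings[rel] = reasons
    return findings

def build_sample_tree(root):
    """Constructed toy install for the demo; the bodies are harmless stand-ins, not real malware."""
    files = {
        "wp-content/plugins/revslider/includes/deep/cund.php": "<?php /* stand-in */ ?>",
        "wp-content/uploads/2017/12/search.php": "<?php /* stand-in */ ?>",
        "wp-content/themes/twentyseventeen/qunin.php": "<?php\necho 'say7h';\n?>",
        "wp-admin/includes/class-pclzip.php": "<?php\n" + "// padding\n" * 5000 + "echo 'say7h';\n",
        "wp-includes/version.php": "<?php\n$wp_version = '4.9.1';\n",
    }
    for rel, body in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_wordpress_tree(root)
```

Run `demo()` to see the constructed tree scanned; on a real install, call `scan_wordpress_tree("/path/to/wordpress")` and review each hit by hand before removing anything.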

    Plugin Author Eli

    (@scheeeli)

    Yes, to confirm, all those threats you have posted on pastebin have been added to my latest definition update.

    Thanks again 😉

  • The topic ‘file that was not identified as a malware’ is closed to new replies.