Dec 14

Reverse engineering a malware WordPress theme

Author: admin, Category: Off-topic

I was reading about the malware concept inside WordPress themes (Anatomy of a theme malware, a brilliant post) and also on Weblog Tools Collection, which has an excellent video. What about the themes I downloaded? Maybe some of them have a monster in their chest, ready to blow up…

Something nasty inside this theme...

Worryingly, a few of them (downloaded from not-so-respectable places) had something like this in footer.php:

<?php $_F=__FILE__;$_X='Pz48IS0tIGI1ZzRuIGYyMnQ1ciAtLT4NCg0KPGQ0diBzdHlsNT0iY2w1MXI6Yj
J0aDsiPjwvZDR2Pg0KDQo8ZDR2IDRkPSJmMjJ0NXIiPg0KDQoJPHA+QzJweXI0Z2h0ICZjMnB5OyBhMDA4ICZt
NGRkMnQ7IEFsbCBSNGdodHMgUjVzNXJ2NWQgJm00ZGQydDsgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dz
Jyay4ycmciID5DUEEgTjV0dzJyazwvMT4gdGg1bTUgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dzJy
a3MubjV0IiA+Q1BBIE41dHcycmtzPC8xPiAmbTRkZDJ0OyBQMnc1cjVkIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3
cudzJyZHByNXNzLjJyZy8iPlcycmRQcjVzczwvMT4gJm00ZGQydDsgPD9waHAgd3BfbDJnNG4yM3QoKTsgPz48
L3A+DQoNCjwvZDR2Pg0KDQo8P3BocCBkMl8xY3Q0Mm4oJ3dwX2YyMnQ1cicpOyA/Pg0KDQo8L2Q0dj4NCg0KPC
9iMmR5Pg0KPC9odG1sPg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydH
IoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCIn
Ii4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

You will see two variables, $_F and $_X, and a base64_decode call that begins the long statement.

I used an online base64 decoder page to see what is hidden in the following eval:

eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZS
csJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZh
bCgkX1IpOyRfUj0wOyRfWD0wOw=='));

Getting:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;

In short: decode $_X, unscramble it with strtr, and eval the result. I made a small modification to render the code harmless, replacing the eval with an echo so the decoded footer is printed instead of executed:

<?php $_F=__FILE__;$_X='...';   // the same long base64 string as in the original footer.php
// the inner loader, pasted in place of eval(base64_decode('...')) so it can be read
$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); // ereg_replace() was removed in PHP 7; str_replace() does the same literal swap
echo ($_R); //changed to echo
$_R=0;
$_X=0;
?>

To finally get:

?>	
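The same unwrapping done statically in Python, as an added example that is not part of the original post. Nothing is ever passed to an eval: the loader's three steps (base64_decode, strtr with the '123456aouie' map, and the __FILE__ substitution) are replayed on the two base64 strings copied from the footer.php sample above, so the hidden payload can be read and compared against what the modified PHP printed. The file path and the short PHP fragment used in the scanner are constructed placeholders. It also shows the check I would run over a whole theme directory: a search for eval(base64_decode( in its PHP files, which is the signature of this loader family.

```python
"""Static unwrapper for the obfuscated footer.php loader discussed above.

Every transformation the loader performs (base64_decode, strtr, the
__FILE__ substitution) is replayed here in Python, so the hidden payload can
be read without ever being executed by PHP's eval().
"""
import base64
import pathlib
import re

# Argument of the outer eval(base64_decode(...)), copied from the sample above.
LOADER_B64 = (
    "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZS"
    "csJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZh"
    "bCgkX1IpOyRfUj0wOyRfWD0wOw=="
)

# Value of $_X, copied from the sample above, one fragment per wrapped line.
PAYLOAD_B64 = (
    "Pz48IS0tIGI1ZzRuIGYyMnQ1ciAtLT4NCg0KPGQ0diBzdHlsNT0iY2w1MXI6Yj"
    "J0aDsiPjwvZDR2Pg0KDQo8ZDR2IDRkPSJmMjJ0NXIiPg0KDQoJPHA+QzJweXI0Z2h0ICZjMnB5OyBhMDA4ICZt"
    "NGRkMnQ7IEFsbCBSNGdodHMgUjVzNXJ2NWQgJm00ZGQydDsgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dz"
    "Jyay4ycmciID5DUEEgTjV0dzJyazwvMT4gdGg1bTUgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dzJy"
    "a3MubjV0IiA+Q1BBIE41dHcycmtzPC8xPiAmbTRkZDJ0OyBQMnc1cjVkIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3"
    "cudzJyZHByNXNzLjJyZy8iPlcycmRQcjVzczwvMT4gJm00ZGQydDsgPD9waHAgd3BfbDJnNG4yM3QoKTsgPz48"
    "L3A+DQoNCjwvZDR2Pg0KDQo8P3BocCBkMl8xY3Q0Mm4oJ3dwX2YyMnQ1cicpOyA/Pg0KDQo8L2Q0dj4NCg0KPC"
    "9iMmR5Pg0KPC9odG1sPg=="
)

# PHP strtr($_X, '123456aouie', 'aouie123456'): a fixed one-to-one character swap
# (the digits 1-5 stand in for the vowels a, o, u, i, e and vice versa).
STRTR_MAP = str.maketrans("123456aouie", "aouie123456")


def decode_loader(b64: str = LOADER_B64) -> str:
    """Stage 1: the PHP that the outer eval() would run (the six-line loader)."""
    return base64.b64decode(b64).decode("latin-1")


def unwrap_payload(b64: str = PAYLOAD_B64,
                   file_path: str = "/var/www/theme/footer.php") -> str:
    """Stages 2-4 of the loader, replayed without eval:
    base64_decode($_X), then strtr(...), then ereg_replace('__FILE__', "'<path>'").
    file_path is a constructed placeholder standing in for PHP's __FILE__ ($_F)."""
    raw = base64.b64decode("".join(b64.split())).decode("latin-1")
    unscrambled = raw.translate(STRTR_MAP)
    # ereg_replace('__FILE__', "'".$_F."'", $_X) is a literal substitution here.
    return unscrambled.replace("__FILE__", f"'{file_path}'")


# The signature of this loader family: eval fed straight from base64_decode.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)


def flag_suspicious_lines(php_source: str):
    """Return (line_number, excerpt) for every line that evals a base64 blob."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        if EVAL_B64_RE.search(line):
            hits.append((lineno, line.strip()[:60]))
    return hits


def scan_theme(theme_dir: str):
    """Walk a theme directory and report every eval(base64_decode( in its .php files."""
    report = {}
    for php_file in pathlib.Path(theme_dir).rglob("*.php"):
        hits = flag_suspicious_lines(php_file.read_text(encoding="latin-1"))
        if hits:
            report[str(php_file)] = hits
    return report


if __name__ == "__main__":
    print(decode_loader())      # the loader: base64_decode, strtr, ereg_replace, eval
    print(unwrap_payload())     # the footer markup the loader would have executed
```

Decoding in a separate language is deliberate: the loader's last step is eval, and a one-character slip while editing the PHP (leaving an eval in place) runs the payload on your own machine, whereas the Python replay can only ever produce a string. scan_theme(path) on the theme's directory returns a dict of file path to flagged lines, which is the quick check worth running on every theme downloaded from an untrusted source before it is activated.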

Fortunately, there is no malicious code inside, although it does plant some advertising links. A few tools perform this kind of encoding, such as PHP Free Encoder. There is no smart WordPress, just smart people, for good and for bad.
