While browsing a friend's website, I noticed malicious popups opening up. It was hard to reproduce, because they
showed up quite rarely and my friend had never noticed them. Fortunately, I could convince her to let me have a look
into her website myself.
I noticed strange, minified PHP code in the footer.php of the theme in use. After reformatting it,
analyzing it was quite easy.
The malware has an IP-based filter that shows the popup only to new visitors (IPs that have not been served a popup before). That's why I was not able to reproduce it.
In addition, it checks for certain WordPress cookies, which are present when the site owner is logged in. That's the reason my friend has never seen the popup.
But that is not the only feature: the malware has a small administration interface.
The attacker can change the website that opens up and read out the current one. Sending a POST request with
8Yx5AefYpBp07TEocRmv=MaliciousWebsite.com as a parameter sets http://maliciouswebsite.com. Adding the
parameter https=true leads to https://maliciouswebsite.com instead.
The XORed and base64-encoded URL is written into .SIc7CYwgY, or into /var/tmp/.SIc7CYwgY
if the first file is not writable.
If the POST request carries the parameter 6FoNxbvo73BHOjhxokW3, the current URL is decoded and printed out.
To remove the malware, it should be enough to delete the malicious part from the footer.php and remove the
In addition, you should definitely check how the intruder got into your WordPress. Change all the passwords,
and have a look around for obscure WordPress plugins or themes that you did not install. Furthermore, have a
look into your uploads folder for other malicious files.
It is important to keep WordPress up to date, as updates often fix security-related issues. For system hardening,
you can identify possible issues with the open source tool wpscan.
While searching for the malware, I found several related variants, but the source code
differs. Both blog posts provide some security advice for WordPress.
If cookies with the keys wordpress_logged, wp-settings or wordpress_test are set,
the malware aborts.
Otherwise, it checks whether the IP of the visitor already exists in the file ips1.txt.
After that, it checks the size of the IP file: if it contains more than 3000 IPs, it is truncated.
If the IP existed, the malware exits. Otherwise, it adds the IP to this file and decrypts the
After the first click, a popup opens with the decoded domain.
There are two administration methods: reading out the current URL or setting a new one.
POST request with 6FoNxbvo73BHOjhxokW3:
If a POST request with this parameter is sent, the domain is read out of the configuration file and printed in plain text.
POST request with 8Yx5AefYpBp07TEocRmv:
If a POST request with this parameter is sent, a new domain is set and the $_POST array is printed.
The content of 8Yx5AefYpBp07TEocRmv is the new domain in plain text, without http(s).
If the POST parameter https is set, HTTPS is used; otherwise, HTTP is used. The resulting URL is written into the config file.
It is obscured by first XORing it with the XOR key; the result is then base64-encoded.
.SIc7CYwgY - stores the current domain, obfuscated (XOR + base64)
/var/tmp/.SIc7CYwgY - fallback for .SIc7CYwgY
.ips1.txt - IPs of visitors that already got a popup
/var/tmp/.ips1.txt - fallback for .ips1.txt
Domains are obscured by an XOR operation with the key and base64-encoded after that.
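For incident response, the two things you want from the description above are to read back what the hidden config file currently points to and to find every file that carries the malware's markers (the two POST parameter names and the hidden file names). The following is an added Python triage script, not code from the original post or from the malware; the XOR key is not given in the post, so XOR_KEY is a placeholder that must be replaced with the key found in the infected footer.php.

```python
import base64
import os
from pathlib import Path

# Placeholder: the real key is hard-coded in the malicious footer.php (not given in the post).
XOR_KEY = b"REPLACE_WITH_KEY_FROM_FOOTER_PHP"

# Markers taken from the post: admin POST parameter names and the hidden config / IP-list files.
MARKERS = ("8Yx5AefYpBp07TEocRmv", "6FoNxbvo73BHOjhxokW3", ".SIc7CYwgY", "ips1.txt")

# Primary config location and its /var/tmp fallback, in the order the malware tries them.
CONFIG_PATHS = (".SIc7CYwgY", "/var/tmp/.SIc7CYwgY")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_domain(url: str, key: bytes = XOR_KEY) -> str:
    """Storage format described in the post: XOR with the key, then base64."""
    return base64.b64encode(xor_bytes(url.encode(), key)).decode()


def decode_domain(blob: str, key: bytes = XOR_KEY) -> str:
    """Reverse the storage format to recover the plain redirect URL."""
    return xor_bytes(base64.b64decode(blob), key).decode(errors="replace")


def read_current_redirect(paths=CONFIG_PATHS, key: bytes = XOR_KEY):
    """Return (path, decoded URL) from the first config file that exists, else (None, None)."""
    for p in paths:
        if os.path.isfile(p):
            return p, decode_domain(Path(p).read_text().strip(), key)
    return None, None


def scan_for_markers(text: str) -> list:
    """List which known markers appear in one file's content."""
    return [m for m in MARKERS if m in text]


def scan_tree(root: str, suffixes=(".php",)) -> dict:
    """Walk a WordPress install (themes, plugins, uploads) and map file path -> markers found."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                found = scan_for_markers(Path(path).read_text(errors="ignore"))
                if found:
                    hits[path] = found
    return hits
```

Run scan_tree against the WordPress root after cleaning footer.php to confirm no other theme, plugin or upload still references the admin parameters.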
There are several unreachable statements, for example one that would redirect US-based users to Google instead of the
malicious site, or, my personal highlight, this one in the redirect function:
The intention is obviously to have the redirect happen after 5 to 20 seconds, but since it is PHP,