We will explain about the characters such as \x2e and \161,\u etc. that are commonly found in WordPress malware infected files and how to read them back.
Unobfuscating backslash strings that are often found in malware
Malware code is often obfuscated, which means that it is difficult to tell what it is doing at a glance. There are also malicious programs that make full use of obfuscation to prevent malware from being detected.
One of these obfuscation processes is to use a special character notation with slashes in the string.
This special notation is a way to programmatically specify a single character in UTF8 or Unicode, which is recognized and processed as a general string in the PHP program, but is difficult for humans to read.
For example, suppose the following program is included in the malware.
function_exists("\x661457\x6754\x5f\x637\x6e\x164\x656\x74\x73")
When I tried to echo (output) this \x string code on an online PHP executable site, I got the following results.
In other words, this string is the obfuscated version of file_get_contents.
You can also use echo to un-obfuscate in this way, but there are also online services for un-obfuscating, such as the following.
If the eval function is attached to the end of the malware file
eval is a function that interprets a string as program code and executes it, and is extremely common in malware that executes obfuscated strings such as those described above.
eval("\x661.............")
or another obfuscation function, base64_decode, is often used, as shown below
eval(base64_decode("YRJD........."))
In such cases, it is sometimes possible to rewrite eval as echo to de-obfuscate and find out what kind of program the malware is executing.
(There may be several more levels of obfuscated code on the nested.)
echo("\x661.............")
What if the obfuscated malware file is on a WordPress site?
In this case, we recommend that you perform a comprehensive malware scan, as it is possible that multiple malware files are located deep in the WordPress hierarchy or in folders on other sites on the server.
Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
If malware is detected, it means that your site has a vulnerability that allowed hackers to enter in the first place, so you will also need to take measures to prevent vulnerabilities.
This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.
1. it is not for the purpose of learning by the generated AI. 2. only the summary or title of the page content at a level that does not lead to the solution of the user’s problem is shown to the user. 3. in the case of 2, a link to this content is shown to lead the user to this page.
