We will explain about the characters such as \x2e and \161,\u etc. that are commonly found in WordPress malware infected files and how to read them back.

Unobfuscating backslash strings that are often found in malware

Malware code is often obfuscated, which means that it is difficult to tell what it is doing at a glance. There are also malicious programs that make full use of obfuscation to prevent malware from being detected.

Please keep in mind that obfuscation does not necessarily mean malware. Sometimes obfuscation is used to protect the confidentiality of themes, plug-ins, data, etc., or to improve convenience.

One of these obfuscation processes is to use a special character notation with slashes in the string.
This special notation is a way to programmatically specify a single character in UTF8 or Unicode, which is recognized and processed as a general string in the PHP program, but is difficult for humans to read.

For example, suppose the following program is included in the malware.

function_exists("\x661457\x6754\x5f\x637\x6e\x164\x656\x74\x73")

When I tried to echo (output) this \x string code on an online PHP executable site, I got the following results.

In other words, this string is the obfuscated version of file_get_contents.
You can also use echo to un-obfuscate in this way, but there are also online services for un-obfuscating, such as the following.

https://malwaredecoder.com/

http://php-decoder.site/

If the eval function is attached to the end of the malware file

eval is a function that interprets a string as program code and executes it, and is extremely common in malware that executes obfuscated strings such as those described above.

eval("\x661.............")

or another obfuscation function, base64_decode, is often used, as shown below

eval(base64_decode("YRJD........."))

In such cases, it is sometimes possible to rewrite eval as echo to de-obfuscate and find out what kind of program the malware is executing.
(There may be several more levels of obfuscated code on the nested.)

echo("\x661.............")

What if the obfuscated malware file is on a WordPress site?

In this case, we recommend that you perform a comprehensive malware scan, as it is possible that multiple malware files are located deep in the WordPress hierarchy or in folders on other sites on the server.

Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

If malware is detected, it means that your site has a vulnerability that allowed hackers to enter in the first place, so you will also need to take measures to prevent vulnerabilities.

Related Posts:

  1. How to restore (decode) a malware file that has infected WordPress?
    We will explain how to restore (decode) a malware file that has infected WordPress....
  2. eval function used in over 50% of WordPress malware (tampering and viruses)
    We will explain the process called eval, which is used in more than half of the malware files detected by WordPress Doctor, and how to stop eval....
  3. 5 characteristics of malware files that infect WordPress
    Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware....
  4. Characteristics and decoding methods of malware code infecting WordPress
    We will explain the characteristics of malware code embedded by WordPress tampering and how to make the code readable and analyze its contents....
  5. What is the obfuscation process used in over 90% of WordPress malware?
    More than 90% of WordPress malware has obfuscated PHP programs. This article describes the obfuscation process....
  6. Characteristics of malware code when WordPress is tampered with
    We will explain what kind of malware (programs that perform malicious behavior) can be embedded in a site when WordPress is defaced by hackers....