We will explain the characteristics of malware code embedded by WordPress tampering and how to make the code readable and analyze its contents.
Malware code embedded in WordPress
WordPress sites can be modified by hackers due to a variety of factors. The result is program code, collectively referred to as malware, that performs malicious activities the site operator never intended.
Malware code is often very distinctive, and most often consists of a single line of unintelligible text, such as the following:
$WDP0PDP00D=$WPDD0D0P0P [14]. $WPDD0D0P0P[ 25]. $WPDD0D0P0P[ 6]. $WPDD0D0P0P[11] . $WPDD0D0P0P[. $WPDD0D0P0P[ 8] 18 ]. $WPDD0D0P0P[34 ]. $WPDD0D0P0P[ 32 ]. $WPDD0D0P0P[ 24]. $WPDD0D0P0P[18] . $WPDD0D0P0P[. $WPDD0D0P0P[ 8] 34 ]. $WPDD0D0P0P[ 20]. $WPDD0D0P0P[ 19]. $WPDD0D0P0P[11] . $WPDD0D0P0P[8].....
/*12236*/ @include "7hom5/fu6tre7fun4re.3om/\160ubl.....
;VZDKQPY@ KHHYYS;E@oM K^AEDARG_SY^A UWSI]W^WVQU^^HP ZWBBYVY VMD\Y \VZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Why would such a string act as malware?
Most malware is obfuscated.
The code above is ordinary PHP program code that has been obfuscated, which makes it difficult to understand how it works, even for those with programming knowledge.
Because PHP is executed mechanically, the machine can still run the code, but people cannot easily follow how it works.
Sometimes code is also obfuscated to evade malware scanners by inserting comments, which are normally there for people to read, into the middle of the code.
/*ydhr6ei*/"base". /*ydhr6ei*/." 64_". /*ydhr6ei*/." decode".
How do I de-obfuscate?
De-obfuscating such code can be difficult. It may be possible to remove the obfuscation with a combination of the following techniques.
Manually apply base64_encode / base64_decode (or str_rot13, urlencode, etc.).
Output the obfuscated strings directly with echo.
Try manually assigning the key file or hash value and outputting the result with echo.
Rewrite eval to echo so that the code that would be executed is output instead.
Use a de-obfuscation program (available on GitHub, etc.).
You can also use php-decoder.site, which does some of the above work automatically and online.
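The following Python script is an added example, not code from this page or from any tool it mentions. It undoes two of the tricks shown above, inserted comments and octal/hex string escapes, purely statically, so the sample is never executed. The function names and both sample strings are constructed for this example.

```python
import re

# A block comment, or a double-/single-quoted PHP string literal.
TOKEN = re.compile(r'/\*.*?\*/|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'', re.S)
# \NNN (octal), \xHH (hex), or any other backslash pair.
ESCAPE = re.compile(r'\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|(.))', re.S)
# Two adjacent literals joined by PHP's "." concatenation operator.
CONCAT = re.compile(r'"([^"]*)"\s*\.\s*"([^"]*)"')
# Function names this page mentions; substring match, so deliberately coarse.
SUSPICIOUS = ("base64_decode", "str_rot13", "eval")

# Constructed samples in the style of the snippets above (not real malware).
SAMPLE_COMMENTS = '$f = /*ydhr6ei*/"base"/*ydhr6ei*/."64_"./*ydhr6ei*/"decode";'
SAMPLE_ESCAPES = r'@include "/\160ubl\151c/\x66.php";'


def _decode_escape(m):
    octal, hexa, other = m.groups()
    if other is not None:
        return m.group(0)          # \n, \\, \" and similar stay as written
    return chr(int(octal, 8) & 0xFF) if octal else chr(int(hexa, 16))


def _rewrite(m):
    tok = m.group(0)
    if tok.startswith("/*"):
        return ""                  # comments carry no behaviour
    inner = tok[1:-1]
    if tok[0] == '"':              # only double quotes expand \NNN and \xHH
        inner = ESCAPE.sub(_decode_escape, inner)
    return '"' + inner + '"'       # display form for reading, not for running


def normalize_php(src):
    """Return (readable_source, suspicious_names); nothing is executed."""
    out = TOKEN.sub(_rewrite, src)
    prev = None
    while prev != out:             # fold "a"."b"."c" one pair per pass
        prev = out
        out = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', out)
    return out, sorted(n for n in SUSPICIOUS if n in out)


if __name__ == "__main__":
    for sample in (SAMPLE_COMMENTS, SAMPLE_ESCAPES):
        print(normalize_php(sample))
```

The output is a reading aid only: literals containing escaped quotes or variables are not re-serialized as valid PHP.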