Obscure PHP code in WordPress files

I received word recently that a site I had previously done work on was getting some syntax errors. After checking those errors out, and seeing that certain files were giving the error Warning: Cannot modify header information – headers already sent by (/path/somefile.php) in /path/anotherfile.php, I determined the issue to be malicious PHP code that had been injected into WordPress core files, plugin files, and theme files. How it got there, I can’t be entirely certain, but my best guess is that this vulnerability with Gravity Forms had something to do with it.

The code looked something like this:

Looks like a jumbled mess, right? Well, it is, but it’s meant to look like a jumbled mess to anyone who stumbles across it, so that they are intimidated into just leaving it alone. And even though it looks like a chaotic disaster, it does have functionality. Let’s break it down into a few pieces.

Basically, this is just a string. Or maybe it’s better to call it an alphabet: the other variables are built by picking individual characters out of this string. For instance:

Which translates to:

Sneaky, eh? Some of the other variables use ASCII codes to get the text they want, but overall it’s just a way of obscuring code. So we can take this idea, apply it to the rest of the code, and come up with something like this:
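The same decoding can be done mechanically. The following added example (my own code, not the post’s, and not the malware it discusses) statically resolves the two tricks described above: characters picked out of an "alphabet" string and characters built from ASCII codes with chr(). The PHP sample inside it is constructed for illustration; the variable names and the watch list of function names are my own choices.

```python
import re

# Constructed sample in the style the post describes (not the code from the post):
# one long "alphabet" string, other variables assembled from it and from chr() codes.
SAMPLE = r"""
$a = 'abcdefghijklmnopqrstuvwxyz_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
$f = $a[4].$a[21].$a[0].$a[11];
$g = $a[1].$a[0].$a[18].$a[4].chr(54).chr(52).$a[26].$a[3].$a[4].$a[2].$a[14].$a[3].$a[4];
$h = $a[18].$a[19].$a[17].chr(95).$a[17].$a[14].$a[19].chr(49).chr(51);
"""

# One term of a concatenation: quoted literal, $var[n], chr(n) or $var.
TERM = re.compile(
    r"'((?:[^'\\]|\\.)*)'"      # group 1: single-quoted literal
    r'|"((?:[^"\\]|\\.)*)"'     # group 2: double-quoted literal (taken verbatim)
    r"|\$(\w+)\[(\d+)\]"        # groups 3,4: character n of an earlier string
    r"|chr\((\d+)\)"            # group 5: ASCII code
    r"|\$(\w+)"                 # group 6: an earlier string as a whole
)
ASSIGN = re.compile(r"\$(\w+)\s*=\s*(.+?);", re.S)

# Function names whose appearance in decoded output deserves a close look.
WATCHLIST = {"eval", "assert", "base64_decode", "str_rot13", "gzinflate", "system",
             "exec", "shell_exec", "passthru", "create_function", "file_put_contents",
             "rename", "move_uploaded_file"}


def resolve_assignments(php: str) -> dict:
    """Statically evaluate string-building assignments in source order."""
    env = {}
    for name, expr in ASSIGN.findall(php):
        parts = []
        for t in TERM.finditer(expr):
            if t.group(1) is not None:
                parts.append(t.group(1).replace("\\'", "'").replace("\\\\", "\\"))
            elif t.group(2) is not None:
                parts.append(t.group(2))
            elif t.group(3) is not None:
                src, idx = env.get(t.group(3), ""), int(t.group(4))
                parts.append(src[idx] if idx < len(src) else "?")  # out of range -> "?"
            elif t.group(5) is not None:
                parts.append(chr(int(t.group(5))))
            else:
                parts.append(env.get(t.group(6), "<unresolved:$%s>" % t.group(6)))
        env[name] = "".join(parts)
    return env


def flag_suspicious(env: dict) -> dict:
    """Return the variables that decode to a watch-listed function name."""
    return {k: v for k, v in env.items() if v in WATCHLIST}
```

Running resolve_assignments() on a real infected file shows, variable by variable, what each obfuscated fragment spells out; anything the resolver cannot follow is marked with "?" or an <unresolved:...> tag rather than silently dropped.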

That’s essentially what it all boils down to. But what’s with all that encoded nonsense? I ran a var_dump() on it and came back with this little piece of work:

Like I said earlier, I think all of this was possible because of this vulnerability, but I could very well be wrong. It would make sense though, as this hack is attempting to move some files around and then echo success or failure (+/-).

Dylan Hildenbrand

