PHP
Ivan Petrov, 2021-05-11 13:23:33

Incomprehensible game on sites from one hosting account. wp-signups.php, what's going on?

A WordPress-managed site has a file called wp-signups.php with completely incomprehensible content. It is wp-signuPS, not wp-signuP. It appeared not only on a site managed by WordPress, but also on other sites that have nothing to do with WordPress, but are on the same hosting account and do not overlap with each other.

There is some strange code in this file and I do not understand what function it performs. I can’t fully insert this code right here due to the character limit, so I’ll post it at the link.

In addition to the fact that this code is in the wp-signups.php files, it is also in the index.php files at the very top.

As far as I understand, the $OoooOO0 variable

$OOOOOO = '8111m3';
$OOOOOO="%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c";

holds the alphabet and digits? And then the values of the other variables are filled from this $OOOOOO array, or what is actually going on? I don’t understand yet, but there was a suspicion that the sites had been hacked and redirects set up under certain conditions, and that the code was brought into such a confused form to make it as incomprehensible as possible?

I myself don’t get a redirect when I visit the site; on one site the code in index.php was corrupted and it loaded in a distorted form, on the second site an empty page was loaded, and on the third .htaccess was corrupted and I see a 500 error when I try to get to the website.

It seems that someone got access to the hosting and piled up who knows what, or what else could have happened? Please help me figure out what the above code does.
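As an added illustration (not part of the question or of any answer), the %-encoded string from the post can be decoded offline as data, without running anything from the suspicious file. It comes out as a plain character table, and obfuscators of this kind then spell out function names by concatenating $VAR[n] lookups into that table. The script is Python rather than PHP so the file is never executed; the $OOOOOO[13]... chain in it is a constructed sample, not a line from the file.

```python
import re
from urllib.parse import unquote

# The %-encoded string exactly as it appears in the question; it is only
# decoded as data here, nothing from the infected file is executed.
ENCODED_ALPHABET = (
    "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d"
    "%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d"
    "%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39"
    "%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c"
)


def decode_alphabet(encoded: str = ENCODED_ALPHABET) -> str:
    """Decode the table the same way PHP's urldecode() would."""
    return unquote(encoded)


# One lookup such as $OOOOOO[13]; PHP also allows the older $OOOOOO{13} form.
# The variable name itself carries no information, so it is not captured.
LOOKUP = re.compile(r"\$\w+(?:\[|\{)(\d+)(?:\]|\})")


def resolve(expr: str, alphabet: str) -> str:
    """Turn a chain like $V[13].$V[8].$V[9] into the string it spells out."""
    return "".join(alphabet[int(i)] for i in LOOKUP.findall(expr))


def encode_name(name: str, alphabet: str, var: str = "$OOOOOO") -> str:
    """Reverse direction: the lookup chain that spells a given name.

    Handy for grepping a dumped file for the chain that spells e.g. 'fopen'
    when the name never appears in clear text. Uses the first occurrence of
    each character ('-' and '\\' occur twice in this table).
    """
    return ".".join(f"{var}[{alphabet.index(ch)}]" for ch in name)


if __name__ == "__main__":
    table = decode_alphabet()
    print(table)
    # Constructed sample chain (not copied from the file): spells 'fopen'.
    sample = "$OOOOOO[13].$OOOOOO[8].$OOOOOO[9].$OOOOOO[2].$OOOOOO[24]"
    print(resolve(sample, table))
    print(encode_name("fwrite", table))
```

Running resolve() over every dotted chain in the dumped file is a quick way to recover the function names (curl, fopen, fwrite and the like) that the answers below refer to, without ever executing the code.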


3 answer(s)
Vindicar, 2021-05-11
@IvanPetrow

Usual obfuscated shellcode.
At the end of the code you can see a call to curl, and then fopen() + fwrite(), i.e. the shell is able to download content from the specified URL and write it to the specified file on the infected host, presumably for further execution.
delphinpro correctly wrote in the comments: check the modification date of the files (if the hacker was lazy, he did not correct it and the infected files will be newer), and delete the shell code from everywhere.
I will also add: read the web server logs for requests to the infected files and look for the hosts that accessed them (probably Chinese proxies). Then look for all requests from those hosts; if you're lucky, you will understand how you were broken into. And in any case, update WordPress to the latest version if it isn't already.

Konstantin, 2021-05-11
@kot999

The site has been hacked and filled with some kind of malware.
Perhaps it is not the only one.
1. You need to find and fix the vulnerability through which it was uploaded.
2. Clean out the malware.

profesor08, 2021-05-11
@profesor08

1. Look where the file appeared first; that will be the leaky site.
2. Look at the logs; you might be lucky and see where the file is accessed from, and then see where else that address is accessing. That way you will understand where to look for the hole.
