Old_fart
Forum Replies Created
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
@p-mt, sorry for the late response, I was busy last week …
sudo grep -r turnitupnow * > badfiles.txt
is good, but…
Do you know that:
1. PHP can be easily embedded in gif, jpg, png, mp3, wav… files?
2. A lot of plugins after unpacking have executable rights on gif, jpg, png, txt files, which can be executed as CGI in this case?
Always cure them with the help of
find ./ -type d -exec chmod -vv 755 {} \;
find ./ -type f -exec chmod -vv 644 {} \;
3. A bunch of installations have 777 permissions on the whole wp-content folder instead of restricting it to “upload” only? (The best choice would be to remove ANY folders writable by the HTTP server outside DOCUMENT_ROOT, as is possible with other CMS, but changing it in WordPress is a challenge)
4. Almost any HTTP server allows write permissions to /tmp, which is the most loveable place for any backdoor?
5. Most servers have bash, gawk… base utilities which can be called by anyone and can easily be used as a backdoor channel (so there is no need to keep anything on the server because it is always available ??); will any trace of that activity be logged on the hosting?
Well, there are a lot of scary things that are out of your control if you don't run your own server. Hackers rarely infect systems in the old-fashioned way. They usually keep spare ways to reactivate themselves after their visible stuff was detected and deleted. Spare ways could be anywhere: in database triggers, inside images or mp3 files (which are actually always exposed by WordPress to the world)… etc.
To be sure that you take care of at least your own parts of the software, check ALL your files that are exposed by the HTTP server with these simple commands (change directory to the ROOT of the HTTP-accessible tree, aka DOCUMENT_ROOT):
# Check if some files try to obfuscate themselves
find . -type f -print0 | xargs -0 grep -i base64 > ../000-obfuscation.txt
# Check for links to external sites
# Especially pay attention if it is in php files
find . -type f -print0 | xargs -0 grep '\<[[:alpha:]]*://[^/]*' > ../001-external_links_in_urls.txt
# Review potentially malicious content
find . -type f -print0 | xargs -0 grep -Ei 'iframe|src|javascript:|eval|include' > ../002-active_content.txt
# Delete anything in the temporary folder that was created by your
# account. (Don't worry that you may delete others' files,
# /tmp has a sticky bit set on most servers, so you can not delete
# files that were created by others)
rm -fr /tmp/* ;
Dump the MySQL database so it will be possible to parse it as a single text file and search for the same keywords inside it.
Well, there is no universal advice because of the different environments on servers, and the situation heavily depends on what type of plugins/themes you use (BTW, don't keep deactivated plugins/themes since they are still callable from outside, and if one finds a hole he/she will be able to use it).
Best regards,
Alex
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
@pkwooster On FreeBSD based hosting there is an OS utility
mtree
that can calculate and later compare hashes of any directories/files. Linux based OS need a third party application called tripwire that does the same. Ask your provider what they have. It is better than a plugin because those programs have system wide permissions 555 and can be hacked only if the attacker gains root privilege.
@jamieedwards, the malicious script automatically searches everywhere beginning from the root directory. Take a look at what kind of information was taken:
[Code moderated as per the Forum Rules. Please use the pastebin]
If you restricted dangerous functions in php.ini (and restarted the HTTP server after that) and you still continue to have the problem – try to delete everything in /tmp like that: rm -fr /tmp/*. Some systems may allow you read/write access to /var/tmp, so delete everything from there too. If you know other places where you have write permissions, take a look at those places too.
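A minimal version of the mtree/tripwire-style integrity check from the reply above, together with the permission audit from the first reply (execute bits on served files, world-writable folders), as an added example that is not the forum author's code. The paths in the usage comments are assumptions; sha256sum, find and diff are assumed present.

```shell
#!/bin/sh
# Added example, not from the thread: a poor man's mtree/tripwire for a
# WordPress DOCUMENT_ROOT plus the chmod audit recommended in the thread.
set -u

# snapshot ROOT OUTFILE: record sha256 of every regular file under ROOT.
# Keep OUTFILE outside DOCUMENT_ROOT so the web server cannot tamper with it.
snapshot() {
    root=$1; out=$2
    find "$root" -type f -print0 | xargs -0 sha256sum | LC_ALL=C sort -k2 > "$out"
}

# compare BASELINE ROOT: print hash lines that changed, appeared or vanished.
# '<' = entry from the baseline, '>' = entry from the fresh snapshot.
compare() {
    base=$1; root=$2
    fresh=$(mktemp)
    snapshot "$root" "$fresh"
    diff "$base" "$fresh" | grep '^[<>]' || true
    rm -f "$fresh"
}

# audit ROOT: list files with any execute bit set (the reply recommends 644
# for every file) and directories writable by everyone (777), which should
# be limited to the uploads folder if anything.
audit() {
    root=$1
    find "$root" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf 'exec-bit: %s\n' {} \;
    find "$root" -type d -perm -002 -exec printf 'world-writable: %s\n' {} \;
}

# Usage (paths are assumptions for this example):
#   snapshot /var/www/html ~/wp-baseline.sha256   # right after a clean install
#   compare  ~/wp-baseline.sha256 /var/www/html   # later, when something looks off
#   audit    /var/www/html
case "${1:-}" in
    snapshot) snapshot "$2" "$3" ;;
    compare)  compare "$2" "$3" ;;
    audit)    audit "$2" ;;
esac
```

A file listed by compare that you did not change yourself is the place to start reading; the grep sweeps from the first reply narrow it down further.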
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
Sorry for the late response. Finally I got time to analyze the file provided by p-mt.
It actually isn't a too dangerous PHP script, it is a really old crackers'/hackers' tool called WSO, which is basically a web shell. What it does:
It has Authorization for cookies
Get Server Information
Disable logging
Rewrite php settings
File manager (copy, rename, move, delete, chmod, touch, creating files and folders)
View, hexview, editing, downloading, uploading files
Working with zip archives (packing, unpacking) + compression via tar
Console
SQL Manager (MySql, PostgreSql)
Execute PHP code
Working with Strings + hash search online databases
Bind port and can make back-connect (via Perl; the php script drops the files bp.pl and bc.pl to /tmp)
Bruteforce FTP, MySQL, PgSQL
Search files, search text in files
Works on nix-like and Windows systems
Anti search engine (check User-Agent, if it is a search engine then returns 404 error)
Use AJAX
…Actually, on infected systems there should be something else (other files) that created this WebShell. It could be a hole in WP or in other servers (HTTP, FTP), but usually it happens because of really weak passwords.
Grab KeePass (it works with the same database file on any platform – unix based, windows, iPhone, Android), create strong passwords with the embedded generator and keep those passwords in KeePass.
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
@p-mt wrote “do you think, wordpress will work after that??”
Mine is working. There could be some plugins that use those functions, but all of them should be avoided. You may search for those functions through all of WordPress's php files, but legal applications rarely use those funcs.
@richardlin File names generated by the virus are unique because they are made with the help of a random generator.
@impackt As I can see from the virus code – it replies with the redirect link to search engine bots ONLY and obviously will not reveal itself to a well known scanner. sitecheck.sucuri.net can check only the output produced by PHP code, but it can't examine your file system. You can download the Firefox plugin “User Agent Switcher” and check your site with the user agent set to “Google” or “Slurp” or “MSNBot” or “ia_archiver” or “Yandex” or “Rambler”.
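The User-Agent test described in the reply above, scripted with curl instead of a browser plugin, as an added example that is not the forum author's code. It fetches the same URL once as a browser and once per bot string named in the reply and flags a fetch that gets a redirect the browser did not; curl is assumed, and the browser User-Agent string is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: detect a redirect that is served only
# to search-engine User-Agents (the cloaking behaviour described in the reply).
set -u

# Bot strings exactly as named in the reply.
BOT_AGENTS="Google Slurp MSNBot ia_archiver Yandex Rambler"

# has_redirect FILE: true if a saved response (headers + body) redirects,
# via a Location header, a meta refresh or a JavaScript location change.
has_redirect() {
    grep -Eiq '^Location:|http-equiv=.refresh|(window|document|top)\.location' "$1"
}

# fetch_as URL UA FILE: save headers and body without following redirects,
# so a 3xx from the cloaking code is kept for inspection.
fetch_as() {
    curl -sS -i -A "$2" "$1" > "$3"
}

# compare_responses BROWSER_FILE BOT_FILE UA: print a verdict; return 0
# (cloaking found) only when the bot response redirects and the browser
# response does not.
compare_responses() {
    if has_redirect "$2" && ! has_redirect "$1"; then
        printf 'CLOAKED: redirect served only to User-Agent "%s"\n' "$3"
        return 0
    fi
    printf 'clean: "%s"\n' "$3"
    return 1
}

# check_site URL: run the comparison for every bot UA; return 0 if any cloaks.
check_site() {
    browser=$(mktemp); bot=$(mktemp); cloaked=1
    # Constructed browser User-Agent for the baseline fetch.
    fetch_as "$1" "Mozilla/5.0 (X11; Linux x86_64) Firefox/9.0" "$browser"
    for ua in $BOT_AGENTS; do
        fetch_as "$1" "$ua" "$bot"
        compare_responses "$browser" "$bot" "$ua" && cloaked=0
    done
    rm -f "$browser" "$bot"
    return $cloaked
}

if [ $# -eq 1 ]; then check_site "$1"; fi
```

A clean verdict only tells you what the PHP output looks like; as the reply says, the dropped files still have to be found on the file system.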
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
Thanks, I will take a look at it, but all of you who got this shit need to do the following steps:
1. locate your php.ini file
2. replace there
disable_functions =
to
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
3. force a restart of the http server
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
Funny thing that php-ids.org is hacked too.
The code that you posted is decoded to:
eval(gzinflate(base64_decode('7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S938N1vbufp7FIEARJk …
which means: execute some shit that is zipped in base64.
P.S.
@p-mt, could you please upload one of the malicious files from your system to pastebin.com and post the link here. It seems like a mass attack, so we need to know what to expect.