
Commit 62decf6

notes about similarity to ring.php obfuscation
1 parent 8842979 commit 62decf6

1 file changed

+22
-1
lines changed


themes/107.175.218.241-2018-10-14a/README.md

+22-1
@@ -63,7 +63,7 @@ Ten files' contents differ between original and compromised .zip files.
6363
* `inc/custom-header.php` - a simple "eval($_POST['something']);" style backdoor
6464
* `inc/extras.php` - same [file uploader](sessions.php) as `footer.php`, concealed in PHP dropper
6565
* `inc/jetpack.php` - the [GetDomains](../../GetDomains) recon malware
66-
* `inc/template-tags.php` - code that will probably crash
66+
* `inc/template-tags.php` - probably a [ring.php](/plugins/login_wall/ring_decoded) web shell
6767
* `single.php` - [heavily mutated WSO](wso.php) web shell
6868
* `template-parts/content-search.php` - changes user's login to have WordPress admin privileges
6969
* `template-parts/content-single.php` - changes user's login to have WordPress admin privileges
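Review bot: the rewritten bullet for `inc/template-tags.php` says it is "probably a ring.php web shell", while the prose this same commit adds below says the file "is clearly the same obfuscating method as the ring.php backdoor" but that its payload could not be decoded; the two should agree, e.g. "same obfuscation as the ring.php backdoor, payload not yet decoded", so the summary list does not overstate or understate what the later paragraph supports. Also, the new link uses the root-relative path `/plugins/login_wall/ring_decoded`, whereas the adjacent entry links `../../GetDomains` relative to this README (which lives under `themes/107.175.218.241-2018-10-14a/`); `../../plugins/login_wall/ring_decoded` would follow the existing convention and still resolve when the README is viewed outside GitHub's renderer.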
@@ -86,3 +86,24 @@ I'm quite confused by this.
8686
There's no underlying theme or obvious motivation for including
8787
this variety of malware.
8888
There's no obvious reason for including duplicates.
89+
90+
One other puzzler that isn't quite so simple. `template-tags.php`
91+
is clearly the same obfuscating method as the [ring.php](/plugins/login_wall/ring_decoded) backdoor.
92+
It's borrowed the comments and function names of some random WordPress file,
93+
and changed them to hold gzipped, Base64-encoded, text representation
94+
of some code.
95+
The Base64-encoded, gzipped code representation is disguised as a pre-composed HTML <img> tage
96+
with in-line image data.
97+
Upon an HTTP request for `template-tags.php`,
98+
the Base64-encoded text representation gets extracted from the "in-line image data".
99+
If the HTTP request invoking `template-tags.php` has the correct
100+
value of parameter named "l__l_", that code gets eval'ed.
101+
102+
None of the well-known passwords "root", "pass" or "avto",
103+
or the `ring.php` password of "G0YgIaXqx" decodes this.
104+
105+
Other places this one shows up around the web:
106+
107+
* [pastebin](https://pastebin.com/VK0E99Mg)
108+
* [malwaredecoder.com](https://malwaredecoder.com/result/2a34dabc2d1eea4bff3d9635ab0240ff)
109+
* [unphp.net](https://www.unphp.net/decode/ec823cd97bd4f411665fffe66144a227/)
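Review bot: typo at new line 95, "HTML <img> tage" should read "tag", and a bare `<img>` in Markdown is treated as an HTML element and dropped from the rendered page, so wrap it in backticks. New lines 99-100 leave the gating mechanism ambiguous: "has the correct value of parameter named "l__l_", that code gets eval'ed" could mean the value is compared against a stored credential before eval, or that the value is the key needed to decode the payload; since the following paragraph tries candidate passwords to "decode this", say explicitly which it is (and, if a comparison or hash is involved, which one), and change "of parameter named" to "of a parameter named".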
