{"id":5694,"date":"2024-01-16T16:38:39","date_gmt":"2024-01-16T15:38:39","guid":{"rendered":"https:\/\/ekiwi.de\/index.php\/5694\/wordpress-website-hacked-strange-code-with-eval\/"},"modified":"2024-01-17T18:32:34","modified_gmt":"2024-01-17T17:32:34","slug":"wordpress-website-hacked-strange-code-with-eval","status":"publish","type":"post","link":"https:\/\/ekiwi.de\/en\/index.php\/5694\/wordpress-website-hacked-strange-code-with-eval\/","title":{"rendered":"WordPress website hacked? Strange code with eval"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">Table of contents<\/p>\n<\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 
ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/ekiwi.de\/en\/index.php\/5694\/wordpress-website-hacked-strange-code-with-eval\/#The_script_and_code\" >The script and code<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/ekiwi.de\/en\/index.php\/5694\/wordpress-website-hacked-strange-code-with-eval\/#Clean_up_WordPress\" >Clean up WordPress<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/ekiwi.de\/en\/index.php\/5694\/wordpress-website-hacked-strange-code-with-eval\/#Update_Code_also_in_the_functionsphp\" >Update: Code also in the functions.php<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/ekiwi.de\/en\/index.php\/5694\/wordpress-website-hacked-strange-code-with-eval\/#Change_passwords_and_close_sessions\" >Change passwords and close sessions<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/ekiwi.de\/en\/index.php\/5694\/wordpress-website-hacked-strange-code-with-eval\/#And_now\" >And now?<\/a><\/li><\/ul><\/nav><\/div>\n<p>Suspicious obfuscated code discovered on one of our websites.<\/p>\n<p>Today we received a warning from the virus scanner while visiting one of our websites: a suspicious URL had been requested. I immediately looked into it and opened the browser&#8217;s network tools to see what was actually being loaded. 
I noticed the domain &#8220;cdn.specialtaskevents.com&#8221;.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The_script_and_code\"><\/span>The script and code<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_1.png\" alt=\"\" width=\"445\" height=\"71\" class=\"alignnone size-full wp-image-5677\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_1.png 445w, \/wp-content\/uploads\/2024\/01\/hack_1-300x48.png 300w\" sizes=\"auto, (max-width: 445px) 100vw, 445px\" \/><\/p>\n<p>But where did that request come from? The next clue turned up elsewhere in the network tools, and this time at least a line number was shown.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_2.png\" alt=\"\" width=\"739\" height=\"69\" class=\"alignnone size-full wp-image-5679\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_2.png 739w, \/wp-content\/uploads\/2024\/01\/hack_2-300x28.png 300w\" sizes=\"auto, (max-width: 739px) 100vw, 739px\" \/><\/p>\n<p>In line 138 I found what I was looking for: an inline JavaScript block that, for the time being, could not be attributed to any plugin or theme. With WordPress and its abundance of plugins, that is not always easy to tell.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_3.png\" alt=\"\" width=\"633\" height=\"218\" class=\"alignnone size-full wp-image-5681\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_3.png 633w, \/wp-content\/uploads\/2024\/01\/hack_3-300x103.png 300w\" sizes=\"auto, (max-width: 633px) 100vw, 633px\" \/><\/p>\n<p>The script is clearly suspicious. A variable is declared that holds a Base64-encoded string, which is then decoded and handed to eval(). 
ChatGPT was quite helpful here and decoded the function.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_5.png\" alt=\"\" width=\"569\" height=\"233\" class=\"alignnone size-full wp-image-5683\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_5.png 569w, \/wp-content\/uploads\/2024\/01\/hack_5-300x123.png 300w\" sizes=\"auto, (max-width: 569px) 100vw, 569px\" \/><\/p>\n<p>What we see is a second encoded string that contains a URL. The code creates a new script element with that URL as its source, appends it to the page so that it is loaded and executed, and then removes the element again.<\/p>\n<p>The URL points to the following server:<\/p>\n<blockquote><p>\nThe decoded content of the inner Base64 string is a URL: https:\/\/near.flyspecialline.com\/hnkKKF.\n<\/p><\/blockquote>\n<p>I also downloaded the script from there. It is even more heavily obfuscated and much longer, and ChatGPT could no longer unravel it. A payload like this is best fetched with a non-browser client such as curl and only read, never opened in a browser, so that nothing is executed during the analysis.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_6.png\" alt=\"\" width=\"1014\" height=\"581\" class=\"alignnone size-full wp-image-5685\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_6.png 1014w, \/wp-content\/uploads\/2024\/01\/hack_6-300x172.png 300w, \/wp-content\/uploads\/2024\/01\/hack_6-768x440.png 768w\" sizes=\"auto, (max-width: 1014px) 100vw, 1014px\" \/><\/p>\n<p>An online <a href=\"https:\/\/obf-io.deobfuscate.io\/\">deobfuscator<\/a> did, however, get about halfway. The procedure is the same again. 
Another script is loaded, this time from &#8220;cdn.specialtaskevents.com&#8221;.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_7.png\" alt=\"\" width=\"566\" height=\"349\" class=\"alignnone size-full wp-image-5687\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_7.png 566w, \/wp-content\/uploads\/2024\/01\/hack_7-300x185.png 300w\" sizes=\"auto, (max-width: 566px) 100vw, 566px\" \/><\/p>\n<p>This one is a long script as well, with a few interesting things at the end. It inspects the WordPress cookies, which among other things reveal whether the visitor is logged in, and executes different code depending on what it finds.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_8.png\" alt=\"\" width=\"531\" height=\"164\" class=\"alignnone size-full wp-image-5689\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_8.png 531w, \/wp-content\/uploads\/2024\/01\/hack_8-300x93.png 300w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\" \/><\/p>\n<p>A second URL is built into the script, from which the same script is served again. My guess is that this is a fallback that loads the script from an alternative server if the first one fails.<\/p>\n<p>Unfortunately, I have not been able to deobfuscate the script completely, but I would not be surprised if it hijacks a logged-in session to gain access to the WordPress instance.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Clean_up_WordPress\"><\/span>Clean up WordPress<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now on to the cleanup. Fortunately, this was easy at first: the script had been injected into &#8220;<strong>wp-blog-header.php<\/strong>&#8221; and was therefore at least easy to remove. I removed it directly via FTP, i.e. without logging in to WordPress and without opening the site in a browser. Because wp-blog-header.php runs on every front-end request it is a popular place for such injections, but removing the code there is only the first step; the theme, the plugins, the uploads directory and the core files have to be searched for the same code as well.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Update_Code_also_in_the_functionsphp\"><\/span>Update: Code also in the functions.php<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Another small update. 
After searching for the server addresses via Google yesterday, I came across a <a href=\"https:\/\/www.bleepingcomputer.com\/forums\/t\/793455\/complex-wordpress-php-js-exploit\/\">forum entry<\/a> that describes the same problem\/hack.<\/p>\n<p>It reports that code is also inserted into the theme&#8217;s &#8220;functions.php&#8221;. This did not affect all of our WordPress sites; I found the code on only one of them, and I suspect that this site was also the initial entry point.<\/p>\n<p>The forum entry also reports that a new user with administrator rights is created. I could not confirm this; it does not seem to have happened in our case. The user list (Users in the admin menu, or the wp_users table) is still worth checking for accounts nobody recognises.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_add_1.jpg\" alt=\"\" width=\"1217\" height=\"126\" class=\"alignnone size-full wp-image-5700\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_add_1.jpg 1217w, \/wp-content\/uploads\/2024\/01\/hack_add_1-300x31.jpg 300w, \/wp-content\/uploads\/2024\/01\/hack_add_1-1024x106.jpg 1024w, \/wp-content\/uploads\/2024\/01\/hack_add_1-768x80.jpg 768w\" sizes=\"auto, (max-width: 1217px) 100vw, 1217px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Change_passwords_and_close_sessions\"><\/span>Change passwords and close sessions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Once this was done, I logged in. First, check in the browser&#8217;s network tools whether the script is still being served from cache, and clear the cache if necessary. 
I then changed the password in my profile and also ended all other sessions.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"\/wp-content\/uploads\/2024\/01\/hack_9.png\" alt=\"\" width=\"674\" height=\"254\" class=\"alignnone size-full wp-image-5691\" srcset=\"\/wp-content\/uploads\/2024\/01\/hack_9.png 674w, \/wp-content\/uploads\/2024\/01\/hack_9-300x113.png 300w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/p>\n<p>Since the script reads the WordPress cookies, it is also worth rotating the authentication keys and salts in wp-config.php (for example with WP-CLI: wp config shuffle-salts). This invalidates every existing login cookie at once, including any the attacker may have copied.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"And_now\"><\/span>And now?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>How the script got in is unfortunately still unclear and needs further monitoring. Since it occurred on only one hosting account, I assume that a vulnerable plugin is responsible. Useful next steps are to compare the core files against the official checksums (WP-CLI: wp core verify-checksums), to list recently modified files, and to look in the web server&#8217;s access log around those modification times for the request that planted the code.<\/p>\n<p>In any case, a regular check is scheduled for the next few days.<\/p>","protected":false},"excerpt":{"rendered":"<p>Suspicious obfuscated code discovered on one of our websites.<\/p>\n","protected":false},"author":1,"featured_media":4489,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[883,885],"tags":[1020,898],"class_list":["post-5694","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","category-wordpress-en","tag-security-en","tag-wordpress-en"],"_links":{"self":[{"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/posts\/5694","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/comments?post=5694"}],"version-history":[{"count":0,"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/posts\/5694\/revisions"}],"wp:featured
media":[{"embeddable":true,"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/media\/4489"}],"wp:attachment":[{"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/media?parent=5694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/categories?post=5694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ekiwi.de\/en\/index.php\/wp-json\/wp\/v2\/tags?post=5694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}