Part 1: Analysis of a WordPress Malware

I had some time at lunch to kill, so I decided to see how Malware techniques were improving in the land of WordPress and free premium theme download sites.

Enter the Darknet.

A simple Google search got me a theme ZIP file pretty quickly.  Now, it was time to see what malicious happenings this thing would cause.
Unpacked, here’s the structure of the ZIP file.

.
├── functions.php
├── home.php
├── images
│   ├── arrow.png
│   ├── bg-pattern.png
│   ├── bg.png
│   ├── blockquote.png
│   ├── blue
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── favicon.ico
│   ├── footer-twitter.png
│   ├── footer-widgets.png
│   ├── gradient.png
│   ├── green
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── icon-dot.png
│   ├── list-after-post.png
│   ├── list.png
│   ├── logo.png
│   ├── logo-texture.png
│   ├── logo-vert-left.png
│   ├── logo-vert-right.png
│   ├── red
│   │   ├── gradient.png
│   │   ├── logo.png
│   │   ├── logo-texture.png
│   │   ├── logo-vert-left.png
│   │   └── logo-vert-right.png
│   ├── rss.png
│   ├── social-icons.png
│   └── twitter-nav.png
├── page_landing.php
├── page_landing2.php
├── README.txt
├── screenshot.png
└── style.css

Right off the bat, page_landing2.php sticks out to me. Let’s take a look.



Oh. Would you look at that fun. Time to see what this is doing.
First, I don’t like trying to read the garbled code, so I “prettify” it.


Ok, so let’s decode the above to make it readable.

There are a few interesting pieces here.



These interest me because they are making a call to a website to get additional payload/scripts. Let’s see what they are. =)

The first one, the pastebin link, shows me this garbled shit. What I really care about is the compressed base64 at the end.


So now I look at deobfuscating the compressed/base64 garbage… Here’s part of the file; my screen capture died when my computer automatically locked. [FIXME]

NOTE: Click on the image for a higher resolution. It’s like 62k pixels tall, lol.
What I’m interested in is the top of this file.


So again, base64-decoding and uncompressing that blob gives me the following file.


Going back for a minute to the previous garbled shit: the $plsym variable, which holds the compressed/base64 data, is decoded, decompressed and saved as a Perl file.
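The decode-then-decompress loop described above is mechanical enough to script. The following is an added example, my own triage script rather than code from the post or from the theme: it flags the indicators seen in this dropper (eval of a decoded string, gzinflate/base64_decode, a remote fetch from a paste site), pulls every long quoted base64 string out of a PHP file and peels base64 and deflate layers off it until a readable payload remains. The sample file it analyses is constructed inline (a harmless Perl stub wrapped the same way $plsym is wrapped); the indicator patterns and the placeholder pastebin URL are my assumptions, not values from the real sample.

```python
import base64
import re
import zlib
from typing import Dict, List, Optional

# Indicator table for obfuscated PHP droppers; the choice of patterns is mine, not the post's.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgz(?:inflate|uncompress|decode)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "remote_fetch": re.compile(r"\b(?:file_get_contents|fopen|curl_init)\s*\(\s*['\"]https?://"),
    "paste_site": re.compile(r"pastebin\.com", re.IGNORECASE),
}

# A quoted run of base64 alphabet (whitespace tolerated) long enough to carry a payload.
B64_STRING_RE = re.compile(r"['\"]([A-Za-z0-9+/=\s]{40,})['\"]")


def find_indicators(php_source: str) -> List[str]:
    """Names of the indicators present in the source, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(php_source)]


def decode_base64_text(data: bytes) -> Optional[bytes]:
    """Strict base64 decode; None when the bytes are not a base64 text blob."""
    stripped = re.sub(rb"\s+", b"", data)
    if len(stripped) < 8 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except ValueError:
        return None


def looks_like_text(data: bytes) -> bool:
    """True when nearly every byte is printable ASCII; a compressed stream never looks like this."""
    if not data:
        return False
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13))
    return printable / len(data) > 0.95


def inflate_any(data: bytes) -> Optional[bytes]:
    """Try the decompressors droppers use: gzuncompress (zlib), gzinflate (raw deflate), gzdecode (gzip)."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def peel_layers(blob: bytes, max_depth: int = 10) -> List[bytes]:
    """Alternate base64 decoding and decompression until nothing more peels off.
    Returns every layer, outermost first. Inflation is skipped for printable text so a
    bogus deflate decode of plain text cannot add a garbage layer."""
    layers = [blob]
    current = blob
    for _ in range(max_depth):
        nxt = decode_base64_text(current)
        if nxt is None and not looks_like_text(current):
            nxt = inflate_any(current)
        if nxt is None:
            break
        layers.append(nxt)
        current = nxt
    return layers


def analyse(php_source: str) -> Dict[str, object]:
    """Indicator hits plus the innermost layer of every embedded payload string."""
    payloads = []
    for m in B64_STRING_RE.finditer(php_source):
        blob = decode_base64_text(m.group(1).encode())
        if blob is not None:
            payloads.append(peel_layers(blob)[-1])
    return {"indicators": find_indicators(php_source), "payloads": payloads}


# Constructed stand-in for page_landing2.php: a harmless perl stub, raw-deflated, base64-encoded
# and wrapped the way the decoded theme file wraps $plsym. It is not the real sample.
INNER_PAYLOAD = b'#!/usr/bin/perl\nprint "constructed sample payload\\n";\n'


def build_sample() -> str:
    raw_deflate = zlib.compress(INNER_PAYLOAD)[2:-4]  # drop zlib header/trailer: what gzinflate() expects
    b64 = base64.b64encode(raw_deflate).decode()
    return (
        "<?php\n"
        f'$plsym = "{b64}";\n'
        "eval(gzinflate(base64_decode($plsym)));\n"
        '$more = file_get_contents("http://pastebin.com/raw/PLACEHOLDER");\n'  # placeholder, not a real paste
        "?>\n"
    )


if __name__ == "__main__":
    report = analyse(build_sample())
    print("indicators:", ", ".join(report["indicators"]))
    for payload in report["payloads"]:
        print("recovered payload:\n" + payload.decode(errors="replace"))
```

Point it at a real theme file by reading the file into analyse(); when the innermost layer is still binary, either the payload uses an encoding outside this table (str_rot13, custom XOR) or it is genuinely a binary drop, and a manual look at the outer PHP tells you which.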


At this point, I have everything I need to begin to follow this even deeper into the dark underworld. There are a few domains (which I didn’t highlight in this article, but you can find them in the screenshots) and some passwords.

Stay tuned… in the next update, I show you what happens when I infiltrate their command servers. Much fun!

Use YOURLs Shortlink with Xoogu's Simple Social Sharing Plugin

I installed Xoogu’s Simple Social Sharing Plugin and have been using it on my site for visitors to share content.  I also use YOURLs to create shortlinks to my posts.  To make Xoogu’s plugin use them, the YOURLs plugin I have installed is YOURLs Link Creator, which replaces the default shortlink with the YOURLs shortlink wherever wp_get_shortlink() is called.

Configure Xoogu Simple Social Sharing Plugin

  1. Go into Plugins > Editor in the Admin Panel of WordPress.
  2. Select the Xoogu Simple Social Sharing plugin
  3. Choose the xoogu_simpleSocialSharing.php file
  4. Look for the lines similar to the following:
    public function add_links($content){
        global $post;
        $links = $this->_options['links'];
        if(empty($links)){
            return $content;
        }
        $css = $this->_options['css'];
        $link = urlencode(get_permalink());
        $title=urlencode($post->post_title);
        $summary=get_post_meta( $post->ID, 'description', true);
        if(empty($summary)){
  5. Replace the line $link = urlencode(get_permalink()); with the following:
    $link = urlencode(wp_get_shortlink());
  6. Save the file

You’ll see in the screenshot below that the YOURLs shortlink is now working.  =)

Disqus WordPress Plugin Vulnerability

A vulnerability has been discovered in the Disqus plugin for WordPress allowing for Remote Code Execution. The Disqus plugin is used on nearly 2 million WordPress blogs.

Who is Vulnerable?

A remote attacker could successfully execute code on the server when all of the following software versions are in use:

  • PHP <= 5.1.6
  • WordPress <= 3.1.4
  • Disqus Plugin <= 2.75

How it Works

A specially crafted comment on a WordPress post, such as {${phpinfo()}}, followed by opening the comment synchronization URL http://www.example.com/?cf_action=sync_comments&post_id=TARGET_POST_ID, is all that is needed to execute remote code.
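For anyone who ran an affected version and wants to look back through their logs, the request pattern above is easy to match. The following is an added example, my own detection script and not part of the advisory: it parses combined-format access log lines, pulls the query string apart so the parameter order does not matter, reports every hit on the comment-sync action with its post_id, and separately flags comment text containing a PHP variable-interpolation opener. The log lines and comment strings are constructed for the demonstration; the IPs, timestamps and paths are not real traffic.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache combined format) for the demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2011:12:00:01 +0000] "GET /?cf_action=sync_comments&post_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2011:12:00:02 +0000] "GET /2011/06/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2011:12:00:03 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "curl/7.21"
203.0.113.5 - - [10/Jun/2011:12:00:04 +0000] "GET /index.php?post_id=42&cf_action=sync_comments HTTP/1.1" 200 510 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP variable-interpolation openers; ordinary comment text has no reason to contain either.
INTERP_RE = re.compile(r"\{\$|\$\{")


def has_php_interpolation(comment_text: str) -> bool:
    """True when a comment body carries a {$ or ${ opener (the shape of the payload in the advisory)."""
    return bool(INTERP_RE.search(comment_text))


def find_sync_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """(ip, timestamp, post_id) for every request to the comment-sync action, whatever the parameter order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query)
        if query.get("cf_action") == ["sync_comments"]:
            hits.append((m["ip"], m["ts"], query.get("post_id", [""])[0]))
    return hits


def sync_requests_by_ip(log_text: str) -> Dict[str, int]:
    """How many times each client triggered the sync action; a burst from one IP is worth a look."""
    return dict(Counter(ip for ip, _, _ in find_sync_requests(log_text)))


def flag_comments(comments: List[str]) -> List[int]:
    """Indexes of the comments whose text contains an interpolation opener."""
    return [i for i, text in enumerate(comments) if has_php_interpolation(text)]


if __name__ == "__main__":
    for ip, ts, post_id in find_sync_requests(SAMPLE_LOG):
        print(f"sync_comments from {ip} at {ts} for post_id={post_id}")
    print("per-IP counts:", sync_requests_by_ip(SAMPLE_LOG))
    # Constructed comment bodies: one benign, one shaped like the advisory's example.
    print("flagged comments:", flag_comments(["Nice post, thanks!", "{${phpinfo()}}"]))
```

The sync action is also requested legitimately, so a single hit is not proof of anything; a hit that lands shortly after a comment POST on the same post_id, from the same client, is the pairing to look at.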

How do I Fix It?

Log into your WordPress administration panel and update the Disqus plugin.
Make sure PHP is up-to-date with the latest version.

Feeling Blue

I’m not really feeling blue.  Blue just happens to be my favorite color.  When someone asks me “Rich, what is your favorite color?”, I respond with #336699.

You’ll notice I have been working on the website color.  This is a child theme I’m creating based on the WordPress Twenty Twelve theme.  So far, I’m liking it.  I have not decided which colors to use for link hover — it is red for now.

Add a Login/Logout Menu Item to WordPress Navigation Menu

This will add a Login or Logout (depending on state) to your WordPress navigation menu. I have one on mine now; makes it easy to quickly log in/out to test things.
Put the following in your child theme’s custom functions PHP file.

add_filter( 'wp_nav_menu_items', 'add_loginout_link', 10, 2 );
function add_loginout_link( $items, $args ) {
    // Append a Log Out link for authenticated users, otherwise a Log In link.
    // The URLs are escaped before being placed in the href attribute.
    if ( is_user_logged_in() ) {
        $items .= '<li><a href="' . esc_url( wp_logout_url() ) . '">Log Out</a></li>';
    } else {
        $items .= '<li><a href="' . esc_url( site_url( 'wp-login.php' ) ) . '">Log In</a></li>';
    }
    return $items;
}