web dev & more!

Status Update + wp-class.php backdoor

Published: September 15, 2015

It’s been a very long time since I’ve written anything, and I’m really sorry about that. This summer has been crazy, but I know that’s not an excuse. That being said, I have a new job now, so I’m not putting in as much time with WordPress as I’d like to. I’m working with a different framework (Yii2, still PHP) now and WordPress development may become something more like a hobby for me. I still have plans to develop some more plugins, but being realistic, those things might not happen until the cold winter falls and I’m stuck indoors for 9+ months. Such is life in the tundra of ND. Also, security and penetration testing have fallen on my radar so there may be more blog posts about things like that. Actually, this is a great post to lead into that, so let’s talk about security.

A long while back, I found another compromised site, and it being my job to clean it up, I had to do some dirty work by getting into a few files. While I was doing that, I found this little guy. It was so obfuscated that I almost just deleted it and left it at that, but I’m glad I didn’t. I cleaned it up, and made it legible so take a look at it.

This file, is pretty cool actually. It’s basically a backdoor to read, write, and delete anything on the file system. It has a file system browser built in, plus a few tools to execute code, and some others to analyze the system it’s on. Basically, once somebody gets this onto your system, they’re making their life easier to make your life harder. All of the things this file does, could be done with other tools, but how great is it to have one file do it all on the target system? Plus, if you’ve got a bot crawling known exploits on systems anyways, it’d be even easier to just have it drop this little devil on the target for you so you can come back later. It also helps that it was called wp-class.php (not a real WordPress file), because nobody would think to delete something that sounds that important.

Jesse, over at blackdoorsec.blogspot.com, did a nice write up on this file, and posted some comments on it line by line. I definitely recommend taking a look at his post. He’s much more thorough than I was here.