0

Found this on a WordPress server under the filename wp-includes/class-wp-image-editor-fd.php when WordFence picked it up as being an unexpected file.

Link to source is here: https://pastebin.com/DWe4d33K

Very clearly looks like malware due to the classic obfuscation. VirusTotal gave me no detections: https://www.virustotal.com/gui/file/bac2bb4d0dac58e5563b47e6e63f3b332caba11da065861269e87ebc249f34e9/detection

I tried using deobfuscation tools to no avail. This isn't really more forte so I'm hoping someone with more experience can help me figure out what this code does and how it might have been triggered by an attacker.

All help is very much appreciated as it'll be huge for understanding what kind of access may have been gained.

returneax
  • 552
  • 2
  • 8
  • I actually tried the suggested tools in that post to no avail. My question is specific to the malware I found. Also it's currently FUD on virustotal. – returneax Jun 03 '19 at 02:46
  • 1
    Unfortunately, that other post exists because we are not a code review/de-obfuscation site. Else we would be flooded with random strings to decode. – schroeder Jun 03 '19 at 09:26
  • Fair enough @schroeder that policy makes sense to me. Should I take some action to close the question or leave it as is? – returneax Jun 03 '19 at 17:48
  • No action needed on your part. It is closed. – schroeder Jun 04 '19 at 09:22

1 Answers1

1

I did this myself. By essentially replacing eval's with echo's I was able to peel away enough layers until I reached the ugly webshell underneath. Appears to be the FilesMan webshell. This blog post matches the code I'm seeing pretty well: http://blog.codeguard.com/malwaregone-threat-analysis-wso-filesman-backdoor/

returneax
  • 552
  • 2
  • 8