checkandall.php added to WordPress root directory -


after logging 1 of wordpress sites today, securi plugin has reported following files added:

01/04/2015 - new file added checkandall.php (size: 592)

this sits on root of server , contains following code: 

<?php error_reporting(0); function getlistfiles($folder,&$all_files){     $fp=opendir($folder);     while($cv_file=readdir($fp)) {         if(is_file($folder."/".$cv_file)) {         if(is_writable($folder)){             $all_files[]=$folder."/*";             }         }elseif($cv_file!="." && $cv_file!=".." && is_dir($folder."/".$cv_file)){             getlistfiles($folder."/".$cv_file,$all_files);         }     }     closedir($fp); } $all_files=array(); getlistfiles("/var/sites/w/www.mydomain/public_html/",$all_files); $result = array_unique($all_files); print_r($result); ?>

can more php experience please explain doing? assume it's file has been injected monitor rest of wordpress site.

other actions concern me:

01/04/2015 - plugin deleted: php code posts (v1.2.0; php-code-for-posts/phppostcode.php) - not actioned me

01/04/2015 - plugin deactivated: sucuri security - auditing, malware scanner , hardening - not actioned me

01/04/2015 - media file added; identifier: 328; name: maink.php; type. - not actioned me

01/04/2015 - plugin installed: maink.php - not actioned me

luckily, host daily, offsite backups, can restore. i'm curious understand how happened , effect of hack be.

this script getting list of files in directories specific base directory("/var/sites/w/www.mydomain/public_html/") in case, , prints list of directories writeable screen. attacker find places upload new scripts to, use perform further attacks.

it looks got administrative access wordpress site , using upload other scripts more damage. plugin installed opens further vulnerabilities attacker exploit. take server offline, restore backups, change database , wordpress admin credentials, update wordpress latest version.

take @ this: http://www-personal.umich.edu/~markmont/awp/


Comments

Post a Comment

Popular posts from this blog

javascript - AngularJS custom datepicker directive -

i make custom datepicker directive custom template. but have no idea how start building it... how include date data directive? i appreciate guide or give me advice work on more precisely. it might you! follow below steps html code sample: <label>birth date</label> <input type="text" ng-model="birthdate" date-options="dateoptions" custom-datepicker/> <hr/> <pre>birthdate = {{birthdate}}</pre> <script type="text/ng-template" id="custom-datepicker.html"> <div class="enhanced-datepicker"> <div class="proxied-field-wrap"> <input type="text" ui-date-format="yy-mm-dd" ng-model="ngmodel" ui-date="dateoptions"/> </div> <label> <button class="btn" type="button"><i class="icon-calendar"></i>
Read more

javascript - jQuery date picker - Disable dates after the selection from the first date picker -

<!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>jquery ui datepicker - default functionality</title> <link rel="stylesheet" href="//code.jquery.com/ui/1.11.4/themes/smoothness/jquery-ui.css"> <script src="//code.jquery.com/jquery-1.10.2.js"></script> <script src="//code.jquery.com/ui/1.11.4/jquery-ui.js"></script> <link rel="stylesheet" href="/resources/demos/style.css"> <script> $(function () { $("#datepicker1").datepicker(); }); </script> <script> $(function () { $("#datepicker2").datepicker(); }); </script> </head> <body> <p>date 1: <input type="text" id="datepicker1"></p> <p>date 2: <input type="t
Read more