checkandall.php added to WordPress root directory

After logging into one of my WordPress sites today, the Sucuri plugin reported the following file added:

01/04/2015 - new file added checkandall.php (size: 592)

This sits in the root of the server and contains the following code:

<?php
error_reporting(0); // hide any warnings the scan would otherwise emit
function getlistfiles($folder, &$all_files) {
    $fp = opendir($folder);
    while ($cv_file = readdir($fp)) {
        if (is_file($folder . "/" . $cv_file)) {
            // record the directory (as "dir/*") once it is known to be writable
            if (is_writable($folder)) {
                $all_files[] = $folder . "/*";
            }
        } elseif ($cv_file != "." && $cv_file != ".." && is_dir($folder . "/" . $cv_file)) {
            getlistfiles($folder . "/" . $cv_file, $all_files); // recurse into subdirectories
        }
    }
    closedir($fp);
}
$all_files = array();
getlistfiles("/var/sites/w/www.mydomain/public_html/", $all_files);
$result = array_unique($all_files);
print_r($result);
?>

Can someone with more PHP experience please explain what this is doing? I assume it's a file that has been injected to monitor the rest of the WordPress site.

Other actions that concern me:

01/04/2015 - plugin deleted: PHP Code for Posts (v1.2.0; php-code-for-posts/phppostcode.php) - not actioned by me

01/04/2015 - plugin deactivated: Sucuri Security - Auditing, Malware Scanner and Hardening - not actioned by me

01/04/2015 - media file added; identifier: 328; name: maink.php; type. - not actioned by me

01/04/2015 - plugin installed: maink.php - not actioned by me

Luckily, the host takes daily, offsite backups, so I can restore. I'm curious to understand how this happened and what the effect of the hack would be.

This script is getting a list of the files in the directories under a specific base directory ("/var/sites/w/www.mydomain/public_html/" in this case), and prints a list of the writeable directories to the screen. An attacker could use this to find places to upload new scripts to, and use those to perform further attacks.

It looks like someone got administrative access to the WordPress site and is using it to upload other scripts to do more damage. The plugin that was installed opens further vulnerabilities for the attacker to exploit. Take the server offline, restore from backups, change the database and WordPress admin credentials, and update WordPress to the latest version.

Take a look at this: http://www-personal.umich.edu/~markmont/awp/
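As an added example (not part of the original question or answer), here is the same audit done from the defender's side: it lists the directories the current user can write to, which is what checkandall.php enumerates for the attacker, and flags PHP files under wp-content/uploads, where a "media file" such as maink.php should never exist. It assumes POSIX sh and find, that the WordPress root is passed as the first argument, and that you run it as the web-server user so the writability test reflects that account; the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a WordPress tree from
# the defender's side: the injected checkandall.php lists directories the
# web-server user can write to; this does the same so you can tighten them,
# and it also flags PHP files under wp-content/uploads, where a "media file"
# like the maink.php in the question should never exist.
# Assumptions: POSIX sh and find; run it as the PHP/web-server user
# (for example via sudo -u www-data) so the -w test reflects that account.
# Note that as root every directory is writable, so the first check is moot.

# Print every directory under $1 the current user can write to, one per line.
writable_dirs() {
    find "$1" -type d 2>/dev/null | while IFS= read -r d; do
        if [ -w "$d" ]; then printf '%s\n' "$d"; fi
    done | sort
}

# Print PHP files under the uploads tree; legitimate media never needs them.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# Constructed sample tree so the checks run offline; then audit it.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2015/04" "$root/wp-includes"
    printf '<?php\n' > "$root/wp-content/uploads/2015/04/maink.php"   # planted file (constructed)
    printf 'jpeg' > "$root/wp-content/uploads/2015/04/photo.jpg"      # harmless media
    chmod 555 "$root/wp-includes"                                     # read-only for us
    echo "Writable directories under $root:"; writable_dirs "$root"
    echo "PHP files in uploads:"; php_in_uploads "$root"
    chmod 755 "$root/wp-includes"; rm -rf "$root"
}

demo
```

Anything php_in_uploads prints is a planted file to quarantine, and any directory writable_dirs lists outside wp-content/uploads is a candidate to make read-only for the web-server user before the site goes back online.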
