Answer the question
In order to leave comments, you need to log in
Incomprehensible game on sites from one hosting. wp-signups.php what's going on?
A WordPress-managed site has a file called wp-signups.php with completely incomprehensible content. It is wp-signuPS, not wp-signuP. It appeared not only on a site managed by WordPress, but also on other sites that have nothing to do with WordPress, but are on the same hosting account and do not overlap with each other.
There is some strange code in this file and I do not understand what function it performs. I can’t fully insert this code right here due to the character limit, so I’ll post it at the link .
In addition to the fact that this code is in the wp-signups.php files, it is also in the index.php files at the very top.
As far as I understand, in the $OoooOO0 variable
$OOOOOO = '8111m3';$OOOOOO="%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c";
alphabet and numbers? And then the values of other variables are filled from this $OOOOOO array, or what happens in general? I don’t understand yet, but there were suspicions that the sites were hacked and set up redirects under certain conditions, and to make it as incomprehensible as possible - did they bring the code to such a confused look? Answer the question
In order to leave comments, you need to log in
Usual obfuscated shellcode.
At the end of the code, you can see a call to curl, and then fopen () + fwrite () - i.e. the shell is able to download content from the specified URL and write it to the specified file on the infected host, presumably for further execution.
delphinpro correctly wrote in the comments: check the modification date of the files (if the hacker is lazy, he did not correct it and the infected files will be newer), delete the shell code from everywhere.
I will also add: read the web server logs for requests to infected files, look for the hosts that accessed (probably Chinese proxies). Then look for all requests from these hosts - if you're lucky, you will understand how you were broken. And in any case, update WordPress to the latest version if it's not already.
The site has been hacked, filled with some kind of malware.
Perhaps he is not alone,
1. you need to find and fix the vulnerability through which he was flooded
2. Clean out the malware.
1. Look where the file appeared before, this will be a leaky site.
2. Look at the logs, you might be lucky and see where the file is accessed from, and there you will see where else they are accessing from that address. So you will understand where to look for a hole.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question