1

I have enough security that I was alerted to a PHP backdoor that was uploaded to a WordPress site hosted on one of my servers. It was removed within minutes of being uploaded so no damage was done. No other sites show abnormal file uploads and have been checked for extra files and any files that were recently changed or added. It seems that only one site was affected. I was thinking that maybe the new WP or the theme has a bug that allows someone to upload files.

My main question is how can someone upload a file to a server without FTP or access to WordPress to upload it. I found the first uploaded file in the root of the directory.

I have already scanned and clean the site so now I just would like to figure out how they uploaded the file.

Pure Geek
  • 11
  • 3
  • The link to the article lists ZenCart which is not what I am using. I looked through the linked article and it does not have the answer I am looking for. – Pure Geek May 30 '16 at 23:43
  • 1
    The article is a reminder, more that if a file was modified in a system path and that all your app are up-to-date, then how you actually know your server is not rooted ? can you put sensible data on it now ? In enterprise when that happen, a format is done and we restart. To know how they entered is good, to prevent other case, but the fact is that they already entered your server. – yagmoth555 May 30 '16 at 23:58
  • Usually someone exploits a bug in a WordPress plugin to upload a php script to your wp-content/uploads folder. They then call that php script which further exploits the server (downloading & executing more backdoors, rootkits etc or accessing sensitive data). Make sure your WordPress installation and all plugins are updated, and file permissions are correctly set but consider restoring the entire server from known good backups. – Dan Jun 02 '16 at 23:03
  • After combing through the log file I found the point of entry, a plugin that was used and is commonly used on many many sites, the attacker was actually a bot – Pure Geek Jun 03 '16 at 03:35

0 Answers0