WordPress.org


Forums

wordpress 3.3.1 hacked (3 posts)

  1. waltercarbone
    Member
    Posted 2 years ago #

    The hacker can create a file in the WordPress directory or in the wp-admin directory. The filename is always wnnnnnnnnw.php where n is a number, for example: w80998004w.php
    This file contains the WSO shell 2.5.

    Finally I found how the hacker can create this file.
    He sends a POST command to the web server:
    (you can find all parameters here: http://pastebin.com/FtSLxHQQ )

    [a] => Php
    [ajax] => true
    [p1] => eval(base64_decode(str_replace(chr(32),chr(43),$_POST[chr(99)])));
    [c] => TOO BIG TO PUT HERE
    [showimg] => ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7
    [w] => ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnYyddKSk7

    Ok, if the permissions are correctly set, the file can't be created.
    But I think there is a bug somewhere.

  2. deepbevel
    Member
    Posted 2 years ago #

    Make sure you don't have any old plugins, and your wp install is up to date of course.

    how-to-completely-clean-your-hacked-wordpress-installation/

  3. Sven D.
    Member
    Posted 2 years ago #

    The hacker had full read and write access to your server via the wso shell.

    What plugins do you have? (any old versions of timthumb.php?)
    What server do you have (Linux, Windows, etc.)?
    PHP version?

    You might want to make a new backup and compare it with the previous backup, to check for extra files etc (file dates might have been manipulated).

    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://sitecheck.sucuri.net/scanner/

    Please also report this to the WordPress team and your server host.

    BTW the files created are not w80998004w.php but w80998004t.php (there are always eight random numbers in the name), but this can be changed by the hacker.
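
A file-system sweep for the indicators described in this thread, as an added example that is not part of any poster's message: it flags .php files named like w80998004w.php / w80998004t.php and files containing the eval(base64_decode( stub, either in plain form or base64-encoded as in the [showimg] and [w] parameters. The function names, the open final letter in the filename pattern and the 24-character minimum for base64 runs are assumptions of this example.

```python
import base64
import os
import re
import sys

# Filename shape from the thread: "w", eight digits, one letter (assumed free), ".php".
NAME_RE = re.compile(r"^w\d{8}[a-z]\.php$", re.IGNORECASE)
# The eval(base64_decode( stub seen in the [p1] parameter, whitespace-tolerant.
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)
# Base64 runs that may hide the same stub; the 24-char minimum is an assumption.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def content_reasons(text):
    """Return the reasons a PHP source or request-parameter string looks suspicious."""
    reasons = ["eval(base64_decode("] if EVAL_RE.search(text) else []
    for token in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        if EVAL_RE.search(decoded.decode("latin-1")):
            return reasons + ["base64-encoded eval(base64_decode("]
    return reasons


def scan_tree(root):
    """Walk root and return {relative_path: [reasons]} for suspicious .php files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            reasons = ["filename pattern"] if NAME_RE.match(name) else []
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    reasons += content_reasons(fh.read())
            except OSError as exc:
                reasons.append("unreadable: %s" % exc.strerror)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


if __name__ == "__main__":
    for rel, why in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print("%s: %s" % (rel, ", ".join(why)))
```

Hits are leads for manual review, since some legitimate code also uses these calls; comparing against a clean backup, as suggested in the thread, confirms them.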

Topic Closed

This topic has been closed to new replies.
