WordPress.org

wp-admin.php EXPLOIT in WordPress Root! (8 posts)

  1. Shakhawat
    Member
    Posted 4 years ago #

    I scanned my whole WordPress site (www.kavkisfile.com) with WordPress Exploit Scanner and found an exploit (wp-admin.php, size 47 KB) in my WordPress root.

    What should I do?

    [Mod Note: Script removed.]

  2. ClaytonJames
    Member
    Posted 4 years ago #

    Your web space/server has been hacked. The same or similar as this:

    c99madshell v. 2.0 madnet edition

    Webbased shell for administration your resources
    Credits:
    Start coding by CCTeaM.
    Edited and Finished by MADNET
    ICQ 751777

    Start here FAQ My site was hacked

  3. ClaytonJames
    Member
    Posted 4 years ago #

    Here is an interesting article. One of many. You may want to speak with your host and advise them of your situation.

    http://www.derekfountain.org/security_c99madshell.php

  4. ClaytonJames
    Member
    Posted 4 years ago #

    Would a mod be kind enough to take a look at the encoded script at the top of the page, please, and see if it might merit a partial or complete redaction due to the nature of the obfuscated content?

    Thanks!

  5. Shakhawat
    Member
    Posted 4 years ago #

    Thanks for the info.

    Is my MySQL database infected by this exploit?

  6. Inspired2Write
    Member
    Posted 4 years ago #

    Your database very well could have been compromised. You may want to go into your phpMyAdmin and take a look at your database. Also, look for possible rogue users in the profiles and the meta profile areas. You could also do a search for some of the code, like eval and base64_decode, and see what you come up with.

    If the exploit scanner revealed it is in your admin php files, it doesn't mean it's the only place that's been affected.

    By the way, I didn't notice if you stated whether or not you notified your host, plus be sure to immediately change all your passwords to good strong ones. Good luck. You have your work cut out for you!

  7. Shakhawat
    Member
    Posted 4 years ago #

    I re-installed only the WordPress core files and changed the cPanel, WordPress, and MySQL passwords. Anyway, I guess my database table (prefix_options) is infected, because it looks suspicious to me.

    I have my full database backup, but I want to restore only the *_options table. How do I do that?

  8. Inspired2Write
    Member
    Posted 4 years ago #

    shakhawat_jaheed,

    Database stuff isn't a strong area of experience for me, so I'm not the best one to provide assistance. If you haven't already taken a look at these, you may find them helpful if you haven't done a database restore from a backup before.
    http://www.tamba2.org.uk/wordpress/restore/
    http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    My assumption is that you should be able to drop just the wp_options, and then restore just that portion, but again, I'm not the one to ask. Maybe one of those links above might be of help until someone else here can give you some assistance.
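
An added example, not part of the thread and not WordPress code: one way to pull only the options table out of a full mysqldump-style backup and check that section for the `eval` / `base64_decode` strings mentioned above before loading it. The table name `wp_options`, the function names and the sample dump are assumptions constructed for illustration.

```python
import re

# Constructed sample backup in mysqldump layout; the third options row is a
# harmless stand-in for injected content.
SAMPLE_DUMP = """--
-- Table structure for table `wp_options`
--
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_name` varchar(191), `option_value` longtext);
--
-- Dumping data for table `wp_options`
--
INSERT INTO `wp_options` VALUES ('siteurl','http://example.test'),('blogname','Demo'),('constructed_opt','eval(base64_decode(CONSTRUCTED_SAMPLE))');
--
-- Table structure for table `wp_posts`
--
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (`ID` bigint, `post_content` longtext);
INSERT INTO `wp_posts` VALUES (1,'hello');
"""

# mysqldump opens every table's section with this comment line.
SECTION = re.compile(r"^-- Table structure for table `([^`]+)`", re.M)
# The two strings named in the thread, matched only when used as a call.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode)\s*\(", re.I)

def extract_table(dump, table):
    """Return one table's DROP/CREATE/INSERT statements, or '' if it is absent."""
    marks = list(SECTION.finditer(dump))
    for i, m in enumerate(marks):
        if m.group(1) == table:
            end = marks[i + 1].start() if i + 1 < len(marks) else len(dump)
            return dump[m.start():end].rstrip("-\n") + "\n"
    return ""

def suspicious_hits(sql):
    """Return (token, surrounding text) for each eval( / base64_decode( found."""
    return [(m.group(1).lower(), sql[max(0, m.start() - 20):m.end() + 20])
            for m in SUSPICIOUS.finditer(sql)]

if __name__ == "__main__":
    section = extract_table(SAMPLE_DUMP, "wp_options")
    hits = suspicious_hits(section)
    for token, context in hits:
        print(f"review before restoring: {token} near ...{context}...")
    if not hits:
        print(section)  # clean: this SQL can be loaded to replace only wp_options
```

A backup taken after the compromise can carry the same injected rows, so a section that produces hits should be reviewed by hand before it is restored.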

This topic has been closed to new replies.