I’ve seen things like this a bit lately on a few of our WordPress installs:
The plugin ../../../.../wp-content/uploads/2009/06/wp-cache.old has been deactivated due to an error: Invalid plugin path.
At first I thought it was just a glitch, but today I checked out the file itself and found that it’s a plugin file containing encoded text. It claims to be a plugin called “HTML Code Filter”, though the actual body of the plugin is encoded somehow.
I’ve zipped up one of these infections in the hopes someone more skilled can figure out what it’s doing and how it got there.
You can download it at http://www.alderac.com/wp-hack.zip
I’ve changed my uploads folders to 775 (rather than 777) hoping this will stop the attack, but I don’t know enough about this to know for sure. Does anyone know how they could be uploading a file to my uploads (and sub-folders!) folder without admin access?
We’re hosted on a dedicated Linux server running Apache/cPanel/WHM, PHP 5.2.9, Apache 2.2.11, MySQL 5.0.81.
There are several different filenames of this attack, including wp-cache.old, wp-cache.cache, wp-cache.bak, wp-db-backup.cache, and one named after an image I had uploaded but with .jpg replaced with .cache
I haven’t seen anything adverse from this yet, but I may have caught it early. Or it could be hidden and I haven’t found it yet.
- The topic ‘Hacker uploading malicious plugin to uploads folder’ is closed to new replies.
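A defender-side sweep for the pattern described in the post, as an added example that is not part of the original post: it flags files under the uploads folder that have an unexpected extension or contain a PHP tag or plugin header, and active-plugin entries that contain `..` or do not end in `.php`. The extension allowlist, the function names and the sample entries are assumptions made for illustration.

```python
import os
import re

# Assumed allowlist of extensions a site expects under wp-content/uploads.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip", ".mp3"}
# A PHP open tag or a WordPress plugin header comment near the start of a file.
CODE_MARKERS = re.compile(rb"<\?php|Plugin Name\s*:", re.IGNORECASE)


def scan_uploads(uploads_dir, head_bytes=8192):
    """Map relative path -> list of reasons for each suspicious file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(uploads_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if os.path.splitext(name)[1].lower() not in MEDIA_EXT:
                reasons.append("unexpected-extension")
            try:
                with open(path, "rb") as fh:
                    if CODE_MARKERS.search(fh.read(head_bytes)):
                        reasons.append("code-marker")
            except OSError:
                reasons.append("unreadable")
            if reasons:
                findings[os.path.relpath(path, uploads_dir)] = reasons
    return findings


def bad_plugin_entries(active_plugins):
    """Return active-plugin entries that are not plain relative paths to .php files."""
    bad = []
    for entry in active_plugins:
        parts = entry.replace("\\", "/").split("/")
        if ".." in parts or parts[0] == "" or not entry.lower().endswith(".php"):
            bad.append(entry)
    return bad


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/uploads"
    for rel, why in sorted(scan_uploads(root).items()):
        print(rel, ",".join(why))
    # Constructed sample of the entries stored in the active_plugins option.
    sample = ["akismet/akismet.php", "../uploads/2009/06/wp-cache.old"]
    print(bad_plugin_entries(sample))
```

Run it with the path to the uploads folder as the first argument; the plugin list would come from the site's `active_plugins` option rather than the constructed sample.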