[resolved] malicious 96.php in wordpress (4 posts)

  1. Abdessamad Idrissi
    Posted 5 years ago #

    Hi there,
    I was googling the last time and found some links to a "96.php" file on my website. I opened that file (which is in the root folder) and it contains three instances of the function:
    <? eval(gzuncompress(base64_decode('eNqdWNt....'))); ?>
    I don't know what the idea behind it is, but I found links to this file in my website referenced by Google; when you click on it, it redirects to another malware Java app website!
    I searched the plugins I have installed in my website but couldn't find any fugitive :(
    I have these plugins:
    * akismet
    * contact-form-7
    * download-monitor
    * easy-fancybox
    * flipping-team
    * nextgen-gallery
    * wassup

    Here's the query to reproduce this bug:
    My website is villagedurable dot org

  2. Abdessamad Idrissi
    Posted 5 years ago #

    I checked my other blogs and found it there too!

    The name now is 51.php, with the same scenario as above.

    This is a serious security hole!

  3. Abdessamad Idrissi
    Posted 5 years ago #

    One of the files I found in the logs mentions a URL: pzyilmog.cw.cm (reported as a risky site by Firefox)

    I verified all my domains and found this "virus/trojan" in installations that use WordPress; other domains that don't use the WordPress platform are not infected by this. This leads to a fact that this virus uses WordPress as a means to write to the root directory of a website hosting WordPress.
    So to conclude, this is a high security hole in WordPress that we should fix. I'll inspect more to try and find out how these b*****ds got in :(

  4. Abdessamad Idrissi
    Posted 5 years ago #

    This is not related to WordPress; so far it is said that it's a virus getting access to FTP accounts on your machine.

    Same symptoms are described in this post
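
A detection sketch for the pattern described in this thread, added here as an example and not posted by any participant: it walks a web root and flags PHP files that contain `eval(` wrapped around decoder calls, plus short all-digit file names in the root such as 96.php and 51.php. The names `scan_webroot` and `build_sample` and the sample files are constructed for illustration, and the decoder list goes beyond the `gzuncompress`/`base64_decode` pair quoted in the first post.

```python
import re
import tempfile
from pathlib import Path

# eval( followed by one or more nested decoder calls, as in the snippet from post 1.
# gzinflate and str_rot13 are added here as common variants (an assumption, not from the thread).
OBFUSCATED_EVAL = re.compile(
    rb"eval\s*\(\s*(?:(?:gzuncompress|gzinflate|base64_decode|str_rot13)\s*\(\s*)+",
    re.IGNORECASE,
)
# Short all-digit names like the 96.php and 51.php reported in the thread.
NUMERIC_NAME = re.compile(r"^\d{1,3}\.php$", re.IGNORECASE)

def scan_webroot(root):
    """Return {relative_path: [reasons]} for suspicious PHP files under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        if not path.is_file():
            continue
        reasons = []
        hits = len(OBFUSCATED_EVAL.findall(path.read_bytes()))
        if hits:
            reasons.append(f"obfuscated eval x{hits}")
        # Name check applies only to files sitting directly in the web root.
        if path.parent == root and NUMERIC_NAME.match(path.name):
            reasons.append("numeric file name in web root")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def build_sample(root):
    """Write a small constructed web root: one dropper-style file, two clean ones."""
    root = Path(root)
    # Constructed placeholder payload; the blob in the post is truncated and not reused.
    stub = b"<? eval(gzuncompress(base64_decode('AAAA'))); ?>\n"
    (root / "96.php").write_bytes(stub * 3)
    (root / "index.php").write_bytes(b"<?php require 'wp-blog-header.php';\n")
    plugin = root / "wp-content" / "plugins" / "akismet"
    plugin.mkdir(parents=True)
    # A plain base64_decode call without eval must not be flagged.
    (plugin / "akismet.php").write_bytes(b"<?php $x = base64_decode($y);\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, reasons in scan_webroot(tmp).items():
            print(name, "->", "; ".join(reasons))
```

Since the last post attributes the files to stolen FTP credentials rather than a WordPress flaw, a hit from a scan like this is a reason to rotate FTP passwords and check the other sites on the same account, not only to delete the file.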

Topic Closed

This topic has been closed to new replies.