Caught Hacking File that modifies and damages WP via backdoor

Hello,

I managed to track down the vulnerability .. It involves a rfi exploit inside the WordPress Download Manager plugin.
the malicious code to be evaluated -> https://pastebin.com/r95QVeXE

Please consult following link for security update:
https://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html

First RevSlider and now these. Interesting. Thank you for the info rawcoder!

oh, you also have to remove line 9 from the script you pasted:
$code_inject_sape = //malicious code//

.. and try to look for other obfuscated code blocks ( eval(base64_decode(..) ) .. generally when you can’t read that code, someone is trying to hide something ??

I found them all, I’m just doing a quick brush up on them.

However, the beautiful thing is I’m lucky the main file wasn’t deleted, and I can track all the locations the hacks occured, including the footer of every theme.

This hack is quite annoying!

Here are some useful commands/information for anyone interested in targeting some files

Locate files modified on December 31, 2013 at 4:17 GMT. The command for such hack can be found at:

touch("wp-optionstmp.php", mktime(12, 17, 11, 12, 31, 2013));

Some hacks occurred on this date: October 25 2013

Weird hack involving auth and humungous base64 code

$auth_pass = "63a9f0ea7bb98050796b649e85481845";
$default_charset = 'Windows-1251';

Find files between certain times

find public_html/ -newermt 2013-10-25 ! -newermt 2013-10-26 -ls

Find files affected by hacks

grep -rnw public_html/ -e "<!-- Begin WordPress Cache (DO NOT MODIFY) -->"

Find all instance where eval base64 code occurs

grep -rnw public_html/ -e "eval(base64_decode("