• Yesterday I received an e-mail from someone telling me about an apache-attack coming from one of the servers I manage, which has been rather neglected for some time.

    Anyway, I searched for somewhat newer php files and I came across this metawp.php which resides in wp-includes. As far as I could see, on a default wp installation, there’s no file called “metawp.php”, only “meta.php”.
    This “metawp.php” is a huge one-liner, with the exception of the header, which looks like this:

    [ SNIP! ]

    I see there’s no option of uploading files here. Anyway, I’m trying to roughly understand this code and see exactly what is executing it.
    Any suggestions are greatly appreciated. As well as finding other dubious files.
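
An added example, not part of the original post and not WordPress code: one way to automate the search described above (recently changed PHP files, names such as metawp.php that a default installation lacks, and the "huge one-liner" shape). The baseline set, the thresholds and all function names are assumptions; the demo tree is constructed and contains only harmless filler.

```python
import os
import tempfile
import time


def find_suspect_php(root, baseline, max_age_days=30, long_line=2000, now=None):
    """Return {relative_path: [reasons]} for PHP files under root worth a manual look.

    baseline: set of relative paths taken from a clean copy of the same release
    (assumption: the caller builds it from a fresh download).
    """
    now = time.time() if now is None else now
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if rel not in baseline:
                reasons.append("not in baseline")
            if now - os.path.getmtime(path) < max_age_days * 86400:
                reasons.append("recently modified")
            with open(path, "rb") as fh:
                # A single enormous line is typical of packed or encoded code.
                if any(len(line) > long_line for line in fh):
                    reasons.append("very long line")
            if reasons:
                findings[rel] = reasons
    return findings


def build_demo_tree(root):
    """Create a constructed sample tree and return its known-good baseline."""
    inc = os.path.join(root, "wp-includes")
    os.makedirs(inc)
    core = os.path.join(inc, "meta.php")
    with open(core, "w") as fh:
        fh.write("<?php\n// constructed stand-in for a core file\n")
    old = time.time() - 400 * 86400
    os.utime(core, (old, old))  # pretend it was installed long ago
    with open(os.path.join(inc, "metawp.php"), "w") as fh:
        fh.write("<?php\n" + "x" * 5000 + "\n")  # harmless filler, one long line
    return {"wp-includes/meta.php"}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        known_good = build_demo_tree(tmp)
        for rel, why in sorted(find_suspect_php(tmp, known_good).items()):
            print(rel, "->", ", ".join(why))
```

Modification times can be reset by whoever wrote the file, so the baseline comparison is the more reliable of the three signals.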

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter quas

    (@quas)

    I’m not really interested in doing that too fast – fixing the site. I’m more interested in understanding the code, as I said, roughly, given that I’m not a programmer. Is there any way I can get that kind of help here? I’m trying to understand what the chain of events is and how this whole thing is being triggered.

    P.S. Your condescending pieces of advice (coffee, breath) really soothe me.

    • This reply was modified 6 years, 2 months ago by quas.
    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    It’s not condescending… it’s practical. Many folks with malware infections arrive here in a virtual state of breathlessness. It’s a pat on the shoulder and a hint that things will (probably) work out alright.

    Anyhow, these fora are for tech support — for fixing things — and not really for taking apart base64 code and understanding how it works. Follow the blogs at sucuri.net and wordfence.com for some really good writing on how these things work.

    Thread Starter quas

    (@quas)

    I’m not worried. This is a situation I was, in a way, thrown into. That’s exactly why I’m trying to understand better what is going on in order to shield myself more easily in the future and do it as non-mechanically as possible.

    Ok, I might have interpreted your advice wrongly. In this clearer context I get it.

    I’ll take a good look at those two links. I’ve already looked at sucuri sites, I’m going to take another look there too.

    Thanks for clearing things up, anyway.

    • This reply was modified 6 years, 2 months ago by Jan Dembowski.
    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress, this is not an Everything else WordPress topic.

    Also do not post malware code in these forums. I’ve removed that from your post.

  • The topic ‘malware on wordpress installation’ is closed to new replies.