LeedsInk

Thank You. I should learn to research a little more. Didn’t see that when I looked. Thanks again.

Thanks a lot. Worked perfectly.

Hi NortonT, The file you’ve pasted is an automated script that looks for vulnerabilities in older wordpress versions, I don’t think this is the only file that’s been installed, this is usally the last. Have a look for other files you don’t recognise, for a start you’ll have one in your etc/ folder called passwd.dic, you may also find other php and html files.

Do you by any chance have anything added to your footer on your home page? View the source code of your site and scroll to the bottom for anything you don’t recognise.

I’ll assume now that you’re not using the latest version of WordPress? Possibly prior to version 3? First thing I would do is change your FTP password to something more secure. As it appears that they managed to bruteforce it using the words contained within passwd.dic.

I would then scan your home computer using Malware Bytes in Safe Mode. (Assuming you use Windows) as it’s possible that they obtained your username and password from your PC.

If you work at normal times of the day, look in your FTP for when the files were last modified, assuming you’ve not overwritten them. And try to find any other files around the same time. Make sure you view hidden files and folders, and check your htpasswd file and other admin files.

Hope this helps. If you want more info then do a google search for Web Shell by Orb for other cases of the same attack.

Not that it’ll make any difference, but the md5 hash on line 6 is ‘dasha’.