WordPress theme's cache folder compromised

#1 bimalpoudel (SitePoint Addict, Kathmandu, Nepal, joined Feb 2009):

    I found a malware file uploaded to the server, through WordPress's file upload feature or something else.
    And soon it had spread to multiple locations with different file names.

    It was 4,325 bytes in size and had an MD5 hash of f6500d327f40da301cbec3779e8e4103.
    Further, I detected that it was also running on the server via a shell script and doing mischievous things.

    The entry in the "ps aux" command list showed a path something like this:
    /usr/bin/php /home/PATH/wp-content/themes/NAME/cache/BADNAME.php

    Now the problem is:

    Can I list the files that match the given MD5 hash? Because even if the file was renamed, the hash should be the same.
    I want to remove them from the server, scanning it entirely.
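For the question in post #1, an added example that is not part of the thread: a shell listing of every file under the web root whose MD5 equals the quoted hash, whatever it has been renamed to, plus a quarantine step that moves matches out of the web root instead of deleting them. It assumes a Linux host with GNU coreutils (find, md5sum, awk); the web-root path is a placeholder, and the hash and size are the ones given in the post.

```shell
#!/bin/sh
# Added example, not code from the thread: locate every file under a web root
# whose MD5 digest equals a known-bad hash, whatever the file is named.
# Assumes Linux with GNU coreutils (find, md5sum, awk). The web root below is
# a placeholder; the hash and size are the ones quoted in the first post.

BAD_MD5='f6500d327f40da301cbec3779e8e4103'
BAD_SIZE=4325          # bytes; identical content has identical size, so a cheap prefilter
WEB_ROOT='/home/PATH'  # placeholder, not a real path

# find_by_md5 ROOT HASH [SIZE]
# Prints the path of each regular file under ROOT whose MD5 is HASH.
# With SIZE, only files of exactly SIZE bytes are hashed (far less I/O on a
# large site). Exact-content matches only: a copy with one byte changed, or
# a backdoor spliced into an existing file, has a different hash and is not
# reported here.
find_by_md5() {
    root="$1"; want="$2"; size="${3:-}"
    if [ -n "$size" ]; then
        find "$root" -type f -size "${size}c" -exec md5sum {} + 2>/dev/null
    else
        find "$root" -type f -exec md5sum {} + 2>/dev/null
    fi | awk -v h="$want" '
        # md5sum prints "<hash>  <path>" (or "<hash> *<path>" in binary mode);
        # keep the path of lines whose hash field equals the wanted hash.
        $1 == h { sub(/^[^ ]+ [ *]/, ""); print }'
}

# quarantine_matches ROOT HASH QDIR
# Moves each match into QDIR (mode 0700, keep it outside the web root) instead
# of deleting it, so the samples survive for later analysis, and prints what
# was moved. Paths are flattened into the file name to avoid collisions.
quarantine_matches() {
    root="$1"; want="$2"; qdir="$3"
    mkdir -p "$qdir" && chmod 700 "$qdir"
    find_by_md5 "$root" "$want" | while IFS= read -r f; do
        dest="$qdir/$(printf '%s' "$f" | tr '/' '_')"
        mv -- "$f" "$dest" && printf 'quarantined: %s -> %s\n' "$f" "$dest"
    done
}

# Typical use: list first, read the list, then quarantine.
# find_by_md5 "$WEB_ROOT" "$BAD_MD5" "$BAD_SIZE"
# quarantine_matches "$WEB_ROOT" "$BAD_MD5" /root/quarantine
```

Two caveats a practitioner will want: the match is exact-content only, so a variant with one byte changed, or the same payload inserted into an existing file, is not found this way; and a PHP process already running the file, as seen in the ps aux line above, keeps running after the file is moved, so it has to be killed as well.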

#2 SitePoint Wizard (joined Oct 2005):

    Quote originally posted by bimalpoudel:
    Can I list the files that match the given MD5 hash? Because even if the file was renamed, the hash should be the same.
    I want to remove them from the server, scanning it entirely.
    A file hash is not going to matter one bit (nor will any file modification times as those can be faked). When a hacker compromises an account, they often stick other exploits in the account so if the main one is found they still have a way to get inside. Sometimes they will modify existing PHP files and stick a small section of code in it allowing them access. When your hosting account has been compromised, your best option is to delete all of your files under public_html and restore from backups you know are clean. Otherwise, you are going to have to manually examine every PHP file and see if there is malicious code in it. That's not going to be easy with something like WordPress.
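An added example, not the reply author's code, of the comparison the reply points at: diff the live tree against a backup you trust, or a fresh download of the same WordPress, plugin and theme versions, so that modified files (which a hash of one captured sample can never match) and dropped files both surface; then grep the flagged PHP files for common web-shell constructs as a first pass before reading them by hand. It assumes Linux with GNU coreutils (find, md5sum, awk, sort, mktemp); the grep pattern list is an assumption of typical tells, not something from the thread.

```shell
#!/bin/sh
# Added example, not the reply author's code: the "compare against a copy you
# know is clean" approach. A hash of one captured sample finds only exact
# copies of that sample; a backdoor spliced into an existing index.php or
# wp-config.php produces a hash nobody has a signature for. Diffing the live
# tree against a clean backup (or a fresh download of the same WordPress,
# plugin and theme versions) catches those, and anything dropped in extra.
# Assumes Linux with GNU coreutils (find, md5sum, awk, sort, mktemp).

# manifest DIR: one "<md5>  ./relative/path" line per regular file under DIR.
manifest() {
    ( cd "$1" && find . -type f -exec md5sum {} + )
}

# compare_trees CLEAN LIVE: prints, sorted, one line per difference:
#   ADDED    path   only in LIVE  (dropped files, e.g. a cache/BADNAME.php)
#   MISSING  path   only in CLEAN (deleted or renamed files)
#   MODIFIED path   in both, content differs (injected code in an existing file)
# md5sum's line is 32 hex chars, two spaces, then the path, so the path starts
# at column 35; taking it with substr keeps paths containing spaces intact.
compare_trees() {
    clean="$1"; live="$2"
    tmpc=$(mktemp); tmpl=$(mktemp)
    manifest "$clean" > "$tmpc"
    manifest "$live"  > "$tmpl"
    awk '
        FILENAME == ARGV[1] { c[substr($0, 35)] = substr($0, 1, 32); next }
                            { l[substr($0, 35)] = substr($0, 1, 32) }
        END {
            for (p in l) if (!(p in c))                 print "ADDED    " p
            for (p in c) if (!(p in l))                 print "MISSING  " p
            for (p in l) if ((p in c) && c[p] != l[p])  print "MODIFIED " p
        }' "$tmpc" "$tmpl" | sort
    rm -f "$tmpc" "$tmpl"
}

# suspicious_php ROOT: a first pass before reading flagged files by hand, or
# over a whole tree when no clean copy exists. Lists PHP files containing
# constructs typical of injected shells. The pattern list is an assumption of
# common tells, not from the thread; hits are leads, not proof, since some
# legitimate plugins use these functions too.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        {} + 2>/dev/null
}

# Typical use (paths are placeholders):
# compare_trees /backup/clean-site /home/PATH/public_html
# suspicious_php /home/PATH/public_html/wp-content
```

Anything reported as MODIFIED in WordPress core, or in a plugin or theme you did not edit yourself, is worth reading line by line; ADDED entries under uploads or a theme's cache directory are where dropped files usually land. If no trustworthy copy exists, the reply's advice stands: wipe and restore, rather than trusting a grep pass to have found every hook.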

#3 dklynn (Certified Ethical Hacker, Auckland, joined Feb 2002):

    Also, don't forget the admins in your database ... a favorite place for hackers to leave easy access for later exploits.

    THEN use something like strongpasswordgenerator.com to create STRONG passwords for your admin account ... the ONLY admin account!

    Regards,

    DK