malicious 96.php in wordpress

  • Hi there,
    I was goggling the last time and found some links to a “96.php” file on my website. I opened that file (which is in the root folder) and it contains three instances of the function :
    <? eval(gzuncompress(base64_decode('eNqdWNt....'))); ?>
    I don’t know what is the idea behind it but I found links to this file in my website referenced by google, when you click on it it redirects to another malaware java app website!
    I searched the plugins I have installed in my website but couldn’t find any fugitive ??
    I have this plugins:
    * akismet
    * contact-form-7
    * download-monitor
    * easy-fancybox
    * flipping-team
    * nextgen-gallery
    * wassup

    here’s the query to reproduce this bug:
    https://www.google.com/search?q=village+durable
    my website is villagedurable dot org

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter Abdessamad Idrissi

    (@numediaweb)

    I checked my other blogs and found it there too!

    the name now is 51.php with the same scenario as above;

    this is a serious security hole!

    Thread Starter Abdessamad Idrissi

    (@numediaweb)

    one of the files I found in the logs mentions a url: pzyilmog.cw.cm (reported risky site by firefox)

    I verified all my domains and found this “virus/trojan” in installations that use wordpress, other domains that don’t use wordpress platform are not infected by this. this leads to a fact that this virus uses wordpress as a mean to write to the root directory of wesite hosting wordpress.
    So to conclude this is high security hole in WordPress, that we should fix.. i’ll inspect more to try and find out how can this b*****ds got in ??

    Thread Starter Abdessamad Idrissi

    (@numediaweb)

    This is not related to WordPress; so far it is said that it’s a virus getting access to ftp accounts on your machine.

    same symptoms are described in this post

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘malicious 96.php in wordpress’ is closed to new replies.