Hi I found some new code in the wp-config.php file of one of my sites, it seems to have been placed there by a hacker, anyone can explain what it does?
Leave a Reply
You must be logged in to post a comment.
Hi I found some new code in the wp-config.php file of one of my sites, it seems to have been placed there by a hacker, anyone can explain what it does?
You must be logged in to post a comment.
There are 3 main ‘functions’ of this code. The two lines check that
pingnow
andpass
are defined and thatpass
is the correct value.pingnow
is used later to switch between ‘functions’.The first is run if the
pingnow
GET variable islogin
. It logs in the requesting user as the ‘admin’ user. This won’t work if there is not a user called ‘admin’.The second part allows for uploading of defined files to your server. If the
pingnow
variable isexec
then the script downloads the file and saves it on your server with the name of a random md5 hash. It then redirects the attacker to the script.The third part allows for evaluation of remote php. It downloads a file and then
eval
s it, running it on your server.