PHP code injected onto website
#1
I manage a website for a non-profit (volunteer work).  They have been shut down multiple times by their hosting company because of malicious software.  The attack replaces common WordPress files with a new version containing Base64 code that "includes" another file on the system that is much more thoroughly encrypted (base64 plus a key that is pulled from a cookie).  When I look at the web server log files, I see things like:

198.1.110.241 - - [29/Dec/2017:22:37:39 -0600] "POST /wp-content/plugins/meta-data-filter/languages/xjwtfhlc.php HTTP/1.0" 200 69606 "http://example.server.com/wp-content/plu...wtfhlc.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:48.0) Gecko/20100101 Firefox/48.0"

How are they able to do this?  Or better... how do I stop this?
#2
Update your WordPress installation, update and uninstall any unneeded plugins, and disable any file upload pages that don't require authentication. Additionally, you might want to take a look at your user credentials and change the login information for any administrative accounts.
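A way to find every request of the kind shown in the first post, as an added example that is not part of the original posts: it scans an access log for POST requests aimed directly at PHP files under wp-content or wp-includes, which gives a list of files to inspect on disk. The path heuristic and all sample lines except the first are assumptions made for this example.

```python
import re

# Apache/nginx combined log format: ip - user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: PHP files under these trees are loaded by WordPress itself and
# are not normally the direct target of a POST request.
SUSPECT = re.compile(r'^/(?:wp-content|wp-includes)/.*\.php$', re.IGNORECASE)

# First line is the entry quoted in the post; the other lines are constructed.
SAMPLE_LOG = '''
198.1.110.241 - - [29/Dec/2017:22:37:39 -0600] "POST /wp-content/plugins/meta-data-filter/languages/xjwtfhlc.php HTTP/1.0" 200 69606 "http://example.server.com/wp-content/plu...wtfhlc.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:48.0) Gecko/20100101 Firefox/48.0"
203.0.113.7 - - [29/Dec/2017:22:40:02 -0600] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [29/Dec/2017:22:41:10 -0600] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"
203.0.113.9 - - [29/Dec/2017:22:45:31 -0600] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.12 - - [29/Dec/2017:23:02:17 -0600] "POST /wp-content/uploads/2017/12/cache.php?x=1 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
'''.strip()


def suspicious_posts(lines):
    """Return one record per POST aimed at a PHP file in wp-content/wp-includes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        path = m['path'].split('?', 1)[0]  # ignore any query string
        if SUSPECT.match(path):
            # A 2xx status means the request reached a script that exists on disk.
            hits.append({'ip': m['ip'], 'time': m['time'], 'path': path,
                         'live': m['status'].startswith('2')})
    return hits


if __name__ == '__main__':
    for h in suspicious_posts(SAMPLE_LOG.splitlines()):
        state = 'present on server' if h['live'] else 'not found or blocked'
        print(f"{h['time']}  {h['ip']}  {h['path']}  ({state})")
```

Plugins that expose their own PHP endpoints will also show up here, so treat the output as a review list and compare each flagged file against a clean copy of the plugin or of WordPress core.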