wp-info.php

In WordPress themes there are lots of file upload vulnerabilities. This trying upload embrace.php file to server and execute it embrace.php wp-info.php This malware can infect more and more malwares to server and get full control it. Final words Websites that using Malware Expert – ModSecurity rules are protected against this attack. Use Malware Expert … Read more

proc.php

Again we found new malware, that trying using php shell_exec function to download and include more malware to server. POST Payload This looks like joomla file upload vulnerability: Payload trying upload proc.php file to server and execute it: proc.php p.sh It’s trying download p.sh bash script and execute it. When it executed it remove itself … Read more

db.php

This malware try upload db.php to WordPress clickjacking vulnerability. Clickjacking is an attack that places an invisible iframe containing a webpage over top of another, visible webpage. The victim user is lured into clicking on the invisible iframe to perform an action when they think they are clicking on the webpage they can see. The … Read more

sql_dump.php – Bot network

malware botnetwork

Today we looked server’s logs and we found very active Bot network that trying use old malware and upload more PHP code files to servers. Malware files If we look access logs, we found many files which tried access, but they not are normal WordPress, Joomla etc. files. /Abbrevsprl.php /administrator/administrator.php /administrator/dbconfig.php /administrator/includes/readmy.php /administrator/webconfig.txt.php /al277.php /authenticating.php … Read more

Malicious redirects generated with mod_update.php to WordPress or Joomla .htaccess file

Sometimes you might catch down in your web-browser’s status bar that a foreign website is attempting to load content on your website, or you might notice a web-browser warning. These can be common signs of a .htaccess hack, you might also notice that you’ve fallen in search engine rankings. The typical reason for this is … Read more

Wordfence Security Plugin

We found new intresting malware that infected WordPress and Wordfence Security plugin. This malware filename is random numeric with php extension. Unlink When it just executed from remote GET Request, it remove itself at first. So it’s difficult know what happened on server and what case infection to WordPress and Wordfence. wp-blog-header.php It modifying WordPress … Read more

php fwrite base64 decode

An attacker trying hide malware, before it’s uploaded, fwrite to server and executed. This attacks type uses Cross-Site Request Forgery & Remote Content Execution vulnerability together (CSRF & RCE vulnerability) It’s also base64 encoded content, so it’s more difficult find with scanners. Example – fwrite & base64_encoded malware base64_decode malware When malware uploaded to server … Read more

work1.php

This is old Arbitrary File Upload Vulnerability in Cherry Plugin (Worpdress). Malware tries patch .htaccess files and add own redirect that file. When a user access website with correct browser, then redirect activates and redirect user to another page. Last malware unlink (removes) itself. Full sourcecode

Free Online PHP Obfuscator

Free Online PHP Obfuscator is designed to help PHP developers protect their intellectual property. Any time you give your PHP source code to someone else your intellectual property can be used and altered without your permission. It’s not one-way encryption but it will keep curious eyes away from your code. These tryed again upload to … Read more

cache-db.php

This is very old malware, Timestamp December 2015 and in Joomla /cache/cache-db.php or /libraries/simplepie/simplepie.lib.php file. This is very cleverly made, and hide assert PHP execution inside the code. First time look source code, it looks like normal file. But when look better and trace first extra code Second hidden code added Third hidden code added … Read more