Sam

Reputation: 1461

checkandall.php added to WordPress root directory

After logging into one of my WordPress sites today, the Sucuri plugin has reported that the following files were added:

01/04/2015 - New file added checkandall.php (size: 592)

This sits on the root of my server and contains the following code:

<?php
// Suppress all warnings so the script fails silently (e.g. on unreadable directories).
error_reporting(0);

// Recursively walk $folder. For every directory that contains at least one regular
// file and is writable by the web server user, record "<dir>/*" in $all_files.
function GetListFiles($folder, &$all_files) {
    $fp = opendir($folder);
    // Compare against false so an entry literally named "0" does not end the loop.
    while (($cv_file = readdir($fp)) !== false) {
        if (is_file($folder . "/" . $cv_file)) {
            if (is_writable($folder)) {
                $all_files[] = $folder . "/*";
            }
        } elseif ($cv_file != "." && $cv_file != ".." && is_dir($folder . "/" . $cv_file)) {
            GetListFiles($folder . "/" . $cv_file, $all_files);
        }
    }
    closedir($fp);
}

$all_files = array();
GetListFiles("/var/sites/w/www.mydomain/public_html/", $all_files);
// A writable directory is appended once per file it contains; collapse the duplicates.
$result = array_unique($all_files);
print_r($result);
?>

Can someone with more PHP experience please explain what this is doing? I assume it's a file that has been injected to monitor the rest of my WordPress site.

Other actions that also concern me:

01/04/2015 - Plugin deleted: PHP Code for posts (v1.2.0; php-code-for-posts/PHPPostCode.php) - Not actioned by me

01/04/2015 - Plugin deactivated: Sucuri Security - Auditing, Malware Scanner and Hardening - Not actioned by me

01/04/2015 - Media file added; identifier: 328; name: maink.php; type. - Not actioned by me

01/04/2015 - Plugin installed: maink.php - Not actioned by me

Luckily, my host does daily, offsite backups, so I can just do a restore. I'm curious to understand how this happened and what the likely effect of the hack would be.

Upvotes: 0

Views: 770

Answers (1)

Frank

Reputation: 664

This script is getting a list of all files in all directories from a specific base directory ("/var/sites/w/www.mydomain/public_html/" in this case) and prints a list of directories that are writable to the screen. This is probably for the attacker to find places to upload new scripts to, which they will use to perform further attacks.

It looks like someone got administrative access to your WordPress site and is using that to upload other scripts to do more damage. That plugin that was installed likely opens up further vulnerabilities for the attacker to exploit. Take the server offline, restore it from backups, change all database and WordPress admin credentials, then update WordPress to the latest version.

Take a look at this: http://www-personal.umich.edu/~markmont/awp/

Upvotes: 1
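The same question the attacker's script asks (where can the web server write?) is one the administrator should answer first during triage, together with a check for the artifacts named in the audit log. The helpers below are an added example and are not part of the original post or of the Sucuri plugin; they assume a POSIX shell and a find(1) that accepts symbolic -perm modes (GNU and BSD both do), and the sample site tree they build is constructed here purely for demonstration, with all paths and names being assumptions.

```shell
#!/bin/sh
# Added triage helpers for a suspected WordPress compromise (example code, not
# from the original post or from Sucuri). Assumes POSIX sh and GNU/BSD find.

# Directories any local user can write to. checkandall.php tests is_writable()
# as the web server user, so this list is a lower bound on what it would see;
# directories owned by the web server user should be reviewed separately.
world_writable_dirs() {
    find "$1" -type d -perm -o+w | sort
}

# PHP files under wp-content/uploads. That tree is meant for media only, so a
# .php file there (compare the "media file added: maink.php" log entry) should
# be treated as a webshell until proven otherwise.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Files modified in the last N days (default 2), to correlate with log timestamps.
recently_modified() {
    find "$1" -type f -mtime -"${2:-2}" | sort
}

# Build a constructed WordPress-like tree carrying the artifacts from the question.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2015/04" \
             "$root/wp-content/plugins/sucuri-scanner" \
             "$root/wp-includes"
    touch "$root/index.php" "$root/wp-content/uploads/2015/04/photo.jpg"
    touch "$root/wp-content/uploads/2015/04/maink.php"   # planted PHP in the uploads tree
    touch "$root/checkandall.php"                        # the reconnaissance script
    chmod 777 "$root/wp-content/uploads/2015/04"         # a too-permissive upload directory
    chmod 755 "$root/wp-includes"                        # core directory, not world-writable
    echo "$root"
}

# Run all three checks against a site root given on the command line.
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    echo "== world-writable directories";          world_writable_dirs "$1"
    echo "== PHP files under wp-content/uploads";  php_in_uploads "$1"
    echo "== files modified in the last 2 days";   recently_modified "$1"
fi
```

Run it as `sh triage.sh /var/sites/w/www.mydomain/public_html` before restoring from backup and keep the output: the list of world-writable directories tells you what the attacker's script would have reported, and the uploads and mtime lists are the files to preserve for analysis (a restore that keeps the same permissions and credentials will simply be reinfected).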
