FilesMan backdoor

Home Forums Support Forum FilesMan backdoor

Tagged: ,

This topic contains 2 replies, has 2 voices, and was last updated by  Anti-Malware Admin 11 years, 5 months ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #791

    Ivica D.
    Member

    Hi Eli!

    Just one info for you. Namely, I scanned one of the sites with your fantastic plugin and for the following line in the wp-config.php file I got just warningthat it is a Potential Threat and in fact it is is real threat/backdoor script:

    if(isset($_GET[w5838t])){ $auth_pass=”";$color=”#df5″;$default_action=”FilesMan”;$default_use_ajax=true;$default_charset=”Windows-1251″;exit; }

    Can you change this in the GOTML so it recognize this php line as Known threat or similar so GOTML can clean it?

    Thx, Ivica

     

    #792

    Anti-Malware Admin
    Key Master

    Hi Ivica,
    Thanks for that code snippet but I’ll need more info to add this to my definition update.

    This looks like only part of the threat with the dangerous part having already been removed. Can you look in Quarantine to see it there is a completely infected version of your wp-config.php file?

    If you have the whole infected file can you email it to me (you can remove your database credentials from the file before sending it to me).

    Aloha, Eli

    #793

    Anti-Malware Admin
    Key Master

    Ivica,
    Thanks for sending me access to your site. I don’t know where this code came from but it is not a complete threat. The harmful code that usually follows that line at the top of your wp-config.php file is just not there. I removed that line of code from the file and I could not find any other sign of malicious content.

    Aloha, Eli

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

Comments are closed.