
This isn't related to ProcessWire, but just so the PW community is aware, today we discovered several malicious files on our server (WordPress environment). The code in the files ultimately allows for the same thing: remote code execution.

I'm guessing some security hole allowed an attacker to execute code via a plugin, which wrote a file to www.example.com/dump.php

This file contained the following code: http://pastebin.com/dsLZnbCW

After deciphering it slightly: http://pastebin.com/NiCe9ftn

I then realised it was looking for a POST request variable "n59a097".

Malicious code was then being sent base64-encoded to this POST variable, where it was then being decoded and run through the eval() function.

DigitalOcean alerted us to the issue after our server had been reported to them for sending out spam email.

Just a heads up really as to the possibility of security holes allowing simple files to be written, that then allow for remote code execution.

I'm sure ProcessWire is far less of a target than WordPress for these types of exploits, but keep an eye out.

  • Like 2


After so many times for so long, being in the news being compromised makes you wonder if WordPress is still worth anyone's time and effort.

  • Like 2


Quite a clever bit of code, that, obfuscating base64_decode in the hope of avoiding security scanners. Can't hide eval(), though.

  • Like 1


Yup... On a side note: the wp-admin WordPress template / code / PHP editor is by itself a huge security risk. I would immediately uninstall it.

  • Like 2


Hi mrjasongorman,

Thanks for sharing! Could you please also share some details on how you deciphered the code?

Thank you


Hi all, worked it out using a pen and paper, haha. Followed the code and wrote down the word it seemed to be spelling out from the random string at the top.

The random string turned out to be not so random, spelling out base64_decode.

  • Like 2
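
The pen-and-paper decoding described above, and the earlier point that eval() stays visible to a scanner, as an added example (not code from the thread or from the pastebin files). The sample PHP, its lookup string, the variable names and the `DANGEROUS` list are all constructed for illustration.

```python
import re

# Constructed sample, not the file from the thread: a lookup string, a name
# built from it by index, and an eval() call on an undefined placeholder.
SAMPLE = r'''<?php
$k = "qd4o_s6bezac";
$f = $k[7].$k[10].$k[5].$k[8].$k[6].$k[2].$k[4].$k[1].$k[8].$k[11].$k[3].$k[1].$k[8];
eval($f($data));
'''

# Function names worth flagging when hidden (editor's choice, not exhaustive).
DANGEROUS = {"base64_decode", "gzinflate", "str_rot13", "assert", "system",
             "exec", "shell_exec", "passthru", "create_function"}

ASSIGN = re.compile(r'\$(\w+)\s*=\s*(["\'])(.*?)\2\s*;')      # $k = "literal";
INDEX = re.compile(r'\$(\w+)\s*[\[{]\s*(\d+)\s*[\]}]')         # $k[7] or $k{7}
CHAIN = re.compile(r'\$(\w+)\s*=\s*((?:\$\w+\s*[\[{]\s*\d+\s*[\]}]\s*\.?\s*)+);')
EVAL = re.compile(r'\beval\s*\(', re.IGNORECASE)

def resolve_indexed_strings(src):
    """Rebuild strings assembled as $k[7].$k[10]... from a literal lookup string."""
    literals = {m.group(1): m.group(3) for m in ASSIGN.finditer(src)}
    resolved = {}
    for m in CHAIN.finditer(src):
        chars = []
        for var, idx in INDEX.findall(m.group(2)):
            table = literals.get(var, "")
            if int(idx) >= len(table):
                break  # index outside any known literal: leave unresolved
            chars.append(table[int(idx)])
        else:
            resolved[m.group(1)] = "".join(chars)
    return resolved

def triage(src):
    """Return (signal, detail) pairs for one PHP source text."""
    findings = []
    for var, value in resolve_indexed_strings(src).items():
        if value.lower() in DANGEROUS:
            findings.append(("hidden-function-name", f"${var} = {value}"))
    for m in EVAL.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        findings.append(("eval-call", f"line {line}"))
    return findings

if __name__ == "__main__":
    for signal, detail in triage(SAMPLE):
        print(signal, detail)
```

A hit is a reason to read the file by hand, not a verdict: legitimate PHP also calls eval(), and other obfuscation styles will not match these patterns.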