
Recently I found a strange file inside the WordPress sources directory of a site I have written and am maintaining. It was a lucky case: I deploy my sources from git, so when I typed git status on the server I saw one new file.

Besides this file, there were two database tables, wp_old_cache and wp_old_lcache, the first 2.5MB and the second 25MB in size.

PHP source: https://gist.githubusercontent.com/gitowiec/bae47ad4b34a68e3118b33e03603f2df/raw/49f4d76394c06caca73f9136be13757cd4c3c033/nav.php

SQL dump files: https://gist.githubusercontent.com/gitowiec/bae47ad4b34a68e3118b33e03603f2df/raw/49f4d76394c06caca73f9136be13757cd4c3c033/dump.sql

What is it and what is its name? What does it do to my WordPress installation? What software should I use to detect such security breaches in the future? I could scan my web pages from an SSH session.

I don't want to know about prevention measures (like hardening the WordPress installation through obscurity, changing my login credentials, or setting more restrictive folder and file permissions) because I am not an infosec expert. My role is a programmer.

I would also like to know what the incident response is in my case, and which penetration test would reveal such a vulnerability?

Marecky

  • Thanks for adding some detail. Yes, it does look like malware and it uses those tables, which are normal for some WP caching programs, to hide itself. I'm surprised that it does not do more to obfuscate itself. Unfortunately, we are not the right place to ask for malware code reviews ("what does it do?") and I cannot find a name for it, although markers within it appear in several malware samples. – schroeder Mar 26 '19 at 09:49
  • As for scanning for breaches, that's far too broad and tricky to answer. What you want to do is to look for new, unauthorised files, just as you did, and there are several tools (or scripts) you could use to look for new files. – schroeder Mar 26 '19 at 09:50
  • Just seeing a file is not enough to determine how it got there. Someone could have logged into ssh or cpanel, there could be SQLi, an exposed directory, or a vulnerable WP plugin. So we can't help with that part. The incident response is: [How to deal with a compromised server](https://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – schroeder Mar 26 '19 at 13:02
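The "look for new, unauthorised files" approach from the comments, as an added example that is not part of the original post or of WordPress: a baseline-and-compare integrity check over the deployed tree (catching a dropped file like the nav.php above even where git is not available), plus a check for tables that are neither core WordPress nor known plugin tables (which would have flagged wp_old_cache and wp_old_lcache). The ignored path prefixes, the `wp_` table prefix and the sample inputs are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path

# Tables a stock WordPress install creates. Assumption: default "wp_" prefix;
# extend this set with the tables your plugins legitimately create.
CORE_TABLES = {
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
}

def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_baseline(baseline, current, ignore=("wp-content/uploads/", "wp-content/cache/")):
    """Compare two path->digest maps; return sorted (added, modified, removed) paths.
    Paths under `ignore` (assumed: uploads and cache) change legitimately and are skipped."""
    def watched(path):
        return not path.startswith(ignore)
    added = sorted(p for p in current if p not in baseline and watched(p))
    removed = sorted(p for p in baseline if p not in current and watched(p))
    modified = sorted(p for p in current
                      if p in baseline and baseline[p] != current[p] and watched(p))
    return added, modified, removed

def unexpected_tables(tables, prefix="wp_", known=CORE_TABLES):
    """Return tables carrying the site prefix that are neither core nor known plugin tables."""
    return sorted(t for t in tables
                  if t.startswith(prefix) and t[len(prefix):] not in known)

if __name__ == "__main__":
    # usage: python wp_integrity.py <wp-root> <baseline.json>
    # The first run writes the baseline; later runs report what changed since then.
    root, baseline_file = sys.argv[1], Path(sys.argv[2])
    current = hash_tree(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        print(f"baseline written: {len(current)} files")
    else:
        added, modified, removed = diff_baseline(json.loads(baseline_file.read_text()), current)
        for label, paths in (("added", added), ("modified", modified), ("removed", removed)):
            for p in paths:
                print(f"{label}: {p}")
```

Run the first pass right after a clean deploy so the baseline reflects known-good files, and feed `unexpected_tables` the output of `SHOW TABLES` from the site's database.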

1 Answer


Those files are caches or saved older versions of your site. They are meant to be there. You can use the SuperCacher add-on to manage your cache.

user197001