Recently I found a strange file inside the WordPress sources directory of a page I have written and am maintaining. It was a lucky case. I deploy my sources from git, so when I typed git status on a server I saw one new file.
Besides this file there were two database tables, wp_old_cache and wp_old_lcache, the first 2.5 MB and the second 25 MB big.
SQL dump files: https://gist.githubusercontent.com/gitowiec/bae47ad4b34a68e3118b33e03603f2df/raw/49f4d76394c06caca73f9136be13757cd4c3c033/dump.sql
What is it and what is its name? What does it do to my WordPress installation? What software should I use to detect such security breaches in the future? I could scan my web pages from an SSH session.
I don't want to know about any prevention means (like hardening the WordPress installation by obscurity, changing my login credentials, or setting folder and file permissions to be more restrictive) because I am not an infosec expert. My role is a programmer.
I would also like to know what the incident response is in my case, and which penetration test would reveal such a vulnerability?
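A baseline check for exactly the two signals described in this question, untracked files in a git-deployed tree and database tables that are not on a known-good list, added here as example code that is not part of the original post. It assumes the site root is a git checkout and that a baseline table list was saved from a clean install; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example: two baseline-diff checks for a git-deployed WordPress site.
# Assumptions (not from the question): the web root is a git checkout and a
# file with the expected table names (one per line) exists from a clean state.

# Read `git status --porcelain` output on stdin and print one line per
# path that differs from the committed tree.  Porcelain lines are
# "XY path": "??" = untracked, "!!" = ignored (only with --ignored),
# anything else = tracked file changed (modified, deleted, renamed...).
# Run with --ignored as well: wp-content/uploads is usually git-ignored,
# so a file dropped there never shows up as "??".
suspicious_paths() {
    awk '
        substr($0, 1, 2) == "??" { print "untracked " substr($0, 4); next }
        substr($0, 1, 2) == "!!" { print "ignored   " substr($0, 4); next }
        length($0) > 3           { print "changed   " substr($0, 4) }
    '
}

# Read the live table list on stdin (one name per line, as printed by
# `mysql -N -e "SHOW TABLES"`) and print every table that is absent from
# the baseline file given as $1.  grep -F -x matches whole lines literally,
# so a prefix such as wp_old_ does not accidentally match wp_options.
unexpected_tables() {
    baseline="$1"
    [ -r "$baseline" ] || { echo "baseline $baseline not readable" >&2; return 2; }
    sort -u | grep -v -x -F -f "$baseline"
    # grep exits 1 when nothing is unexpected; treat that as success.
    [ $? -le 1 ]
}

# Live use on the server (not executed here):
#   git -C /var/www/site status --porcelain --ignored | suspicious_paths
#   mysql -N -e 'SHOW TABLES' wordpress | unexpected_tables /root/tables.baseline
# Constructed sample: with a baseline of wp_options/wp_posts/wp_users, a live
# list containing wp_old_cache and wp_old_lcache prints exactly those two.
```

Save the baseline (`git ls-files` plus `SHOW TABLES`) right after a clean deploy and keep it outside the web root, otherwise an intruder can edit the reference along with the site.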