
I have been alerted by our system that a PHP shell has been found in the /tmp directory. Firstly, I would like to know how it could have got here and why it would be here. Is there any way PHP can be executed at this level?

Secondly, it has somehow been uploaded through a WordPress installation. Tracing how this happened won't be easy, but does anybody have a general idea how this might have happened? There are no public-facing upload forms on the site.

Thanks, Chris.

Chris

1 Answer


You haven't mentioned where your tmp folder is relative to the webroot, but in many ways this doesn't really matter. Can PHP be executed there? It depends on your (or your web host's) Apache configuration. How did it get there? Again, it's speculation, but:

  1. WordPress itself - how up to date is it? Has it been patched for the latest security vulnerabilities?
  2. All the WordPress plugins you have installed - the same applies: are they up to date?
  3. If you are using shared hosting, there's always the possibility that your site wasn't the entry point for the hack. In this case any single vulnerable site on the same server as yours can be used to compromise any or all of the other sites hosted on that server (or even others too, depending on how badly the web host has things configured!).

As for finding out where it came from, the web server logs are the obvious place to start looking. You are looking for requests that don't "fit" usual traffic. E.g. country of the source IP address, what resources are being GET'd or POST'd.

Also, unless you have some solid way of verifying your site hasn't been compromised in other ways, then you'll almost certainly want to restore your last known good backup.

Good luck

GeoSword