
Exploit in WordPress theme, what is wrong?

Discussion in 'WordPress' started by postcd, Apr 8, 2014.

  1. #1
    Hello,

    It was quite a surprise: I got mail from Namecheap (they have an exploit scanner) and they detected a new .php exploit file:

    '[PHP Shell Exploit [P0297]]':    /home/myusername/public_html/wp-content/themes/forex/stcchatcc.php

    I looked at the directory structure folder permissions and they are 755 from wp-content to the forex folder. Is that the correct folder permission?

    The wordpress theme (/forex/) used is: "forex, ValidThemes.com WordPress theme."

    I wanted to know more about that exploit, so I found this source code: rstforums.com/forum/forum/leet-zone/reverse-engineering-exploit-development/82761-trojan-html-agent-vsvbn-web-shell?t=80795

    and when I tried to upload it, the result is: http://i.snag.gy/EKYAg.jpg

    I'm quite shocked that a script of this kind was somehow injected into my directory structure. Can anyone please help debug how this was possible, and how to prevent it?
     
    postcd, Apr 8, 2014 IP
  2. shrshr471

    shrshr471 Member

    #2
    Hello :) First, download all your website files and scan them with your local antivirus scanner (I suggest ESET).
    Second, remove that file for sure; the hacker can do anything with that file.
    Third, 755 is not important if the server is able to access and write on behalf of itself, as your server files do :)
    Fourth: look at my video:
    and do all the steps to have a secure WordPress.
    Also open all your theme PHP files; maybe one has an option to upload files directly!
     
    shrshr471, Apr 8, 2014 IP
    postcd likes this.
  3. Nigel Lew

    Nigel Lew Notable Member

    #3
    Nigel Lew, Apr 8, 2014 IP
  4. TIEro

    TIEro Active Member

    #4
    Third party theme from a site called "ValidThemes.com"? That sounds about as trustworthy as a politician! Chances are the developer sneaked a little backdoor into their theme design, just for this purpose.
     
    TIEro, Apr 12, 2014 IP
  5. postcd

    postcd Well-Known Member

    #5
    An idea on what to do could be adding a .htaccess into wp-content or wp-content/themes
    with this inside:

    # disallow php execution
    <files *.php>
    Deny from all
    </files>
    so any malicious .php won't be able to execute. Not sure if it's enough of a solution to prevent PHP abuse.
     
    postcd, Apr 12, 2014 IP
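The two concrete questions in this thread, whether 755 is the right permission (post #1) and whether an .htaccess that denies .php files is enough (post #5), can both be checked with a small audit script. The one below is an added example written for this page; it is not code from the thread or from any WordPress project. It builds a constructed throwaway wp-content tree (a benign theme template, a file named after the reported stcchatcc.php that carries only the eval/gzinflate/base64_decode wrapper scanners key on, with a placeholder instead of any payload, and a stray .php under uploads), then runs four defender checks over it: world-writable directories, PHP files using the functions web shells rely on, PHP files in the uploads tree, and whether a directory carries a PHP-blocking .htaccess. The `/home/myusername/public_html` path in the usage comment is the one from post #1; everything else is assumed.

```shell
#!/bin/sh
# Constructed audit for a WordPress tree (added example, not the thread's own code).

# Build the constructed sample tree under a temp dir and print its path.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/themes/sample-theme" "$root/wp-content/uploads/2014/04"
  printf '<?php\n// benign theme template\nget_header();\n' \
    > "$root/wp-content/themes/sample-theme/index.php"
  # Non-functional stand-in for an injected file: only the wrapper scanners key on, no payload.
  printf '<?php\neval(gzinflate(base64_decode("PLACEHOLDER")));\n' \
    > "$root/wp-content/themes/sample-theme/stcchatcc.php"
  printf '<?php\necho "should not be here";\n' \
    > "$root/wp-content/uploads/2014/04/dropped.php"
  chmod 755 "$root/wp-content/themes/sample-theme"   # the permission post #1 asks about
  chmod 777 "$root/wp-content/uploads/2014/04"       # the permission that actually matters
  printf '%s\n' "$root"
}

# Check 1: 755 is fine. World-writable directories are the real problem, because any local
# process or any upload handler can drop a file into them.
find_world_writable() {
  find "$1" -type d -perm -002
}

# Check 2: PHP files containing the functions web shells and obfuscated droppers rely on.
# Hits are leads to inspect, not verdicts; some legitimate plugins use base64_decode.
find_suspicious_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(|shell_exec\(|passthru\(' {} \;
}

# Check 3: wp-content/uploads should hold media only; any .php there is a finding by itself.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php'
}

# Check 4: does a directory carry an .htaccess that blocks direct web requests to .php files?
has_php_deny_rule() {
  f="$1/.htaccess"
  [ -f "$f" ] && grep -qiE '<files(match)?[ >]' "$f" && grep -qiE 'deny from all|require all denied' "$f"
}

# Write the rule from post #5, with the Apache 2.4 form ("Require all denied") alongside the
# 2.2 form ("Deny from all", which 2.4 only honours when mod_access_compat is loaded).
write_php_deny_rule() {
  cat > "$1/.htaccess" <<'EOF'
# disallow direct web access to PHP files in this tree
<FilesMatch "\.php$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Run all checks against a tree; print findings and return non-zero if there were any.
audit_tree() {
  hits=0
  for check in find_world_writable find_suspicious_php find_php_in_uploads; do
    out=$("$check" "$1")
    if [ -n "$out" ]; then
      printf '[%s]\n%s\n' "$check" "$out"
      hits=$((hits + 1))
    fi
  done
  if ! has_php_deny_rule "$1/wp-content/uploads"; then
    printf '[has_php_deny_rule] no PHP-blocking .htaccess in %s/wp-content/uploads\n' "$1"
    hits=$((hits + 1))
  fi
  [ "$hits" -eq 0 ]
}

# Stand-alone use: ./wp_audit.sh /home/myusername/public_html
# With no argument the constructed sample tree is audited instead.
root=${1:-$(make_sample_tree)}
audit_tree "$root" || printf 'audit: findings present in %s\n' "$root"
```

Two things the checks make visible. The 755 directories are not what let the file in; a world-writable directory, or an upload handler that writes wherever it is told, is. And the .htaccess from post #5 only stops the web server from serving a .php file on a direct request: a backdoor that WordPress itself includes from a tampered functions.php or plugin still runs, and the rule does nothing about the entry point that wrote the file in the first place, so the outdated theme or plugin that accepted the upload still has to be found and fixed.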