Title: wp-admin.php EXPLOIT in WordPress Root!
Last modified: August 19, 2016

---

# wp-admin.php EXPLOIT in WordPress Root!

 *  [Shakhawat](https://wordpress.org/support/users/shakhawat_jaheed/)
 * (@shakhawat_jaheed)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/)
 * I scanned my whole WordPress site (www.kavkisfile.com) with WordPress Exploit 
   Scanner and found an exploit (wp-admin.php, size 47 KB) in my WordPress root.
 * What should I do?
 * [**Mod Note:** Script removed.]

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441341)
 * Your web space/server has been hacked. The same or similar as this:
   c99madshell v. 2.0 madnet edition
 * > Webbased shell for administration your resources
   > Credits: Start coding by CCTeaM. Edited and Finished by MADNET ICQ 751777
 * Start here [FAQ My site was hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441342)
 * Here is an interesting article. One of many. You may want to speak with your 
   host and advise them of your situation.
 * [http://www.derekfountain.org/security_c99madshell.php](http://www.derekfountain.org/security_c99madshell.php)
 *  [Clayton James](https://wordpress.org/support/users/claytonjames/)
 * (@claytonjames)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441345)
 * Would a mod be kind enough to take a look at the encoded script at the top
   of the page, please, and see if it might merit a partial or complete redaction 
   due to the nature of the obfuscated content?
 * Thanks!
 *  Thread Starter [Shakhawat](https://wordpress.org/support/users/shakhawat_jaheed/)
 * (@shakhawat_jaheed)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441371)
 * Thanks for the info.
 * Is my MySQL database infected by this exploit?
 *  [inspired2write](https://wordpress.org/support/users/inspired2write/)
 * (@inspired2write)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441373)
 * Your database very well could have been compromised. You may want to go into 
   your phpmyadmin and take a look at your database. Also, look for possible rogue
   users in the profiles, and the meta profile areas. You could also do a search
   for some of the code like for `eval` and for `base64_decode` and see what you
   come up with.
 * If the exploit scanner revealed it is in your admin php files, it doesn’t mean
   it’s the only place that’s been affected.
 * By the way, I didn’t notice if you stated whether or not you notified your host,
   plus be sure to immediately change all your passwords to good strong ones. Good
   luck. You have your work cut out for you!
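
The database checks suggested in the reply above, written out as an added example that is not part of the original thread. It runs the searches against a constructed in-memory SQLite copy of the `wp_options`, `wp_users` and `wp_usermeta` layout; the function names, the sample rows and the default `wp_` prefix are assumptions, and the same `LIKE` queries can be pasted into phpMyAdmin.

```python
import sqlite3

# Strings the reply suggests searching for; hits need manual review.
INDICATORS = ("eval(", "base64_decode")

def build_sample_db():
    """Constructed sample rows in the layout of the WordPress core tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "http://example.com"),
        ("blogname", "Example blog"),
        ("rss_cache_1", "base64_decode('CONSTRUCTED')"),
        ("widget_text", "eval(base64_decode('CONSTRUCTED'));"),
    ])
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner", "2009-01-10 08:00:00"),
        (2, "author1", "2009-03-02 11:30:00"),
        (3, "wp_helper", "2010-06-01 03:12:00"),
    ])
    db.executemany("INSERT INTO wp_usermeta VALUES (?, 'wp_capabilities', ?)", [
        (1, 'a:1:{s:13:"administrator";b:1;}'),
        (2, 'a:1:{s:6:"author";b:1;}'),
        (3, 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return db

# `prefix` is the site's own table prefix from wp-config.php, not user input.
def suspicious_options(db, prefix="wp_"):
    """Names of options whose value contains any indicator string."""
    where = " OR ".join("option_value LIKE ?" for _ in INDICATORS)
    sql = f"SELECT option_name FROM {prefix}options WHERE {where} ORDER BY option_name"
    return [row[0] for row in db.execute(sql, [f"%{s}%" for s in INDICATORS])]

def administrators(db, prefix="wp_"):
    """Every account holding the administrator role, oldest first."""
    sql = (f"SELECT u.user_login, u.user_registered FROM {prefix}users u "
           f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
           "WHERE m.meta_key = ? AND m.meta_value LIKE ? "
           "ORDER BY u.user_registered")
    return db.execute(sql, (f"{prefix}capabilities", "%administrator%")).fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    print(suspicious_options(db))
    print(administrators(db))
```

Any administrator in the second list that the site owner does not recognise, or whose registration date falls near the time the shell appeared, is a candidate rogue account.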
 *  Thread Starter [Shakhawat](https://wordpress.org/support/users/shakhawat_jaheed/)
 * (@shakhawat_jaheed)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441392)
 * I re-installed only the WordPress core files and changed the cPanel, WordPress,
   and MySQL passwords. Anyway, I guess my database table (prefix_options) is infected,
   because it looks suspicious to me.
 * I have my full database backup but I want to restore only the *_options table.
   How do I do that?
 *  [inspired2write](https://wordpress.org/support/users/inspired2write/)
 * (@inspired2write)
 * [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441437)
 * shakhawat_jaheed,
 * Database stuff isn’t a strong area of experience for me, so I’m not the best 
   one to provide assistance. If you haven’t already taken a look at these, you 
   may find them helpful if you haven’t done a database restore from a backup before.
   
   [http://www.tamba2.org.uk/wordpress/restore/](http://www.tamba2.org.uk/wordpress/restore/)
   [http://codex.wordpress.org/Restoring_Your_Database_From_Backup](http://codex.wordpress.org/Restoring_Your_Database_From_Backup)
 * My assumption is that you should be able to drop just the wp_options, and then
   restore just that portion, but again, I’m not the one to ask. Maybe one of those
   links above might be of help until someone else here can give you some assistance.
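
Pulling a single table out of a full backup, as the reply above assumes is possible, shown as an added example that is not part of the original thread. It assumes the backup is a plain-text SQL dump with the `-- Table structure for table` comment headers that mysqldump writes; `extract_table`, `statement_targets` and the sample dump are constructed for illustration.

```python
import re

# Constructed sample in the layout mysqldump writes (comment header per table).
SAMPLE_DUMP = """\
--
-- Table structure for table `wp_options`
--
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_name` varchar(64), `option_value` longtext);
--
-- Dumping data for table `wp_options`
--
LOCK TABLES `wp_options` WRITE;
INSERT INTO `wp_options` VALUES ('siteurl','http://example.com');
UNLOCK TABLES;
--
-- Table structure for table `wp_posts`
--
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (`ID` bigint, `post_title` text);
INSERT INTO `wp_posts` VALUES (1,'Hello world');
"""

HEADER = re.compile(r"^-- Table structure for table `([^`]+)`", re.M)
STATEMENT = re.compile(
    r"^(?:DROP TABLE IF EXISTS|CREATE TABLE|LOCK TABLES|INSERT INTO) `([^`]+)`", re.M)

def extract_table(dump_text, table):
    """Return the slice of the dump from `table`'s header to the next header."""
    marks = list(HEADER.finditer(dump_text))
    for i, mark in enumerate(marks):
        if mark.group(1) == table:
            end = marks[i + 1].start() if i + 1 < len(marks) else len(dump_text)
            return dump_text[mark.start():end]
    raise KeyError(f"table {table!r} not found in dump")

def statement_targets(section):
    """Tables named by the statements in a section; expect exactly one."""
    return set(STATEMENT.findall(section))

if __name__ == "__main__":
    section = extract_table(SAMPLE_DUMP, "wp_options")
    assert statement_targets(section) == {"wp_options"}, "section touches other tables"
    print(section)
```

Loading the extracted section runs its own `DROP TABLE` and `CREATE TABLE`, so only that one table is replaced. Search the section for `eval` and `base64_decode` first, since a backup taken after the compromise carries the same rows.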


The topic ‘wp-admin.php EXPLOIT in WordPress Root!’ is closed to new replies.

## Tags

 * [exploit](https://wordpress.org/support/topic-tag/exploit/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 7 replies
 * 3 participants
 * Last reply from: [inspired2write](https://wordpress.org/support/users/inspired2write/)
 * Last activity: [16 years, 2 months ago](https://wordpress.org/support/topic/wp-adminphp-exploit-in-wordpress-root/#post-1441437)
 * Status: not resolved

