Shared hosting back door

Kris Constable

Thanks to my friend Kevin McArthur for helping unveil this badboy, as it seems to be infecting quite a few machines. It appears that it was a local machine attack, taking advantage of a world-writable directory hidden behind a home directory that other users can traverse but not list.

$ find . -name files.php
./connect/images/avatars/upload/files.php

$ ls -la ~me
total 50360
drwxr-x--x 8 me mygroup 4096 2011-10-05 19:22 .

$ ls -la ./connect/images/avatars/upload/
total 88
drwxrwxrwx 2 me mygroup 4096 2011-10-05 19:37 .
drwxr-xr-x 4 me mygroup 4096 2010-11-19 04:22 ..
-rw-r--r-- 1 me mygroup 51 2010-11-19 04:22 .htaccess
-rw-r--r-- 1 unpri Notmygroup 23343 2011-09-05 14:22 files.php
-rw-r--r-- 1 me mygroup 169 2010-11-19 04:22 index.htm

Now onto the juicy bits: check out files.php and then backdoor.txt.

UPDATE Jan 9th, 2012: I found a wp-template.php.txt in the root WordPress directory. It was called via @include in index.php, cleverly nested right after the */ at the end of the five-line intro comment.