Troj/PHPShll-B malware in WordPress wp-config.php file!

Suspicious codes found in WordPress wp-config.php file

A Sophos Senior Threat Researcher, Paul O Baccas found a malware codename, Troj/PHPShll-B in a WordPress wp-config.php file that was installed in one of their IT department friend’s website.

This malware was first detected by SophosLabs automated systems as Mal/Badsrc-C from the downloaded index.html file.

Further analysis, Paul saw a suspicious piece of code written in base64 string format in the wp-config.php file. When translated, the code will only be served if the User-Agent is Internet Explorer.

Sophos now detects and disinfects this modified code as Troj/PHPShll-B.

They believed it is most likely the code was injected via compromised FTP credentials. Sophos also recommends WordPress users to regularly auditing their WordPress wp-config.php file and make sure to use strong login passwords to avoid the account being compromised.

I have checked all my eight WordPress blogs wp-config.php files and luckily there are no weird strings or suspicious codes found in them. How about you?

via Troj/PHPShll-B: Malware injects itself into WordPress installations


  1. Great identification of the threat. In todays new generation of online services its very important to have strong authentication and secure passwords.
    I work for a security software company, EZMCOM we are conducting a survey to find out security threats faced by business. Participants will be entered for a lucky draw were iPod shuffles will be won. Please click on the link to take the 2minute survey
    Please also like and share our Facebook Page
    Thanks guys!