Suspicious code found in WordPress wp-config.php file
Paul O Baccas, a Senior Threat Researcher at Sophos, found a piece of malware, Troj/PHPShll-B, in the wp-config.php file of a WordPress installation on a website belonging to a friend of their IT department.
This malware was first detected by SophosLabs' automated systems as Mal/Badsrc-C in the downloaded index.html file.
On further analysis, Paul saw a suspicious piece of code, written as a base64 string, in the wp-config.php file. Once decoded, it shows that the code is served only if the User-Agent is Internet Explorer.
Sophos now detects and disinfects this modified code as Troj/PHPShll-B.
They believe the code was most likely injected via compromised FTP credentials. Sophos also recommends that WordPress users regularly audit their wp-config.php file and use strong login passwords to avoid the account being compromised.
I have checked the wp-config.php files of all eight of my WordPress blogs and luckily there are no weird strings or suspicious code in them. How about you?
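One way to run the wp-config.php audit recommended above, as an added example that is not from the original post or from Sophos: a Python script that flags decode-or-execute calls and long base64 strings whose decoded text inspects the User-Agent. The length threshold, the function watch list and the sample config are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import sys

# Base64 runs long enough to hide code; the 40-character floor is an assumption.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# PHP calls commonly used to decode or execute a string (assumed watch list).
EXEC_CALL = re.compile(r"\b(eval|assert|base64_decode|gzinflate)\s*\(", re.I)
# Markers showing the decoded text branches on the visitor's browser.
UA_MARKERS = ("HTTP_USER_AGENT", "MSIE")

def mostly_text(data):
    """True when at least 90% of the decoded bytes are printable ASCII."""
    ok = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return bool(data) and ok / len(data) >= 0.9

def audit_config(text):
    """Return (line_number, reason) pairs for suspicious lines in a config."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if EXEC_CALL.search(line):
            findings.append((lineno, "decode-or-execute call"))
        for match in B64_RUN.finditer(line):
            core = match.group(0).rstrip("=")
            try:
                decoded = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
            except (binascii.Error, ValueError):
                continue
            if not mostly_text(decoded):
                continue  # random key material, not hidden code
            checks_ua = any(m in decoded.decode("latin-1") for m in UA_MARKERS)
            findings.append((lineno, "base64 text that checks the User-Agent" if checks_ua else "base64 text"))
    return findings

# Constructed sample: a harmless stand-in for an injected, browser-gated snippet.
_STANDIN = b"if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false) { echo '<!-- placeholder -->'; }"
SAMPLE = "\n".join([
    "<?php",
    "define('DB_NAME', 'wordpress');",
    "eval(base64_decode('" + base64.b64encode(_STANDIN).decode() + "'));",
    "$table_prefix = 'wp_';",
])

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for lineno, reason in audit_config(source):
        print(f"line {lineno}: {reason}")
```

Run it with the path to a wp-config.php as the only argument; with no argument it scans the constructed sample. A clean result does not prove the file is unmodified, so comparing it against a known-good copy remains worthwhile.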