At least 500 WordPress websites have recently been hacked by a new attack that replaces the main index page and blocks access to every other page on the site. Compromised websites display “hacked by psycho00.dat”, and a Google search for that string reveals them. Web admins need to recover and strengthen their controls while this new threat continues to be investigated.

A few days ago, one of our readers contacted us to report an incident affecting his WordPress-based website. He performed some quick checks himself and found several pieces of evidence:

1. The main index.php file had been modified: heavily obfuscated PHP code had been prepended to it.
2. A suspicious PHP file had been dropped into every sub-directory of the website.
3. The wp-config.php file had been altered: the database settings now pointed to a malicious MySQL server.
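The three indicators above map directly onto a triage script. What follows is an added example written for this article, not the reader's own checks and not anything shipped with WordPress: a bash script that flags a non-local DB_HOST in wp-config.php, obfuscation markers in index.php, and any PHP file name that shows up in three or more directories, then builds a constructed sample tree (no real site data) to exercise itself against. The keyword list, the "3 or more directories" threshold, the exclusion list, the sample paths and the 198.51.100.7 address are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added triage helper, not from the original article: checks a WordPress
# document root for the three indicators listed above. The obfuscation
# keywords, the "3 or more directories" threshold and the exclusion list
# are heuristics chosen for this example; wp-config.php is assumed to use
# the stock single-quoted define( 'DB_HOST', '...' ) form.

# Indicator 3: wp-config.php pointing the site at a non-local MySQL server.
# Prints the host on stderr and returns 1 when one is found.
check_db_host() {
    local root=$1 host
    host=$(sed -n "s/^[[:space:]]*define([[:space:]]*'DB_HOST',[[:space:]]*'\([^']*\)'.*/\1/p" \
           "$root/wp-config.php")
    case "$host" in
        ""|localhost|localhost:*|127.0.0.1|127.0.0.1:*|::1) return 0 ;;
        *) echo "wp-config.php: DB_HOST is remote: $host" >&2; return 1 ;;
    esac
}

# Indicator 1: obfuscated PHP prepended to index.php. The stock file is a
# dozen short lines, so known decode/eval primitives or a very long line
# are both suspicious.
check_index() {
    local root=$1 f=$1/index.php
    if grep -qE 'eval[[:space:]]*\(|base64_decode|gzinflate|gzuncompress|str_rot13|create_function' "$f" \
       || awk 'length($0) > 400 { found = 1 } END { exit !found }' "$f"; then
        echo "index.php: obfuscation markers present" >&2
        return 1
    fi
    return 0
}

# Indicator 2: the same PHP file name present in $min or more directories.
# WordPress legitimately ships index.php stubs and wp-*.php files in many
# places, so those names are excluded; anything else is printed for review.
find_sprayed_php() {
    local root=$1 min=${2:-3}
    find "$root" -type f -name '*.php' | sed 's|.*/||' | sort | uniq -c \
        | awk -v min="$min" '$1 >= min { print $2 }' \
        | grep -vE '^(index\.php|wp-.*\.php)$' || true
}

# Runs all three checks; details go to stderr, only the count to stdout.
count_indicators() {
    local root=$1 n=0 sprayed
    check_db_host "$root" || n=$((n + 1))
    check_index "$root"   || n=$((n + 1))
    sprayed=$(find_sprayed_php "$root")
    if [ -n "$sprayed" ]; then
        echo "same PHP file name dropped in 3+ directories: $sprayed" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample tree for offline testing (no real site data). "clean"
# builds a stock-looking install; "infected" adds the three indicators.
make_sample_root() {
    local mode=${1:-infected} root d host=localhost
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads"
    for d in "$root/wp-content" "$root/wp-content/uploads"; do
        printf '<?php\n// Silence is golden.\n' > "$d/index.php"
    done
    if [ "$mode" = infected ]; then
        host=198.51.100.7   # documentation-range address standing in for the attacker's server
        # Constructed loader line; the payload decodes to echo "hello"; and is harmless.
        printf '<?php eval(base64_decode("ZWNobyAiaGVsbG8iOw=="));\n' > "$root/index.php"
        for d in "$root" "$root/wp-admin" "$root/wp-includes" "$root/wp-content" "$root/wp-content/uploads"; do
            printf '<?php // stand-in for the dropped thnxx.php web shell\n' > "$d/thnxx.php"
        done
    else
        printf '<?php\n' > "$root/index.php"
    fi
    printf "define( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n" >> "$root/index.php"
    printf "<?php\ndefine( 'DB_NAME', 'wordpress' );\ndefine( 'DB_HOST', '%s' );\n" "$host" > "$root/wp-config.php"
    echo "$root"
}

# Usage: bash wp-triage.sh /var/www/html
if [ $# -gt 0 ]; then
    count_indicators "$1"
fi
```

Run it as `bash wp-triage.sh /var/www/html`; the indicator count goes to stdout and the details to stderr. Treat every hit as a lead rather than a verdict: compare flagged files against a pristine WordPress release of the same version, and keep in mind that a site whose wp-config.php has been pointed at an attacker-controlled database should be rebuilt from a clean installation and a known-good backup, not patched in place.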

The strange PHP file (called “thnxx.php”) found in multiple directories was easy to identify: it is a web shell that has been in the wild for some time and is used by many Indonesian hacker groups.

So far, 519 compromised websites have been identified! Some of them have already been cleaned; others are still pointed at the malicious databases.

Let's inspect one of the malicious databases. The WordPress settings are almost the defaults: the default WordPress post and a single admin user. The next question is: how did the attacker compromise the WordPress instance, which was fully patched according to our reader?