I recently noticed /tmp/.tmp folders created seemingly coming from a WordPress install. It seems related to php code inclusions into standard WordPress files. Most likely it was accomplished using the timthumb exploit.
One way to fix the issue is of course to update or overwrite your WordPress install with the latest or same version of WordPress you are currently using. I however was interested to find which exact file was infected and wanted to research the code a little more.
So, here are instructions on how to trace down what exact file is causing the creation of the /tmp/.tmp folder and its content.
- check the WordPress version currently installed (wp-include/version.php)
- download the same version of WordPress from the WordPress website.
- unpack it next to your wordpress install.
- Next run this diff where wordpress is the wordpress you just downloaded and installfolder is your current WordPress install.
diff -qr wordpress installfolder | grep differ | grep .php
- you should get a bunch of results like this:
Files wordpress/wp-admin/about.php and csc/wp-admin/about.php differ Files wordpress/wp-admin/includes/dashboard.php and csc/wp-admin/includes/dashboard.php differ Files wordpress/wp-admin/includes/ms.php and csc/wp-admin/includes/ms.php differ Files wordpress/wp-admin/includes/template.php and csc/wp-admin/includes/template.php differ Files wordpress/wp-admin/includes/update-core.php and csc/wp-admin/includes/update-core.php differ Files wordpress/wp-admin/load-scripts.php and csc/wp-admin/load-scripts.php differ
- look through those php files and you will quickly find a file containing weird eval or replace code.