Questions that are too localized (such as syntax errors, code with restricted access, hacked sites, hosting or support issues) are not in scope. See how do I ask a good question?

Closed 4 years ago.

On one of a WP installation i troubleshoot (because site is down, too much DB connection) for, there is a ADDED file at the root (with wp-config.php and other) this file is called : db.php

It's 280 KB in size and contain some cheezy data, here is a sample

Usuage google search dont reveal it's a hack, but does not reveal it's a LEGIT wp file anyway... so the question is, what i do with it...

sorry for the "garbage look" but it's as this in the file.... i am worry !

<?php
/** Adminer - Compact database management
* @link /
* @author Jakub Vrana, /
* @copyright 2007 Jakub Vrana
* @license .0 Apache License, Version 2.0
* @license .0.html GNU General Public License, version 2 (one or other)
* @version 4.1.0
*/error_reporting(6135);$Ec=!preg_match('~^(unsafe_raw)?$~',ini_get("filter.default"));if($Ec||ini_get("filter.default_flags")){foreach(array('_GET','_POST','_COOKIE','_SERVER')as$X){$_h=filter_input_array(constant("INPUT$X"),FILTER_UNSAFE_RAW);if($_h)$$X=$_h;}}if(function_exists("mb_internal_encoding"))mb_internal_encoding("8bit");if(isset($_GET["file"])){if($_SERVER["HTTP_IF_MODIFIED_SINCE"]){header("HTTP/1.1 304 Not Modified");exit;}header("Expires: ".gmdate("D, d M Y H:i:s",time()+365*24*60*60)." GMT");header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");if($_GET["file"]=="favicon.ico"){header("Content-Type: image/x-icon");echo
lzw_decompress("\0\0\0` \0�\0\n @\0�C��\"\0`E�Q����?�tvM'�Jd�d\\�b0\0�\"��fӈ��s5����A�XPaJ�0���8�#R�T��z`�#.��c�X��Ȁ?�-\0�Im?�.�M��\0ȯ(̉��/(%�\0");}elseif($_GET["file"]=="default.css"){header("Content-Type: text/css; charset=utf-8");echo
lzw_decompress("\n1̇�ٌ�l7��B1�4vb0��fs���n2B�ѱ٘�n:�#(�b.\rDc)��a7E����l�ñ��i1̎s���-4��f�    ��i7������Fé�vt2���!�r0���t~�U�'3M��W�B�'c�P�:6T\rc�A�zr_�WK�\r-�VNFS%~�c���&�\\^�r����u�ŎÞ�ً4'7k����Q��h�'g\rFB\ryT7SS�P�1=ǤcI��:�d��m>�S8L�J��t.M���  ϋ`'C����889�� �Q����2�#8А����6m����j��h�<�����9/��:�J�)ʂ�\0d>!\0Z��v�n��o(���k�7��s��>��!�R\"*nS�\0@P\"��(�#[���@g�o���zn�9k�8�n���1�I*��=�n������0�c(�;�à��!���*c��>Ύ�E7D�LJ��1�J=���1L��?�s=#`�3\$4���uȱ��zG�C YAt�?;�Q�k&��YP�u��ǯ}UaHV%G;�s��<A\0\\��P�\\��&ª�V��\n�SU�t���r���2�   l^�Z6�ej����A�d�[�sն�JP����ҝ��8�=����6#˂74*���#e���!�7{�6��<o�C�9v[�M��-`��k�>�l�ڴ��I��H�3�x����w0t6��%MR%��jh�B�<�\0�AQ<P<:��u/�;\\>��-��ʈ��QH\nv�L+v�æ�<�\r��v����\\*����Ӵݢg��n˩��TЩ2P�\r��ߋ\"+z�8���:#�����2��J[�i����;z����r�3#�ى�:�n�\r㽃e�pdݍ� �2c��4�k���\rG��E6_����މb��/��HB%�0�>���hoW�nxl֍�浃CQ^�������\r����4lK{�Z��:���Ã�.�p��Ă�J�B-�+B���(�T�%��J�0�l�T�`+�-��@B��ۄV��\0��C�,�0t��F���?Ġ�\na@Ɍ>��ZEC��O�-���^Q�&���)I)�����R�]\r��9�7_��\r�F80�Ob�  ���>���\nR�_��8��٫�ov0�bCA�F!�t��ă%0�/�zAYO(4������ '�] I��8hH�05�3�@x&n��|T���)`�.�s6eY�D�z�����Jѓ�.��{GEb��Ӌ����2��{\$**��@�C��-:zYHZI��5F]��Y��C�O�A����`x'�.*9t'{�(�wP����=�*���*�xwr��*c���c|�D���V��\r�V.�0���V�d�?Ҁ��,E͝`T��6ۈ-����ڎT[ѐ�z��.Ar��̀P��n�c=a�9F�n�!�u��A���0iP��J6e�T]V�[\rX��a��v�k�\n+E���ܕ*\0�~���@g\"�NCI\$��Ɍ���x@W�y�*vuD�\0�v�댆V\0�V`G�u�E�֕��f�l�h�@�)0@�T��7���§RA�ٷ�3ۘ��/Q�]�,s�{VR�����F���A��<�vץ�%@9��F��5t�%�+�/�8;�W����J��o:�N�`�   ����h��{ܣ�� �Ԑ8�Eu�&�W|Ɇ���U�&\r\"����|-udž�N��:nc��fV����#U20�>\"���>�`�k]�-��x�S�͇Т����c��B��}�&`��r+E��\$�yN���b,���Wx ��-9��r�,��`�+���ˊ��C��)��7�x\r��W�fM�SR�\\�z��Q�̓��uA���2���4�L&�Hi µ���S\$)e���g rȌ��\$]Z�iYs���kW�n>�7E1k8�d�r�k����E���w�wcm�Ty����a�\$tx\rB��=����*�<���l�f�K��N/���  �l���kH��8�.���?f�����6�ч�{gi/\"�@��K��@2��a|#,Z��� ��w�d�������6w�^&��t��P�����]���.����T��kro����\ro=�%��h`:\0᱂����|ꊣ�a�Ԯ6*:��*��rO-^����n���M�}���Aya���\n�u^��rnO\r���`�T~</�w�y�}�:�|�����̡6������v�\rc<�b#����\$�s��|燇V)�h�TC��(Ľ���]6��1�!1M��@a�/�`�>ٸ�ߣ�����C/�6ഷ#p@p���`Z���ch��\0��\0o��4O�O�i\0-\n���/�\0�D�.� ���.�Đ\0fi��ȫ���\0��ID��\0��\r��0f��o�����G����eJ|\r���l �3�~�iP��&���/�\0�9 ^\0r�0]�� �o��.�\"� ���M���v�P�Z��mp�P���ڜ�ޏ���{��C?��k��ϼ}��d��ʏ�~=�.��- � �m1>h���Е1;QI�OP�\r��c�pApV�k\rQ*�Q}���q>��u�15�BqQ[1f��l���ap���\0��*�J�Q=�����G��������_��b�GHF.�0��  = 2P��������P!�#(3 \n�!1&72f��`�/��\0��\"P�U�\$�\r0��,QrU&2f��_�X���]�9\"�S'�'�y�8\r����kW)O�)��*Ra%�\\i�%�&ҳ+r��3�S`�,�v��&2�L�&Pu*��-�0\"�%HĬԞ��@ؓ��H�B�P(��\$p&�,1M� �ح��;\rn�.�� I�.�',1�)�4���2�u+�3� `�S��pL\nt��_*�S3;6r�'h35�55䜋d2q+6�8�O7sC\"pm8ҭ��6��9�m\n@e0�<8B�8�<,(���8��\0�  �0�J�<@��I���R6pԭmG�\"11�6��.\"����5̂��:��8b�A1�;�';�?<*\$�,�̍o= �T��/3�#��҆�");}elseif($_GET["file"]=="functions.js"){header("Content-Type: text/javascript; charset=utf-8");echo
lzw_decompress("f:��gCI��\n0��S��a9��S`�����&�(��n0���QI��f��\$�At^ s�G��tf6e��y��()L�S��P'�����R'�fq]\"�s> )�`�H2�Eq9��?�*)��t'��ϧ�\n  \r�s<�Pi2IN��*(=2�gX��.3�N�Y4�B<�L���i�̥2��z=�0H���'�ꌚ�u�tt:������e�]`pX9��o5�g��I��,2O4��х�M�S�(�a��#������|�G�b���x�^Z[��G��uTv�(ҝm@V�(���bN<��`��X�1�+��9J8�2\r�K�9�h�   ���

[...] there is a lot more in the file, it's just the first page or so !

Questions that are too localized (such as syntax errors, code with restricted access, hacked sites, hosting or support issues) are not in scope. See how do I ask a good question?

Closed 4 years ago.

On one of a WP installation i troubleshoot (because site is down, too much DB connection) for, there is a ADDED file at the root (with wp-config.php and other) this file is called : db.php

It's 280 KB in size and contain some cheezy data, here is a sample

Usuage google search dont reveal it's a hack, but does not reveal it's a LEGIT wp file anyway... so the question is, what i do with it...

sorry for the "garbage look" but it's as this in the file.... i am worry !

<?php
/** Adminer - Compact database management
* @link http://www.adminer/
* @author Jakub Vrana, http://www.vrana.cz/
* @copyright 2007 Jakub Vrana
* @license http://www.apache/licenses/LICENSE-2.0 Apache License, Version 2.0
* @license http://www.gnu/licenses/gpl-2.0.html GNU General Public License, version 2 (one or other)
* @version 4.1.0
*/error_reporting(6135);$Ec=!preg_match('~^(unsafe_raw)?$~',ini_get("filter.default"));if($Ec||ini_get("filter.default_flags")){foreach(array('_GET','_POST','_COOKIE','_SERVER')as$X){$_h=filter_input_array(constant("INPUT$X"),FILTER_UNSAFE_RAW);if($_h)$$X=$_h;}}if(function_exists("mb_internal_encoding"))mb_internal_encoding("8bit");if(isset($_GET["file"])){if($_SERVER["HTTP_IF_MODIFIED_SINCE"]){header("HTTP/1.1 304 Not Modified");exit;}header("Expires: ".gmdate("D, d M Y H:i:s",time()+365*24*60*60)." GMT");header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");if($_GET["file"]=="favicon.ico"){header("Content-Type: image/x-icon");echo
lzw_decompress("\0\0\0` \0�\0\n @\0�C��\"\0`E�Q����?�tvM'�Jd�d\\�b0\0�\"��fӈ��s5����A�XPaJ�0���8�#R�T��z`�#.��c�X��Ȁ?�-\0�Im?�.�M��\0ȯ(̉��/(%�\0");}elseif($_GET["file"]=="default.css"){header("Content-Type: text/css; charset=utf-8");echo
lzw_decompress("\n1̇�ٌ�l7��B1�4vb0��fs���n2B�ѱ٘�n:�#(�b.\rDc)��a7E����l�ñ��i1̎s���-4��f�    ��i7������Fé�vt2���!�r0���t~�U�'3M��W�B�'c�P�:6T\rc�A�zr_�WK�\r-�VNFS%~�c���&�\\^�r����u�ŎÞ�ً4'7k����Q��h�'g\rFB\ryT7SS�P�1=ǤcI��:�d��m>�S8L�J��t.M���  ϋ`'C����889�� �Q����2�#8А����6m����j��h�<�����9/��:�J�)ʂ�\0d>!\0Z��v�n��o(���k�7��s��>��!�R\"*nS�\0@P\"��(�#[���@g�o���zn�9k�8�n���1�I*��=�n������0�c(�;�à��!���*c��>Ύ�E7D�LJ��1�J=���1L��?�s=#`�3\$4���uȱ��zG�C YAt�?;�Q�k&��YP�u��ǯ}UaHV%G;�s��<A\0\\��P�\\��&ª�V��\n�SU�t���r���2�   l^�Z6�ej����A�d�[�sն�JP����ҝ��8�=����6#˂74*���#e���!�7{�6��<o�C�9v[�M��-`��k�>�l�ڴ��I��H�3�x����w0t6��%MR%��jh�B�<�\0�AQ<P<:��u/�;\\>��-��ʈ��QH\nv�L+v�æ�<�\r��v����\\*����Ӵݢg��n˩��TЩ2P�\r��ߋ\"+z�8���:#�����2��J[�i����;z����r�3#�ى�:�n�\r㽃e�pdݍ� �2c��4�k���\rG��E6_����މb��/��HB%�0�>���hoW�nxl֍�浃CQ^�������\r����4lK{�Z��:���Ã�.�p��Ă�J�B-�+B���(�T�%��J�0�l�T�`+�-��@B��ۄV��\0��C�,�0t��F���?Ġ�\na@Ɍ>��ZEC��O�-���^Q�&���)I)�����R�]\r��9�7_��\r�F80�Ob�  ���>���\nR�_��8��٫�ov0�bCA�F!�t��ă%0�/�zAYO(4������ '�] I��8hH�05�3�@x&n��|T���)`�.�s6eY�D�z�����Jѓ�.��{GEb��Ӌ����2��{\$**��@�C��-:zYHZI��5F]��Y��C�O�A����`x'�.*9t'{�(�wP����=�*���*�xwr��*c���c|�D���V��\r�V.�0���V�d�?Ҁ��,E͝`T��6ۈ-����ڎT[ѐ�z��.Ar��̀P��n�c=a�9F�n�!�u��A���0iP��J6e�T]V�[\rX��a��v�k�\n+E���ܕ*\0�~���@g\"�NCI\$��Ɍ���x@W�y�*vuD�\0�v�댆V\0�V`G�u�E�֕��f�l�h�@�)0@�T��7���§RA�ٷ�3ۘ��/Q�]�,s�{VR�����F���A��<�vץ�%@9��F��5t�%�+�/�8;�W����J��o:�N�`�   ����h��{ܣ�� �Ԑ8�Eu�&�W|Ɇ���U�&\r\"����|-udž�N��:nc��fV����#U20�>\"���>�`�k]�-��x�S�͇Т����c��B��}�&`��r+E��\$�yN���b,���Wx ��-9��r�,��`�+���ˊ��C��)��7�x\r��W�fM�SR�\\�z��Q�̓��uA���2���4�L&�Hi µ���S\$)e���g rȌ��\$]Z�iYs���kW�n>�7E1k8�d�r�k����E���w�wcm�Ty����a�\$tx\rB��=����*�<���l�f�K��N/���  �l���kH��8�.���?f�����6�ч�{gi/\"�@��K��@2��a|#,Z��� ��w�d�������6w�^&��t��P�����]���.����T��kro����\ro=�%��h`:\0᱂����|ꊣ�a�Ԯ6*:��*��rO-^����n���M�}���Aya���\n�u^��rnO\r���`�T~</�w�y�}�:�|�����̡6������v�\rc<�b#����\$�s��|燇V)�h�TC��(Ľ���]6��1�!1M��@a�/�`�>ٸ�ߣ�����C/�6ഷ#p@p���`Z���ch��\0��\0o��4O�O�i\0-\n���/�\0�D�.� ���.�Đ\0fi��ȫ���\0��ID��\0��\r��0f��o�����G����eJ|\r���l �3�~�iP��&���/�\0�9 ^\0r�0]�� �o��.�\"� ���M���v�P�Z��mp�P���ڜ�ޏ���{��C?��k��ϼ}��d��ʏ�~=�.��- � �m1>h���Е1;QI�OP�\r��c�pApV�k\rQ*�Q}���q>��u�15�BqQ[1f��l���ap���\0��*�J�Q=�����G��������_��b�GHF.�0��  = 2P��������P!�#(3 \n�!1&72f��`�/��\0��\"P�U�\$�\r0��,QrU&2f��_�X���]�9\"�S'�'�y�8\r����kW)O�)��*Ra%�\\i�%�&ҳ+r��3�S`�,�v��&2�L�&Pu*��-�0\"�%HĬԞ��@ؓ��H�B�P(��\$p&�,1M� �ح��;\rn�.�� I�.�',1�)�4���2�u+�3� `�S��pL\nt��_*�S3;6r�'h35�55䜋d2q+6�8�O7sC\"pm8ҭ��6��9�m\n@e0�<8B�8�<,(���8��\0�  �0�J�<@��I���R6pԭmG�\"11�6��.\"����5̂��:��8b�A1�;�';�?<*\$�,�̍o= �T��/3�#��҆�");}elseif($_GET["file"]=="functions.js"){header("Content-Type: text/javascript; charset=utf-8");echo
lzw_decompress("f:��gCI��\n0��S��a9��S`�����&�(��n0���QI��f��\$�At^ s�G��tf6e��y��()L�S��P'�����R'�fq]\"�s> )�`�H2�Eq9��?�*)��t'��ϧ�\n  \r�s<�Pi2IN��*(=2�gX��.3�N�Y4�B<�L���i�̥2��z=�0H���'�ꌚ�u�tt:������e�]`pX9��o5�g��I��,2O4��х�M�S�(�a��#������|�G�b���x�^Z[��G��uTv�(ҝm@V�(���bN<��`��X�1�+��9J8�2\r�K�9�h�   ���

[...] there is a lot more in the file, it's just the first page or so !

• installation
• hacks

• 3 This is appears normal for adminer's php file structure. If you look at github/vrana/adminer you can analyze and compare for yourself. Adminer is a MySQL visual interface similar to phpMyAdmin. adminer/en/phpmyadmin. It appears to be safe, but that seems to only be a little bit of the file right? There's much more to the one page PHP file structure. If that it is, it could raise some flags. Either way, I would put some permissions on it if there isn't already so it can't be accessed publically since it's in the root. Hope this helps. – Ryan Dennler Commented Dec 30, 2014 at 17:30
• i have rename it, and nothing append... – menardmam Commented Dec 30, 2014 at 21:02
• This is really old topic, but because it's popping up at Google searches: db.php is a legit file (and has symlink in wp-content) and is by plugin Query Monitor. – Jakke Lehtonen Commented Jan 23, 2020 at 11:04
• During the website scan, this was marked as Malware and removed by SiteGuard. It should be malicious code. – Shark 9988 Commented Oct 4, 2020 at 17:23

1 Answer 1

I remove the file, nothing append, so i think it's garbage !