
sec.php Exploit

Posted: 09 Aug 2011, 06:57
by adsparmar

My domain:

I recently shifted from Godaddy servers to Hostgator on 1st Aug 2011. Everything was working fine today until the time I went for a coffee break, came back, refreshed my site and everything was just gone. I immediately caught hold of the tech support guy from Hostgator who told me that sec.php was used to delete all my content from my website. He said that this url can be opened from anywhere in the world to remove content if someone wishes to.


What's interesting is that he told me to stay away from Suffusion as sec.php was installed by the theme itself and did not exist before that. What I want to know is whether this is true or not? Also, I've attached my entire chat log with the tech support rep for your scrutiny.

I've lost my entire website and now I have to reinstall wordpress from scratch and build everything again. My 7-8 pages worth of content is gone, my hits are gone and I'm back to square one.

Re: sec.php Exploit

Posted: 09 Aug 2011, 09:38
by Colin
I have just checked 2 of my wp installs that have Suffusion as the theme and neither has sec.php anywhere on the site. Maybe Hostgator is just blowing smoke. I know that they have some serious issues running WordPress on their servers. Check out the WordPress forums for more information.

Re: sec.php Exploit

Posted: 09 Aug 2011, 10:28
by sayontan
Colin wrote: Maybe Hostgator is just blowing smoke.
HostGator is definitely blowing smoke.

You can validate this by looking at the source of the theme: This is the source that is distributed from WP. Take a look at any branch that you want and see if you can spot anything that looks remotely fishy. You will see neither sec.php nor sym in there.

Also note that every theme distributed via the WP repository ( is thoroughly checked for issues such as this. There is no way a theme you got from there could have this exploit. Every theme is checked for existence of calls such as "fopen" or "file_get_contents" or "base64_encode" or "base64_decode" - the first 2 can be exploited by hackers, and the last 2 indicate a hack in several cases. Suffusion has none of these.

So how did you get it? Quite a few ways are possible. Recently there was a vulnerability that was exposed in TimThumb. If any of your installed themes has TimThumb (your themes don't have to be activated - just being installed makes TimThumb accessible), then a hacker might have exploited it. Depending on the potency of the installed script, it is possible that somebody else's account on your host's server was infected and that person managed to write a script to your account.

Another way to get this exploit is if you downloaded the theme from a site other than There is enough literature on the web warning people to not download themes from sites offering them for free.
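The checks sayontan describes (looking for fopen, file_get_contents, base64_encode and base64_decode, plus the warning that a bundled TimThumb is reachable in any installed theme) can be run by a site owner against their own wp-content/themes directory. The scanner below is an added example, not code from the forum or from Suffusion; the theme files it writes are constructed stand-ins with made-up names.

```python
import re
import tempfile
from pathlib import Path

# Calls the WP theme review flags (per the post above): the first two can read or write files,
# the last two usually hide an encoded payload. Suffusion contains none of them.
SUSPICIOUS_CALLS = ("fopen", "file_get_contents", "base64_encode", "base64_decode")
# Match a bare call name followed by "(", not a longer identifier such as my_fopen(.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(SUSPICIOUS_CALLS) + r")\s*\(")

def scan_theme_dir(root):
    """Walk every .php file under root and return {relative_path: [(line_no, reason), ...]}.
    A file named timthumb.php is reported (line 0) even with no flagged call, because it is
    reachable as long as the theme is installed, active or not."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = []
        if path.name.lower() == "timthumb.php":
            hits.append((0, "timthumb.php present"))
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for match in CALL_RE.finditer(line):
                hits.append((lineno, match.group(1)))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed sample theme tree; these files are stand-ins, not real theme code.
SAMPLE_FILES = {
    "cleantheme/functions.php": "<?php\nfunction my_setup() { add_theme_support('menus'); }\n",
    "cleantheme/header.php": "<?php get_header(); ?>\n",
    "oldtheme/sec.php": "<?php\n$data = base64_decode($encoded);\n$fh = fopen($target, 'w');\n",
    "oldtheme/timthumb.php": "<?php\n// stand-in for a bundled image resizer\n",
}

def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="themes-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root

if __name__ == "__main__":
    for rel, hits in scan_theme_dir(build_sample_tree()).items():
        for lineno, reason in hits:
            print(f"{rel}:{lineno}: {reason}")
```

Point scan_theme_dir at the real wp-content/themes directory instead of build_sample_tree() to audit an installation; a hit is a reason to read the file, not proof of compromise, since legitimate plugins also use these functions.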

Re: sec.php Exploit

Posted: 09 Aug 2011, 11:09
by adsparmar
Thanks for your replies Colin and Sayontan!

The problem is, I'm not that good with php and so easily got fooled by a random reason thrown at me. As far as suffusion is concerned, this is not the first time I've used it. Never before has such a thing ever happened. In fact, my sister's website is running on suffusion as well. I've always downloaded it from wp-admin panel's inbuilt theme search. I'm not aware if any plugin caused this but then, I never download plugins from anywhere else but

Thanks for pointing me in the right direction. I'm going to reinstall suffusion whether they like it or not and I'll make sure all the other default themes and useless plugins are deleted altogether. It sure will take some time but I guess this is how I'm gonna stick it to them.


Re: sec.php Exploit

Posted: 09 Aug 2011, 11:18
by sayontan
On shared hosting sites you might consider quite a few things:
1. If you are installing your site anew, create a new user for it and install it there.
2. For each site you own do the installation for a new user.

Note that if there are infected users on the same hosted server, that itself can cause issues - I once spotted a file in my directories that had somebody else's name set as the creator, indicating some major hole in the server's security. Also see if this post applies to you in terms of security tightening: viewtopic.php?f=4&t=5133&p=21215#p21933.

Re: sec.php Exploit

Posted: 03 Oct 2015, 10:47
by ganddy
Additionally, even if the WordPress install is finished, it doesn't mean everything is done. You need to run a penetration test on your site so you would know the possible exploits. Hackers today actually target WordPress sites. Lots of plugins mean lots of possible exploits.