Hi Raul, sorry to hear that your sites got attacked.
I have never seen this kind of attack nor anyone else reported it. Have you check with your host support if they can trace in server access logs what was the vulnerable point that got exploited?
Strange, I would expect more details… Have you tried to scan your site with the Wordfence plugin to see if there any other files infected and get the list of all newly created/uploaded files?
Sharing this list might help other users recognize the same problem.
now I have clean all sites and change Wordfence settings and update all sites php to latest version. I will be on eye for now. If I detect another attack I will report a new topic with more details.
What plugin is/was in the ‘Update’ folder or was that created by the compromise ?
That would indicate a scripted attack which only looks for the ‘root’ of the website for the WP install.
What server platform are you using, is it CPanel ? Your service provider should have CXS/CSF installed which should block that activity. Assuming that it is not being accessed through a known account/password within the Wordpress install.
“Update” was the name of the plugin created and uploaded by the hacker. If you make a short search on google by “Bangladesh United Hackers” you will find how they act.
But I still not find the vulnerability on my sites