During a routine analysis of a WordPress website for a new user, I noticed a file named wp-blogs.php in the public_html folder.
As an experienced WordPress user, I found the name itself suspicious, as I do not recall ever seeing a file called wp-blogs.php in WordPress core.
After opening the file, it was obvious that it is NOT part of the WordPress CMS.
As with the LeafMailer PHP script or the WSO shell, this script is NOT detected by ConfigServer eXploit Scanner (cxs), but Imunify360 DOES detect it!
The script itself doesn’t even deserve to be called a web shell, as it provides no option to execute arbitrary commands.
It provides a pretty basic file manager and some server information, but that’s pretty much it.
A notable feature is the “Kill Me” link, which tries to remove the script itself and prints the message “Sayonara Suckers!”
The file editor is also spartan:
The system information page gives a lot of useful information:
A lot of links in the code are loaded from the now-expired domain name xbox.nu, which at the time this script was uploaded looked like this:
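The two observations above that a defender can act on are the unexpected file name beside WordPress core and the strings the script carries (the “Sayonara Suckers!” self-delete message and resources loaded from xbox.nu). The script below is an added example written for this post, not code from the post or from any scanner it mentions: it lists top-level entries that are not part of a standard WordPress release, scans PHP files for the two indicator strings, and records a SHA-256 of each hit before anything else happens, since the script can delete itself. The core file list is the standard top-level layout of current WordPress releases; the EXPECTED_EXTRAS set and the PHP extension list are assumptions to adjust per site, and the demo webroot it builds is constructed, with a stand-in wp-blogs.php that contains only the two indicator strings.

```python
import hashlib
import tempfile
from pathlib import Path

# Files and directories that ship at the top level of a WordPress core release.
WP_CORE_TOP_LEVEL = {
    "index.php", "license.txt", "readme.html", "wp-activate.php",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php", "wp-admin", "wp-content", "wp-includes",
}
# Assumption: site-specific files that legitimately sit beside core; extend per site.
EXPECTED_EXTRAS = {"wp-config.php", ".htaccess", "robots.txt", "favicon.ico"}
# Assumption: extensions the web server treats as PHP on this host.
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}
# Indicators taken from the post: the self-delete message and the expired
# domain the script loads its resources from.
STRING_INDICATORS = ("Sayonara Suckers!", "xbox.nu")


def unexpected_top_level(webroot):
    """Names directly under the webroot that are neither core nor expected extras."""
    allowed = WP_CORE_TOP_LEVEL | EXPECTED_EXTRAS
    return sorted(p.name for p in Path(webroot).iterdir() if p.name not in allowed)


def string_hits(data):
    """Indicator strings present in the file contents, in STRING_INDICATORS order."""
    return [s for s in STRING_INDICATORS if s.encode() in data]


def scan_webroot(webroot):
    """Map relative path -> {'sha256', 'indicators'} for every PHP file that is
    either an unexpected top-level file or contains an indicator string.
    The hash is taken from the same bytes that were scanned, so a copy of the
    evidence exists even if the script removes itself afterwards."""
    root = Path(webroot)
    unexpected = set(unexpected_top_level(root))
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in PHP_EXTENSIONS:
            continue
        data = p.read_bytes()
        hits = string_hits(data)
        if hits or (p.parent == root and p.name in unexpected):
            findings[p.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "indicators": hits,
            }
    return findings


def build_demo_site():
    """Constructed throwaway webroot: a few placeholder core files plus a
    stand-in wp-blogs.php carrying only the two indicator strings."""
    root = Path(tempfile.mkdtemp(prefix="wpdemo_"))
    for name in ("index.php", "wp-login.php", "wp-config.php"):
        (root / name).write_text("<?php // placeholder\n")
    for d in ("wp-admin", "wp-content", "wp-includes"):
        (root / d).mkdir()
    (root / "wp-content" / "clean-plugin.php").write_text("<?php // benign\n")
    (root / "wp-blogs.php").write_text(
        "<?php // constructed stand-in, not the real script\n"
        "echo 'Sayonara Suckers!';\n"
        "echo '<img src=\"http://xbox.nu/x.gif\">';\n"
    )
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for rel, info in scan_webroot(site).items():
        print(f"{rel}: sha256={info['sha256']} indicators={info['indicators']}")
```

Run against a real public_html by passing its path to scan_webroot instead of build_demo_site. The top-level check is the cheap part and would have flagged wp-blogs.php on name alone; the string check is what lets you tell a renamed copy apart from a stray but harmless PHP file, and it is easy to extend with strings from other scripts you have handled.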