I have a Windows Server 2008 R2 / IIS 7.5 server hosting several WordPress websites.
The server is fully patched, all WordPress sites are running the latest version of WordPress, and all WordPress plugins are up to date.
I am constantly finding suspicious .php files created in the root folder of these WordPress sites and I cannot figure out how they are getting there. Each site runs in its own App Pool and the permissions are as follows...
CREATOR OWNER: Special Permissions
IUSR: Modify, Read & Execute, List Folder Contents, Read, Write
SYSTEM: Full Control
Administrators: Full Control
Users (servername\Users): Read & Execute, List Folder contents, Read
IIS_Users (servername\IIS_IUSRS): Read & Execute, List Folder Contents, Read
TrustedInstaller: Full Control
When I look at the log files and filter out HTTP 200 responses I can see entries such as the following...
sc-status: 200
c-ip: IP address of offender
cs-method: POST
cs-uri-stem: /slic.php (This is the name of the file created in the root)
cs-uri-query: grLSEfzn=bVThQuD&TlgJPKWgf=bEYfzOzBq&HunLSRs=MHYMXRLiEszvEXL&cRAcFJfE=pkcLK
The cs-uri-query values have different iterations of strings.
It seems as if some payload is being posted to the server over HTTP, which is creating these random .php files such as slic.php.
I am banning the IP addresses when I see the requests in the logs but would very much like to put a stop to this once and for all.
I have tried tightening the security permissions, but then I find that customers cannot install or update WordPress plugins.
Any help, pointers or insight would be very much appreciated.
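As an added example (not code from the original post), here is a small Python script that parses IIS W3C log lines and flags the request pattern described above: a request to an unknown .php file sitting directly in the site root, with query-string keys that look randomly generated. The sample log text, the client IPs and timestamps, and the allowlist of WordPress root files are constructed for the example; only the /slic.php request and its query string mirror the entry quoted in the post.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample of an IIS 7.5 W3C log. The /slic.php line reproduces the request
# from the post; the other lines, IPs and timestamps are made up for this example.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-03-01 10:00:01 10.0.0.5 GET /index.php - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 120
2015-03-01 10:00:05 10.0.0.5 POST /wp-login.php - 80 - 198.51.100.7 Mozilla/5.0 302 0 0 80
2015-03-01 10:01:10 10.0.0.5 POST /slic.php grLSEfzn=bVThQuD&TlgJPKWgf=bEYfzOzBq&HunLSRs=MHYMXRLiEszvEXL&cRAcFJfE=pkcLK 80 - 203.0.113.9 Mozilla/4.0 200 0 0 45
2015-03-01 10:02:00 10.0.0.5 POST /wp-admin/admin-ajax.php action=heartbeat 80 - 198.51.100.7 Mozilla/5.0 200 0 0 30
"""

# PHP files a stock WordPress install legitimately has in the site root. Any other .php
# file at root level is worth a look. (Assumed allowlist; extend it for your own sites.)
WP_ROOT_FILES = {
    "index.php", "wp-login.php", "wp-cron.php", "xmlrpc.php", "wp-comments-post.php",
    "wp-signup.php", "wp-trackback.php", "wp-activate.php", "wp-mail.php",
    "wp-links-opml.php", "wp-blog-header.php", "wp-load.php", "wp-settings.php",
    "wp-config.php",
}


def parse_w3c(text):
    """Yield one dict per request line, taking column names from the #Fields: directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        yield dict(zip(fields, values))


def shannon_entropy(s):
    """Bits of entropy per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(token):
    """Heuristic for generated parameter names: alphabetic, mixed case with several
    case switches, and high entropy. Real WordPress keys (action, _wpnonce, post_id)
    are lowercase with underscores and never match."""
    if not re.fullmatch(r"[A-Za-z]{6,}", token):
        return False
    switches = sum(1 for a, b in zip(token, token[1:]) if a.isupper() != b.isupper())
    return switches >= 2 and shannon_entropy(token) >= 2.5


def classify(rec):
    """Return the reasons a request is suspicious; an empty list means nothing notable."""
    reasons = []
    stem = rec.get("cs-uri-stem", "")
    query = rec.get("cs-uri-query", "-")
    m = re.fullmatch(r"/([^/]+\.php)", stem)
    if m and m.group(1) not in WP_ROOT_FILES:
        reasons.append("unknown php file in site root")
    if query != "-":
        keys = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
        # flag when at least half of the keys (and at least two) look generated
        if keys and sum(looks_random(k) for k in keys) >= max(2, len(keys) // 2):
            reasons.append("random-looking query keys")
    return reasons


def find_suspicious(text):
    """Scan a log and return one finding per suspicious request."""
    findings = []
    for rec in parse_w3c(text):
        reasons = classify(rec)
        if reasons:
            findings.append({
                "ip": rec.get("c-ip"),
                "method": rec.get("cs-method"),
                "stem": rec.get("cs-uri-stem"),
                "status": rec.get("sc-status"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['stem']} ({f['status']}): {', '.join(f['reasons'])}")
```

Run it against a real log directory by reading each file and passing its contents to find_suspicious; a hit on an unknown root-level .php file is also the cue to compare that file's creation time against the log to find the earlier request that wrote it.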