Over the past few weeks we've observed a wave of scanners targeting WordPress sites looking for backdoors with a parameter called slince_golden (a play on "Silence is Golden," used by WordPress on empty index files). It has been going on for a while, and it is not a new backdoor, but just recently we decided to look more into it since we could not find any articles or public information about it.

First, the scanners look mostly for these 3 files: .wp-content.php, .wp-includes.php, and .wp-admin.php, which do not exist in the standard WordPress installation. All of the requests include query strings such as ?slince_golden=test and additional encoded parameters like &is=%40ikisifre&m=[a-z]_. This is what the logs look like:
[REDACTED] 146.19.215.12 "GET /wp-admin/.wp-admin.php?slince_golden=test"
[REDACTED] 146.19.215.12 "GET /wp-content/.wp-content.php?slince_golden=test"
[REDACTED] 146.19.215.12 "GET /wp-include/.wp-include.php?slince_golden=test"
[REDACTED] 146.19.215.118 "POST /wp-includes/.wp-includes.php?slince_golden=true&is=%40ikisifre&m=drw_"
[REDACTED] 146.19.215.118 "POST /wp-admin/.wp-admin.php?slince_golden=true&m=sks_"
[REDACTED] 146.19.215.118 "POST /wp-content/.wp-content.php?slince_golden=true&m=zwf_"
Note that the presence of these files on a site strongly suggests a prior compromise (e.g., a webshell upload) and that the attackers are using them to reinfect the site and/or modify whatever malware they already uploaded there. Legitimate WordPress core directories should never contain dot-prefixed or duplicate-named PHP files. Detection tip: defenders are encouraged to set up alerts for access to hidden PHP files and to validate all core files against clean installs.
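As an added example (not code from the original post or from noc.org), here is the detection tip applied to access logs: a small Python checker that flags the slince_golden parameter, dot-prefixed PHP files (including the directory-mirroring names such as /wp-admin/.wp-admin.php seen above) and the f/c parameter pair mentioned in the analysis, then ranks the source IPs. The log lines it parses are constructed to match the format quoted above; the line layout and the indicator names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the shape of the logs quoted above (not real traffic): three scanner requests, two benign ones.
SAMPLE_LOG = """\
[REDACTED] 146.19.215.12 "GET /wp-admin/.wp-admin.php?slince_golden=test"
[REDACTED] 146.19.215.118 "POST /wp-includes/.wp-includes.php?slince_golden=true&is=%40ikisifre&m=drw_"
[REDACTED] 146.19.215.118 "POST /wp-content/.wp-content.php?f=base64_decode&c=ZWNobyAxOw%3D%3D"
[REDACTED] 203.0.113.7 "GET /wp-includes/js/jquery/jquery.min.js"
[REDACTED] 203.0.113.9 "POST /wp-admin/admin-ajax.php?action=heartbeat"
"""
# Assumed layout: <anything> <client ip> "<METHOD> <target>" ... (matches the redacted lines above).
LINE_RE = re.compile(r'^\S+\s+(?P<ip>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<target>[^"\s]+)')

def classify_request(target):
    """Return the indicators found in one request target (path + query); [] means nothing suspicious."""
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    segs = [s for s in parts.path.split("/") if s]
    name = segs[-1] if segs else ""
    reasons = []
    if "slince_golden" in params:
        reasons.append("slince_golden probe parameter")
    # WordPress ships no dot-prefixed PHP files, so /<dir>/.anything.php is never legitimate.
    if name.startswith(".") and name.endswith(".php"):
        reasons.append("hidden PHP file")
        # The backdoor file mirrors its parent directory name, e.g. /wp-admin/.wp-admin.php
        if len(segs) >= 2 and name == "." + segs[-2] + ".php":
            reasons.append("file named after its core directory")
    # f=<function>&c=<argument> is the execution pattern quoted in the analysis section.
    if "f" in params and "c" in params:
        reasons.append("f/c function-call parameters")
    return reasons

def scan_log(text):
    """Return (ip, target, reasons) for every log line carrying at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and (reasons := classify_request(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits

def top_ips(hits, n=5):
    """Rank source IPs by number of flagged requests, for a 'top scanners' summary."""
    return Counter(ip for ip, _, _ in hits).most_common(n)

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(*found, "top IPs: %s" % top_ips(found), sep="\n")
```

Feed it your real access log instead of SAMPLE_LOG; any hit on a hidden PHP file should also trigger a file-integrity check of the core directories against a clean install.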
Technical Analysis: What 'slince_golden' Is Really Doing
We only see the scanners looking for this backdoor, but we don't have access to any site compromised by it. However, searching online, we found the actual PHP code that is tied to the slince_golden keyword. It attempts to:

- r57shell[.]net, a known malicious domain for sharing backdoors.
- .wp-content.php and others inside core directories
- slince_golden as a test or trigger — returning <!-- //Silence is golden. --> to signal successful installation
- ?f=base64_decode&c=encoded_payload
Top IP Addresses Involved
From our monitoring, the following IPs have been the most active in scanning or attempting access using the slince_golden parameter in the past 7 days:
And that's it. We found it interesting to see that specific keyword in so many scans against multiple sites and decided to spend some time looking into it. Let us know if you want us to look into it further.