C99 Webshell targets WordPress websites

 


Hackers are using the C99 Webshell to compromise websites running WordPress. According to a report by IBM Managed Security Services, these attacks increased by 45% in March compared to February.

All compromised websites have a file named pagat.txt on the system. The file contains obfuscated PHP code that notifies the attackers by email of a successful compromise and executes the C99 Webshell. Since this is just a text file, the attackers must use a PHP file inclusion vulnerability in some WordPress plugin (phpThumb?) to execute the script, and they must also be able to upload the file to the system.

According to Google, there are 31 000 results for the pagat.txt query, meaning that the infection is widespread.

If you have this file on your website, most likely you have been hacked. If you need help removing the infection and eliminating the attack vector, please contact us by email. We will help you restore your website functionality for free.
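To check a web root for this indicator, the following Python script (an added example, not code from the original article or from the IBM report) looks for pagat.txt and for any non-PHP file that contains PHP code, since the payload described above is a text file run through file inclusion. The extension list, the marker functions and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

IOC_NAMES = {"pagat.txt"}  # file name reported in the article
NON_PHP_EXT = {".txt", ".log", ".jpg", ".jpeg", ".png", ".gif", ".ico"}  # assumed list
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# Assumed generic obfuscation/notification markers; the article does not list them.
MARKERS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13|mail)\s*\(", re.I)

def scan(root, max_bytes=1_000_000):
    """Return sorted (relative_path, reasons) for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = ["ioc-filename"] if name.lower() in IOC_NAMES else []
            if os.path.splitext(name)[1].lower() in NON_PHP_EXT:
                try:
                    with open(path, "rb") as fh:
                        data = fh.read(max_bytes)
                except OSError:
                    data = b""  # unreadable: keep any file-name hit, skip content checks
                if PHP_TAG.search(data):
                    reasons.append("php-in-non-php-file")
                    hits = sorted({m.group(1).lower().decode() for m in MARKERS.finditer(data)})
                    if hits:
                        reasons.append("markers:" + ",".join(hits))
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        samples = {  # constructed sample files, not real malware
            "pagat.txt": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
            "wp-content/uploads/readme.txt": b"Plain release notes.",
            "wp-content/uploads/logo.png": b"\x89PNG<?php mail('a','b','c'); ?>",
            "index.php": b"<?php echo 'home'; ?>",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan(root)

if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, reasons)
```

On a real site, call `scan()` with the WordPress document root; a hit on a non-PHP file with PHP code deserves review even when the file name differs from pagat.txt.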
