• Can anyone provide insight as to what “Backdoor:PHP/tc9a16” is? I’ve had a few sites running Wordfence Premium pick up on this.

    Generally, I’m seeing a non-core file being placed into one of the subfolders of /wp-includes/js/ (seems to be a random subfolder each time). It’s a malicious php file that mimics the name and date of a legitimate .js file in the directory.

    Once Wordfence picks up on it, I notice that my theme’s 404.php file has been compromised as well. Seems to happen repeatedly.

    I’ve done some searching on this but not turning up a whole lot of useful info. I’d like to try and close this thing up.

Viewing 2 replies - 1 through 2 (of 2 total)
  • I’m interested in this too. I just had the same thing happen with a site. It affected the 2016 theme. I deleted that. Then I rescanned and got “Many c99 variants including NFM, Perl, Predator, CTT, r57 and Redhatc99.” That affected the 2017 theme, so I then deleted that too.

  • Hi,
    This seems to be related to that old malware reported here; there might be other infected files on the server, and you will have to find the entry point from which the attacker uploaded this malware. Checking the timestamps on the files and matching them with entries in the server’s access logs might help; otherwise you might need to hire a professional security analyst to do site cleaning.

    Thanks.
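The timestamp-to-access-log matching the reply suggests, written out as an added example (not from the thread, Wordfence or WordPress): it assumes combined-format web server logs, and the log lines, file paths, IPs and times are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (an assumed format; the thread shows no logs).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
PHP_UNDER_JS = re.compile(r"/wp-includes/js/.*\.php$")  # what the original post describes

def parse_log_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def correlate(modified_files, log_lines, window=timedelta(minutes=2)):
    """Map each (path, change_time) pair to the requests logged within +/- window of it.
    In real use take change_time from os.stat(path).st_ctime via datetime.fromtimestamp(..., timezone.utc):
    st_mtime can be forged with touch (the post says the dropper copies the .js file's date), st_ctime on Linux cannot."""
    parsed = [r for r in map(parse_log_line, log_lines) if r]
    return {path: sorted((r for r in parsed if abs(r["ts"] - when) <= window),
                         key=lambda r: r["ts"])
            for path, when in modified_files}

def suspect_ips(hits):
    """IPs that, near a file change, POSTed or requested a .php file under wp-includes/js/."""
    return {r["ip"] for recs in hits.values() for r in recs
            if r["method"] == "POST" or PHP_UNDER_JS.search(r["path"])}

# Constructed sample data: paths, IPs (RFC 5737 documentation ranges) and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:12:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2018:10:15:40 +0000] "POST /wp-includes/js/tinymce/plugin.min.php HTTP/1.1" 200 0 "-" "python-requests/2.18"
198.51.100.9 - - [12/Mar/2018:10:15:58 +0000] "POST /wp-content/themes/twentysixteen/404.php HTTP/1.1" 200 12 "-" "python-requests/2.18"
203.0.113.7 - - [12/Mar/2018:11:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
"""
MODIFIED_FILES = [
    ("wp-includes/js/tinymce/plugin.min.php", datetime(2018, 3, 12, 10, 15, 41, tzinfo=timezone.utc)),
    ("wp-content/themes/twentysixteen/404.php", datetime(2018, 3, 12, 10, 15, 59, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    hits = correlate(MODIFIED_FILES, SAMPLE_LOG.splitlines())
    for path, recs in hits.items():
        print(path, [(f"{r['ts']:%H:%M:%S}", r["ip"], r["method"]) for r in recs])
    print("suspect IPs:", suspect_ips(hits))
```

Feed it the real change times and the full access log, and the output is the short list of requests (and source IPs) to read first when looking for the upload entry point.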
