._ Unknown files in WordPress core (Version 6.1.11)

Matt

Thanks for the clarification, it is really appreciated. Time to go have a clean up it would appear.

– Neil.

@neilcford – I am getting the same notifications on those files. If you update doing something like wget .. tar xzvf .. then you won’t delete those files if they existed in a previous version of wordpress. Which is my case.

@wfmattr – as a suggestion, maybe checking the files and in the notification mention they were previously part of wordpress core but no longer and mentioning that in the notification? You should be able to md5sum the files and determine if they are part of some exploit or old wordpress core.

I’ll submit to your link as well.

Matt

Thanks for the explanation.

These are the files that Wordfence is returning as “unknown”.

wp-admin/.bt
wp-admin/data.txt
wp-admin/edit-form-tags.php
wp-admin/includes/class-wp-admin-list-table.php
wp-admin/includes/class-wp-filesystem-admin.php
wp-admin/includes/jquery.php
wp-admin/link-parse-editor.php
wp-admin/link-parse-form.php
wp-admin/link-parse-gate.php
wp-admin/media-parse-new.php
wp-admin/options-admins.php
wp-admin/plugin-change.php
wp-admin/scripts/script1.php
wp-admin/scripts/script211.php
wp-admin/scripts/script3.php
wp-admin/scripts.zip
wp-includes/.DS_Store
wp-includes/SimplePie/Net/IPv4.php

Hi Matt,

Thanks for your quick response to this issue. I see you’ve marked this case as resolved. Unfortunately the the latest update 6.1.12 generates the exact same ~1040 list of unknown ._* file warnings as the previous version.

Tested on different sites with the same results.

All files concerned start with ._ and all are found within the wp-admin/ and wp-includes/ directories.

If you’d like me to start a new thread, I’d be happy to do so. Or maybe you could re-open this thread?

Many Thanks
Steve

@Hue Marketing:
I’ve reopened it since this was originally your thread. I misunderstood your original request and thought you had meant the entire filename was “._”, so can you give some examples of filenames? If you want to post the full list, please use pastebin.com or similar, and just post a link here (per www.ads-software.com rules for long posts).

@david: Some of the files in your list look suspicious — I recommend checking our guide to cleaning a hacked website. If you need more help, please make a new post using the form at the bottom of the Wordfence forum here.

-Matt R

Hi Matt,

Thanks for re-opening the thread.Please find attached link to a complete list of files starting with ._ that have been flagged by Wordfence. I hope it helps.

Complete list of files in pastebin

Below is a small sample:
wp-admin/._about.php
wp-admin/._admin-ajax.php
wp-admin/._admin-footer.php
wp-admin/._admin-functions.php
wp-admin/._admin-header.php
wp-admin/._admin-post.php
wp-admin/._admin.php
wp-admin/._async-upload.php

Many Thanks
Steve

Thanks Steve, I’ve sent this onto the dev team and we’ll address it in an upcoming version. (Reference number FB2303.) In the meantime, if you need to avoid seeing these in the scan results, you can turn off “Scan wp-admin and wp-includes for files not bundled with WordPress” on the Wordfence options page. Since this was a new type of scan, turning off this option will still let the existing scans run without cluttering the results.

-Matt R

Sorry, just want to verify that nothing needs to be done if getting the same files as noted by neilcford? I have the same warnings.

I’d also like to verify the files noted by @neilcford are safe. I have the same warnings.

Matt

I just went through all the files. All but one were empty. I’ve cleaned them all out and run another scan. It didn’t find anything, but in the Scan Detailed Activity window, the following popped up:

Notice: Undefined index: coreUnknown in /home4/rxxxxxxx/public_html/wp-content/plugins/wordfence/lib/wordfenceHash.php on line 141

Please advise.

I was relieved, soory to say, that others are having these strange alerts, but my seven sites affected so far (on two hosts) are a different list than pasted above. Other scans find no malware. Do we wait this one out?

Feeling much better, well not about the error but that I am not the only one. Here’s my error…

Notice: Undefined index: coreUnknown in /home/blah, blah, blah…/wp-content/plugins/wordfence/lib/wordfenceHash.php on line 141

Oddly, this is only happening on one of my sites, other one is just fine.

Just came across this thread! Ensuring that there is indeed a Unknown file in WordPress core issue as i received the following wordfence alert for the below files. My concern is pretty high right now; do I just wait for a Wordfence Security update??

Looks like i have Version 6.1.12

Warnings:
* Unknown file in WordPress core: wp-admin/css/colors/_mixins_bck_old.php
* Unknown file in WordPress core: wp-admin/css/colors/light/colors-rtl.min_backup.php
* Unknown file in WordPress core: wp-admin/css/colors/midnight/colors-rtl_old.php
* Unknown file in WordPress core: wp-admin/css/colors/ocean/colors_bck_old.php
* Unknown file in WordPress core: wp-admin/css/farbtastic-rtl_infoold.php
* Unknown file in WordPress core: wp-admin/includes/dashboard_ver1.php
* Unknown file in WordPress core: wp-admin/js/editor.min_ver1.php
* Unknown file in WordPress core: wp-admin/maint/repair_new.php
* Unknown file in WordPress core: wp-admin/ms-options_ver1.php
* Unknown file in WordPress core: wp-admin/user/freedoms_new.php
* Unknown file in WordPress core: wp-includes/SimplePie/Parse/Date_bck_old.php
* Unknown file in WordPress core: wp-includes/Text/Diff/Engine/native_ver1.php
* Unknown file in WordPress core: wp-includes/Text/Diff/Renderer/inline_ver1.php
* Unknown file in WordPress core: wp-includes/images/down_arrow_indesit.php
* Unknown file in WordPress core: wp-includes/js/tinymce/plugins/7e1f37f0_indesit.php
* Unknown file in WordPress core: wp-includes/js/tinymce/plugins/tabfocus/plugin_new.php
* Unknown file in WordPress core: wp-includes/js/tinymce/plugins/wpview/plugin_indesit.php
* Unknown file in WordPress core: wp-includes/js/tinymce/skins/wordpress/images/gallery-2x_infoold.php
* Unknown file in WordPress core: wp-includes/js/tinymce/themes/modern/theme_prevv1.php
* Unknown file in WordPress core: wp-includes/theme-compat/footer_ver1.php

Thanks Matt,

No worries, I have already deactivated the new scan feature so no problems there. If there’s any other information I can provide that might be of help, just let me know.

I look forward to the next release and once again thank you for your quick responses.

Many thanks
Steve

Matt

Like @david @ginawhipp in the Scan Detailed Activity window, I received the following error with the last version of Wordfence released yesterday:

Undefined index: coreUnknown (8) File: /home/xxxxxxx/public_html/wp-content/plugins/wordfence/lib/wordfenceHash.php Line: 141

On re-running the scan:
Undefined index: coreUnknown in /home/xxx/public_html/wp-content/plugins/wordfence/lib/wordfenceHash.php on line 141

Please take note.
Thank you