Backdoor found in Wordfence by other services
-
FILE PATH: wp-content/plugins/wordfence/tmp/wordfence_tmpfile_wfsd_engine.php
DEFINITION: php.backdoor.webshell_gen.008
I was notified of this by another piece of security software. Hope this is just a leftover from my previous attacks.
-
If the file still exists, can you send a copy to me? My email address is mattr (at) wordfence.com
If the file is already gone, it might be a false positive from the other service, since the file contains temporary data from a Wordfence scan and would normally be removed at the end of a scan.
If a scan is not currently running, it is normally safe to remove it. If it is actually infected, it might be loaded by malware in a different part of the site, so removing it could potentially stop the site from working, but this would be rare. If it did, I could help track down where it is loading from, if needed. Let me know what you find.
-Matt R
I want to start this post saying that I think Wordfence plugin is probably the best and most useful plugin I have ever used.
But then, this is the issue I am facing with Wordfence.
My site was hacked right after I enabled the Wordfence Falcon Engine.
After cleaning up the site, it was hacked several more times.
After a long search, I realized that the hacker was using one of the WordPress files for writing the code that steals the site's information.
The file is: /wp-content/plugins/wordfence/tmp/configCache.php
Initially I deleted the file, but it kept coming back, so I deleted the /tmp/ folder. It came back.
So I proceeded to delete the plugin, manually deleted all Wordfence tables and only then reinstalled Wordfence. But to my dismay, I found that the malicious code kept being written to the file as soon as I enabled the plugin.
To this day, I have not been able to locate where the spurious code is nested, so I have to keep Wordfence disabled. A new installation is out of the question as the site has massive amounts of posts and data.
I will very much appreciate any help.
Got something similar (@majofa): now three times over the course of 2 months, 'they' managed to create a new admin user – without logging in. We only found out when WF alerted us (yes, thank you, WF!). Ran a scan, found some bad files, deleted them. No luck. Then complete new WP install, with only 5 trusted (!) plugins, changing account and password. Same thing.
Our host just says it must be a file on the server – nice… which one then, as no scanner (WF nor Sucuri) finds anything suspicious?
It only happens on one site, using a premium theme that we use on other sites as well. I realize this is not much help, but it might be a confirmation that something more serious needs to be fixed (either in WP or in server software?).
FWIW: configcache.php is only 1.3kb on my site. But, we do have an .htaccess file in the tmp folder – you might want to look into adding it to your folder?
majofa, try this: https://www.ads-software.com/plugins/gotmls/
You do have to register to download latest definitions but it’s free and very effective.
@trois there is an .htaccess file in the tmp folder.
And one interesting thing: even if I disable the WF cache and delete the /tmp/ folder, in a few seconds the folder and the file with the malicious code are created again, including the .htaccess file.
I am running gotmls as per @yitwail's advice and found some interesting results. The malware scan returned a list of .js files marked as potential threats.
I am reviewing each one of them very carefully and I will post the results.
@yitwail – thanks for the link – installed it and found something 'weird'.
First run, it marked wp-config.php as a threat – inside there were these lines:
/** Outputs the WordPress header. */
//require_once(ABSPATH . 'wp-head.php');
As is – meaning, the second line was commented out – probably by some other plugin, as it refers to a non-WP-core file: wp-head.php – which was not present (anymore?) on my server… and appears to be malware (others reporting it).
After removing both lines, GotMLS only flags the .js files – they seem legit, as otherwise Wordfence would flag them as non-core files?
@majofa: check that new .htaccess file as well (just to be sure), although I figure Wordfence creates it (as I have it in my tmp folder as well). I will post the list of .js files here.
@majofa (as I can’t PM you):
these are the 14 files that GotMLS marked as potential threat – hope this helps.
(I grouped them: the first group is generic WP plus Wordfence)
…/public_html/wp-content/plugins/wordfence/js/jquery-ui-timepicker-addon.js
…/public_html/wp-includes/js/json2.js
…/public_html/wp-includes/js/json2.min.js
…/public_html/wp-includes/js/tw-sack.min.js
…/public_html/wp-includes/js/tinymce/tiny_mce_popup.js
…/public_html/wp-includes/pomo/translations.php
IWP:
…/public_html/wp-content/plugins/iwp-client/init.php
…/public_html/wp-content/plugins/iwp-client/pclzip.class.php
Theme:
…/public_html/wp-content/plugins/fusion-core/admin/page-builder/assets/js/editor.js
…/public_html/wp-content/themes/Avada/assets/js/external_plugins.js
…/public_html/wp-content/themes/Avada/assets/js/ilightbox.js
…/public_html/wp-content/themes/Avada/assets/js/jquery.carouFredSel.js
…/public_html/wp-content/themes/Avada/assets/js/main.js
…/public_html/wp-content/themes/Avada/assets/js/main.min.js
@majofa: The configCache.php file is re-generated by Wordfence intentionally, to cache commonly used options (different from the page caching options), but you can disable it by turning on "Disable config caching" near the bottom of the Wordfence Diagnostics page. Are you certain the code you're seeing is malicious? The code we write there is a serialized object, so it does look different from normal PHP files.
@trois: Creating a user without WordPress access could be caused by a malicious file like the host mentioned — if that is the case, you can check the time that you received notice from the Wordfence plugin about the login, and see if there are suspicious hits in the site’s access log file around the same time. If not, there’s a chance that the attacker has direct access to your mysql database (changing the mysql password would stop that though), or one of the plugins has an undiscovered bug. It’s also possible (though rare these days), that the file permissions are set such that other users on the server can write files in your site’s directory.
We also have a guide here, to help clean hacked sites. Some of the more aggressive scan options in Wordfence may find additional files, and there are recommendations on updates, passwords, etc., which may help prevent reinfection:
How to clean a hacked website
-Matt R
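Matt's suggestion above (take the time of the Wordfence alert and read the access log around it) is easy to do by hand for one incident, but a short script makes it repeatable. The following is an added example written for this thread; it is not Wordfence code. The log lines and the alert time are constructed samples in Apache "combined" format, the heuristics (direct hits on PHP under wp-content, POSTs, user-management pages, xmlrpc.php) are this example's own choices, and each flagged line is a lead to read, not a verdict.

```python
"""Pull the access-log requests around an alert time and flag the ones to read first.
Added example for this thread, not Wordfence's own code. Sample log lines and the
alert time below are constructed, not from a real server."""
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" format. Only the fields up to the status code are
# required to match, so the referer/user-agent may be absent or odd.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# PHP entry points a normal WordPress site is expected to receive hits on.
EXPECTED_PHP = ("/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
                "/wp-comments-post.php", "/wp-trackback.php", "/wp-admin/")

# Constructed sample log (IPs are documentation ranges, paths are made up).
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2015:10:02:11 +0000] "GET /wp-content/uploads/2015/05/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
203.0.113.7 - - [14/May/2015:10:03:40 +0000] "POST /wp-content/uploads/2014/11/img.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [14/May/2015:10:04:02 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [14/May/2015:10:05:30 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
192.0.2.55 - - [14/May/2015:12:45:00 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["path"] = e["path"].split("?", 1)[0]  # drop the query string
    return e


def suspicious_reasons(e):
    """Heuristics only: each reason is something to look at, not proof of compromise."""
    reasons = []
    path = e["path"]
    if path.endswith(".php") and path.startswith("/wp-content/"):
        reasons.append("PHP executed under wp-content (uploads/plugins/themes)")
    elif path.endswith(".php") and not path.startswith(EXPECTED_PHP):
        reasons.append("PHP outside the normal WordPress entry points")
    if e["method"] == "POST":
        reasons.append("POST request")
    if path in ("/wp-admin/user-new.php", "/wp-admin/users.php", "/wp-admin/profile.php"):
        reasons.append("user-management page")
    if path == "/xmlrpc.php":
        reasons.append("XML-RPC endpoint")
    return reasons


def hits_around(log_text, alert_time, window_minutes=30):
    """All parsed requests within +/- window_minutes of alert_time, oldest first.
    alert_time may be an aware datetime or an ISO-8601 string with offset.
    Each entry carries a 'reasons' list (empty when nothing stood out)."""
    if isinstance(alert_time, str):
        alert_time = datetime.fromisoformat(alert_time)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and abs(e["time"] - alert_time) <= window:
            e["reasons"] = suspicious_reasons(e)
            hits.append(e)
    return sorted(hits, key=lambda h: h["time"])


if __name__ == "__main__":
    # Pretend the "new admin user" e-mail arrived at 10:04:30 UTC.
    for h in hits_around(SAMPLE_LOG, "2015-05-14T10:04:30+00:00"):
        flag = ("  <-- " + "; ".join(h["reasons"])) if h["reasons"] else ""
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], h["status"] + flag)
```

On a real site, feed it the raw log (`hits_around(open("access.log").read(), "<alert time>")`) and widen the window if the alert e-mail was delayed. A POST to a .php file under wp-content/uploads shortly before a user was created is the classic pattern for an uploaded webshell; a hit on user-new.php from an IP that never logged in through wp-login.php points at a stolen cookie or a plugin bug instead.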
Thanks Matt,
I’m gonna save your ‘potential hacks’.
Would it be possible, once they have access to the DB, to add malicious code in a table? And if so, does Wordfence scan for that? How else would one detect it within the DB?
When I reinstalled the site (latest WP and theme), I didn’t specifically scan the DB (not even sure what tool to use) – so, theoretically it could still be in there? (my host said they checked the DB, as there were 75 (!) admin accounts in it – they removed them manually – but nothing about potential malicious code).
Thanks for that guide as well!