E-mail of unrecognized core changes

  • Resolved The One

    (@the-one-1)


    7 years, 7 months ago

    I got an E-mail saying my core files were changed and unrecognized I think it was. Since I got the E-mail on my phone I deleted it and now it doesn’t appear in my Thunderbird so I can go and see what exactly it said again. But the E-mail did list several core file changes. I know WP updated, so not sure why this plugin is giving me this warning. I never had such a warning before. It appears I am using WP version 4.8.1.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Author Paul

    (@paultgoodchild)

    I’m not sure what we can do here… since you don’t have the email. If it’s still the case, you’ll get another email in a day’s time and you’ll see. There are 2 possible emails you could receive. One to tell you core files have changed, or one to tell you that you have files there that shouldn’t be there. You will have to investigate them.

    If you don’t want to be notified of this, turn off the ‘Hack Protection’ module inside Shield.

    Hello,

    I think he is referring to the mails sent by the Hack Protection Module.
    I myself have also been receiving such mails for the last 4 days, always, pointing out that several files were not recognized:

    The following files do not match the official www.ads-software.com Core Files:
    – /wp-admin/uploader/upload.php
    – /wp-admin/uploader/pclzip.lib.php
    – /wp-admin/theme-uploader.php
    – /wp-admin/includes/upgrade.php.orig
    – /wp-admin/plugin-uploader.php
    – /wp-includes/functions.php.orig

    The first 2 messages were send by Plugin Version- 5.12.1.
    And the 2 last ones (so far) by Plugin Version- 5.12.2.

    That started after WP was updated (by shield!) to version 4.8.1.

    And I have received the same kind of message from all my WP websites.
    (And that is a lot of websites, so even a bigger lot of emails! ?? )

    It looks like Shield has not been updated to the last versions of these files…

    Regards,
    Fran?ois

    Plugin Author Paul

    (@paultgoodchild)

    Hi,

    So there are a number of important things to address here.

    1)

    I think he is referring to the mails sent by the Hack Protection Module

    – I know that that is what he was referring to, which is why I said to disable that module.

    2)

    That started after WP was updated (by shield!) to version 4.8.1

    – ‘Shield’ never updates your WordPress or plugins. Only your WordPress site does this. But you might get a notice from Shield to tell you that it happened. If you want to turn off WordPress automatic updates, Shield has a option for this. And if you want to turn off the notification, you can do this also.

    3)

    It looks like Shield has not been updated to the last versions of these files…

    These files listed by the email have nothing whatsoever to do with Shield. These files are in your core WordPress directories.

    4)
    These emails you are receiving have a link in them with ‘more info’. You need to click this link and read the article that explains what is going on here:
    https://www.icontrolwp.com/blog/eliminate-hacker-files-wordpress/
    If you do/don’t know what is going on, and you don’t want these notification emails, please turn off the hack protection module. These emails are there to direct you to take action because you may have hacked files in your WordPress installation.

    Taking your files list, for example, there is no folder called “uploader” in the official ‘wp-admin’ folder, and there is certainly no file called ‘theme-uploader.php’ in the latest official WordPress installation within the wp-admin folder.

    You need to take a closer look at the files. Read the documentation that comes with the plugin to understand what is happening.

    Again, the solution to not receiving these notices is to fix the files, or simply turn off the hack protection module.

    Thanks.
    Paul.

    Hi Paul,

    – ‘Shield’ never updates your WordPress or plugins. Only your WordPress site does this. But you might get a notice from Shield to tell you that it happened. If you want to turn off WordPress automatic updates, Shield has a option for this. And if you want to turn off the notification, you can do this also.

    OK, I took a shortcut in expressing myself.

    By default, WP does not update itself automatically.
    Shield, by default, set WP to automatically update (minor versions only).

    I should have written: “After Shield let WP update to version 4.8.1, as set by default by this plugin.”

    These files listed by the email have nothing whatsoever to do with Shield. These files are in your core WordPress directories.

    Bad choice of words again, I should have written:
    “It looks like Shield has not been updated to the most recent list of files, that have been modified by the last WP update.”

    These emails you are receiving have a link in them with ‘more info’. You need to click this link and read the article that explains what is going on here:
    https://www.icontrolwp.com/blog/eliminate-hacker-files-wordpress/
    If you do/don’t know what is going on, and you don’t want these notification emails, please turn off the hack protection module. These emails are there to direct you to take action because you may have hacked files in your WordPress installation.

    That is indeed why I have enabled that option.

    Taking your files list, for example, there is no folder called “uploader” in the official ‘wp-admin’ folder, and there is certainly no file called ‘theme-uploader.php’ in the latest official WordPress installation within the wp-admin folder.

    You need to take a closer look at the files. Read the documentation that comes with the plugin to understand what is happening.

    I did, and it appears that these files are automatically installed by Plesk Panel (that I am using to manage all my server) on all WPs.

    As it is not the less used panel, many people must have received a similar notice.
    I would not be surprised if others come to you in the future, mentioning these same files.

    This being said, I totally understand that your Hack Protection option would be limited to accepting only modified WP files as legitimate.
    Otherwise, its white-list would rapidly become enormous, and impossible to keep up to date.

    Let’s just say that I was a bit puzzled to receive, for 4 days in a row, a warning mail on the subject, with always the same list of files.
    When previously, this happened only once.

    I do not know if it is part of the last upgrades, but if it is, I think it would be interesting to have an option, saying roughly: “I only want to be warned once about new unidentified suspect files, and not everyday about the same files.”

    All that being said, let me congratulate you again on your kick-ass plugin, that has grown to become an indispensable feature to me.
    It should IMHO be included as standard in WP!

    Regards,
    Fran?ois

    • This reply was modified 7 years, 7 months ago by Fran?ois G..
    Plugin Author Paul

    (@paultgoodchild)

    Hey Fran?ois,

    Great! We’re on the same page then – but you should know WordPress does do automatic updates by default – minor versions only. Shield’s default settings actually mirror the WordPress defaults ??

    So the next update to this feature will bring 2x things:

    1) Scanning of the uploads directory for php/js files – not enabled by default, of course

    2) ability to provide custom exclude files list so in your case you can add these plesk files. (Frankly, plesk ought to not be adding this sort of thing, it’s just not necessary.)

    As to the option to only notify once, this is more complex than it sounds. It means we’ll need to store and track previous files. Not hugely complex, but not ideal. The custom excludes option will fix this.

    Very happy to hear you like the Shield plugin! Delighted to know that ?? We’ll keep the kick-ass features coming! ?? Have you had the joy of leaving us a plugin review yet as I know you’ve been with us for several years now? ??

    Thanks!
    Paul.

    Great! We’re on the same page then – but you should know WordPress does do automatic updates by default – minor versions only. Shield’s default settings actually mirror the WordPress defaults ??

    A day when I learn something is not a lost day!
    Thanks for enlightening me.

    So the next update to this feature will bring 2x things:

    1) Scanning of the uploads directory for php/js files – not enabled by default, of course

    2) ability to provide custom exclude files list so in your case you can add these plesk files. (Frankly, plesk ought to not be adding this sort of thing, it’s just not necessary.)

    Perfect!

    As to the option to only notify once, this is more complex than it sounds. It means we’ll need to store and track previous files. Not hugely complex, but not ideal. The custom excludes option will fix this.

    I totally agree.

    Very happy to hear you like the Shield plugin! Delighted to know that ?? We’ll keep the kick-ass features coming! ?? Have you had the joy of leaving us a plugin review yet as I know you’ve been with us for several years now? ??

    I thought I hadn’t, but I actually did that a long while ago: WP 3.7.1!
    That explains why I had forgotten.
    (Or I’m getting too old… LOL!)

    Regards,
    Fran?ois

    Thread Starter The One

    (@the-one-1)

    Well, I got an E-mail again with changed files and a list of those files. It says, “Warning, unrecognized files.

    These are the files given to me in the E-mail:

    he following files do not match the official www.ads-software.com Core Files:
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/jquery.tinymce.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/langs/readme.md
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/atomic/alien/UuidTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/atomic/alien/ArrTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/atomic/core/MatcherTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/atomic/core/ConvertTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/atomic/core/UrlTypeTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/file/SelectionMatcher.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/file/ConversionsTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/alien/BookmarkTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/alien/UnlinkTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/ThemeTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/core/PredicateIdTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/core/MeasureTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/core/ElementMatcher.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/core/ActionsTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/core/SelectionMatcherTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/js/browser/core/LayoutTest.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/test/.eslintrc
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/demo/html/demo.html
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/demo/js/tinymce/inlite/Demo.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/demo/css/demo.css
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/file/Conversions.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/file/Picker.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/alien/Bookmark.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/alien/Uuid.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/alien/Arr.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/alien/Unlink.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/ui/Buttons.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/ui/Forms.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/ui/Panel.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/ui/Toolbar.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/ElementMatcher.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/Convert.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/Actions.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/Measure.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/SkinLoader.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/SelectionMatcher.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/Layout.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/UrlType.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/Matcher.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/core/PredicateId.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/src/main/js/tinymce/inlite/Theme.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/dent/depend.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/browser.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/bootstrap-browser.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/prod.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/bootstrap-atomic.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/bootstrap-prod.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/bootstrap-demo.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/demo.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/config/bolt/atomic.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/scratch/inline/theme.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/scratch/inline/theme.raw.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/scratch/compile/theme.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/themes/inlite/scratch/compile/bootstrap.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/pagebreak/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/importcss/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/autoresize/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/advlist/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/bbcode/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/noneditable/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/anchor/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/fullpage/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/example/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/example/dialog.html
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/codesample/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/codesample/css/prism.css
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/visualchars/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/wordcount/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/legacyoutput/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/insertdatetime/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/preview/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/visualblocks/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/visualblocks/css/visualblocks.css
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/layer/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/example_dependency/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/contextmenu/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/searchreplace/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/autolink/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/nonbreaking/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/code/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/link/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/table/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/save/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/print/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/template/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/textpattern/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-cool.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-kiss.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-cry.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-frown.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-innocent.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-yell.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-laughing.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-money-mouth.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-undecided.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-embarassed.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-tongue-out.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-surprised.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-smile.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-sealed.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-foot-in-mouth.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/img/smiley-wink.gif
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/emoticons/plugin.min.js
    – /home/systechf/public_html/toddexler.com/wp-includes/js/tinymce/plugins/imagetools/plugin.min.js

    Common theme here seems to be tinymce. I never had this happen before and I’m pretty sure I haven’t been hack since I have a WAF and I run a security wrapper that’s pretty powerful. I also have mod_security. In addition to that I use CloudFlare.

    Plugin Author Paul

    (@paultgoodchild)

    Please read here:
    https://icontrolwp.freshdesk.com/support/solutions/articles/3000069312

    • This reply was modified 7 years, 7 months ago by Paul.

    I’m getting these emails all of a sudden, too. I’ve checked with my host and the two files in question are valid files. Is there a way to create an exception for these particular files, while maintaining the core file scanner’s email report for other unrecognized files that might come up?

    Plugin Author Paul

    (@paultgoodchild)

    The next release will have the option to exclude file names.

    I started receiving these emails recently so I’m not exactly sure what’s considered bad or false positives.

    This is one of the emails I’ve received:
    wp-admin/css/colors/midnight/wp-category.php.
    wp-admin/includes/wp-block.php.
    wp-admin/uploader.php
    wp-includes/certificates/wp-register.php
    wp-includes/images/media/error.php
    wp-includes/js/imgareaselect/code.php
    wp-includes/js/mediaelement/xml.php
    wp-includes/js/swfupload/plugins/wp-find.php
    wp-includes/js/swfupload/plugins/wp-ping.php
    wp-includes/js/tinymce/plugins/wpeditimage/wp-register.php
    wp-includes/js/tinymce/include.php
    wp-includes/random_compat/session.php
    wp-includes/SimplePie/Cache/wp-theme.php
    wp-includes/SimplePie/Parse/wp-page-update.php
    wp-includes/SimplePie/XML/search.php
    wp-includes/SimplePie/wp-query.php
    wp-includes/Text/code.php
    wp-includes/widgets/start.php
    wp-includes/widgets/include.php
    wp-includes/class-wp-config.php
    wp-includes/include.php

    Another site we have is saying these ones:
    wp-includes/ID3/index.php
    wp-includes/customize/start.php
    wp-includes/widgets/mssqli.php
    wp-includes/widgets/init.php

    Plugin Author Paul

    (@paultgoodchild)

    https://icontrolwp.freshdesk.com/support/solutions/articles/3000069312

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘E-mail of unrecognized core changes’ is closed to new replies.