File appears to be malicious or unsafe: wp_auto_login_e7eb5fc1533296eec7c9ef1cc7

  • Resolved crissineon

    (@crissineon)


    2 years, 3 months ago

    Hello,

    after Scan i get [Aug 29 01:11:36] Adding issue: File appears to be malicious or unsafe: wp_auto_login_e7eb5fc1533296eec7c9ef1cc758bae9.php

    The File is under domain.com – public_html

    Downloaded the File and checked the content, please see here:

    <?php
//
// Automatically login a single WordPress user upon arrival to main page.
//
function auto_login() {
	if (!is_user_logged_in()) {
		// Admin user_id
		$admins = get_users(array('role'=>'administrator'));
		$user_id = $admins[0]->ID;
		$user = get_user_by( 'ID', $user_id );
		if ( !$user ) {
			error_log("wp_auto_login: user_id==1 not found redirecting to admin_url");
			$redirect_page = admin_url();
			wp_redirect( $redirect_page );
			exit();
		}
		$loginusername = $user->user_login;
		wp_set_current_user($user_id, $loginusername);
		wp_set_auth_cookie($user_id);
		// Go to admin area
		$redirect_page = admin_url();
		error_log("wp_auto_login: trying to login user_id==1 loginusername=$loginusername to admin_url=$redirect_page");
		wp_redirect( $redirect_page );
		exit();
	}
}

// Initialize wordpress
define( 'WP_USE_THEMES', true );

$time_since_script_creation = time() - stat(__FILE__)['mtime'];

// Delete itself to make sure it is executed only once
unlink(__FILE__);

if ( ! isset( $wp_did_header ) ) {
	$wp_did_header = true;

	// Load the WordPress library.
	require_once( dirname( __FILE__ ) . '/wp-load.php' );

	// If the user is already logged in just redirect it to admin area
	if ( is_user_logged_in() ) {
		$redirect_page = admin_url();
		wp_redirect( $redirect_page );
		exit();
	}

	// Avalon auto-login
	// If script is older than 30 minutes, doesn't log in as admin
	if ($time_since_script_creation < 30 + 60) {
		auto_login();
	}

	// Set up the WordPress query
	wp();

	// Load the theme template
	require_once( ABSPATH . WPINC . '/template-loader.php' );
}

    Is this a false positive or not?

    Thx!

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfphil

    (@wfphil)

    Hi @crissineon

    Some hosting providers provide a way to be able to automatically log in to your site from your hosting control panel, without the need to enter your username and password. Such methods can create such a file as the scanner has detected. Your hosting provider can check if this is the case for you.

    Hi @wfphil and @crissineon

    I am getting the same type of notices for each of my sites that has WordFence, saying that the file is unsafe.

    A Siteground representative informed me today that these are legitimate PHP files that assist in auto-login from their site. If I delete the file, it will be regenerated.

    Additionally, I got a WordFence notice about this PHP file for a WP staging site that had already been deleted before I received the notice. This might be a different issue altogether: why is WordFence reporting on a site that has been deleted?

    Plugin Support wfphil

    (@wfphil)

    Hi @crissineon

    Thank you for the update that your host confrims that the file is theirs and is safe.

    Scan results will remain in place after a file is deleted. The scan result will only update after a new scan has run.

    @wfphil,

    Thanks. Good to know.

    The staging site had been deleted a couple of weeks ago, I believe.

    How often are scans run?

    Plugin Support wfphil

    (@wfphil)

    Hi @commontater

    Thank you for the update.

    A full scan runs every three days:

    https://www.wordfence.com/help/scan/scheduling/

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘File appears to be malicious or unsafe: wp_auto_login_e7eb5fc1533296eec7c9ef1cc7’ is closed to new replies.