init.php reported as non-core & malicious – site dies if deleted

  • Resolved davidmcc3

    (@davidmcc3)


    9 years, 3 months ago

    Site upgraded to WP 4.3 and latest 2010 theme.
    Running WordFence on site to clear up hacking as favour.
    All fixed except /wp-includes/init.php – WordFence says this isn’t a core.theme, or plugin file.
    Yet when I delete it, site crashes with error. As I don’t have access to files or ftp, have to wait for hosting support to re-instate file.
    Is it really malicious (seems to have some odd code in it)?
    How do I get rid of it without breaking site?
    Thanks in anticipation of your help!

    https://www.ads-software.com/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author WFMattR

    (@wfmattr)

    If you’re able to see the site’s error log (in the site’s control panel possibly), it may mention which file tried to include init.php, when it was removed.

    It isn’t a part of the standard WP 4.3 installation, so I don’t think it should be there.

    If all of the other files are clean, it might be loaded from .htaccess or wp-config.php, since those vary on different sites and can’t be compared to the core files. You will probably need to get FTP access to the site to be able to clean it completely — you may be able to view/edit .htaccess or other files via a plugin, but I don’t know of any to recommend. You might also be able to download a backup of the site (either via the site’s control panel or a backup plugin), so you can at least view all of the files at will, and search for which one is loading the bad init.php.

    Thread Starter davidmcc3

    (@davidmcc3)

    Hi Matt (?)
    The hosting account is on quite an old package which doesn’t have ftp access or a control panel (I’m used to cPanel etc. on my hosting).
    I imagine it can be upgraded, but it might cost my friend (whose site this is).
    This is the trouble with doing favours!
    I’ve taken a backup with duplicator and installed it on my hosting. As you suspected, init.php is called from wp-config. It also calls wp-settings in the next line.
    I’ve commented out the line calling init.php – no effect on site (good news!). I’ve then renamed init.php to bin-it.php … site is still fine.
    I’ll have to ask the hosting company to edit the file and then remove the bad one.
    Thank you very much for your prompt help – much appreciated.
    I’ll be recommending my friend gets a premium WordFence license. We have a block, but I didn’t want to give him one of mine!

    Thread Starter davidmcc3

    (@davidmcc3)

    A quick update.

    Found two plugins (both required) to edit the wp-config from withjin WordPress (yes, I know it’s dangerous) – ‘CSS & JavaScript Toolbox’ and ‘WP Core Editor’.

    Commented out the init.php loader line, and then deleted the file (from within WordFence) … site still working, and WordFence reports no problems.

    All done.

    Thanks again for the help.

    Plugin Author WFMattR

    (@wfmattr)

    Great, it’s good to hear that it is solved!

    As long as you only needed the plugins for editing files temporarily, it is a good idea to delete them afterward. (You have probably done that already, but in case someone runs across this post with a similar problem in the future, I wanted to note it here.)

    -Matt R

    Thread Starter davidmcc3

    (@davidmcc3)

    Hi Matt

    Yes … plugins deleted … a good point to make.

    Best regards, David

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘init.php reported as non-core & malicious – site dies if deleted’ is closed to new replies.

Tags