• Hi,

    I had some potentially malicious code in files like this (name changed):

    wp-content/cache/supercache/www.example.org/meta-wp-cache-www.example.org12ef834fsaf32r23f43gsdf95.php

    here is the sample:

    @eval($_GET[%27fuck%27]);&fuck=fputs(fopen(base64_decode(

    @donncha wrote some time ago that these PHP files are generated off the website. What kind of requests are they generated from? Are they error logs generated from the debugging tab – there is a link to a non-existing PHP file with a hashed name?

    I looked into other files and database and they seem clean. Is it possible that the plugin has cached a malicious request?

Viewing 2 replies - 1 through 2 (of 2 total)
  • They’re generated by people trying to exploit the software on your site. If you look in that meta file you should find the URL of the request.
    There should be, as you discovered, a corresponding PHP file with a hashed name that holds the content of the page but maybe the plugin has deleted that file as part of its garbage collection (but it should have deleted the meta file too, do you have some sort of scanning software installed to find these files?)

    Yep, it’s very likely that the plugin has cached a malicious request.

    Thread Starter al2357

    (@al2357)

    Thanks for the explanation. I use Wordfence for scanning.

    So this is a .php meta-file (wp-content/cache/supercache/www.example.org/meta-wp-cache-www.example.org12ef834fsaf32r23f43gsdf95.php) that can’t execute any code – because of <?php die(); ?> in the first line and the hashed filename – and it contains JSON-encoded information about the request.

    The malicious code that was found in this file is just a request saved in JSON – so the website was not compromised (these files were not edited by a third party) and the code can’t be used.

  • The topic ‘Malicious(?) code in plugin-generated php files’ is closed to new replies.
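
The check the thread arrives at (a `<?php die(); ?>` guard first, then nothing but JSON-encoded request data) can be scripted when a scanner flags a meta file. The following is an added example, not code from the plugin or from the posters; the function names, the pattern list, and the `uri` and `headers` key names in the constructed samples are assumptions.

```python
import json
import re

# Guard the thread describes at the start of a meta file.
GUARD = re.compile(r"^\s*<\?php\s+die\(\s*\)\s*;\s*\?>")
# Strings a scanner typically flags; a small list chosen for this example.
SUSPICIOUS = re.compile(r"eval\s*\(|base64_decode\s*\(|fopen\s*\(|fputs\s*\(", re.I)


def walk_strings(node, path="$"):
    """Yield (json_path, string) for every string value in parsed JSON."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")


def triage_meta(text):
    """Return a verdict ('inert-data' or 'review'), a reason, and flagged strings."""
    match = GUARD.match(text)
    if not match:
        return {"verdict": "review", "reason": "die() guard is not first", "hits": []}
    try:
        data = json.loads(text[match.end():])
    except json.JSONDecodeError:
        return {"verdict": "review", "reason": "body is not valid JSON", "hits": []}
    # Guard halts PHP before the body, and the body parsed as pure JSON,
    # so any flagged string is recorded request data, not code.
    hits = [(p, s) for p, s in walk_strings(data) if SUSPICIOUS.search(s)]
    return {"verdict": "inert-data", "reason": "guard present, body is JSON", "hits": hits}


# Constructed samples; the key names are assumptions, not the plugin's schema.
CACHED_PROBE = "<?php die(); ?>\n" + json.dumps(
    {"uri": "www.example.org/?x=@eval($_GET[%27p%27]);", "headers": []}
)
TAMPERED = "<?php echo 'not the guard'; ?>\n{}"

if __name__ == "__main__":
    for name, sample in (("cached probe", CACHED_PROBE), ("tampered", TAMPERED)):
        print(name, triage_meta(sample))
```

A `review` verdict only means the file does not match the expected layout and should be inspected by hand.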