• Resolved Jeff Lambert

    (@lambje)


    Wordfence reported on 3 malicious files. I checked and could not find them but they must have been written to the directory somehow for Wordfence to have reported on them as “File Type: Not a core, theme, or plugin file from www.ads-software.com.”. The 3 report details are as follows:

    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: array_intersect_ukey(array($_REQUEST[$password]

    The issue type is: Suspicious:PHP/dangerousCallback.11042
    Description: Dangerous function accepts a string parameter which could be used to call a function of the attacker’s choice

    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: eval($_POST[admin]);?>”}

    The issue type is: Backdoor:PHP/EvalSuperGlobal.B.10191
    Description: Code executed from user input – almost always indicates a backdoor

    This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: eval($_GET[%27fuck%27]);&fuck=fp

    The issue type is: Backdoor:PHP/EvalSuperGlobal.B.10191
    Description: Code executed from user input – almost always indicates a backdoor

    An example of the file path is as follows with my redacting the domain and home dir details:

    /home/redacted/public_html/wp-content/cache/supercache/redacted.com/meta-wp-cache-redacted.comb7421d9ae4e260e7ad791641ed6adce8.php

    As I mentioned, these files are not in the directory as far as I can see. This was reported two days ago. Main concern is that this folder was able to be written to.

Viewing 4 replies - 1 through 4 (of 4 total)
  • There’s nothing to worry about WRT WP Super Cache. It was only caching requests to your website. The “meta-wp-cache-….php” files hold information about requests like the URL and cookies.

    That eval() chunk of code looks like it was in the URL and was simply cached by the plugin. The plugin records the URL so it knows what page was cached.

    If you check your web server access logs, you should see the same URL appear there some time in the last few days.

    Hi Jeff, I have the same error on some of my websites on the same server. Repairing files or replacing all core files from WordPress solves the problem for some minutes then the same files get reinfected. Also changed the passwords, removed a trigger in the database.
    Did you solve this problem?

    Thread Starter Jeff Lambert

    (@lambje)

    Hello Norman,

    I took Donncha’s reply as meaning there shouldn’t really be an issue. I’ve not noted the same scan alerts from Wordfence since I first caught this and the site seems steady, so, have not put in any more effort on this.

    Cheers,
    Jeff

    @normanwebchimp – as Jeff said, there shouldn’t be an issue if the only files reported are cached pages. As I said in my reply before, check your access_logs and you’ll probably see requests with those strings in the URL.
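
The access-log check suggested in the replies above, as an added example that is not part of the original thread or of either plugin: it percent-decodes each request target and reports requests carrying the strings Wordfence matched. It assumes the Apache/nginx Combined Log Format; the function names are hypothetical and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Strings of the kind Wordfence matched in the cached meta files in this thread.
PROBE_RE = re.compile(
    r'eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b'
    r'|array_intersect_ukey\s*\(',
    re.IGNORECASE,
)

def fully_unquote(target, rounds=3):
    """Percent-decode repeatedly so double-encoded probes (%2527) are also seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def find_probe_requests(lines):
    """Return (ip, time, status, decoded_target) for requests carrying probe strings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-request lines
        ip, when, _method, target, status = m.groups()
        decoded = fully_unquote(target)
        if PROBE_RE.search(decoded):
            hits.append((ip, when, int(status), decoded))
    return hits

# Constructed sample lines (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /?a=eval($_GET[%27x%27]);&x=fp HTTP/1.1" 200 4096 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /?a=eval%2528%2524_POST[admin]%2529; HTTP/1.1" 200 4096 "-" "-"',
    '203.0.113.4 - - [01/Jan/2024:10:01:00 +0000] "GET /?s=medieval+history HTTP/1.1" 200 7000 "-" "-"',
]

if __name__ == "__main__":
    for ip, when, status, target in find_probe_requests(SAMPLE_LOG):
        print(f"{when}  {ip}  {status}  {target}")
```

A hit whose timestamp lines up with the flagged meta-wp-cache file is consistent with the explanation above that the plugin only recorded the requested URL; flagged files with no matching request need a closer look.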

  • The topic ‘Malicious Files Reported’ is closed to new replies.