• Resolved awardbee

    (@awardbee)


    Hi there, I installed Wordfence on a recently hacked site. The hackers are still uploading random .php files into my core WordPress folder periodically, along with extra folders and .html files.

    I’m wondering why Wordfence doesn’t always catch these? I’ll do a scan and it will say everything is OK when there are obvious .php files in the core folder that don’t belong there. For example:

    4 fw41u1.php 4 wp-blog-header.php 12 wp-mail.php
    4 hyxjhlkc.php 8 wp-comments-post.php 12 wp-settings.php
    12 index.html 4 wp-config.php 28 wp-signup.php
    4 index.php 4 wp-config-sample.php 4 wp-snapshots
    20 license.txt 4 wp-content 4 wp-trackback.php
    4 qkzq8mz.php 4 wp-cron.php 4 xmlrpc.php
    4 qtk9kef.php

    https://www.ads-software.com/plugins/wordfence/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi Awardbee

    Sorry this is happening to you. I think the first thing to do is worry about the hack. I’m sure you probably already did this but have you followed all the steps in this guide?

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    If they are still uploading code then I would be scared we still are exploited and need to deal with that. You never know what code was put in the database to block detection. One time when I was hacked they kept turning off plugins I used. Very annoying. :/

    Something else that might help is disabling *.php* in the uploads folder
    See here: https://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/

    Let me know about the guide and good luck.

    tim
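An added example, not part of the thread and not Wordfence's code: the listing in the first post mixes stock WordPress files with names that are not in a WordPress download, and a name allowlist over the install root surfaces those directly. The baseline set, the function names, and the treatment of `wp-content` and `wp-snapshots` as directories are assumptions; the sample tree is constructed from the names in the post.

```python
import os
import tempfile

# Top-level entries of a stock WordPress download (assumed baseline; check it
# against the release you actually run).
CORE_ROOT = {
    "index.php", "license.txt", "readme.html", "wp-activate.php",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php", "wp-admin", "wp-content", "wp-includes",
}
# Created on the site at install time, so expected but not in the download.
SITE_CREATED = {"wp-config.php", ".htaccess"}
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def unexpected_root_entries(wp_root):
    """Return sorted (name, reason) pairs for entries outside the baseline."""
    findings = []
    for name in sorted(os.listdir(wp_root)):
        if name in CORE_ROOT or name in SITE_CREATED:
            continue
        if os.path.isdir(os.path.join(wp_root, name)):
            reason = "unknown directory"
        elif name.lower().endswith(PHP_SUFFIXES):
            reason = "unknown executable PHP file"
        else:
            reason = "unknown file"
        findings.append((name, reason))
    return findings


def build_sample_root():
    """Constructed sample tree that reuses the names from the post's listing."""
    root = tempfile.mkdtemp(prefix="wproot-")
    files = ("fw41u1.php hyxjhlkc.php index.html index.php license.txt "
             "qkzq8mz.php qtk9kef.php wp-blog-header.php wp-comments-post.php "
             "wp-config.php wp-config-sample.php wp-cron.php wp-mail.php "
             "wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php").split()
    for name in files:
        open(os.path.join(root, name), "w").close()
    for name in ("wp-content", "wp-snapshots"):  # assumed to be directories
        os.mkdir(os.path.join(root, name))
    return root


if __name__ == "__main__":
    for name, reason in unexpected_root_entries(build_sample_root()):
        print(f"{reason}: {name}")
```

The check only covers the top level of the install; it says nothing about files placed deeper in `wp-content` or about modified core files that keep their original names.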

    Thread Starter awardbee

    (@awardbee)

    Hi there Tim! I did do all the steps in the guide. I had Wordfence clean out both WordPress blogs that I run, both of which were hacked.

    I think they must have a backdoor or something, and maybe it’s interfering with Wordfence being able to detect malicious files.

    Last night my server was apparently used for a brute force attack! And my server has since been shut down. I’m working now to try and migrate my files out (the one step I didn’t follow in the guide was backing up!) and fire up a new server, this time more secure!

    Thanks for your help. I think maybe by the time I had Wordfence installed it was too late, my site was too compromised.

    The thing is that you never know what the hackers have done while they were there. I believe you posted elsewhere that you have restored everything with a backup and are working again for which I am glad.

    One thing you should probably do is make sure all your plugins are up to date and replace anything that is not in the WordPress plugins repository. I know lots of people that have used free plugins for a function unaware that they have opened the door for nastiness.

    tim

    Thread Starter awardbee

    (@awardbee)

    @tim, yes I have got things back up and running, although it wasn’t fun spending a whole day on it! Stupid hackers…

    I’m definitely a lot more vigilant now about the plugins I install. It’s sad, since a lot of plugins do such useful things…

    Thanks for all your hard work on Wordfence, ever since getting my sites back up it’s the first plugin I installed. I didn’t mean to imply in another thread that Wordfence doesn’t work well or it isn’t effective, just that installing it after a site is already heavily compromised might be too late, and of course a site might be compromised through another backdoor besides WP.

    Exploits were the reason I installed it on the site I manage. They aren’t fun and I’m pretty sure I was less than pleasant while I worked my way through the process of restoring everything. Hang in there, keep your plugins up to date, and hopefully we won’t have to do this again.

    tim

  • The topic ‘Random .php files in core folder not detected by scanning’ is closed to new replies.