Unknown file in WordPress core:

  • Resolved bizdevweb

    (@bizdevweb)


    4 years, 3 months ago

    Starting this week I’m getting a wordfence warning message emailed to me from some of my sites. The messages refer to files in different WordPress core folders (wp-includes & wp-admin). The files vanish quickly and so it’s hard to see what they are doing. The files all start and end with .mx.(IncrementalNumber).mx Are these temp files used by Wordfence scanner or have my sites been compromised? They also show up in the wordfence scan report page but when I run a new scan the files are gone.

    Here’s an example:
    High Severity Problems:
    * Unknown file in WordPress core: wp-includes/sodium_compat/src/Core/Curve25519/Ge/.mx.14031752.mx
    * Unknown file in WordPress core: wp-includes/sodium_compat/src/Core/Curve25519/Ge/.mx.14031753.mx
    * Unknown file in WordPress core: wp-includes/sodium_compat/src/Core/Curve25519/Ge/.mx.14031754.mx
    * Unknown file in WordPress core: wp-includes/sodium_compat/src/Core/Curve25519/Ge/.mx.14031755.mx

    High Severity Problems:
    * Unknown file in WordPress core: wp-admin/.mx.78906782.mx
    * Unknown file in WordPress core: wp-admin/.mx.78906783.mx

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter bizdevweb

    (@bizdevweb)

    Another Wordfence email warning today:

    High Severity Problems:
    * Unknown file in WordPress core: wp-includes/Requests/Utility/.mx.73796162.mx
    * Unknown file in WordPress core: wp-includes/Requests/Utility/.mx.73796163.mx

    A similar issue reported here: https://www.ads-software.com/support/topic/unknown-mx-files-found-by-scan/

    Plugin Support wfphil

    (@wfphil)

    Hi @bizdevweb

    We have seen a few other cases of this.

    Who is your hosting provider please to help us track this?

    The number between .mx and .mx appear to be the inode numbers of the original files and something on the server is generating these MX files when the Wordfence scanner reads these files.

    Please ask your hosting provider to investigate and let us know the outcome.

    Plugin Support wfphil

    (@wfphil)

    Hi @bizdevweb

    As you haven’t mentioned who your hosting provider is then they may be owned by EIG (Endurance International Group).

    EIG have said that the MX files are being created by a server-side malware scanner called Monarx and that the MX files will be removed from your hosting account automatically. We asked EIG how quickly the MX files should be removed and we were still waiting for a response one week later. The current course of action that you have if these MX files are being reported in your Wordfence scan results is to manually delete them from your hosting account.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Unknown file in WordPress core:’ is closed to new replies.