• Resolved peter1

    (@peter1)


    Hi all,

    I have recently installed Wordfence and it has thrown up a list of suspicious files. I have been using the “view the file” to look at the file in question, then deleting.

    However I just decided to take a look at the same file on the server.

    It’s includes/widgets.php. I cannot find the supposed suspicious entry the “view the file” shows. In the Wordfence file viewer I see a huge list of strange stuff but I cannot see any of it in the actual file.

    Any ideas? Is this normal? Thanks
    Peter

Viewing 10 replies - 1 through 10 (of 10 total)
  • Hi Peter (@peter1),

    Just to be sure (to be sure), is Wordfence pointing at wp-admin/includes/widgets.php or wp-includes/widgets.php?

    I’m looking at other explanations for this and I will revert to you.

    Thread Starter peter1

    (@peter1)

    Absolutely sure it’s the wp-admin but just went back and checked again, yes it’s wp-admin/includes/widgets.php

    But I also looked at wp-includes/widgets.php as well just to make sure and I can’t see the horrible stuff there either, so it’s not in either one.

    Thanks Wfyann, cheers

    Thread Starter peter1

    (@peter1)

    Anything further on this @wfyann ? Cheers

    Hello @peter1,

    Sorry about the delayed response. I’m still trying to figure out what’s happening.

    What do you see if you click the “See how the file has changed” link?

    Also, could you let me know how you “look at the same file on the server”?

    Do you confirm you haven’t clicked the “Restore the original version of this file” link prior to checking on the server?

    Do you have any sort of caching feature enabled?

    Thread Starter peter1

    (@peter1)

    Hi Wfyann,

    If I click “see how the file has changed” I see about a dozen lines of gobbledegook highlighted in yellow.

    I look at the same file on the server by going to my cPanel and then file manager then finding the file and viewing it.

    No, I’m pretty confident that I haven’t clicked restore the original version, and as far as I know, if I had, the red cross/warning would have gone. It’s still there; in fact I’ve got 2 red crosses for the same file. One says

    “This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "${"\x47\x4c\x4fB\x41\x4c\x53"}". The infection type is: Backdoor:PHP/kidslug.”

    and the other says:

    “This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.”

    No caching feature that I’m aware of, I’m not massively technical, sadly.

    Thread Starter peter1

    (@peter1)

    Just ran the scan again and still see the same 2 files there

    Hi @peter1,

    After discussing this issue with my colleagues, we suspect the malicious code might be placed after a significant amount of whitespace on a very long line, or after many line feeds at the end of the file.

    Could you download the file and open it in a text-only editor, then scroll far to the right, or enable line wrapping in the editor, or use the editor’s search to look for a short piece of the code? (Preferably a word without spaces or symbols, as various amounts/types of whitespace could be in between.)

    Also, you’ll find here some steps you can take to check if your site has been hacked.

    • This reply was modified 7 years, 10 months ago by wfyann.
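
The hiding technique described in the reply above, turned into a check that can be run over a downloaded copy of a site. This is an added example, not part of the original thread and not Wordfence's code; the thresholds, function names and sample text are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Thresholds are assumptions for this example; tune them for your code base.
MIN_GAP = 200         # spaces/tabs in a row before more content on one line
MIN_BLANK_LINES = 50  # consecutive empty lines before more content

# Constructed sample: harmless text placed where the thread found the junk.
SAMPLE = ("<?php\nfunction demo_widget() { return 1; }" + " " * 400
          + "$placeholder = 'constructed marker';\n" + "\n" * 80
          + "// constructed trailing line\n")


def find_hidden_content(text, min_gap=MIN_GAP, min_blank=MIN_BLANK_LINES):
    """Return (line_no, column, reason, snippet) for content pushed out of view."""
    gap_re = re.compile(r"[ \t]{%d,}" % min_gap)
    findings, blank_run = [], 0
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()  # trailing whitespace alone hides nothing
        if not line:
            blank_run += 1
            continue
        if blank_run >= min_blank:
            findings.append((line_no, 1, "after blank lines", line.strip()[:60]))
        blank_run = 0
        for m in gap_re.finditer(line):
            findings.append((line_no, m.end() + 1, "after whitespace run",
                             line[m.end():m.end() + 60]))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings}."""
    results = {}
    for path in (p for p in Path(root).rglob("*.php") if p.is_file()):
        hits = find_hidden_content(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    found = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
             else {"SAMPLE": find_hidden_content(SAMPLE)})
    for name, hits in found.items():
        for line_no, col, reason, snippet in hits:
            print(f"{name}:{line_no}:{col}: content {reason}: {snippet!r}")
```

Pass the directory of the downloaded site as the first argument; with no argument it scans the constructed sample.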
    Thread Starter peter1

    (@peter1)

    Wow you’re right, it’s right off to the far right after a whole lot of white space. Now that you’ve suggested it I don’t even need to download it. If I view the file from file manager and scroll right it’s all there. I never thought of that.

    But I downloaded it to a text doc anyway and it shows right there immediately, no need to scroll.

    Great work picking that, I hadn’t thought of that at all. Thanks @wfyann

    Thread Starter peter1

    (@peter1)

    Just “restored” and all is good, junk all gone.

    Well done nutting it out, thanks. And you were right, just one huge long line of junk after a bunch of white space. These guys do get pretty inventive don’t they?

    Hi @peter1,

    Thank you for the feedback. I’m glad this “mystery” has now been solved!

    (And yes indeed, they do get pretty inventive, so let’s keep them in check!)

  • The topic ‘Wordfence file version differs from the server version’ is closed to new replies.