• Resolved Woopress

    (@woopress)


    Hi,

    We had some malicious Google Ads injections on our webshop. Wordfence found base64 code in 2 PHP files in wp-content/cache/object/.

    A couple of days before the ads injection, an unknown mail address tried to give himself permission to Google Search Console. He even injected an HTML verification file into File Manager. I deleted the HTML file and retrieved the mail address.

    However, the injections still happen. The two php files in cache/object/ with the base64 code keep coming back after deleting the file.

    Does anyone know how to fix this and prevent it from happening again?

    Thanks in advance

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello,
    Can you please share the names of those 2 files?
    Also, can you please share your website URL?

    Thread Starter Woopress

    (@woopress)

    Hi Marko,

    Yes, names:
    wp-content/cache/object/394/aee/394aeeca40a3d6e8c421dc5b6e742e75.php
    wp-content/cache/object/33c/1b0/33c1b041b805f4327b458fdde7824acf.php

    Website: https://braincaps.nl

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello @woopress,

    W3 Total Cache does not use base64 encode for object cache.

    The objects are being encoded to be able to cache them, but not base64 encoded, though the output might look like base64 encoded for the Wordfence plugin.
    It’s an interpretation of the code it finds; what you do with it is your own choice, and I think you can just ignore these 2 files.

    Thread Starter Woopress

    (@woopress)

    Hi Marko,

    Thanks for your reply.

    The thing is that when I log in to the file manager, search for the PHP files and open them, I do find base64 code (2 in each PHP file).

    See print screens:
    https://ibb.co/j4Jcjjn
    https://ibb.co/fHgh8Ps
    https://ibb.co/bzbfJfH

    Do you still think these files are harmless (since you said W3 does not use base64 codes)?

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello,
    No, this is not added by W3 Total Cache. The cached object contains the mentioned base64_decode.
    Also, are you using any other caching solution? Please check the image below:
    https://ibb.co/ZmQkwKY

    Thread Starter Woopress

    (@woopress)

    Thanks.

    Yes, we have another caching plugin installed. The website builder installed all the plugins, including W3 cache and Autoptimize (not sure why both tbh).

    So you think the base64 code in the cache file is not causing the injection? If not, any other tips on how we can find the malicious code on the website?

    Plugin Contributor Marko Vasiljevic

    (@vmarko)

    Hello,
    I don’t think it has anything to do with it.
    You can disable Object caching and delete the cache/object folder and see if the issue persists.

  • The topic ‘Base64 code in cache files’ is closed to new replies.
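
An added example, not part of the thread and not code from W3 Total Cache or Wordfence: a Python triage script that lists every `base64_decode()` call with a literal argument under a cache directory and decodes the literal, so the content a scanner flagged can be read rather than guessed at. The directory layout, file names and file contents created by `build_sample` are constructed for illustration; `scan_cache` is meant to be pointed at a copy of `wp-content/cache/object/`.

```python
import base64
import binascii
import re
import tempfile
from pathlib import Path

# base64_decode('...') or base64_decode("...") with a literal argument
CALL_RE = re.compile(rb"base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)")


def scan_cache(root):
    """Return one finding per base64_decode() literal found in *.php under root."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        data = path.read_bytes()
        for match in CALL_RE.finditer(data):
            literal = b"".join(match.group(2).split())  # drop embedded whitespace
            try:
                decoded = base64.b64decode(literal, validate=True)
            except (binascii.Error, ValueError):
                decoded = None  # base64-looking text that does not decode
            findings.append({
                "file": str(path.relative_to(root)),
                "offset": match.start(),         # byte position of the call in the file
                "mtime": path.stat().st_mtime,   # last write time: shows when it reappeared
                "decoded": None if decoded is None else decoded.decode("utf-8", "replace"),
            })
    return findings


def build_sample(root):
    """Constructed sample tree; names and contents are made up, not a real cache format."""
    flagged = Path(root, "aaa", "bbb", "sample-flagged.php")
    clean = Path(root, "ccc", "ddd", "sample-clean.php")
    for p in (flagged, clean):
        p.parent.mkdir(parents=True)
    literal = base64.b64encode(b"https://ads.example.invalid/x.js").decode()
    flagged.write_text("cached-object-data base64_decode('%s') more-data" % literal)
    clean.write_text("cached-object-data with no encoded call")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for f in scan_cache(tmp):
            print(f["file"], f["offset"], repr(f["decoded"]))
```

The decoded text is a search term: if the same string turns up in the database or in theme and plugin files, that is where the cached object is being rebuilt from after each deletion.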