• Resolved Simon Carne

    (@scarne)


    Wordfence notified me that a suspicious file (ending .png) had been added to the uploads folder of my site.
    I have removed the site and passed a subsequent High Sensitivity scan, but (as a result of the investigations I describe below) I am concerned that the file had created, and then removed, additional files.
    The investigations I have carried out are as follows:
    Contents of the png file
    I opened the so-called png file with a text reader and found the following:

    ‰PNG
    IHDR   "      s?-d   tEXtSoftware 
    <?php
    $data = urldecode[SNIP]

    As you can see, the second and third lines up from the bottom suggest that a file has been created and removed … but it gets worse!
    I decoded the long string of text and found that it contained the following:

    [SNIP]

    I would welcome any help in establishing whether there may be problems. I cannot see anything untoward on my site and, as mentioned above, I removed the file and carried out a High Sensitivity Wordfence scan which found nothing further.
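
As an added example (not part of the original post and not Wordfence's code): a Python check that walks a PNG's chunks and reports a `<?php` tag inside any chunk, such as the tEXt Software chunk shown in the post, or in bytes left over after IEND. The function names and the sample files are constructed for illustration.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PHP_TAG = b"<?php"  # short tags (<?, <?=) omitted: they occur by chance in compressed IDAT data

def scan_png(blob: bytes) -> list[str]:
    """Return findings for a PHP open tag hidden in a file claiming to be a PNG."""
    if not blob.startswith(PNG_SIG):
        return ["not a PNG" + ("; contains PHP open tag" if PHP_TAG in blob.lower() else "")]
    findings, pos = [], len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4          # header + data + CRC
        if end > len(blob):                 # bad length: stop, report the rest below
            break
        if PHP_TAG in blob[pos + 8:end - 4].lower():   # PHP tags are case-insensitive
            findings.append(f"PHP open tag in {ctype.decode('latin-1')} chunk")
        pos = end
        if ctype == b"IEND":
            break
    rest = blob[pos:]
    if rest:
        tag = "; contains PHP open tag" if PHP_TAG in rest.lower() else ""
        findings.append(f"{len(rest)} unparsed/trailing bytes{tag}")
    return findings

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def sample(clean: bool) -> bytes:
    """Constructed 1x1 greyscale PNG; the 'dirty' one carries an inert PHP comment."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    software = b"ExampleEditor" if clean else b"<?php /* constructed placeholder */ ?>"
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Software\x00" + software)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    for path in sys.argv[1:]:               # e.g. every *.png in the uploads folder
        with open(path, "rb") as fh:
            print(path, scan_png(fh.read()) or "clean")
```

A finding only shows that the file is not a plain image; it does not show whether the embedded code ever ran, so it is a prompt to review access logs and file modification times for the same period.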

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Decoded a suspicious file’ is closed to new replies.