Unknown Source Creates 3 SQL Tables for Each Blog

  • I have looked through many of the .php files and cannot find what creates the file that adds these “if” lines of code to my wp-config.php. The weird file name is also in the first sql table.

    require_once(ABSPATH . ‘wp-settings.php’);
    if(!function_exists(amt_cif)) { if(file_exists(ABSPATH.WPINC.’/ealdggieihpja.php’)) { require_once (ABSPATH.WPINC.’/ealdggieihpja.php’); } }
    if(!function_exists(amt_cif)) { if(file_exists(ABSPATH.WPINC.’/yffekmte.php’)) { require_once (ABSPATH.WPINC.’/yffekmte.php’); } }

    There is one of these lines for each blog.

    The file which this references is created in wp-includes. It is a large .php file with no identifying comments in it. That file creates 3 SQL tables in every blog
    wp4_blogname_opt
    wp4_blogname_post
    wp4_blogname_quest

    I only run six plugins and I can’t find anything in those.
    Can anyone explain what these might be and where they come from.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Looks like you might have been hacked.

    Can you see what the php files referred above might do?

    Have a look at https://ocaoimh.ie/exploit-scanner/ – it might help, but you will need some technical expertise.

    Thread Starter drboliek

    (@drboliek)

    Thanks, Exploit finds a lot of scary stuff.
    I am not a pro programmer by any means. I have coded a little in a lot of old stuff. Now I just figure things out as I go.

    Since I don’t read code well, I try to follow program execution logic. This led me through these steps which resoved the issue.
    1. I removed all of the “weirdname”.php files in wp-includes
    2. I removed the 20 or so “if” lines referencing the above files from the wp-config.php file
    3. I removed the three offending tables in each blogs sql database.
    4. I found some who said Jquery could be the hacked file. I reloaded the base wp-includes>JS folder.
    5. I went into site admin and entered the backend of each blog.
    6. Blog number 15 recreated the offending tables and inserted a line in the wp-config.php file. This blog’s theme was

      NewBMW-mag

    which I probably got from one of the free download repositories.
    6. After executing that blog it would recreate the tables in every blog which I accessed.
    7. I deleted the theme and reloaded wp-includes>JS again
    and now everthing is good.

    Thanks for your help. Hope this helps someone else.

    Suggest you go for a clean install.

    Remember to reconfigure such that you do not use any of your existing passwords.

    Also try to secure your wp-config.php, wp-* folders..

    and ur database. change the structure to a new one. and good luck.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Unknown Source Creates 3 SQL Tables for Each Blog’ is closed to new replies.