[Resolved] Simon Barnett

    (@simbasounds)


    A file keeps re-appearing in the root of a site I maintain:
    settings_backup-gsmhotqmkyui0pikmt3ovg9n2krek7kr.php

    It is generated possibly on a daily basis.
    The last time was 11:56 (GMT +2:00)

    The content of the file has encrypted data. I’m a developer, not a security specialist, so I can’t say for sure whether it’s definitely malicious or something generated by a plugin.

    Sucuri plugin notices that a file has been added, but doesn’t flag it as malicious after a malware scan. A WordFence scan doesn’t notice it at all.

    Does this look malicious?
    How can I trace what is generating it?

    [removed, please don’t post potential malware here]

Viewing 6 replies - 1 through 6 (of 6 total)
  Thread Starter Simon Barnett

    (@simbasounds)

    I did a search for the term “settings_backup” using String Locator plugin and it seems the file is being generated by BackupBuddy. The string is located at:
    /wp-content/plugins/backupbuddy/classes/housekeeping.php

    // TODO: Added Aug 8, 2016. Remove this section after a while.
    // Begin removal of botches storage location.
    $existing_backups = glob( ABSPATH . 'settings_backup-*.php' );
    if ( ! is_array( $existing_backups ) ) {
        $existing_backups = array();
    }
    foreach( $existing_backups as $existing_backup ) {
        @unlink( $existing_backup );
    }
    // End removal.
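
A repeatable, scriptable version of the search described in this reply, as an added example that is not part of the thread, of String Locator, or of BackupBuddy: it derives the stable part of the filename (everything before the random suffix) and greps every PHP source under wp-content for it, so the plugin or theme that creates or deletes the file shows up by path and line. The sample WordPress tree, the `sample-backup` plugin path and the stand-in housekeeping code it builds are constructed for the demo and are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from BackupBuddy): locate the code that
# refers to a file such as settings_backup-gsmhotqmkyui0pikmt3ovg9n2krek7kr.php
# by searching the WordPress tree for the stable part of its name.
# The sample tree below is constructed for the demo; its plugin path and code
# are assumptions, not the real plugin's files.

set -u

# stable_prefix NAME
#   Strip the random suffix: keep the leading identifier up to and including
#   the first '-' (or '.' if the name has no '-').  The output is the search
#   term, e.g. settings_backup-gsmhot...php -> settings_backup-
stable_prefix() {
    printf '%s\n' "$1" | sed -E 's/^([A-Za-z0-9_]+[-.]).*$/\1/'
}

# find_generators WP_ROOT TERM
#   Print "path:line:text" for every PHP file under wp-content that mentions
#   TERM.  The generated file itself lives in WP_ROOT, not under wp-content,
#   so only code that refers to the name is reported.
find_generators() {
    grep -rnF --include='*.php' -e "$2" "$1/wp-content" 2>/dev/null || true
}

# count_hits WP_ROOT TERM -> number of matching lines, for scripting
count_hits() {
    find_generators "$1" "$2" | wc -l | tr -d ' '
}

# build_sample_tree
#   Create a throwaway WordPress-like tree (constructed for the demo) with one
#   plugin that globs for the file and one unrelated plugin, plus the
#   suspicious file in the site root.  Prints the root path.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/sample-backup/classes" \
             "$root/wp-content/plugins/unrelated"
    cat > "$root/wp-content/plugins/sample-backup/classes/housekeeping.php" <<'EOF'
<?php
// constructed stand-in for a plugin's housekeeping routine
$existing_backups = glob( ABSPATH . 'settings_backup-*.php' );
foreach ( (array) $existing_backups as $existing_backup ) {
    @unlink( $existing_backup );
}
EOF
    printf '<?php\n// nothing relevant here\n' \
        > "$root/wp-content/plugins/unrelated/unrelated.php"
    printf '<?php // opaque data blob (constructed)\n' \
        > "$root/settings_backup-gsmhotqmkyui0pikmt3ovg9n2krek7kr.php"
    printf '%s\n' "$root"
}

main() {
    name=settings_backup-gsmhotqmkyui0pikmt3ovg9n2krek7kr.php
    term=$(stable_prefix "$name")
    root=$(build_sample_tree)
    echo "search term: $term"
    find_generators "$root" "$term"
    rm -rf "$root"
}

main
```

Run it against a real install with `find_generators /var/www/site settings_backup-` (path assumed); a hit in a plugin's own code, as in the housekeeping snippet above, points at the plugin, while no hit at all under wp-content is the case worth treating as suspicious, since nothing installed admits to knowing the filename.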

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    One of the other mods here ran that code through a decoder and it seems to be an array of data from backup buddy. So, if the file is being recreated, check the schedule on which backupbuddy is run. If it turns out to be backupbuddy, then you might want to check with their support to see why that file is there and if it’s a Good Thing.

    Thread Starter Simon Barnett

    (@simbasounds)

    Thanks Steve. I posted that as you were posting your response. I’m pretty sure now that it is BackupBuddy. I’m going to contact iThemes now to make sure, but that line is present in a fresh copy of the latest version. Will update here if there’s anything more to add after that. Otherwise thanks again!

    Hi, Simon, did you get any info from iThemes on what’s causing the file to appear? I encountered the same thing on a site I’m working on, which is how I found this thread. I’m glad to hear it’s not malicious, but I’d like to stop it from being created. Thanks.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Please go here for backupbuddy support:

    https://members.ithemes.com/panel/helpdesk.php

    Thread Starter Simon Barnett

    (@simbasounds)

    I decided not to contact them. Once I knew it was from BackupBuddy it was a much lower priority than finding the actual exploit on the server.

The topic ‘How to find the source of a potentially malicious file?’ is closed to new replies.