File appears to be malicious or unsafe

Hi,

This file is not part of this plugin, so it could have been added in many ways, but it’s of course not part of the plugin at all ??

Maybe you should try to share more information about it, and also ask Wordfence how this file is being added (since they know it, they probably have some information).

What information would be helpful?

Hello

I’ve noticed the same malicious file on my site dropped on the 19th before WordFence flagged as malicious. Definitely malicious but I cant seem to work out how it got dropped, I hope its not a vulnerability in WordPress core files.

Anyway information that could be helpful if you are willing to share is what theme and plugins have you got running, as there might be a vulnerability in one of these plugins.

Thanks

I also think that Wordfence might have more information about this, so maybe it would be good to look at the information related to this malware, or maybe simply ask them.

I am personally using all my plugins, and didn’t get that issue (but I am not using many plugins except my own).

I’ve since removed the file using wordfence.

The problem with wordfence if I’m not mistaken is they won’t give you any info unless you pay and that is rather expensive.

@gothboy @tigroumeow, would you be able to share what exact plugins you have running and themes you are using on your sites?

WordFence/WordPress probably have investigated and know how it happened, there will be a vulnerability somewhere, just trying to pinpoint if its a theme or some plugin.

Just keep an eye when a update comes out, till then we are all vulnerable. WordFence detected it now as the file hash was different from the first one I discovered which wasn’t detected by WordFence so our sites can get compromised again

I just had a similar randomly named php file flagged as this Backdoor by Wordfence and have since deleted it after saving as a text file in case needed for investigation.
I have no idea how it got there but I had just restored this site from a multisite to a single site using Duplicator. The original site is gone so I can’t check if it was in the original. I don’t think Wordfence was running on the original site but it was up date with all its installed plugins/themes.

Filename: wp-content/plugins/fb6a67f0.php
File Type: Not a core, theme, or plugin file from www.remarpro.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: chr(ord($bIzRMB[$i])-1);\x0d\x0a } return $bIzRMB;\x0d\x0a}\x0d\x0aeval(WkKig(“NZznjuxakp0foJ/iQugf3SAEeodRS2DSe5P0giDQJslMes+Bnl37YGbun1uoqlNVySR3RKz1rfjrrz//1ftQbO04/BUYu/Bp/vF3oUuX+J9/+/e//vYfH/7r87RD/cu26h95tlYU…

The issue type is: Backdoor:PHP/nbmj.3900
Description: A backdoor known as nbmj

I will advise the plugins when I get time. I managed to delete the file on many sites using Wordfence. My site that are critical to me have paid Sucuri on them and I haven’t had any issues. I guess you get what you pay for as I’m using the free Wordfence.

Thankfully after deleting the file it hasn’t re appeared but I’m keep a close watch on things.

The theme I’m using is Blackoot Lite