Files Modified
-
Wordfence found a possibly malicious backdoor file on my site last week so I’m worried my site has been hacked. I’m trying to figure out how/when this happened. I get the weekly Wordfence Activity Reports and see that some files have been changed. I wouldn’t even know how to change these files and wasn’t even online at this hour, so does this look like normal activity?
Recently Modified Files:
August 15, 2016 7:06pm
wp-content/wflogs/config.php
August 14, 2016 5:31pm
error_log
August 14, 2016 3:24pm
wp-content/wflogs/attack-data.php
August 13, 2016 12:09am
wp-content/uploads/2016/08/photo-6-750x549.png
August 13, 2016 12:09am
wp-content/uploads/2016/08/photo-7-200x200.png
-
Hi paris3,
Hopefully you have worked this out by now, but I wanted to touch base with you and see what you have discovered.
The wflogs/config.php, error_log, and wflogs/attack-data.php are all files that change on a regular basis. Two of them are Wordfence related and the error_log is typically server created listing php errors and warnings. The two photos are more than likely harmless, but it is possible to have malicious and executable code inside image files.
What did Wordfence report as the file(s) associated with the backdoor? Is Wordfence reporting, or are you seeing, files that do not belong inside WordPress folders?
Thanks for the reply, wflandon. The file Wordfence reported as a backdoor appeared in a file related to the theme I was using. All of the photos that were listed as ‘modified’ seemed to be names of photos I’ve uploaded, but I never modified them, so that’s what I was confused about. Here is a description of what happened a couple weekends ago:
Last weekend, the WordFence Security plugin I use found a possibly malicious file during a scan. The file mentioned the name of the theme I’m using, so I checked with the developer of that theme and they told me the file wasn’t their code.
Then I contacted my hosting company to look into this and they told me my site wasn’t infected. Within an hour or so after this strange file appeared, I clicked the ‘delete file’ option on WordFence which messed up my theme.
I was worried my site was hacked because it looked bare, but my host said it was just a theme issue and activated the default WordPress 2015 theme. The hosting company told me how to do a malware scan with Sucuri Site Check. No issues appear in the scan and nothing else seems wrong with my site in appearance or in the dashboard. WordFence also shows no issues now.
I’ve only been using WordPress for a year and never had anything like this happen before. Since I deleted this possibly malicious file, does that mean my site is okay? The infection type was listed as “Backdoor:PHP/array_map”, so could this still somehow affect my site or even my computer? I’m afraid to back up my site now and make things worse. I’ve posted a copy of the message that showed up in that Wordfence scan, but if anyone could give some input on whether there’s something else I should be doing about this issue or not, I’d appreciate it.
File appears to be malicious: wp-content/themes/wp_olsen5-v1.1.1/functions.php
Filename: wp-content/themes/wp_olsen5-v1.1.1/functions.php
File type: Not a core, theme or plugin file.
Issue first detected: 9 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "add_action('init', create_function('', implode("\n", array_map("base64_decode", unserialize(get_option". The infection type is: Backdoor:PHP/array_map
At this point, Wordfence is not showing any issues with my site and I have not noticed any changes to the admin dashboard or to the appearance of the site. I’m still unsure about how to know for sure if my site is clean, or if there’s something hidden that I wouldn’t be aware of. I deleted that file listed as malicious and even deleted that entire theme and activated another one, but is doing Wordfence scans enough to find any issues?
I just got a Wordfence email with all these problems ??
File appears to be malicious: wp-content/plugins/jetpack/class.frame-nonce-preview.php
Filename: wp-content/plugins/jetpack/class.frame-nonce-preview.php
File type: Plugin
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "eval($qd23264[$lbef4fa8c['of4d4eaf7'][3". The infection type is: Backdoor
File appears to be malicious: wp-content/plugins/mojo-marketplace-wp-plugin/tests/title.php
Filename: wp-content/plugins/mojo-marketplace-wp-plugin/tests/title.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "@$GLOBALS[$GLOBALS['db2524928'][95].$GLOBALS['db2524928'][32].$GLOBALS['db2524928'][78]". The infection type is: supp2 infection
File appears to be malicious: wp-content/plugins/wordfence/lib/menu_whois.php
Filename: wp-content/plugins/wordfence/lib/menu_whois.php
File type: Plugin
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "eval($g889c997[$r2d67ab['v899ef'][24". The infection type is: Backdoor
File appears to be malicious: wp-content/plugins/wordpress-seo/frontend/search70.php
Filename: wp-content/plugins/wordpress-seo/frontend/search70.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "@$GLOBALS[$GLOBALS['oe4bbc9'][26].$GLOBALS['oe4bbc9'][63].$GLOBALS['oe4bbc9'][69]". The infection type is: supp2 infection
File appears to be malicious: wp-content/plugins/wordpress-seo/wp-seo.php
Filename: wp-content/plugins/wordpress-seo/wp-seo.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "eval($b5196aa[$j24c0b1c3['ye46ba088'][27". The infection type is: Backdoor
File appears to be malicious: wp-content/wflogs/error.php
Filename: wp-content/wflogs/error.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "$yjr=$_COOKIE; $xib=$yjr[jctc]; if($xib){ $pdzcp=$xib($yjr[pbaq]);$ustr=$xib($yjr[mxrs]);$voup=$pdzcp("",$ustr);$voup(". The infection type is: G212 – variation 2
File appears to be malicious: wp-includes/Requests/Response/Headers.php
Filename: wp-includes/Requests/Response/Headers.php
File type: Core
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "eval($v329df96[$v107eb438['bfc8c64fc'][6". The infection type is: Backdoor
File appears to be malicious: wp-includes/js/jquery/ui/dirs58.php
Filename: wp-includes/js/jquery/ui/dirs58.php
File type: Not a core, theme or plugin file.
Issue first detected: 15 mins ago.
Severity: Critical
Status: New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "@$GLOBALS[$GLOBALS['m7f2ce'][75].$GLOBALS['m7f2ce'][55].$GLOBALS['m7f2ce'][72]". The infection type is: supp2 infection
WordPress core file modified: wp-includes/Requests/Response/Headers.php
Filename: wp-includes/Requests/Response/Headers.php
File type: Core
Issue first detected: 16 mins ago.
Severity: Critical
Status: New
This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.
Unknown file in WordPress core: wp-includes/js/jquery/ui/dirs58.php
Filename: wp-includes/js/jquery/ui/dirs58.php
File type: Core
Issue first detected: 16 mins ago.
Severity: Warning
Status: New
This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by another plugin or a malicious file added by an attacker.
Modified plugin file: wp-content/plugins/wordfence/lib/menu_whois.php
Filename: wp-content/plugins/wordfence/lib/menu_whois.php
File type: Plugin
Issue first detected: 16 mins ago.
Severity: Warning
Status: New
This file belongs to plugin "Wordfence Security" version "6.1.17" and has been modified from the file that is distributed by www.remarpro.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don't manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]
Modified plugin file: wp-content/plugins/jetpack/class.frame-nonce-preview.php
Filename: wp-content/plugins/jetpack/class.frame-nonce-preview.php
File type: Plugin
Issue first detected: 16 mins ago.
Severity: Warning
Status: New
This file belongs to plugin "Jetpack by WordPress.com" version "4.3.1" and has been modified from the file that is distributed by www.remarpro.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don't manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]
Modified plugin file: wp-content/plugins/analytics-counter/readme.txt
Filename: wp-content/plugins/analytics-counter/readme.txt
File type: Plugin
Issue first detected: 16 mins ago.
Severity: Warning
Status: New
This file belongs to plugin "Google Analytics Counter Tracker" version "3.3.0" and has been modified from the file that is distributed by www.remarpro.com for this version. Please use the link to see how the file has changed. If you have modified this file yourself, you can safely ignore this warning. If you see a lot of changed files in a plugin that have been made by the author, then try uninstalling and reinstalling the plugin to force an upgrade. Doing this is a workaround for plugin authors who don't manage their code correctly. [See our FAQ on https://www.wordfence.com for more info]
Hi paris3,
As you probably know by now, your site has been hacked and is compromised. At this point, the best thing to do is replace all core, plugin, and theme files with clean originals from the official repositories. There are a few guides on the WordPress forum on how to proceed and you can check this blog post out for some guidance.
If you need additional help, you can reach out to us at [email protected]. Also feel free to send compromised files to [email protected].
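A triage script added here as an example (not from the thread, and not Wordfence's own rules), written in Python so it can be run against a copy of the site from a clean machine: it flags PHP files placed in directories that should only hold data or static assets (uploads, wflogs, wp-includes/js), a PHP open tag inside an uploaded image (the risk wflandon mentions), and the obfuscation patterns quoted in the findings above. The directory list, the allowlist for Wordfence's own wflogs/config.php and attack-data.php, and the regexes are my assumptions distilled from this thread; the sample tree it builds is constructed from truncated fragments quoted above and is not runnable PHP.

```python
import os, re, tempfile

# Data/asset directories that should never contain PHP; Wordfence's own wflogs/config.php and attack-data.php are PHP-headed data files, so allowlist them
NO_PHP_DIRS = ("wp-content/uploads/", "wp-content/wflogs/", "wp-includes/js/")
ALLOWLIST = {"wp-content/wflogs/config.php", "wp-content/wflogs/attack-data.php"}

# Patterns distilled from the matched text in the Wordfence findings quoted above (assumed, not Wordfence's signatures)
SIGNATURES = {
    "array_map backdoor": re.compile(r"create_function\s*\(\s*''\s*,\s*implode\s*\(.*?array_map\s*\(\s*[\"']base64_decode", re.S),
    "eval of indexed array": re.compile(r"eval\s*\(\s*\$\w+\s*\[\s*\$\w+\s*\[\s*['\"]\w+['\"]\s*\]\s*\[\s*\d+"),
    "GLOBALS string assembly": re.compile(r"\$GLOBALS\s*\[\s*\$GLOBALS\s*\[\s*['\"]\w+['\"]\s*\]\s*\[\s*\d+\s*\]\s*\."),
    "cookie-driven callable": re.compile(r"\$\w+\s*=\s*\$_COOKIE\s*;.*?if\s*\(\s*\$\w+\s*\)", re.S),
}

def scan_tree(root):
    """Walk a WordPress tree and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            if name.lower().endswith(".php"):
                if rel.startswith(NO_PHP_DIRS) and rel not in ALLOWLIST:
                    findings.append((rel, "php file in data/asset directory"))
                text = data.decode("utf-8", errors="replace")
                findings += [(rel, label) for label, rx in SIGNATURES.items() if rx.search(text)]
            elif name.lower().endswith((".png", ".jpg", ".jpeg", ".gif")) and b"<?php" in data:
                findings.append((rel, "php open tag inside image file"))  # executable code hidden in an upload
    return sorted(findings)

def build_sample_site():
    """Constructed sample tree: a clean Wordfence data file plus truncated fragments quoted in the findings above."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    files = {
        "wp-content/wflogs/config.php": b"<?php exit('Access denied'); ?>\n",
        "wp-content/wflogs/error.php": b"<?php $yjr=$_COOKIE; $xib=$yjr[jctc]; if($xib){ ",
        "wp-content/themes/wp_olsen5-v1.1.1/functions.php": b"<?php add_action('init', create_function('', implode(\"\\n\", array_map(\"base64_decode\", unserialize(get_option",
        "wp-includes/js/jquery/ui/dirs58.php": b"<?php @$GLOBALS[$GLOBALS['m7f2ce'][75].$GLOBALS['m7f2ce'][55]",
        "wp-content/plugins/wordpress-seo/wp-seo.php": b"<?php eval($b5196aa[$j24c0b1c3['ye46ba088'][27",
        "wp-content/uploads/2016/08/photo-6-750x549.png": b"\x89PNG\r\n\x1a\n<?php /* constructed */ ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root
```

Run `scan_tree(build_sample_site())` to see the seven findings, or point `scan_tree` at a copy of a real site root. This is only a quick triage aid and does not replace wflandon's advice to reinstall clean core, plugin and theme files; WP-CLI's `wp core verify-checksums` compares core files against the published checksums for the installed version.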
The topic ‘Files Modified’ is closed to new replies.