• Is class-wp-theme-edit.php a valid WordPress file?
    I am showing a BACKDOOR in this file.
    I just downloaded a new zip of WP and it does NOT seem to include the file called class-wp-theme-edit.php

    Should I remove class-wp-theme-edit.php??

  • I would delete it (make a backup first) and see what happens.

    squidly1

    (@squidly1)

    While I was deployed (and did not have access to my blogs to maintain them or update my installations), someone took advantage of my old installs – and thanks to some quirk/vulnerability with PHP uploaded the file you mentioned to some of my blogs. It *is* a bit of malware and it does allow an attacker a fair amount of control over your blog and possibly over your SQL database. Deleting it will not affect your blog. It’s not very sophisticated (so far as I can see atm), so deleting the file will do nothing more than minimize control over your blog. But, you will need to update your installations to help minimize a successful re-exploitation.

    I am working on researching the limits of the infection and rooting out all the possible changes someone might have done to my accounts. Sadly, my attack occurred in mid and late October 2011 and my host logs only go back two months, so I am at a loss at tracing back who might have done it.

    You should know that there are probably other files that have been uploaded as well – all of them are obfuscated files (.GIFs, .JPGs, other PHPs – and should have the same date as that initial class-wp-theme-edit.php file). None of the legit WordPress files are obfuscated (i.e., have large sections of HEX encoding), they are pretty much clear text.
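
The triage described in the post above, combined with the thread starter's comparison against a freshly downloaded WordPress zip, as an added example that is not code from this thread. Assumptions: the clean copy is the same WordPress version as the install, and the 0.2 escape-density threshold, the one-day window and all function names are illustrative choices.

```python
import os
import re
import tempfile
from pathlib import Path

# PHP string escapes such as \x65 or \145: the "HEX encoding" the post describes.
ESCAPE_RE = re.compile(rb"\\x[0-9A-Fa-f]{2}|\\[0-7]{3}")
CORE_DIRS = ("wp-admin/", "wp-includes/")  # trees holding only WordPress's own files

def escape_ratio(data):
    """Fraction of the bytes in `data` that belong to \\xNN or \\NNN escapes."""
    return sum(len(m) for m in ESCAPE_RE.findall(data)) / len(data) if data else 0.0

def walk(root):
    """Map '/'-separated relative path -> Path for every file under `root`."""
    return {p.relative_to(root).as_posix(): p for p in Path(root).rglob("*") if p.is_file()}

def audit(install_root, clean_root, threshold=0.2, window=86400):
    """Return {relative path: sorted reasons} for files that need a manual look."""
    live, clean = walk(install_root), walk(clean_root)
    reasons = {}
    for rel, path in live.items():
        if rel.startswith(CORE_DIRS) and rel not in clean:
            reasons.setdefault(rel, set()).add("not-in-clean-copy")
        if escape_ratio(path.read_bytes()) >= threshold:
            reasons.setdefault(rel, set()).add("escape-heavy")
    # Second pass: non-core files modified within `window` seconds of a flagged file.
    stamps = [live[rel].stat().st_mtime for rel in reasons]
    for rel, path in live.items():
        near = any(abs(path.stat().st_mtime - s) <= window for s in stamps)
        if rel not in reasons and rel not in clean and near:
            reasons[rel] = {"same-date-as-flagged"}
    return {rel: sorted(why) for rel, why in reasons.items()}

def demo():
    """Audit two constructed trees (sample data, not real malware) in a temp dir."""
    files = {
        "clean/wp-admin/includes/file.php": (b"<?php // core\n", 1_300_000_000),
        "live/wp-admin/includes/file.php": (b"<?php // core\n", 1_300_000_000),
        "live/wp-admin/includes/class-wp-theme-edit.php": (rb"\x65\x63\x68\x6f" * 20, 1_320_000_000),
        "live/wp-content/uploads/logo.gif": (b"GIF89a plain bytes", 1_320_000_100),
        "live/wp-content/uploads/old.jpg": (b"JFIF plain bytes", 1_300_000_000),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (body, mtime) in files.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(body)
            os.utime(path, (mtime, mtime))
        return audit(Path(tmp, "live"), Path(tmp, "clean"))
```

The same-date reason only narrows the search: legitimate uploads made on the same day are listed too, and file timestamps can be changed by whoever wrote the file.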

    Thread Starter theMezz

    (@themezz)

    I have detected Backdoor:PHP/Seqangle.A a few times in my class-wp-theme-edit.php file on both my installations of WordPress.

    I use strong passwords, keep WP up to date, removed unused plug-ins, and removed unused themes.

    Questions

    1) What else can I do as a preventative?

    2) What is class-wp-theme-edit.php supposed to do? I erased it, but that has to affect something at some time.

    Thread Starter theMezz

    (@themezz)

    Does anyone know if that file belongs to WordPress?

    esmi

    (@esmi)

    What folder is that file in?

    Thread Starter theMezz

    (@themezz)

    wp-admin\includes\class-wp-theme-edit.php

    esmi

    (@esmi)

    It’s not in 3.3.1

    If it’s a hack file, then it definitely looks to be targeted at WP specifically. Can you send an email with the details to security [at] www.remarpro.com? Please include as much detail as you can.
