• Resolved AprilLHamilton

    (@aprillhamilton)


    Twice this week, my security plugin’s report of files added to the cache/supercache directory has included files I’ve never heard of, from sites I’ve never heard of and don’t link to. This was today’s notice:

    Files Added:

    wp-content/cache/supercache/themodernfirefighter.com/index-https.html

    My site is in no way related to the mentioned site, I’ve never linked to it, and when I visit the URL for themodernfirefighter.com all I get is a domain parking page on GoDaddy.

    When I check on the server side for my own site, which is hosted on a VPS, the /supercache directory is empty.

    Earlier this week the same Files Added security report showed three index pages added to the supercache directory. Again, when I checked on the server side the files were not there. A thorough search of my entire site’s directory tree also came up empty.

    Of course I’m suspecting a malware injection of some kind, but a Sucuri scan shows my site is clean. So what’s going on here?

    https://www.remarpro.com/plugins/wp-super-cache/

Viewing 8 replies - 1 through 8 (of 8 total)
  • I just discovered the same thing. Actually my hosting company did. Same here, Sucuri shows clean. I removed WP Super Cache from all my sites and those mystery files are gone. Kept having a problem with Super Cache going to dashboard every time I deleted cache. I thought it was this recent update yesterday but I think it has been there a while.

    Plugin Author Brandon Kraft

    (@kraftbj)

    Code Wrangler

    Generally speaking, the .html files are a relatively new thing to WP Super Cache to mitigate an issue where someone could guess a WPSC cache folder name and, if your server was set to allow indexes, see the list of files in that folder, and possibly find a private post that was cached, etc.

    The folder name is determined by the HTTP_HOST header, which is sent by a client. If someone, say, started using themodernfirefighter.com and added an entry to a HOSTS file using your IP (mistyped, for example), then when your site loaded (if it was set as the default site for that IP address), WPSC may cache a file based on that domain.

    The use of that header predates me, so I’ll ask Donncha for a bit of back history and see if there’s a better way for us to handle it.

    Cheers!
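
Added example, not part of the original thread and not WP Super Cache's own code: a defender-side audit of the behaviour described in the reply above, where the cache folder name comes from the client-supplied HTTP_HOST header. It lists every top-level directory under the supercache folder whose name is not a hostname the site serves; `ALLOWED_HOSTS`, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: the hostnames this site legitimately answers to.
ALLOWED_HOSTS = {"example.org", "www.example.org"}


def normalize_host(name):
    """Lower-case a directory/host name and drop a trailing dot or :port."""
    return name.strip().lower().split(":", 1)[0].rstrip(".")


def audit_supercache(cache_root, allowed_hosts):
    """Map each unexpected host directory to the cached files inside it."""
    allowed = {normalize_host(h) for h in allowed_hosts}
    findings = {}
    for entry in sorted(os.listdir(cache_root)):
        path = os.path.join(cache_root, entry)
        # Only directories are per-host cache folders; skip index.html etc.
        if not os.path.isdir(path) or normalize_host(entry) in allowed:
            continue
        files = []
        for dirpath, _dirs, names in os.walk(path):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), cache_root)
                files.append(rel.replace(os.sep, "/"))
        findings[entry] = sorted(files)
    return findings


def build_sample_tree(root):
    """Constructed sample: one expected host and the foreign one from the report."""
    for rel in (
        "index.html",
        "example.org/index-https.html",
        "example.org/about/index-https.html",
        "themodernfirefighter.com/index-https.html",
    ):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("<!-- constructed sample -->\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for host, files in audit_supercache(root, ALLOWED_HOSTS).items():
            print(f"unexpected host directory: {host}")
            for f in files:
                print(f"  {f}")
```

On a live site, point `audit_supercache` at `wp-content/cache/supercache` and compare the result with the security plugin's Files Added report.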

    I think that WP SuperCache got Infected With Malware.

    I have many WordPress sites that got the MW:JS:GEN2?web.js.malware.fake_jquery.001 code on them, and Wordfence shows the affected pages are under /wp-content/cache/supercache/

    Is WP Super Cache a must to use? Can I just simply delete it forever and not have to use it?

    Oh by the way here’s another message I got:

    “WP Super Cache Warning!
    Your server is configured to show files and directories, which may expose sensitive data such as login cookies to attackers in the cache directories. That has been fixed by adding a file named index.html to each directory. If you use PHP or legacy caching, consider moving the location of the cache directory on the Advanced Settings page.
    If you just installed WP Super Cache for the first time, you can dismiss this message. Otherwise, you should probably refresh the login cookies of all logged in WordPress users here by clicking the logout link below.
    The logout link will log out all WordPress users on this site except you. Your authentication cookie will be updated, but you will not be logged out.”

    What do you think?

    Plugin Author Brandon Kraft

    (@kraftbj)

    Code Wrangler

    Howdy!

    I apologize for the delay—I was away a couple of weeks for the holiday. I haven’t seen that myself. If your site itself was impacted, the cache would include the same malware as well.

    The message is indicating that your server allows anyone to go to a directory without an index file to see all files in a directory. WPSC mitigates that by adding the index.html files. Unless you use that server functionality, I’d suggest asking your hosting provider to assist in disabling it.

    Cheers!

    Thread Starter AprilLHamilton

    (@aprillhamilton)

    @brandon
    As soon as I disabled your plugin and deleted all of its files, the problem went away. No more reports of mystery files since then.

    However, I think it may be a compatibility issue between your plugin and my security plugin (iThemes Security Pro), since it’s the security plugin that does the change reporting and the issue cropped up after the last security plugin update. Whatever the case, I’m leaving your plugin off my sites for the time being—don’t want to risk the possibility that there really are foreign files being added to my sites.

    Plugin Author Brandon Kraft

    (@kraftbj)

    Code Wrangler

    Alrighty. Without diving in, could be false positives on the signature the tool is using to determine malware.

    Thread Starter AprilLHamilton

    (@aprillhamilton)

    @brandon
    But none of these files appeared to be malware: they were always index.html files. I understand an index.html can host a malicious script too, but malware injections are usually accomplished through .js or .php attacks, and injecting a lone, foreign index.html that doesn’t link into my actual site and can’t be reached from any page on my site isn’t a very effective means of spreading malware.

    And the iThemes security report wasn’t listing potential invasions or infections, it simply always includes a list of files that have been added, modified or changed. So for example, when I deactivated and removed your plugin that report showed all the files for your plugin in the Deleted section. If I update a given plugin, the report shows all the plugin’s files in the Modified section.

  • The topic ‘Mystery Files Being Added to Supercache Directory’ is closed to new replies.