• Resolved mbreaux13

    (@mbreaux13)


    I would like to know whether or not I’ve been hacked–there are no obvious changes to my actual site, but WordFence has suddenly picked up about 1000 files that are marked “Unknown File in WordPress core.” Some are widget files, and there are some with random names that I’m not sure if I should ignore or not.

    Here are just a few for example:

    wp-includes/widgets/class-wp-widget-search.php.1269948658
    wp-includes/widgets/class-wp-widget-tag-cloud.php.1269948658
    wp-includes/widgets/class-wp-widget-text.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/ChaCha20/Ctx.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/ChaCha20/IetfCtx.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/ChaCha20.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/Curve25519/Fe.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/Curve25519/Ge/Cached.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/HChaCha20.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/HSalsa20.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/Poly1305.php.1269948658
    wp-includes/sodium_compat/namespaced/Core/SipHash.php.1269948658
    wp-includes/sodium_compat/src/Core/BLAKE2b.php.1269948658
    wp-includes/taxonomy.php.1269948658
    wp-includes/template-loader.php.1269948658
    wp-includes/js/tinymce/skins/wordpress/images/gallery-2x.png.1269948658

    Should I be concerned and/or begin the process of cleaning up my site?

    Thanks.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Hey @mbreaux13,

    Can you share who you’re hosting with?

    Can you share some of the files in a pastebin.com and we’ll review them to make sure they aren’t malicious?

    I’m not sure if there’s a reason to be concerned or not. Wordfence is flagging them as unknown due to the digits at the end of the file names, which change their names. You might reach out to your host for their thoughts on how this could happen.

    Thanks,

    Gerroald

    Thread Starter mbreaux13

    (@mbreaux13)

    I’m using Dreamhost. Here it is: pastebin.com/2ui76S2c

    It seems like my site isn’t in any immediate danger, I am just surprised this many alerts have suddenly popped up. Not sure if I should investigate and remove them or just ignore. I have another site hosted by Dreamhost as well, and its scan isn’t showing anything wrong.

    Either way, I have backed up my site just in case I have to remove any of these files if anything goes wrong. Thanks for your help.

    Hey @mbreaux13,

    As long as you have a backup, I would go ahead and remove them. There isn’t any reason to have extra files, plugins, or themes on your site that you aren’t using.

    I would also speak with Dreamhost for their thoughts.

    Thanks,

    Gerroald
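
One way to triage files like the ones listed in this thread before deleting them, as an added example that is not part of the original thread and not Wordfence's own code: it finds files whose names end in a dot plus a run of digits and compares each one with the un-suffixed file beside it. The six-digit minimum for the suffix and the sample tree in `demo()` are assumptions made for the example.

```python
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# "taxonomy.php.1269948658" -> base "taxonomy.php", suffix "1269948658"
SUFFIXED = re.compile(r"^(?P<base>.+)\.(?P<suffix>\d{6,})$")


def sha256_of(path):
    """Hash in chunks so large media files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_suffixed(root):
    """Classify digit-suffixed files against the un-suffixed file beside them."""
    root = Path(root)
    report = defaultdict(lambda: {"identical": [], "differs": [], "orphan": []})
    for copy in sorted(p for p in root.rglob("*") if p.is_file()):
        match = SUFFIXED.match(copy.name)
        if not match:
            continue
        sibling = copy.with_name(match["base"])
        if not sibling.is_file():
            state = "orphan"     # no file with the original name: read it first
        elif sha256_of(copy) == sha256_of(sibling):
            state = "identical"  # redundant byte-for-byte copy of the sibling
        else:
            state = "differs"    # content is different: read it before deleting
        report[match["suffix"]][state].append(copy.relative_to(root).as_posix())
    return dict(report)  # keyed by suffix, so one bulk rename shows as one group


def demo():
    """Constructed sample tree, not real WordPress files."""
    files = {"taxonomy.php": b"A", "taxonomy.php.1269948658": b"A",
             "template-loader.php": b"B", "template-loader.php.1269948658": b"old B",
             "extra.php.1269948658": b"C", "version.php": b"D"}
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp, "wp-includes")
        inc.mkdir()
        for name, body in files.items():
            (inc / name).write_bytes(body)
        return triage_suffixed(tmp)
```

A copy reported as identical only matches the file next to it; WP-CLI's `wp core verify-checksums` checks the un-suffixed core files themselves against the official WordPress.org checksums.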

    Hi,

    In my case I had several websites that were hacked. I narrowed it down to a plugin called “Rich Reviews” by “Nuanced Media” – I traced this and more info can be found here: https://wpvulndb.com/vulnerabilities/9885

    Wordfence identifies infected files.

  • The topic ‘Unknown File Changes’ is closed to new replies.