Unknown file wp-admin/.rnd

  • Resolved Evolvingdoor

    (@evolvingdoor)


    4 years, 10 months ago

    I’ve been looking after a client’s site for 5+ years and Wordfence has been running on it since I took it over. (Awesome plugin–thank you for this!!) Today suddenly I got a noticed about an unknown file .rnd in the wp-admin directory. When I’ve googled about it, I’m seeing information dated up to 11 years ago! So it’s not something new that would have only recently started showing up.

    In the information I found, as well as the forum here, I see that it’s associated with OpenSSL. The person whose servers the site is on added an SSL certificate a couple of years ago, but he said he hasn’t changed anything recently (that might explain why this is happening all of a sudden). I do know that OpenSSL is not a plugin installed on the site (WordPress admin side).

    Other posts I found in this forum that asked about the .rnd file were marked resolved but it seems that was only because the original poster never followed up. I don’t know if the file has ever been I’m wondering why I’m only now seeing a report from Wordfence about this, since it seems the file has been known for over a decade.

    I’ve renamed the file for now and changed all passwords, to be safe.

    Can someone please help me understand what this is and why I’m only seeing a warning about this now? I don’t want to tell Wordfence to just ignore it if it could be a problem.

    Thanks in advance.

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hi @evolvingdoor,

    This is a generic file created by any plugin that uses phpseclib.

    Just as an example, the InfiniteWP Client plugin uses this to establish secure connections across sites.

    If you have Notepad++, you can search for .rnd within your entire wp-content/plugins/ directory. ( For example: https://i.imgur.com/9fVpFVo.png )

    That should help you pinpoint which plugin is responsible for creating that file.
    Nevertheless, I wouldn’t be worried about that file, it’s used in seed generation for SSL connections.

    Dave

    Hey @evolvingdoor,

    This file is used for encryption and is likely just fine. If you’d like to share the contents of it in a pastebin.com we can review it to make sure it isn’t malicious. As to why the scanner is just now picking it up, there was likely a change in your system. It may not have been your administrator that added the original SSL certificate, but perhaps of change in how it operates, been updated and etc.

    https://www.howtogeek.com/forum/topic/what-the-heck-is-an-rnd-file

    Either way, if you’d like to share it we can make sure it isn’t malicious.

    Thanks,

    Gerroald

    Hey @evolvingdoor,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Unknown file wp-admin/.rnd’ is closed to new replies.