• Resolved carole05

    (@carole05)


    Hello,

    Sorry for my English, I’m French, but this forum is the only one that can help me resolve a problem.

    My website suffered a lot of attacks more than 6 months ago. Now I use Wordfence, and this plugin helps me a lot. Recently, when I looked at the analysis, the plugin found a “backdoor” in my website. I made a copy of this code and I hope that someone here can tell me more about it. Is it dangerous? What can I do?

    Thank you for your help.

    Filename: wp-includes/compat-functions.php
    File Type: Not a core, theme, or plugin file from www.remarpro.com.

    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php\x09$p=$_COOKIE;(count($p)==23

    The issue type is: Suspicious:PHP/cookie.count.8285
    Description: Suspicious code often found in malware

    Filename: wp-admin/includes/comment-edit.php
    File Type: Not a core, theme, or plugin file from www.remarpro.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: if($_POST[‘opt’] == ‘chmod’){\x0aif(isset($_POST[‘perm’])){\x0aif(chmod(

    The issue type is: Backdoor:PHP/Generic.153
    Description: A malicious file uploader known as Generic

    wp-config.php
    File Type: WordPress Configuration File
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: include_once(ABSPATH . ‘/wp-includes/init.php’

    The issue type is: Backdoor:PHP/rogueinclude.6167
    Description: Malicious include of a file disguised as core

    This is your main configuration file and cannot be deleted. It must be cleaned manually.

    Filename: wp-includes/init.php
    File Type: Not a core, theme, or plugin file from www.remarpro.com.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: array(‘function’,’variable’,’document’,’cache’,’create’,’load’);\x0d\x0a\x09\x09$markers=array(\x0d\x0a\x09\x09\x09\x09$labels[4],\x0d\x0a\x09\x09\x09\x09$labels[0]\x0d\x0a\x09\x09);\x0d\x0a\x09\x09$factoryName=join(‘_’, $markers);\x0d\x0a\x09\x09$param=’$’;\x0d\x0a\x09\x09$param.=’mime’;\x0d\x0a\x09\x09$pa…

    The issue type is: Backdoor:PHP/joindictfunction.6820
    Description: Include at the beginning of the wordrpess index – often used by malware, occasionally benign

Viewing 8 replies - 1 through 8 (of 8 total)
  • These look like malware infections.

    These files are important to clean up, as they can often be used to reinfect a website.

    The report can be helpful to clean the files, if you have a web developer who knows how to perform this.

    We offer site cleaning services if you need assistance with cleaning the site.

    https://www.wordfence.com/wordfence-site-cleanings/

    Greg

    • This reply was modified 4 years, 8 months ago by wfgreg. Reason: added name
    Thread Starter carole05

    (@carole05)

    Thank you for your answer. Wordfence proposes that I delete the file. Can I do that?

    Thanks for the link.

    wp-config.php

    The issue type is: Backdoor:PHP/rogueinclude.6167

    “This is your main configuration file and cannot be deleted. It must be cleaned manually”

    This means the file should not be deleted.

    If you have someone familiar with how, they can clean the file manually. But do not delete that file.

    Thread Starter carole05

    (@carole05)

    Thank you very much. Yes, I know someone who can help me with this. In your opinion, is it important? Because I have a lot of websites and just one which has this type of problem. It’s regular and I don’t understand why.

    A single infected website can be used to infect all the other websites in the same hosting account unless special protections are in place. Even if the website is the only one on the account, it can be infected and controlled by others until it is cleaned.

    I would have your contact help you in cleaning these files.

    To protect websites, use up-to-date plugins and themes, good passwords, and avoid installing obscure plugins and scripts. It could be an old plugin or theme.

    This may help you protect websites in the future.

    https://www.wordfence.com/learn/how-to-harden-wordpress-sites/

    Thread Starter carole05

    (@carole05)

    Thank you for your help. I cleaned the website this morning and the analysis informs me that there is no trace of this code. But we always find problems.

    First, Wordfence found 3 files and wrote me this message:
    init.php
    compat-functions.php
    comment-edit.php

    “This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker.”

    Secondly, I found problems with images:
    tinymce/skins/wordpress/images/animation_d1.gif
    This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans.

    It does sound like those files may have issues, which may need attention from your contact as well. It depends on what the exact scanner results say – sometimes they just highlight suspicious or unusual files, other times the scanners identify probable malicious content.

    Whenever you are performing cleans, we recommend keeping backups of your site in case anything happens.

    Wordfence does have Site Cleaning services, and it does sound like your site is having ongoing malware attacks. I would recommend looking at the services I sent:

    https://www.wordfence.com/wordfence-site-cleanings/

    Be aware, I do work for Wordfence, so the recommendation is coming from an employee.
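
Added example, not part of the thread and not Wordfence's code: a minimal Python version of the two checks the scan results above describe, namely files under wp-admin/ and wp-includes/ that a known-good file list does not contain, and include/require lines in wp-config.php that load anything other than wp-settings.php. The function names, the manifest and the sample tree are constructed for illustration; a real check would use the official file list for the installed WordPress release.

```python
import re
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")
EXPECTED_INCLUDE = "wp-settings.php"  # the one file a stock wp-config.php loads
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b", re.I)

def unknown_core_files(root, manifest):
    """Files under the core directories that the known-good manifest does not list."""
    root = Path(root)
    extra = []
    for core_dir in CORE_DIRS:
        for path in sorted((root / core_dir).rglob("*")):
            rel = path.relative_to(root).as_posix()
            if path.is_file() and rel not in manifest:
                extra.append(rel)
    return extra

def unexpected_includes(config_path):
    """(line number, text) of include/require lines to review by hand (line-based heuristic)."""
    text = Path(config_path).read_text(errors="replace")
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if INCLUDE_RE.search(line) and EXPECTED_INCLUDE not in line]

def build_sample_site(root):
    """Constructed tree: two genuine core paths plus the three file names from the scan."""
    root = Path(root)
    for rel in ("wp-admin/index.php", "wp-includes/version.php",
                "wp-includes/init.php", "wp-includes/compat-functions.php",
                "wp-admin/includes/comment-edit.php"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("<?php // constructed placeholder\n")
    (root / "wp-config.php").write_text(
        "<?php\n"
        "include_once(ABSPATH . '/wp-includes/init.php');\n"
        "define( 'DB_NAME', 'example' );\n"
        "require_once ABSPATH . 'wp-settings.php';\n")
    return root

# Constructed stand-in for the official file list of the installed release.
SAMPLE_MANIFEST = {"wp-admin/index.php", "wp-includes/version.php"}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site = build_sample_site(tmp)
        for rel in unknown_core_files(site, SAMPLE_MANIFEST):
            print("not in manifest:", rel)
        for n, line in unexpected_includes(site / "wp-config.php"):
            print(f"wp-config.php:{n}: {line}")
```

On a live site, WP-CLI's `wp core verify-checksums` performs the core-file comparison against the official checksums; every hit from either check still needs manual review, since hosts and plugins sometimes add files or includes of their own.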

  • The topic ‘Wordence find backdoor in my website’ is closed to new replies.