• Never had this as a problem. New client, the first thing I do is install Wordfence on his current site. Give it a scan twice with Wordfence and it flags an “f649 infection.”

    The Warnings:
    File appears to be malicious: wp-includes/class.wp.php
    Unknown file in WordPress core: wp-includes/class.wp.php

    Easiest fix?

    Thanks!

    • This topic was modified 7 years, 9 months ago by dgee.
Viewing 6 replies - 1 through 6 (of 6 total)
  • I’m not with WF support, just a long time user, but you can get more info here >>
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Also more info on f649 (also known as Darkleech) here: https://blog.sucuri.net/2015/03/pseudo-darkleech-server-root-infection.html

    Make sure you install theme(s), plugin(s) and add-on(s) from a verified distributor.

    I solved a similar problem by doing this just now:

    1. Rename class.wp.php to class.wp.phpXXX from the FTP client. (Mine was renamed to “class.wp.php.”)
    2. Refresh any page of your WordPress site in the browser; an error will appear, and a new file “class.wp.php” (smaller than the original) is created automatically.
    3. I opened the new class.wp.php; it contains an encoded script. Via the FTP client I renamed it again, to “class.wp.php..”
    4. Upload the original file from the WordPress zip file. Open the zip in archive software, find class.wp.php, then drag and drop it directly to the server via the FTP client.
    5. Scanning with Wordfence, the result is that both files ending with “.” and “..” are still suspected, and the original class.wp.php is clean. Then delete the two suspected files (class.wp.php. and class.wp.php..) using Wordfence or FTP.
    6. Scanning with Wordfence gives me a clean result.

    Hope it helps.

    • This reply was modified 7 years, 9 months ago by afumado.
    Thread Starter dgee

    (@daryleg)

    Thanks afumado and bluebearmedia. I’ll work on your suggestions in the morning.

    Hello, I have this kind of issue. Dgee, how is it now? Is afumado’s solution working fine?

    Hi @daryleg and @aceshow
    In the default WordPress installation, there is no “class.wp.php” under the “wp-includes” directory, but there is “class-wp.php”, so it’s recommended to delete this non-core file “class.wp.php” and follow the link suggested by bluebearmedia along with these tips regarding “How to Harden Your WordPress Site From Attacks”.

    Thanks.

    My mistake. It’s true, there is no class.wp.php under the wp-includes directory. Just delete it, including the file wp-cd.php if it is there. Also take a look at your function.php, post.php, *.css; sometimes they inject these files too.

    My domain was infected again, a few days after my cleanup. I tried to figure it out.

    1. Change my FTP password. If you have many FTP accounts active, change them all too.
    2. Double-check all of the WordPress installations on your hosting account if you use shared hosting. One infected WordPress on the same hosting user account may infect other WordPress installations.
    3. Double-check all of the other web applications installed on your hosting account, i.e. Joomla or other CMS/web apps. I guess their script can generate injections into WordPress using another infected CMS. Correct me if I’m wrong.

    Since then, everything is still fine.

  • The topic ‘WordFence flags: “f649 infection.” Easiest fix?’ is closed to new replies.
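
The replies above point out that wp-includes/class.wp.php is not a core file (the real one is class-wp.php) and recommend checking every WordPress installation on the account. As an added example, not code from any poster or from Wordfence, this Python script compares a site's core directories with a pristine extract of the same WordPress version; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-includes", "wp-admin")  # directories that hold only core files


def _hashes(root):
    """Map relative path -> SHA-256 for every file under the core directories."""
    out = {}
    for core_dir in CORE_DIRS:
        for path in Path(root, core_dir).rglob("*"):
            if path.is_file():
                digest = hashlib.sha256(path.read_bytes()).hexdigest()
                out[path.relative_to(root).as_posix()] = digest
    return out


def audit_core(site_root, reference_root):
    """Compare a live site with a pristine extract of the same WordPress version."""
    site, ref = _hashes(site_root), _hashes(reference_root)
    unknown = sorted(p for p in site if p not in ref)   # e.g. class.wp.php
    modified = sorted(p for p in site if p in ref and site[p] != ref[p])
    missing = sorted(p for p in ref if p not in site)
    return {"unknown": unknown, "modified": modified, "missing": missing}


def _write(root, rel, data):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed sample trees: a clean reference and a site with added files."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "reference"), Path(tmp, "site")
        for root in (ref, site):
            _write(root, "wp-includes/class-wp.php", b"<?php // core file\n")
            _write(root, "wp-admin/post.php", b"<?php // core file\n")
        _write(site, "wp-includes/class.wp.php", b"<?php // constructed placeholder\n")
        _write(site, "wp-includes/class.wp.phpXXX", b"<?php // renamed leftover\n")
        _write(site, "wp-admin/post.php", b"<?php // core file\n// altered\n")
        return audit_core(site, ref)


if __name__ == "__main__":
    print(demo())
```

On a real site, pass `audit_core` the site root and an extracted copy of the official zip for the same version, and repeat for each installation on the hosting account. WP-CLI's `wp core verify-checksums` performs a comparable check against the official checksums.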