• Resolved brandsteve

    (@brandsteve)


    Got this today on one of my sites. When I logged in to check it out I found that the file was dated 2 years ago.

    If Wordfence has just been updated to catch this one – great. If not, then I am worried that someone can hack this site and backdate files.

    Is backdating something I need to worry about? Or has this problem just been hanging around a while and Wordfence now recognizes it?

    File appears to be malicious: wp-content/themes/streamline_20/footer_top.php

    Filename: wp-content/themes/streamline_20/footer_top.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 51 mins ago.
    Severity: Critical
    Status New

    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “$qoYaihr=”\x65\x76\x61l(\x62\x61\x73\x656\x34_\x64\x65\x63\x6fde(‘”; $ukttE=”JGRlYnVnX2\x31vZG\125\147PSBpc3N\154\x64\x43gkX1JF”. The infection type is: Backdoor:PHP/GRlY.

Viewing 1 replies (of 1 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Hi,

    We’ve had detection for this malware for a while, so it is likely that it was just added to the site and the file date was set back. It is possible to set file dates back in the past by using the touch() function in PHP, and it can be done to hide modified files like this.

    We have a guide here to help clean hacked sites. Some of the more aggressive scan options may find additional files, and there are recommendations on updates, passwords, etc., which can help prevent reinfection:
    How to clean a hacked website

    -Matt R
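
Added example, not part of the original thread and not Wordfence code: a check for the backdating described in the reply above. It assumes a Linux/POSIX host, where `touch()` can rewrite a file's modification time (mtime) but the kernel sets the inode change time (ctime) itself. The function name, the 30-day threshold and the sample tree are constructed for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

DAY = 86400


def find_backdated(root, min_gap_days=30, suffixes=(".php",)):
    """List files whose ctime is much newer than their mtime.

    PHP's touch() (like utime/os.utime) can set mtime to any date, but the
    kernel stamps ctime (inode change time) itself at the moment of the call.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or unreadable; skip it
            if st.st_ctime - st.st_mtime > min_gap_days * DAY:
                hits.append((path, st.st_mtime, st.st_ctime))
    # Most recently changed inodes first.
    return sorted(hits, key=lambda h: h[2], reverse=True)


def demo():
    """Constructed sample tree: one normal file, one backdated by two years."""
    with tempfile.TemporaryDirectory() as root:
        theme = Path(root, "wp-content", "themes", "example_theme")
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<?php // normal theme file\n")
        planted = theme / "footer_top.php"
        planted.write_text("<?php // harmless stand-in for the flagged file\n")
        old = time.time() - 2 * 365 * DAY
        os.utime(planted, (old, old))  # same effect as PHP touch($file, $old)
        return [os.path.basename(p) for p, _m, _c in find_backdated(root)]


if __name__ == "__main__":
    for name in demo():
        print("mtime predates ctime by more than 30 days:", name)
```

A gap between ctime and mtime also appears after legitimate operations that preserve mtime or touch only metadata (for example `rsync -a`, extracting a tar archive, restoring a backup, or `chmod`), so a hit is a file to review, not proof of tampering.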

  • The topic ‘Wordfence scan finds malicious file’ is closed to new replies.