What were the contents of the file?
Malware scans are typically signature based, if this was a new string of malicious code it might not have been picked up.
Thread Starter
nilar
(@nilar)
Well … I don’t know the content of the files as my PC even refused to edit them. I mean I’m not speaking about lines of code injected in already existing files. I’m speaking about completely new files and, apart from the content of these files, I expected from wordfence a comparative scan able to detect strange named php files on a core folder of the wordpress installation, in particular on a css folder where php files shouldn’t be at all.
Ok, in this case, if you are seeing files in wp-includes that shouldn’t be there then you should remove them.
To better determine what files should and should not be present you can use this trick in Filezilla:
http://blog.sucuri.net/2012/11/website-malware-removal-ftp-tips-tricks.html
Have a fresh copy of WordPress on the left and browse your site files on the right and then press Ctrl+O – the green/white files match and the yellow files will be out of place.
As for Wordfence finding .PHP files with strange names, I am not sure if this is something Wordfence does. Random/strange filenames is only a proxy indicator for malware, though, and does not always indicate an infection (take, for instance, cache files which tend to have very random and strange names)
Thread Starter
nilar
(@nilar)
The trick is awesome … you changed my life. Really 🙂
As for Wordfence, probably you are right. I gave it as granted that it performed a comparison scan on core folders that, unless you are a very reckless webmaster, shouldn’t change. But maybe not.
Anyway Wordfence is fantastic in the real time alerting system. Recently got 2 hackers while they were hacking thanks to this. Remarkable 🙂
Yeah, it’s a very handy tool 🙂
There’s really no reason to have any out-of-place files in wp-includes – In infected sites I find most often they are spam related files.
If you’re not sure about a certain file feel free to pastebin here and I can take a look.
