Hi @cliffg1821, thanks for reaching out to us.
There’s not a huge amount of information out there on these files, but according to a WordPress.org moderator these files should not be created by WordPress or any plugin. In addition to checking .htaccess for redirects to that folder as suggested in their post, it sounds like you may need to clean the site or at least follow the checklist here:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
Make sure to get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc.) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility, you still need the latest update in that version. Those can be found here:
https://wordpress.org/download/releases/
WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.
As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.
Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.
If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless of whether you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.
Thanks,
Peter.
Thanks Peter. Some work to do.
Cliff
OK, I have deleted the entire /wp-includes/.sys/ directories and those errors have gone away and the site is still functional.
We have changed all passwords except the database, I need to look out how to do that.
I still have two errors:
Filename: wp-includes/class-wp-list-css.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: $ao($oa(“$LocalNameStr”)
The issue type is: Suspicious:PHP/doublevarfnb64.6913
Description: Suspicious code pattern often indicating malware
and
Filename: wp-includes/class-wp-list-css.php
File Type: Core
Details: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker.
I had previously re-installed the up to date WP (5.9), also all plugins are up to date. One plug-in is abandoned and I need to check if I can just remove it, not sure where it’s used, but the above two errors don’t look to be related.
I would have expected the re-install to overwrite those two files, so assuming they have in fact been overwritten, I wonder if they are false positives, though they don’t flag up on two other sites I run.
Any thoughts? Thanks in advance
UPDATE
I have compared to my other WP sites and this file wp-includes/class-wp-list-css.php is not on the others, and appears to be a hangover from a previous version, also explains why still there after a re-install. I saved it first, in case, then deleted it and site is still functional. 🙂
Thanks for the help. Site scanning a lot cleaner now.
Hi @cliffg1821,
Sorry to catch up after a few updates. It’s great to see you’ve taken the steps and your site is on the mend! I believe you’re also correct with the leftover files from a previous version – which we don’t always see but can happen. As long as there were no adverse effects with the removal it’s absolutely fine to do this.
Feel free to open up a new topic if you have any further Wordfence questions in future.
Thanks again,
Peter.
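The comparison done by hand in this thread (checking wp-includes against a known-good install) can be automated against a checksum manifest. The following is an added example, not part of the original posts and not Wordfence's own code; the function names, the sample tree and the manifest format (relative path mapped to an MD5 hex digest) are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def audit_core_dir(wp_root, manifest, subdir="wp-includes"):
    """Classify files under wp_root/subdir against {relative path: md5 hex}."""
    root = Path(wp_root)
    report = {"unexpected": [], "hidden": [], "modified": []}
    for path in sorted(p for p in (root / subdir).rglob("*") if p.is_file()):
        rel = path.relative_to(root)
        key = rel.as_posix()
        if key not in manifest:
            # A re-install overwrites known files but does not delete extras,
            # so anything outside the manifest survives it.
            hidden = any(part.startswith(".") for part in rel.parts)
            report["hidden" if hidden else "unexpected"].append(key)
        elif hashlib.md5(path.read_bytes()).hexdigest() != manifest[key]:
            # MD5 is used only to match the assumed manifest format.
            report["modified"].append(key)
    return report


def build_sample_tree(wp_root):
    """Constructed sample: write a tree that deviates from the manifest it returns."""
    clean = {
        "wp-includes/version.php": b"<?php $wp_version = '5.9';\n",
        "wp-includes/functions.php": b"<?php // core functions\n",
    }
    manifest = {k: hashlib.md5(v).hexdigest() for k, v in clean.items()}
    on_disk = dict(clean)
    # Altered copy of a file that is in the manifest
    on_disk["wp-includes/functions.php"] += b"// appended line\n"
    # File in a core location that the release does not ship
    on_disk["wp-includes/class-wp-list-css.php"] = b"<?php // placeholder\n"
    # File inside a dot-directory (file name is a constructed placeholder)
    on_disk["wp-includes/.sys/cache.php"] = b"<?php // placeholder\n"
    for rel, data in on_disk.items():
        target = Path(wp_root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return manifest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, files in audit_core_dir(tmp, build_sample_tree(tmp)).items():
            print(kind, files)
```

On a real site the manifest would come from a known-good source for the exact installed version, and the report is a list of files to review, not to delete blindly.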