license.php malware?

  • Resolved mpals

    (@mpalsgaard)


    11 years, 4 months ago

    HI,
    I recently discovered a malware infection on one of my sites. After cleaning it up, using Wordfence plugin to scan for changed files, I noticed a file in the root dir called license.php.
    The beginning of the file looks like this:

    <?php if(!isset($GLOBALS[“\x61\156\x75\156\x61”])) { $ua=strtolower($_SERVER[“\x48\124\x54\120\x5f\125\x53\105\x52\137\x4

    And so it continues.

    Anyone knows if this is malware?

Viewing 6 replies - 1 through 6 (of 6 total)
  • kmessinger

    (@kmessinger)

    11 years, 4 months ago

    It doesn’t look right to me, You do have a license.txt file and maybe the file comes from a plugin.

    URL please.

    You do need to upgrade ASAP.

    Thread Starter mpals

    (@mpalsgaard)

    11 years, 4 months ago

    Thanks!

    The url is: teedawn.dk

    I’ve just updated to 4.1.

    I also discovered 3 admin users, but one is blank and one is invisible. I guess I can delete the blank one, but how do I remove the invisible one???

    kmessinger

    (@kmessinger)

    11 years, 4 months ago

    You need to manually remove this invisible admin from your wp_users table by using phpMyadmin or whatever database management tools your hosting provider offers.

    Thread Starter mpals

    (@mpalsgaard)

    11 years, 4 months ago

    Thanks, I will do that.

    Regarding the license.php – should I rename it to start with and then delete if the site looks normal or just delete it right away?

    catacaustic

    (@catacaustic)

    11 years, 4 months ago

    Delete it. It’s not part of the WordPress file system. The hackers hav enamed it licence.php becuase it looks like the standard licence.txt file that is included.

    Thread Starter mpals

    (@mpalsgaard)

    11 years, 4 months ago

    Thanks, I’ll delete it!

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘license.php malware?’ is closed to new replies.