• While installing SSL on a WordPress website today, I came across a file in the root of the WordPress directory for this site (https://docscapes.org/[redacted]) which really concerns me. I asked my host, who did not know if the file is a hack but scanned the site and found no result indicating hacking, but he suggested investigating further. Therefore, I am sharing this with the WordPress community so that this can be identified as a hack IF it is.

    The file name is maybe 32 meaningless characters followed by .php.

    Please go to this link at pastebin to look at the code that is inside this file:
    [redacted]
    Does this look like a hack to you?

    Thank you for your insights,
    Susan

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Yes, you’ve been hacked.

    Take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter susantau

    (@susantau)

    ok, wow. Thank you for this info.

    One interesting thing, that file has vanished from the WordPress root directory since I posted this earlier today.

    I will proceed to follow the recommended security measures and hope that it is possible to clean the site.

    Thread Starter susantau

    (@susantau)

    I have one more question. Judging from the file I posted yesterday, can you tell me what type of vulnerability/hacking I am experiencing? Like, for example, code injection? Thanks, I am feeling a little overwhelmed and any bit of solid info is like gold.

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    It was some sort of back door.

    Install WordFence and scan your site. That file was the least of your problems (probably).

    Thread Starter susantau

    (@susantau)

    Steve, thank you, thank you, thank you!!! I’m in the process of learning how to use WordFence and it looks absolutely terrific!! I’ll report back here in a day or three to let you, and any interested thread readers, know how this goes.
    Susan

    Thread Starter susantau

    (@susantau)

    As promised, I am back to report on the health of my site (docscapes.org), which was the subject of the above thread.

    Here are the steps I have taken and continue to take (in addition to removing the malicious code described above):
    - I installed Wordfence, which scans the site daily.
    - I added SSL to the site.
    - I keep an eye on crawl errors in Google Search Console.
    - Today I also scanned the site with the free GravityScan (gravityscan.com).

    All results are positive! I am hoping to be out of the woods.

    I also removed a plugin, Simple Share Buttons Adder, that was inserting a slew of external URLs.

    Finally, I followed other recommendations provided at http://codex.wordpress.org/Hardening_WordPress.

    Thank you again to Steve (@sterndata) for tipping me off to Wordfence. I have installed it on all 11 of my WordPress sites. 🙂

    • This reply was modified 8 years, 7 months ago by susantau.

The topic ‘Weird file that may be a hack’ is closed to new replies.
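
A check for the indicator described in this thread (a PHP file with a random 32-character name sitting in the WordPress root), added here as an example and not posted by anyone in the thread. It lists top-level PHP files that a stock WordPress install does not ship; the function names, the reading of "32 meaningless characters" as 32 letters or digits, and the sample files are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# PHP files that a stock WordPress install places in its root directory.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-cron.php", "wp-links-opml.php", "wp-load.php", "wp-login.php",
    "wp-mail.php", "wp-settings.php", "wp-signup.php", "wp-trackback.php",
    "xmlrpc.php",
}

# Assumption: "32 meaningless characters" means 32 letters/digits before .php.
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{32}\.php$", re.IGNORECASE)


def audit_wp_root(root):
    """Return (name, reason) for each PHP file in root that core did not ship."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        # Only top-level regular files with a .php suffix (case-insensitive).
        if not entry.is_file() or entry.suffix.lower() != ".php":
            continue
        if entry.name in CORE_ROOT_PHP:
            continue
        if RANDOM_NAME.match(entry.name):
            findings.append((entry.name, "random-looking 32-character name"))
        else:
            findings.append((entry.name, "not a WordPress core root file"))
    return findings


def demo():
    """Build a constructed WordPress-like root in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("index.php", "wp-config.php", "wp-load.php", "readme.html"):
            Path(tmp, name).write_text("<?php // constructed placeholder\n")
        # Constructed 32-character file name, not the one from the thread.
        Path(tmp, "a" * 8 + "B7" * 4 + "0123456789abcdef" + ".php").write_text("<?php\n")
        Path(tmp, "info.php").write_text("<?php\n")
        return audit_wp_root(tmp)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

A file flagged as "not a WordPress core root file" may be legitimate (some hosts and plugins add their own), so each finding needs manual review, and an empty result only covers the root directory.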