Thread Starter
biornt
(@biornt)
Security check tools cannot properly scan your site. So, I cannot say if the site was hacked. As you have identified the folder (plugins), why don’t you locate the plugin and remove it and see if the alien files are removed? If you cannot identify the specific plugins, you may make a list of your plugins, delete them all and reinstall them with freshly downloaded copies of them.
Thread Starter
biornt
(@biornt)
the site works just fine, no issues at all; my question was only if anyone had seen or heard of these files before in any form and if they know what they were or how they got there.
thanks for checking.
That file has nothing to do with WordPress core. The only ways it could got there is:
- via a theme
- via a plugin
- if someone added it “manually”
(3) suggests that your site/server may have been compromised, so I would strongly recommend that you read /FAQ_My_site_was_hacked and take appropriate action. Just because you’re not seeing any problems does not mean that your site isn’t hacked. To the best of my knowledge, the record around here for the length of time that a site owner had a hacked WordPress site without realising it is 4 years.
Thread Starter
biornt
(@biornt)
yeah, that was my thoughts too and all 3 are plausible. as for 1 and 2, the theme is just a child theme of twentyten and none of the plugins are anything “strange”, just commonly used plugins; the cart is woocommerce.
the 3rd could be a real possibility too as there has been a lot of hacked sites lately.
I will just delete the files and see if there are any issues. I will also set up another test site and install and uninstall each plugin one by one and see if any of them for any reason add those files to the site.
it is just strange because the site is fine, but then again, just because the site is fine does not mean it has not been hacked; the 4 year is not a record i want to beat 🙂
thanks,
I will just delete the files and see if there are any issues.
No! That’s not enough! If your site has been compromised, that’s like trying to cure a serious infection with a couple of pain killers. The real infection could still be present in multiple places. You really do need to ensure that the site is thoroughly de-loused. See:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Thread Starter
biornt
(@biornt)
this is just a test site. the real site will be the new test site I mentioned above. it will be created from a clean install of everything. i am using this to compare files to see what happened.
I am just confused as to these files and the purpose (if any) of them (and how they got there).
i posted the question here because often wp hacks are of the same nature, meaning that several sites are often hacked the same way, so i was just curious if anyone else had seen these files (there could of course be more in other places).
these files stood out because they were in the actual plugins folder, so i guess my question still stands, if anyone else have seen these files added to their site(s) and if they do if they have any idea how they got there.
ahh, and I tried to search google for the files and i could not really find anything, just a bunch of joomla references (which the code in the jce.php has references too), so it is all a little confusing.
