• Resolved TheSteveHimself

    (@thestevehimself)


    Today I stumbled across a wp.php file in my WordPress root which redirected me to a French site.
    Another file, userr.php (the double r at the end is intentional), was also found in the WordPress root folder.

    A scan with Wordfence identified the userr.php file as malicious. I deleted it as well as the wp.php with the redirect in it.

    After a very short amount of time the wp.php file was back.
    After some searching in my WordPress install I found a 404.php in the wp-includes/theme-compat folder.

    Currently we are not sure how the 404.php made it to the server, but the fact that the 404.php is not included in a default vanilla install of WordPress concerns me a little bit.

    Why wasn’t this file detected by the scan? I ran the scan with the highest security settings as well. Only after I activated the false positive option did I get information about the 404.php.

    The contents of the file are basically a number of evals and base64-encoded strings which generate a file that looks like the userr.php without the comments…

    In short:
    – Why do I need to activate the false positive check if the wp-includes/theme-compat/404.php file is nonexistent in a vanilla WordPress installation? It should be easy to just inform a user on default settings that there is a file that’s not standard.

    I’ve uploaded the 404.php, the wp.php as well as the userr.php for your investigation.
    https://dl.dropboxusercontent.com/u/7938470/WP-Hack.zip

    I hope you can help me.

    Best,
    steve

    https://wordpress.org/plugins/wordfence/

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author WFMattR

    (@wfmattr)

    Steve,

    Thank you for the samples. I will send 404.php on to the developers and find out about why it is not found while in a WP core directory.

    Can you tell me what theme and plugins you are using, and if all of them were up to date (along with WordPress itself) before this happened?

    If you don’t want to post them here, you can email the list to me at mattr (at) wordfence.com (please also include a link to this post, if you send an email.)

    We also have a guide on cleaning hacked sites, which may help you find additional files and/or the original source:
    How do I clean my hacked site using Wordfence

    -Matt R

    Thread Starter TheSteveHimself

    (@thestevehimself)

    Hi,

    I use the following plugins on the site in question:

    – Admin Post Navigation
    – Advanced Custom Fields
    – Advanced Custom Fields Viewer (disabled)
    – Akismet
    – Custom Post Type UI
    – Enhanced Media Library
    – Ewww Image Optimizer (disabled)
    – Far Future Expiration Plugin (disabled)
    – Hello Dolly
    – Infinite WP – Client
    – Maintenance Mode
    – TinyMCE Advanced
    – Toggle wpautop
    – Wordfence Security
    – WordPress Importer
    – WP SuperCache
    – WPFront User Role Editor

    All of them were up to date. I migrated the site on the 31st of August and since then I think nothing released updates as far as I can remember. If one of the plugins did, I must have installed it pretty quickly though ^^

    Regarding themes, I only have the default ones as well as a theme I developed myself based on the WordPress Bootstrap Boilerplate. There isn’t really anything fancy going on in the theme either. Nothing special other than a few custom templates.

    Thanks for your tips regarding site cleanup, but as of right now it seems that the problem is contained with the 3 files mentioned removed. We still see requests from France and Belgium to the wp.php file, but they all return with 404, so the file doesn’t come back at least.

    Thanks!
    Best,
    steve

    Thread Starter TheSteveHimself

    (@thestevehimself)

    Ok, I’ve just done another scan since another file (..php) made it to the root of my WordPress install and I am still not sure how it even got there.

    Besides that, that is again a spam file with a redirect in it.
    I’ve uploaded an updated version of the ZIP File with all the files I “received” at https://dl.dropboxusercontent.com/u/7938470/WP-Hack.zip

    The new file ..php also wasn’t found during the scan. I am scanning with all the scanning options turned on (even the false positive option), and it is still not found.

    What am I supposed to do here? I am getting the feeling that I shouldn’t rely on the scan output at all since it simply doesn’t find shit. ..php is again definitely not a WordPress core file but resides in the root of the install? I thought that is one of the things that you say you cover (comparing WordPress installs with vanilla WordPress installs on your server to find compromised stuff and all).

    Please tell me why nothing is found with this scan.

    Plugin Author WFMattR

    (@wfmattr)

    Sorry to hear this is still causing trouble on your site. I’ve sent this to the team for additional help, and it may take a little longer to answer since this is not a typical issue.

    Thread Starter TheSteveHimself

    (@thestevehimself)

    Right now I’m just glad that one of the team working on this plugin actually reads this forum. Hope your devs can come up with a solution soon.

    I am working closely with my webhoster, as he has now found that a lot of WordPress installs on his server are infected.

    There are always the same files involved (like the ones I’ve provided you).

    This line bothers me almost the most in this whole situation.. ^^
    “//password: enzo”….
    f-ing enzo..

    Best,

    steve

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi Steve,

    We have the higher sensitivity scan options because they often yield false positives. It’s a compromise between reducing false positives and improving scan sensitivity.

    I think at this point Wordfence has done its job and identified that you’ve been hacked somehow. You need to figure out how they got into your site, because it appears that you’re continually being reinfected.

    Suggestions:

    Your WP installation may be up-to-date, but check all other applications, especially old versions of WP lying around and anything else like phpMyAdmin. Make sure they’re up-to-date. Change all passwords. Work with your hosting provider to try and identify the source of the infection and close that hole. Then the rest of the job is easy – you just need to remove the malicious files.

    Thanks for sharing those samples with us. As Matt mentioned, we’re going to use them to improve our detection.

    Regards,

    Mark.

    Thread Starter TheSteveHimself

    (@thestevehimself)

    Hi,

    thanks for the help so far.
    It seems that we found the culprit. It was a Joomla (no pun intended – lol) installation from 2012 which is neither maintained nor updated, which opened up the way for enzo (I just call him that).

    But I would just suggest that these foreign files which aren’t part of a standard WordPress install at least show up as a warning or something like that.

    In fact Wordfence didn’t do its job for me, since I only installed it after the fact to scan my WordPress install for any more malicious files, only to go look for them myself after finding one so blatantly residing in the root of my install without Wordfence even noticing. So it would be really nice if this feature really worked as advertised.

    Hope you can figure it out.

    Best,
    Steve
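
The gap Steve is describing (files sitting in a core directory or the document root that no vanilla WordPress install contains, which a plain malware-signature scan can miss) is exactly what a manifest comparison catches. The following is an added example written for this thread; it is not Wordfence's code and not something any poster provided. It assumes you can build the manifest from a clean, unpacked copy of the same WordPress version (here a small constructed tree stands in for it), treats `wp-content` and a short list of site-specific root files as legitimate, and uses the file names from this thread with harmless placeholder contents. Besides foreign files it also reports modified and missing core files, which the thread does not ask for but the same pass gives for free.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Top-level files a live site legitimately has that a vanilla zip does not.
SITE_SPECIFIC = {"wp-config.php", ".htaccess", ".user.ini", "robots.txt"}
# Directories a vanilla install fully owns: any file here not in the manifest is foreign.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(clean_root):
    """Relative path -> SHA-256 for every file under a clean WordPress tree."""
    clean_root = Path(clean_root)
    manifest = {}
    for dirpath, _, names in os.walk(clean_root):
        for name in names:
            p = Path(dirpath) / name
            manifest[p.relative_to(clean_root).as_posix()] = sha256_of(p)
    return manifest


def audit_install(site_root, manifest):
    """Compare a live tree with the manifest.

    foreign : files not in the manifest that sit inside a core directory or
              are .php files in the document root (wp-content is site-specific
              and skipped, as are the SITE_SPECIFIC root files)
    modified: manifest files whose content hash differs
    missing : manifest files absent from the live tree
    """
    site_root = Path(site_root)
    seen, foreign, modified = set(), [], []
    for dirpath, _, names in os.walk(site_root):
        for name in names:
            p = Path(dirpath) / name
            rel = p.relative_to(site_root).as_posix()
            if rel.startswith("wp-content/") or rel in SITE_SPECIFIC:
                continue
            seen.add(rel)
            if rel in manifest:
                if sha256_of(p) != manifest[rel]:
                    modified.append(rel)
                continue
            in_core = rel.split("/", 1)[0] in CORE_DIRS
            root_php = "/" not in rel and rel.lower().endswith(".php")
            if in_core or root_php:
                foreign.append(rel)
    return {"foreign": sorted(foreign),
            "modified": sorted(modified),
            "missing": sorted(set(manifest) - seen)}


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def run_demo():
    """Build a constructed clean tree and a constructed compromised tree, then audit.

    File names mirror the thread (wp.php, userr.php, ..php,
    wp-includes/theme-compat/404.php); contents are harmless placeholders.
    """
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp) / "clean", Path(tmp) / "site"
        core = {  # constructed stand-in for a real core file list
            "index.php": "<?php // core loader\n",
            "wp-admin/index.php": "<?php // admin\n",
            "wp-admin/install.php": "<?php // installer\n",
            "wp-includes/version.php": "<?php $wp_version = 'x.y';\n",
            "wp-includes/theme-compat/header.php": "<?php // compat header\n",
        }
        for rel, text in core.items():
            _write(clean, rel, text)
            _write(site, rel, text)
        manifest = build_manifest(clean)
        # Legitimate site-specific files: must not be reported.
        _write(site, "wp-config.php", "<?php // db settings\n")
        _write(site, "wp-content/themes/mine/404.php", "<?php // theme 404\n")
        # The file names from the thread: not part of any vanilla install.
        for rel in ("wp.php", "userr.php", "..php",
                    "wp-includes/theme-compat/404.php"):
            _write(site, rel, "<?php // placeholder, not the real dropped file\n")
        # One core file altered in place, one core file removed.
        _write(site, "wp-includes/version.php", "<?php $wp_version = 'x.y'; // altered\n")
        (site / "wp-admin/install.php").unlink()
        return audit_install(site, manifest)


if __name__ == "__main__":
    for kind, files in run_demo().items():
        print(f"{kind}: {files}")
```

Walking the tree rather than grepping a listing is what makes a name like `..php` show up: it is an ordinary file entry, and the check is "not in the manifest and in a place core owns", which does not depend on how the name reads to a human. Against a real site, point `build_manifest` at an unpacked download of the same version and `audit_install` at the document root; anything under `foreign` or `modified` is then worth a manual look.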

    Plugin Author WFMattR

    (@wfmattr)

    It’s good to hear that you tracked down the problem with the older Joomla site. We will check out the options to see what can be done without making false positives for other users who have more software than just WordPress installed for a single site (e.g., non-WP forum software, chat systems, custom code, etc.). Thanks for the feedback!

    -Matt R

  • The topic ‘theme-compat/404.php’ is closed to new replies.