alert files wp-admin/css/colors/blue/php.ini

Resolved stostling8
(@stostling8)

2 years, 4 months ago

Hi I have had a high alert from worfence with 144 files this is one wp-admin/css/colors/blue/php.ini. Details say: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker. 144 more similar files were found.

Any ideas as to where this comes from ?, I have seen in another topic that it may be due to ionos ( 1&1), but I have spoken to them and they claim it has nothing to do with them.
Thanks so much

The page I need help with: [log in to see the link]

Viewing 11 replies - 1 through 11 (of 11 total)

WFGerroald
(@wfgerald)

2 years, 4 months ago

Hey @stostling8,

When I’ve seen this in the past it was due to a hosting configuration. However, if you’d like to share some of the files in a pastebin.com we can review them to see if they’re malicious.

Please let me know if you’d like to share samples on the contents of the files.

Thanks,

Gerroald

wfdave
(@wfdave)

2 years, 4 months ago

Hi @stostling8,

If you believe these files are potentially malicious, please send them over to wftest@wordfence.com and we’d be happy to review them.

Dave

admincn
(@admincn)

2 years, 3 months ago

Hi @wfdave,

I received the same alert from wordfence. Thus, would be great if you can please share the outcome of your review.

Thanks

thewickedgrape
(@thewickedgrape)

2 years, 2 months ago

@stostling8 @wfdave
I would also love to know the outcome. My site is hosted on IONOS as well.

In the past (and I it’s still the same now), IONOS/1and1 did not have a way in the control panel to modify the php.ini file like some other hosting services.

If you want to increase something like “max_input_vars” in order for a theme to run properly, IONOS suggests adding a php.ini file to the wp-admin folder. I suspect this is why we are getting the warning.

Perception Creative Media
(@muckmidden)

2 years, 1 month ago

I have this same problem, and have contacted IONOS who say they did not put the files there.

I unable to see the other 148 files listed.

Has anyone found an answer to this?

Many thanks.
msmithng
(@msmithng)

2 years, 1 month ago
Also seeing this message on an IONOS hosted WP site.

Are there any updates?
- This reply was modified 2 years, 1 month ago by msmithng.
Perception Creative Media
(@muckmidden)

2 years, 1 month ago

IONOS didn’t think it was anything they have placed on the sites.
I’m trying to find out if it is a plugin I have used.

boardertech
(@boardertech)

2 years ago

I have this message as well on an Ionos hosted site.

Perception Creative Media
(@muckmidden)

2 years ago

I did a fresh click and build installation through IONOS and all of those files are present immediately after installation.
Stu
(@thirdeyedesign)

2 years ago
I have an alert for these files through WordPress Central on 6 sites hosted with 1and1.
No alerts on sites that are not hosted with them which makes me think it is absolutley down to them.

I did a fresh click and build installation through IONOS and all of those files are present immediately after installation.

This seems to clarify they are nothing to be concerned about.
I did look through the files and have not found anything malicious in there..
- This reply was modified 2 years ago by Stu.
akimbokm
(@akimbokm)

1 year, 10 months ago

I just took over a client website also hosted with Ionos, and my first WordFence scan came up with similar results (86 unknown files in the WordPress core).

A little more searching found this question/answer which I think might be the reason:
https://wordpress.org/support/topic/wordfence-scan-unknown-file/

Perhaps Ionos is not properly removing these configuration files.