Support » Fixing WordPress » Hacked with strange “core” files?

  • Resolved ben_griffith



    Today, I got a message by my provider that I am running out of space. When I checked my disk space, I noticed strange files with no extension, each of them had a size of about 78 MB and were called “core.18167” e.g.

    Let me mention that I have 2 WPs on my domain, a public one and a test blog. Although I always test themes in my test blog, my main blog had 4 of this core.xxxxx files and I saw 1 file in my test blog.

    When I went to google, I couldn’t found anything about this core thing.

    I had downloaded a template here from WP called Carrington Blog. I checked my FTP transfer and noticed that part of this themes is a “carrington-core” folder. I am not sure if there is a context.

    I was the only one who used the FTP this months.

    I had 2 weeks ago a pingback which I had created last year. Suddenly, I got the message that I had set that pingback. After checking my 404 pages, I noticed that this entry, which contains that pingback, was described as 404, although the page was still there.

    I save my weblog as xml file.

    Do you have any idea who put these core files into both weblog directories and can I use my XML file (which has still a normal size) to recover my weblog?

Viewing 15 replies - 1 through 15 (of 23 total)
  • I forgt to mention that I asked here regarding problems entering the dashboard last month. I noticed that I had to click 3, 4 times on “Site Admin” before I got the dasboard.

    When I re-uploaded the wp admin and the wp icludes folder, I noticed that Dreamweaver renews files, although they were on the server side. Normally, Dreamweaver only re-uploads if a file has changed or is missing.

    Grateful to each idea you have,


    Sounds like they’re Apache core dump files. If something goes wrong, Apache will create this sort of file so you can debug what went so badly wrong.

    You can probably find some people talking about similar issues, just Google “core dump” and wordpress. Should get you started! Best of luck.

    Those are core dump files created when software crashes. It might indicate a hack but it might also indicate a badly written plugin or theme, or some incompatible server software.

    However, the fact that Dreamweaver thinks it needs to replace files is suspicious. I don’t think I’ve never once used Dreamweaver but I imagine it tries to determine which files have changed in order to avoid un-needed bandwidth usage. Assuming that’s true, its a good bet that something is editing your files. That might be a problem, although if software is crashing it could conceivably corrupt files.

    Thanks to you both.

    I don’t use any plugin in my weblog.

    This core link seems to be my problem.

    But what does “software” mean? WordPress is a CMS and not software (or I am wrong?)

    I am using 2.7.1 since last year and had never had problems until about 4 or 6 weeks ago, when the dashboard problem began.

    For what its worth, you should upgrade WP. Version 2.7.1 is hackable.

    The old version might also be the source of the problem with the core files and Dreamweaver.

    WordPress is software. A Content Management System (CMS) is just a type of software.

    Hardware would be your PC or printer for example. Any programs, like Windows, WordPress, or your favourite game are all software.

    Might be worth asking your website host if they’ve got the latest versions of server software installed.

    songdogtech, I don’t think that 2.7.1 is more breakable than other versions. As far as I know if you want to hack a CMS then there is always a way.

    I found that link useful

    My provider has changed its PHP version and I can imagine that this causes problems with 2.7.1

    I will upload my weblog again and will test what happens.

    You can safely delete the core files. I’ve also had problems with core file dumps on 1 site recently. Funnily enough, after a dodgy PHP upgrade across multiple servers – some of which have now been rolled back. Upgraded WP and all plugins. Took down 1 or 2 plugins and not had a problem over the past week or so.

    I’m remain unconvinced that it’s a WP or plugin problem as identical sites on other servers with the same provider have had no such problems. My guess is that it’s a server config issue.

    Sorry, but saying “But what does “software” mean? WordPress is a CMS and not software (or I am wrong?)” means you don’t know what you’re talking about. If you’re going to run WP, be aware of what’s in the forums, among the threads being: Hack Warning for versions earlier than the newest. And yes, we can all be aware of undiscovered security issues with the latest version.

    Use <?php phpinfo(); ?> on your server to check the PHP config and see what security limitations your hosting compnay has set that may or may not affect WP.

    I don’t think that 2.7.1 is more breakable than other versions

    I have to quite respectfully disagree– very strongly. The longer software has been on the market the longer people have had to figure out how to break it and hence the longer software has been on the market the more flaws have been found and the more people know about those flaws and about how to exploit those flaws. With each update, among many other things, these flaws are removed. 2.7.1 is more vulnerable than 2.8.4.

    As far as I know if you want to hack a CMS then there is always a way.

    Probably true, but if you want to get into someone’s house or car there is always a way but somehow it seems weird to conclude that you should therefore just leave the door unlocked and post a big neon sign announcing that the door is unlocked.

    Hi all,

    I am really grateful to you for all your help, because I don’t know about a “core dumb file” problem. Now that I am aware of this, I will keep an eye on it. After uploading my weblog, I had 2 core files again. I also suspect that there is something up with the PHP version my provider is using.

    songdogtech: I appreciate your lesson regarding software. I wasn’t aware that everything is called software, even a folder with files which contain a couple of strings. I’m old fashioned and have a stronge association between computer, hardware, software and installation processes.

    apljdi: you are right, but all bad news regarding 2.8 didn’t convince me. Therefore I am still waiting.

    I also suspect that there is something up with the PHP version my provider is using.

    Why do you think this? What version are they using? How long has it been running? How long have you been running your installation on that PHP version? What about web-server and MySQL versions?

    I’ve had zero problems with 2.8 other than having to change, literally, a line of javascript and a couple of lines of CSS in a plugin.

    In my case, the problems started within days of a mass PHP upgrade when I noticed error logs containing:

    PHP Startup: mm_create(0, /tmp/session_mm_cgi-fcgi32168) failed, err mm:core: failed to open semaphore file (File exists) in Unknown on line 0

    The hosting provider’s have admitted that there’s a problem and even rolled a few of the servers back when their suggested fixes failed. The core dump problems were just the worst problem.

    Moderator cubecolour



    apljdi is right Ben, It isn’t safe to run WP v2.7.1 – There’s a vulnerability that leaves it open to a malicious worm. You really need to upgrade to the latest version asap.

    See this post on Lorelle’s site

    You won’t enjoy clearing up the mess if you get a visit from the worm.

    @apljdi and numeeja: I have been using 2.7.1 for months without problems. Suddenly, about 4 weeks ago, I have noticed dashboard problems. Yesteday, I get this out of space e-mail.
    Wordpress is a collection of source code, which workd fine for months. A version doesn’t change its behaviour, only the environment can change it.
    This core dumb files are obviously caused by servers in context to PHP, Apache (I am not an expert”).
    Regarding that worm what was warning for. I don’t trust Matt. I am not the only one who is asking “quo vadis, wordpress”.

    @esmi: I have written that to my provider last night! You are not the only one, I found many entries in google. My is the owner and only member of the company 😀 and he answered immediately and asked to leave these core files the next time and he will try to find a solution.

    Thanks for all your help.

Viewing 15 replies - 1 through 15 (of 23 total)
  • The topic ‘Hacked with strange “core” files?’ is closed to new replies.