Support » Fixing WordPress » link-template.php.suspected

  • Hi,

    My site died two times and it showed two lines of code related to “link-template.php”. So I went to the cpanel -> wp-includes and saw that the file “link-template.php” had been renamed to “link-template.php.suspected”. I just want to know how this renaming happened. Is it because of a specific plugin?
    But yes, the site become live after renaming “link-template.php.suspected” to “link-template.php”.

    Thanks

Viewing 15 replies - 1 through 15 (of 26 total)
  • Joe

    (@joewa1980)

    That topic is for some reason marked as ‘Resolved’, however, input from more people experiencing this would benefit the entire community. There are lots of useful commands in that thread. Observing the next 24hrs will be interesting following removing the malicious code.

    Thanks Joe. I agree that it was resolved somewhat premature.
    I had intended to post more of what I found. Once I stopped my Sendmail, I looked in the message queue and found 1000’s of message sitting there waiting to spool. /var/spool/ on my machine. I cleared them all out. I cleared the logs, then restarted the service. It seems that it stopped sending. Previously, sendmail was busy working away. I looked through my root a little closer and found a “files” folder. Inside was a bunch of php files. I also found a zip file in the root of my site. I am locking this down now.

    The commands in the previous post did yield quite a few files. I ran the following command to locate any other files that were renamed.
    find [path to my site] -name '*.supsected'

    I’m still waiting to see if it stopped the problem. Since the file renaming seemed to happen at random times.

    I’ll keep you posted.

    My efforts were not successful. After getting Sendmail service running again, the message queues started filling up with more bad emails. I stopped it, but now need to figure out where they are coming from.

    I’m having same issue the last 3-4 days. I found the link-template.php.suspected file and have deleted it but it comes back. I takes my site down or it takes down my login or just pages. I’ve run a Wordscan and deleted a few malicious things but it still comes back. I’ve changed my FTP and WP passwords. No solutions yet.

    me either keeps coming back, does anyone have a long term solution for this?

    I spent the entire day working on this, and ended up no-where. I tried the eGrep cmds listed in the other thread and no luck. I went back down a few minutes ago. I’ve shut down the sendmail, so no bad emails are going out right now. I removed the files in the root of my app and still nothing. Since the occurrence seems almost timed, I checked my CRON jobs to see if anything was coming up there, and all looked okay. I reviewed my .htaccess and nothing other than standard stuff. I’m at a loss for what to try. We’ve installed a some of the standard security tools such as Wordfence, iThemeSecurity and a few others. Those are all the things that I’ve tried.

    I don’t understand how this issue has been marked as resolved on the main page. I tried to rename the file to another-name.php and did the replace link-template.php with another-name.php in wp settings too, but still the problem is there… now it shows another-name.php.suspected… I think we all have Yoast SEO in common…. is that the issue?

    This is what our hosting service Hostgator had to say…
    “After investigating, we found that the user ‘******’ contained a malicious file that had been evading detection by our automated tools and therefore remained on the account able to send out spam emails. At this time I have gone ahead and manually deleted the following malicious file:

    /home/*****/public_html/wp-content/cache.bk/supercache/………………………………………………………………/ajax72.php

    Currently we are going through and removing the remaining spam emails in the server’s mail queue. Please standby…..”

    Please notify if you have any solutions.
    Thanks

    a couple of other things I have done.

    Deleted transient entries out of wp_otions tables with

    DELETE FROM wp_options WHERE option_name LIKE (
    ‘%\_transient\_%’

    Also with wordfence gone into options and selected to scan plugins, themes and additional files.

    So far have gone down twice, every wp site on my vps

    It’s hard to tell if this is related or not, but Devin mentioned how this hack seems to be targeting mail. I confirmed that my install was also abusing mail. I was able to catch these emails in my logs and can see that it’s being sent from a file named plugin.php. I searched my install and only found three files with this name. Unfortunately it looks like these are standard wordpress files. I’m going to download a fresh copy and compare to what I’ve got now.

    The three files that turned up for me are:
    ./wp-includes/plugin.php
    ./wp-admin/includes/plugin.php
    ./wp-content/plugins/woocommerce-dynamic-pricing-exclusions/plugin.php

    Maybe that will provide someone else a lead.

    Same problem here, does anyone (WordPress) know if this is a WordPress problem or…?

    How is the file being renamed, ie, what is actually renaming it?

    I wonder if the only way to resolve this is to downgrade until WordPress says something?

    Joe

    (@joewa1980)

    gavinwatson: it’s the code within those malicious files, or the malicious code in modified files that have potentially been dormant until now (following finding their way in previously) that are renaming files and causing other effects. Just addressing the renamed files is like putting some make-up over a bruise. You need to find the files containing the malicious code and eradicate it. Command lines for doing precisely this are in the link in the 2nd post of this thread. Good luck! It has been 24hrs for me and all 8 sites are still alive thus far…

    Moderator Andrew Nevins

    (@anevins)

    Unless you know what you’re looking for, you cannot do a string search and replace for a backdoor that hackers have left in.

    Sorry guys there is no easy solution, you have to grit your teeth and work through the resources Tara gave you:

    https://wordpress.org/support/topic/link-templatephpsuspected?replies=60#post-7039860

    Update Day 3: I worked on this late into the night. I had an idea just before I ran out of gas. I removed file permissions to rename that file in hopes of causing the offending code to pop an error and show me who it is. So far today my site is still up, and I am now hunting through the logs to see if I can locate the bad code. As one person said, this is just a bandage not a fix. I also found some interesting POST code in my logs, that I’m evaluating. I’m getting external “POSTS” that are calling wp_cron.php, which is a scheduling or job tool.

Viewing 15 replies - 1 through 15 (of 26 total)
  • The topic ‘link-template.php.suspected’ is closed to new replies.