Malicious File in Update?

  • This morning I noticed that my WordPress installation had been automatically updated to version 4.7.3. Later when I checked my email, I had a notice from my web host that their routine scanning had detected a malicious file at:
    ~Blog/wp-admin/includes/credits.php

    Is there a way to check this file out? Was this file part of the upgrade to 4.7.3?

    Not sure which way to head at this point.

    Thanks,
    -Jack

Viewing 8 replies - 1 through 8 (of 8 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    The credits.php file in my installation is 4744 bytes long. What’s the size of yours?

    The credits.php file is reported as 14,676 bytes. It is dated as Dec. 20 (year not shown).

    Should I overwrite this file with one the size you’ve shown? If so, I’ll try to find the file in a backup.

    Thanks,
    -Jack
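
The size comparison above, generalized into a hash comparison of every core file against a clean copy. This is an added example, not code from the thread or from WordPress; it assumes a clean copy of the same WordPress version has been unpacked into a separate directory, and the function names are hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# Directories shipped by core; wp-content is site-specific and is not compared.
CORE_DIRS = ("wp-admin", "wp-includes")

def sha256_of(path):
    """Hash a file in chunks so large files are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def index_core(root):
    """Map relative path -> (size, sha256) for each file under the core directories."""
    root = Path(root)
    index = {}
    for name in CORE_DIRS:
        base = root / name
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file():
                index[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_of(p))
    return index

def compare_core(live_root, clean_root):
    """Report files that differ from, are absent from, or are missing relative to the clean copy."""
    live, clean = index_core(live_root), index_core(clean_root)
    report = {"modified": [], "unexpected": [], "missing": sorted(set(clean) - set(live))}
    for rel, (size, digest) in sorted(live.items()):
        if rel not in clean:
            report["unexpected"].append((rel, size))              # not part of this release
        elif clean[rel][1] != digest:
            report["modified"].append((rel, size, clean[rel][0]))  # (path, live size, clean size)
    return report

if __name__ == "__main__":
    # Usage: python compare_core.py /path/to/live/site /path/to/clean/wordpress
    result = compare_core(sys.argv[1], sys.argv[2])
    for rel, live_size, clean_size in result["modified"]:
        print(f"MODIFIED   {rel} ({live_size} bytes, clean copy is {clean_size})")
    for rel, size in result["unexpected"]:
        print(f"UNEXPECTED {rel} ({size} bytes)")
    for rel in result["missing"]:
        print(f"MISSING    {rel}")
```

A file listed as MODIFIED or UNEXPECTED is a candidate for manual review; equal sizes alone do not prove a file is unchanged, which is why the comparison uses hashes.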

    Moderator Steven Stern (sterndata)

    Take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thanks, Steve.

    A few minutes ago I received another email from my web hosting firm. Included was a list of about 50 files which they had changed permissions on to restrict access to them. The stated reason was that they appear to have been uploaded by others. Since my WordPress site had just been automatically updated, that would make sense. The question at this point is whether the site was hacked, or if this upgrade triggered a false alarm.

    It looks like I have a lot of work to do to make sure things are in order.

    -Jack

    Moderator Steven Stern (sterndata)

    Install WordFence and run a scan of your site (after checking all of the scan options).

    Aaaarrrrrgh! I’m afraid that I’m too late. I can’t even get into my website now… a number of permission errors and a fatal error.

    I have the gut feeling that I’m going to have to reinstall everything from scratch now 🙁

    -Jack

    Moderator Steven Stern (sterndata)

    I think you’re hacked. Follow the instructions above and you probably won’t lose any data.

    I’ve reinstalled everything from scratch, and the site seems to be working properly. Changed every password I could find. Tomorrow I’ll start looking at some plug-ins to help harden the site.

    Thanks for your suggestions.

    -Jack
