Support » Fixing WordPress » Malicious files added to the wp-content folder

  • Hi everyone,

    I’m dealing with a hacked website; files were added to the wp-content folder such as
    wp-RLkgL.php and wp-seo-IPxJ.php.
    It’s not just limited to these files, a lot of wp core files have been changed as well. This has started since jan. 16th and I’m quite curious to know where it came from.

    Therefore I’d like to know if anyone else experienced this as well? Is anyone familiar with this type of hack? Any type of information is much appreciated.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Steve Stern (sterndata)

    (@sterndata)

    Forum Moderator & Support Team Volunteer

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Thread Starter mireillesan

    (@mireillesan)

    Hi Steve,

    No worries, I’m past that moment of being in panic. 😉
    I also pretty much gone through a whole set of security improvements.

    Wordfence isn’t my cup of tea. It didn’t really do anything to protect my website, so I’ve moved on to something better: WP Cerber. I’m content with this plugin but we’ll see what the future holds.

    That being said, I want to know more about this leak and looking for someone who recognize this type of hack or has been in a similar situation.

    A site I created was hacked much like yours, odd .php files etc.
    – I got the creation dates+times of the rogue files and directories.
    – I went to the access logs and looked at what has happening at these times, I also have a journal file of user logins, this let me put together the full story.

    The bottom line was that an administrator account was hacked using a user + password scanner.
    The hackers uploaded their own plugin, the plugin was highly obscured using lots of base64 and rot13 functions, what it did was an “eval” on whatever [POST] parameters passed to their plugin loaded file. Since POST data is not logged I have no clue what they did. Of course I could see which files they were accessing.
    I disabled the hacked admin user login, renamed their plugin directory, took the website offline by renaming the website root directory.
    Rebuilt the website, scanned the database for weird stuff and reloaded it.
    Months later I still get hundreds of login attempts a day that trip lockouts.

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Malicious files added to the wp-content folder’ is closed to new replies.