Title: malicious files uploaded
Last modified: August 21, 2018

---

# malicious files uploaded

 *  Resolved [n13design](https://wordpress.org/support/users/n13design/)
 * (@n13design)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/)
 * It appears that the security vulnerability in WM allowed for my site to get malicious
   files uploaded. I’ve disabled WM but I’m not sure what files are the ones I need
   to delete.
 * It seemed that some of the pages tried to take me to _[ redacted ]_
    -  This topic was modified 7 years, 10 months ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).

Viewing 7 replies - 1 through 7 (of 7 total)

 *  [nboot8](https://wordpress.org/support/users/nboot8/)
 * (@nboot8)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10608706)
 * Same issue here… I have installed 2.0.25 version, but my latest DB version is
   2.0.10 and the “updater” will not run – it just sits on “Get upgrades packages…”
   all day. Really frustrating after the amount of money I have sunk into this over
   the years.
 * Anyway, here is the file I found with the virus:
 * ~/public/wp-content/uploads/ultimatemember/temp/tfCE0YbNhMMHQw4IRZiada6vLS1J7XuCEDzohcq0/stream_photo_12261104284b7316c107dd17323d5cb9_5b7ab0958bf57.php
 * Not sure what it would be for you, but you may just want to clear your whole 
   temp directory.
 * The worst part is that this crazy instability introduced with the “move” to version
   2 of the plug-in has resulted in pretty much an unusable front end for my clients.
   In this case, even after deleting the virus files, I have an issue that I cannot
   log in without disabling the plug-in, then re-enabling afterward – which basically
   means that no user can log in period. What a pain…
 * Good luck.
 *  Plugin Support [Ultimate Member Support](https://wordpress.org/support/users/ultimatemembersupport/)
 * (@ultimatemembersupport)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10610260)
 * Hi [@n13design](https://wordpress.org/support/users/n13design/),
 * Please make sure that you have the latest 2.0.25 version installed on your site.
   Do the upgrade process under the Ultimate Member section; this will clear your
   temp folder. Please also check WordPress files using the Wordfence security plugin.
 * [@nboot8](https://wordpress.org/support/users/nboot8/), I’m sorry to hear that
   you have issues with the latest version of Ultimate Member. If it is possible,
   please submit a [new ticket on our website](https://ultimatemember.com/contact/sales/)
   (click on “I’ve read the pre-purchase FAQs & want to ask a question”) and describe
   your login issue so we can investigate what’s wrong on your end.
 * Regards.
 *  Thread Starter [n13design](https://wordpress.org/support/users/n13design/)
 * (@n13design)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10610280)
 * [@ultimatemembersupport](https://wordpress.org/support/users/ultimatemembersupport/)
   I was able to update the UM plugin and confirmed the temp file folder is cleared.
   I appreciate the information about the Wordfence plugin. I know there are a few
   other files that were added outside the temp folder that will require hunting
   down. Hopefully Wordfence will find them.
 *  [nboot8](https://wordpress.org/support/users/nboot8/)
 * (@nboot8)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10610300)
 * You may want to look for files like these (which were also infected as a result,
   on our site). I’m not sure how specific they are to each domain (except of course
   the SiteOrigins infection is only if you run that plug-in).
 * ~/public/wp-content/uploads/siteorigin-widgets/hsnbm2ju9o.php
 * ~/public/7q0ny7bgmy.php
 * ~/public/wp-super_cache.php
 * …th1s_1s_a_4o4.html…
 *  [idoenk](https://wordpress.org/support/users/idoenk/)
 * (@idoenk)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10610643)
 * One prevention that might keep this attack from successfully infecting all of
   your (index) files is to add an .htaccess in /uploads and prevent non-asset
   files from being executed.
 * From what I remember, the target WP files to infect were:
    -  /index.php
    -  /wp-admin/index.php
    -  /wp-content/index.php
    -  /wp-content/plugins/index.php
    -  /wp-content/themes/index.php
    -  /wp-content/themes/<themedir>/index.php
    -  /wp-content/themes/<themedir>/header.php
 * Notice that the files’ permissions (chmod) were also modified to 777; turn them
   back to 644.
 * The infected host will somehow include & load external asset files, and might
   redirect to lalaulala..
 * I’ve experienced this too. Not sure how a hotfix should be made, but an uploaded
   payload is not supposed to be effective at modifying other files.
 * [https://stackoverflow.com/questions/8414840/prevent-upload-php-script-to-be-executed/8415600](https://stackoverflow.com/questions/8414840/prevent-upload-php-script-to-be-executed/8415600)
    -  This reply was modified 7 years, 10 months ago by [idoenk](https://wordpress.org/support/users/idoenk/).
    -  This reply was modified 7 years, 10 months ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).
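
As an added example (not part of the thread and not the plugin's own code), this script applies the two mitigations from the post above: it lists PHP files under uploads for review, writes an .htaccess that refuses to serve script files, and resets world-writable files to 644. It assumes Apache 2.4 with `AllowOverride` permitting the directive; the function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit and harden a WordPress uploads directory.
set -u

# List files under DIR whose extension a PHP handler would commonly execute.
list_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# List regular files left world-writable (the thread reports mode 777).
list_world_writable() {
    find "$1" -type f -perm -0002 | sort
}

# Write an .htaccess that denies requests for script files (Apache 2.4 syntax,
# an assumption about the server), then reset world-writable files to 644.
harden_uploads() {
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Constructed sample tree; file names are placeholders, not taken from the thread.
demo_root=$(mktemp -d)
up="$demo_root/wp-content/uploads"
mkdir -p "$up/ultimatemember/temp/abc123" "$up/2018/08"
echo '<?php /* placeholder */' > "$up/ultimatemember/temp/abc123/stream_photo_x.php"
echo 'png-bytes' > "$up/2018/08/logo.png"
chmod 777 "$up/2018/08/logo.png"

echo "PHP files under uploads (review before deleting):"
list_php_in_uploads "$up"
echo "World-writable files:"
list_world_writable "$up"
harden_uploads "$up"
```

On a real site, pass the actual uploads path to the three functions instead of the sample tree, and keep copies of the listed files before deleting them if you need to work out how they arrived.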
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10610659)
 * Side note: I’ve redacted the name of the place being sent to. Why give bad people
   more air time?
 *  [idoenk](https://wordpress.org/support/users/idoenk/)
 * (@idoenk)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10610691)
 * I think because it rings a bell for others that we are facing the same issue.
   Why not replace the redacted name with something a little bit obfuscated but
   still pointing to it, like [redacted]?
    -  This reply was modified 7 years, 10 months ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).


The topic ‘malicious files uploaded’ is closed to new replies.


## Tags

 * [php](https://wordpress.org/support/topic-tag/php/)

 * 7 replies
 * 5 participants
 * Last reply from: [idoenk](https://wordpress.org/support/users/idoenk/)
 * Last activity: [7 years, 10 months ago](https://wordpress.org/support/topic/malicious-files-uploaded/#post-10610691)
 * Status: resolved