pomo.php file from hack? deleting causes site fail

  • Resolved nakris

    (@nakris)


    I have a site that got hacked. I downloaded a fresh copy of wordpress and went through the hacked install, replacing any problem files with new copies.

    I found a file, pomo.php in the wp-includes folder of the hacked site that wasn’t even part of the normal install. So I deleted it. After deleting, the site wouldn’t load. Not the public or admin side.

    I saved a copy before deleting, so I added it back. Site’s fine.

    I looked in the file. Just a massive block of code – doesn’t look like wp stuff (to my untrained eye). I selected all, cut the entire contents of the file, and saved. Site loads fine. I see no problems.

    So apparently the file needs to be there, but doesn’t need to contain anything.

    I’m thinking I must have missed another infected file that references this, but not sure how to track it down.

    Any suggestions? Thanks in advance.

  • Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Raufshake

    (@raufshake)

    Nakris,

    POMO folder is required for the website to load.
    It should contain 5 .php files.

    I would recommend uploading a fresh POMO folder to the WordPress wp-includes directory, and everything should be good.

    Also cross-check .htaccess for suspicious code.

    Rauf S

    the question was concerning pomo.php NOT the pomo folder.
    the pomo folder doesn’t even contain a file of that name.

    i have the same question. neither response was really helpful. i know the original question was posted 4 months ago. this popped up in my search results.

    however, comparing the hacked site i am attempting to repair to my own site which is not compromised, i find that my site does Not have a pomo.php. (of course it has a pomo folder.) that doesn’t necessarily mean anything but is worthy of noting.

    i’d be interested in how the person resolved their issue.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    The guide originally posted https://codex.wordpress.org/FAQ_My_site_was_hacked covers how to identify and clean all known hack types. Please follow the entire guide.

    Simply removing the symptom does not remove the vector (how it got there in the first place). Follow the guide for everything.

    yeah.
    i think most people have probably read that.

    anyway, the reason the site was crashing was because there was a reference to pomo.php in functions.php.
    that shouldn’t have been there. it was a result of the hack.

    once the reference was removed, the file could be safely deleted.
    i found the same chunks of ‘non-wordpress’ code scattered throughout a family of sites that i was enlisted to inspect. in all cases i was able to delete the code without harming the site.

    wordfence security plugin has proved really helpful in rooting out issues.

    there. specific feedback on a specific problem. now if anyone else googles like i did, they will find this solution here.
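
Added example, not part of any post in this thread: one way to script the two checks discussed above, listing PHP files that a fresh WordPress download does not ship and finding the lines in other files that name a suspect file, so the reference can be removed before the file is deleted. The function names, the sample trees and the injected `include_once` line are constructed for illustration; the thread does not show the actual reference.

```python
import re
import tempfile
from pathlib import Path


def php_files(root):
    """Root-relative POSIX paths of every .php file under root (dotfiles included)."""
    return {p.relative_to(root).as_posix() for p in Path(root).rglob("*.php") if p.is_file()}


def unexpected_files(site_dir, clean_dir):
    """PHP files in the live tree that the fresh WordPress download does not ship."""
    return sorted(php_files(site_dir) - php_files(clean_dir))


def find_references(site_root, filename):
    """(path, line number, text) for each line in another file that names `filename`."""
    pattern = re.compile(r"(?<![\w-])" + re.escape(filename))
    hits = []
    for rel in sorted(php_files(site_root)):
        if rel.rsplit("/", 1)[-1] == filename:
            continue  # the suspect file itself is not a reference
        text = (Path(site_root) / rel).read_text(errors="replace")
        for number, line in enumerate(text.splitlines(), 1):
            if pattern.search(line):
                hits.append((rel, number, line.strip()))
    return hits


def build_sample(base):
    """Constructed trees: a fresh wp-includes and a live copy with the thread's additions."""
    core = "<?php\nrequire ABSPATH . WPINC . '/option.php';\n"
    files = {
        "clean/wp-includes/functions.php": core,
        "clean/wp-includes/pomo/mo.php": "<?php\n",
        "site/wp-includes/functions.php": core + "include_once 'pomo.php'; // constructed\n",
        "site/wp-includes/pomo/mo.php": "<?php\n",
        "site/wp-includes/pomo.php": "<?php // placeholder for the unknown code block\n",
    }
    for rel, body in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return str(Path(base) / "site"), str(Path(base) / "clean")


if __name__ == "__main__":
    site, clean = build_sample(tempfile.mkdtemp())
    print("not in fresh copy:", unexpected_files(site, clean))
    print("references:", find_references(site, "pomo.php"))
```

Compare only core directories such as wp-includes and wp-admin against the fresh copy, since wp-content legitimately differs from site to site.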

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    Thank you for sharing your solution!

    I also have a site that is hacked. It also has installed pomo.php and a reference in functions.php.

    May I ask how you solved the problem of finding the security hole so I don’t get it again?

    I have installed WordFence, but the virus comes again. Also it installs the file .cache.php and ixwstat.php.

    Moderator James Huff

    (@macmanx)

    Volunteer Moderator

    The guide originally posted https://codex.wordpress.org/FAQ_My_site_was_hacked covers how to identify and clean all known hack types. Please follow the entire guide.
