Hi, does it mean it was hacked?
Wordfence found: Unknown file in WordPress core: wp-includes/.query.php
Content of the files is:
Yes, that is a very simple webshell which can evaluate / execute code from $_POST[‘a’], $_GET[‘a’], $_COOKIE[‘a’]. See also https://www.php.net/manual/en/reserved.variables.request.php and https://www.php.net/manual/en/function.eval.php (eval is evil). So yes, the website is compromised / hacked.
I tried a new installation, new server, new URL, fresh WordPress, same new popular premium theme “Woodmart” from ThemeForest. Same plugins: Classic Editor, Safe SVG, Revslider etc.
Created a couple of pages and the same file .query.php appeared in the next few minutes.
Then repeated the steps again one more time. (no file this time).
Well, you have to analyze how the attackers gained access and how the files were created. Maybe Revslider is outdated? Try searching in the access log files and find out what exactly happened. The timestamps of the files can give you a hint.
Hi @mindas22, thanks for your question.
There can be multiple attack vectors when a site is targeted, ranging from outdated plugins with an unpatched vulnerability to an insecure account on WordPress or within your hosting environment (database, cPanel, FTP etc.). It has even been known for another infected site on a shared hosting server to infect other sites hosted there: https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosting-symlink-security-issue-still-widely-exploited-on-unpatched-servers/
Besides all the routine WordPress admin, FTP, SSH, cPanel user passwords:
- Changing your MySQL password is critical. Make sure remote MySQL access from all connections is not enabled.
- Most critical may be changing wp-config.php to 600 permissions. This is preventative against the symlink vulnerability mentioned above that exposes that file to be read in default permissions, which allows direct access to the db from other infected sites on the server.
- Your default cPanel password should also be changed if you haven’t already. There’s a common account third-party billing panel out there called “WHMCS”, where the cPanel password is controlled from the account billing panel. Your host may be able to help with finding this if it’s not apparent whether it’s changed from within cPanel or that kind of external billing dashboard provided by your host.
You can find site cleaning details here:
If you still have a copy of the affected file, you can always send it to samples @ wordfence . com for us to analyze. Please note that when attaching a file, ensure that you remove any database access credentials or keys/salts before sending.
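Two of the checks recommended in this thread, Wordfence's "unknown file in WordPress core" finding and the 600 permission on wp-config.php, can be reproduced offline. The script below is an added example written for this thread; it is not Wordfence's scanner and not WordPress code. It assumes a per-file checksum manifest like the one WordPress publishes for each core version (here a constructed stand-in with placeholder file contents), walks wp-admin/ and wp-includes/ flagging files that are not in the manifest (dotfiles such as .query.php rated highest, since core never ships hidden files) or whose hash differs, and then reports a wp-config.php that is readable by group or other.

```python
"""Offline audit of a WordPress tree for the two findings discussed in this
thread: a file under wp-admin/ or wp-includes/ that is not part of core (such as
wp-includes/.query.php) and a wp-config.php readable by other accounts on the
host.  Added example; not Wordfence's scanner and not WordPress code."""
import hashlib
import os
import stat
import tempfile

# Constructed stand-in for the per-version core checksum list that WordPress
# publishes (relative path -> md5 of file content).  The contents below are
# placeholders, not real core files; the hashes are derived from them so the
# sample audit is self-consistent.
SAMPLE_CORE_FILES = {
    "wp-includes/query.php": b"<?php /* placeholder for the real core file */\n",
    "wp-includes/version.php": b"<?php /* placeholder */ $wp_version = 'x.y.z';\n",
}
CORE_MANIFEST = {path: hashlib.md5(data).hexdigest()
                 for path, data in SAMPLE_CORE_FILES.items()}

CORE_DIRS = ("wp-admin", "wp-includes")


def audit_install(root, manifest):
    """Return a sorted list of (severity, issue, relative_path) findings."""
    findings = []
    for core_dir in CORE_DIRS:
        base = os.path.join(root, core_dir)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, filenames in os.walk(base):
            for name in filenames:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    digest = hashlib.md5(fh.read()).hexdigest()
                if rel not in manifest:
                    # Core never ships dotfiles, so a hidden file under a core
                    # directory is the strongest signal of a dropped script.
                    severity = "high" if name.startswith(".") else "medium"
                    findings.append((severity, "unknown core file", rel))
                elif manifest[rel] != digest:
                    findings.append(("high", "modified core file", rel))

    config = os.path.join(root, "wp-config.php")
    if os.path.isfile(config):
        mode = stat.S_IMODE(os.stat(config).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            # The thread recommends 600: only the owning account may read the
            # database credentials and salts.
            findings.append(("high", "wp-config.php readable by group/other",
                             "wp-config.php"))
    return sorted(findings)


def demo():
    """Build a throwaway tree mirroring the thread's symptoms and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_CORE_FILES.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        # Constructed stand-in for the dropped file; the content is inert.
        with open(os.path.join(root, "wp-includes", ".query.php"), "wb") as fh:
            fh.write(b"<?php /* placeholder, not the real dropped script */\n")
        config = os.path.join(root, "wp-config.php")
        with open(config, "wb") as fh:
            fh.write(b"<?php /* placeholder credentials */\n")
        os.chmod(config, 0o644)  # the loose default the thread says to tighten
        return audit_install(root, CORE_MANIFEST)


if __name__ == "__main__":
    for severity, issue, path in demo():
        print(f"[{severity}] {issue}: {path}")
```

To run it against a real site, replace CORE_MANIFEST with the checksum list for the installed version and call audit_install with the document root; anything reported as an unknown or modified core file is worth inspecting before the site is cleaned, because it tells you which files the attacker touched.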
I had this happen to a site I host as well.
Within 10 minutes of setting up the new site, adding the DNS, and requesting a Let’s Encrypt certificate, I had a foreign actor installing what appears to be a fake WP plugin that then transitioned to this .query.php script and was eventually used to DDoS another hosting provider.
Excerpt from the logs:
185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "GET /wp-admin/install.php HTTP/1.1" 200 13230
185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5001
185.59.x.x - - [11/Mar/2022:17:05:40 -0500] "POST /wp-login.php HTTP/1.1" 302 -
185.59.x.x - - [11/Mar/2022:17:05:41 -0500] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 26161
185.59.x.x - - [11/Mar/2022:17:05:51 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17775
185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "GET /wp-content/plugins/contact-form-maker/contact-form-maker.php?a=0&b=5768720944787703971 HTTP/1.1" 200 -
185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "POST /wp-includes/.query.php HTTP/1.1" 200 9
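The log excerpt above shows the whole chain in 14 seconds: an outside address finishes the installer (POST install.php?step=2), logs in, uploads a plugin, then POSTs to a hidden file under wp-includes/. That sequence is easy to pull out of an access log automatically, which is what other posters in this thread were asked to look for. The detector below is an added example, not the poster's code and not Wordfence's; it assumes the standard combined/common log format as pasted above (the sample log is that excerpt, with the client address masked as in the post) and a correlation window of 300 seconds, both of which are assumptions you can adjust.

```python
"""Pull the attack chain this thread describes out of an access log: the site
set up through install.php by an outside IP, a plugin uploaded moments later,
and a request to a hidden file under the WordPress tree.  Added example; not
the poster's code and not Wordfence code."""
import re
from collections import defaultdict
from datetime import datetime

# Combined/common log format as pasted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The excerpt posted above, one request per line (client address masked as in
# the post).
SAMPLE_LOG = """\
185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "GET /wp-admin/install.php HTTP/1.1" 200 13230
185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5001
185.59.x.x - - [11/Mar/2022:17:05:40 -0500] "POST /wp-login.php HTTP/1.1" 302 -
185.59.x.x - - [11/Mar/2022:17:05:41 -0500] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 26161
185.59.x.x - - [11/Mar/2022:17:05:51 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17775
185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "GET /wp-content/plugins/contact-form-maker/contact-form-maker.php?a=0&b=5768720944787703971 HTTP/1.1" 200 -
185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "POST /wp-includes/.query.php HTTP/1.1" 200 9
"""

WP_TREE = ("/wp-includes/", "/wp-admin/", "/wp-content/")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def detect(log_text, window_seconds=300):
    """Return a list of (ip, kind, detail) alerts found in the log text."""
    alerts = []
    setup_done = defaultdict(list)  # ip -> times the installer's final step was POSTed
    uploads = defaultdict(list)     # ip -> times a plugin archive was uploaded
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip, path, query = ev["ip"], ev["path"], ev["query"]
        name = path.rsplit("/", 1)[-1]
        # WordPress never serves hidden files; any hit on one is worth an alert.
        if name.startswith(".") and path.startswith(WP_TREE):
            alerts.append((ip, "hidden-file-request", f'{ev["method"]} {path}'))
        if ev["method"] == "POST" and path == "/wp-admin/install.php" and "step=2" in query:
            setup_done[ip].append(ev["ts"])
        if ev["method"] == "POST" and path == "/wp-admin/update.php" and "action=upload-plugin" in query:
            uploads[ip].append(ev["ts"])
    # Correlate: the same client finished the installer and then uploaded a plugin.
    for ip, installs in setup_done.items():
        for t_install in installs:
            for t_upload in uploads.get(ip, []):
                delta = (t_upload - t_install).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append((ip, "install-race",
                                   f"plugin uploaded {int(delta)}s after install.php step 2"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip}  {kind}: {detail}")
```

Feed it your own log with `detect(open("access.log").read())`; an install-race alert whose IP is not yours confirms the installer was completed by someone else, and the hidden-file alert tells you which dropped file they used afterwards.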
Hi, I confirmed. 3 sites, new installation ready. Before the installation was complete, an LE cert was requested. After that, hacked.
I think it’s because of a scan of the new cert in http://www.crt.sh.
We had exactly the same issue. Brand new site on dev server. Google indexing disabled.
Everything installed from official repos on latest versions.
2 days after the website install, the file wp-includes/.query.php started a DDoS attack from our server.
So far we have no idea how the website got infected.
The only pattern I can see so far is the same plugin, Safe SVG.
Ours got hit before we set a password on the installer. Logs provided above. Compare to your logs if they’re still around.
Please take a look at this thread:
It seems that bots are checking when a new domain requests an SSL certificate and instantly attack the domain. In case you have WordPress uploaded but not installed yet, they use the install and upload script.