Unusual error_log entries… Exploit Files trying to run?

  • Hi,

    I’m getting these really unusual error_logs that I assume are exploit files attempting to run. I’ve searched for all of the locations but none of the files exist.

    My theme files appear to be fine, my plugins appear to be fine and Wordfence shows no issues either.

    I tried to use Exploit Scanner but there are hundreds of lines that use base64_decode and eval, I can’t notice anything that looks odd but I am not the author of the plugins so I am not sure really.

    The site appears to be running fine, no unusual/unknown files being loaded or anything so not sure what’s causing these errors you can see below.

    [04-Aug-2017 22:33:07 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/bb.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [04-Aug-2017 22:35:58 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/b.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [06-Aug-2017 01:44:20 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/2015/09/new_up.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [06-Aug-2017 06:30:00 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/uploads_.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [06-Aug-2017 06:36:29 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/pdo.inc.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [06-Aug-2017 08:11:03 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/wp-cods.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [06-Aug-2017 08:15:20 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/temp.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [08-Aug-2017 03:55:33 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/Marvins.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [09-Aug-2017 08:15:17 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/logo_img.php.suspected): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [09-Aug-2017 08:35:56 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/logo_img.php.suspected): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [09-Aug-2017 10:29:29 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/logo_img.php.suspected): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [09-Aug-2017 11:29:52 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/2015/09/new_up.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [09-Aug-2017 12:28:18 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/logo_img.php.suspected): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
    [09-Aug-2017 12:28:22 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/logo_img.php.suspected): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632

    For reference, the WishlistMember function that is running is shown below:

    Line 7632 = $mime = mime_content_type($filename);

    		/**
    		 * GetMimeType
    		 *
    		 * Retrieves the correct mime type of a file
    		 * This function is based on Chris Jean's recommendations:
    		 * http://chrisjean.com/2009/02/14/generating-mime-type-in-php-is-not-magic/
    		 *
    		 * @param string $filename path to file
    		 * @return string Mime type (or an empty string if it failed)
    		 */
    		function GetMimeType($filename) {
                            
                            if(file_exists($filename) ){
                                /* first, let's see if we can get the mime type using finfo functions */
                                if (function_exists('finfo_open') && function_exists('finfo_file') && function_exists('finfo_close')) {
    
                                        $finfo = finfo_open(FILEINFO_MIME);
                                        $mime = finfo_file($finfo, $filename);
                                        finfo_close($finfo);
                                        if (!empty($mime))
                                                return $mime;
                                }
                            }
    			
    
    			/* next, let's try to retrieve the mime type from our array */
    			$mime_types = array(
    				'ai' => 'application/postscript',
    				'aif' => 'audio/x-aiff',
    				'aifc' => 'audio/x-aiff',
    				'aiff' => 'audio/x-aiff',
    				'asc' => 'text/plain',
    				'asf' => 'video/x-ms-asf',
    				'asx' => 'video/x-ms-asf',
    				'au' => 'audio/basic',
    				'avi' => 'video/x-msvideo',
    				'bcpio' => 'application/x-bcpio',
    				'bin' => 'application/octet-stream',
    				'bmp' => 'image/bmp',
    				'bz2' => 'application/x-bzip2',
    				'cdf' => 'application/x-netcdf',
    				'chrt' => 'application/x-kchart',
    				'class' => 'application/octet-stream',
    				'cpio' => 'application/x-cpio',
    				'cpt' => 'application/mac-compactpro',
    				'csh' => 'application/x-csh',
    				'css' => 'text/css',
    				'dcr' => 'application/x-director',
    				'dir' => 'application/x-director',
    				'djv' => 'image/vnd.djvu',
    				'djvu' => 'image/vnd.djvu',
    				'dll' => 'application/octet-stream',
    				'dms' => 'application/octet-stream',
    				'doc' => 'application/msword',
    				'dvi' => 'application/x-dvi',
    				'dxr' => 'application/x-director',
    				'eps' => 'application/postscript',
    				'etx' => 'text/x-setext',
    				'exe' => 'application/octet-stream',
    				'dmg' => 'application/octet-stream',
    				'msi' => 'application/octet-stream',
    				'ez' => 'application/andrew-inset',
    				'flv' => 'video/x-flv',
    				'gif' => 'image/gif',
    				'gtar' => 'application/x-gtar',
    				'gz' => 'application/x-gzip',
    				'hdf' => 'application/x-hdf',
    				'hqx' => 'application/mac-binhex40',
    				'htm' => 'text/html',
    				'html' => 'text/html',
    				'ice' => 'x-conference/x-cooltalk',
    				'ief' => 'image/ief',
    				'iges' => 'model/iges',
    				'igs' => 'model/iges',
    				'img' => 'application/octet-stream',
    				'iso' => 'application/octet-stream',
    				'jad' => 'text/vnd.sun.j2me.app-descriptor',
    				'jar' => 'application/x-java-archive',
    				'jnlp' => 'application/x-java-jnlp-file',
    				'jpe' => 'image/jpeg',
    				'jpeg' => 'image/jpeg',
    				'jpg' => 'image/jpeg',
    				'js' => 'application/x-javascript',
    				'kar' => 'audio/midi',
    				'kil' => 'application/x-killustrator',
    				'kpr' => 'application/x-kpresenter',
    				'kpt' => 'application/x-kpresenter',
    				'ksp' => 'application/x-kspread',
    				'kwd' => 'application/x-kword',
    				'kwt' => 'application/x-kword',
    				'latex' => 'application/x-latex',
    				'lha' => 'application/octet-stream',
    				'lzh' => 'application/octet-stream',
    				'm3u' => 'audio/x-mpegurl',
    				'man' => 'application/x-troff-man',
    				'me' => 'application/x-troff-me',
    				'mesh' => 'model/mesh',
    				'mid' => 'audio/midi',
    				'midi' => 'audio/midi',
    				'mif' => 'application/vnd.mif',
    				'mov' => 'video/quicktime',
    				'movie' => 'video/x-sgi-movie',
    				'mp2' => 'audio/mpeg',
    				'mp3' => 'audio/mpeg',
    				'mp4' => 'video/mp4',
    				'mpe' => 'video/mpeg',
    				'mpeg' => 'video/mpeg',
    				'mpg' => 'video/mpeg',
    				'mpga' => 'audio/mpeg',
    				'ms' => 'application/x-troff-ms',
    				'msh' => 'model/mesh',
    				'mxu' => 'video/vnd.mpegurl',
    				'nc' => 'application/x-netcdf',
    				'odb' => 'application/vnd.oasis.opendocument.database',
    				'odc' => 'application/vnd.oasis.opendocument.chart',
    				'odf' => 'application/vnd.oasis.opendocument.formula',
    				'odg' => 'application/vnd.oasis.opendocument.graphics',
    				'odi' => 'application/vnd.oasis.opendocument.image',
    				'odm' => 'application/vnd.oasis.opendocument.text-master',
    				'odp' => 'application/vnd.oasis.opendocument.presentation',
    				'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
    				'odt' => 'application/vnd.oasis.opendocument.text',
    				'oga' => 'audio/ogg',
    				'ogg' => 'application/ogg',
    				'ogv' => 'video/ogg',
    				'otg' => 'application/vnd.oasis.opendocument.graphics-template',
    				'oth' => 'application/vnd.oasis.opendocument.text-web',
    				'otp' => 'application/vnd.oasis.opendocument.presentation-template',
    				'ots' => 'application/vnd.oasis.opendocument.spreadsheet-template',
    				'ott' => 'application/vnd.oasis.opendocument.text-template',
    				'pbm' => 'image/x-portable-bitmap',
    				'pdb' => 'chemical/x-pdb',
    				'pdf' => 'application/pdf',
    				'pgm' => 'image/x-portable-graymap',
    				'pgn' => 'application/x-chess-pgn',
    				'png' => 'image/png',
    				'pnm' => 'image/x-portable-anymap',
    				'ppm' => 'image/x-portable-pixmap',
    				'ppt' => 'application/vnd.ms-powerpoint',
    				'ps' => 'application/postscript',
    				'qt' => 'video/quicktime',
    				'ra' => 'audio/x-realaudio',
    				'ram' => 'audio/x-pn-realaudio',
    				'ras' => 'image/x-cmu-raster',
    				'rgb' => 'image/x-rgb',
    				'rm' => 'audio/x-pn-realaudio',
    				'roff' => 'application/x-troff',
    				'rpm' => 'application/x-rpm',
    				'rtf' => 'text/rtf',
    				'rtx' => 'text/richtext',
    				'sgm' => 'text/sgml',
    				'sgml' => 'text/sgml',
    				'sh' => 'application/x-sh',
    				'shar' => 'application/x-shar',
    				'silo' => 'model/mesh',
    				'sis' => 'application/vnd.symbian.install',
    				'sit' => 'application/x-stuffit',
    				'skd' => 'application/x-koan',
    				'skm' => 'application/x-koan',
    				'skp' => 'application/x-koan',
    				'skt' => 'application/x-koan',
    				'smi' => 'application/smil',
    				'smil' => 'application/smil',
    				'snd' => 'audio/basic',
    				'so' => 'application/octet-stream',
    				'spl' => 'application/x-futuresplash',
    				'src' => 'application/x-wais-source',
    				'stc' => 'application/vnd.sun.xml.calc.template',
    				'std' => 'application/vnd.sun.xml.draw.template',
    				'sti' => 'application/vnd.sun.xml.impress.template',
    				'stw' => 'application/vnd.sun.xml.writer.template',
    				'sv4cpio' => 'application/x-sv4cpio',
    				'sv4crc' => 'application/x-sv4crc',
    				'swf' => 'application/x-shockwave-flash',
    				'sxc' => 'application/vnd.sun.xml.calc',
    				'sxd' => 'application/vnd.sun.xml.draw',
    				'sxg' => 'application/vnd.sun.xml.writer.global',
    				'sxi' => 'application/vnd.sun.xml.impress',
    				'sxm' => 'application/vnd.sun.xml.math',
    				'sxw' => 'application/vnd.sun.xml.writer',
    				't' => 'application/x-troff',
    				'tar' => 'application/x-tar',
    				'tcl' => 'application/x-tcl',
    				'tex' => 'application/x-tex',
    				'texi' => 'application/x-texinfo',
    				'texinfo' => 'application/x-texinfo',
    				'tgz' => 'application/x-gzip',
    				'tif' => 'image/tiff',
    				'tiff' => 'image/tiff',
    				'torrent' => 'application/x-bittorrent',
    				'tr' => 'application/x-troff',
    				'tsv' => 'text/tab-separated-values',
    				'txt' => 'text/plain',
    				'ustar' => 'application/x-ustar',
    				'vcd' => 'application/x-cdlink',
    				'vrml' => 'model/vrml',
    				'wav' => 'audio/x-wav',
    				'wax' => 'audio/x-ms-wax',
    				'webm' => 'video/webm',
    				'wbmp' => 'image/vnd.wap.wbmp',
    				'wbxml' => 'application/vnd.wap.wbxml',
    				'wm' => 'video/x-ms-wm',
    				'wma' => 'audio/x-ms-wma',
    				'wml' => 'text/vnd.wap.wml',
    				'wmlc' => 'application/vnd.wap.wmlc',
    				'wmls' => 'text/vnd.wap.wmlscript',
    				'wmlsc' => 'application/vnd.wap.wmlscriptc',
    				'wmv' => 'video/x-ms-wmv',
    				'wmx' => 'video/x-ms-wmx',
    				'wrl' => 'model/vrml',
    				'wvx' => 'video/x-ms-wvx',
    				'xbm' => 'image/x-xbitmap',
    				'xht' => 'application/xhtml+xml',
    				'xhtml' => 'application/xhtml+xml',
    				'xls' => 'application/vnd.ms-excel',
    				'xml' => 'text/xml',
    				'xpm' => 'image/x-xpixmap',
    				'xsl' => 'text/xml',
    				'xwd' => 'image/x-xwindowdump',
    				'xyz' => 'chemical/x-xyz',
    				'zip' => 'application/zip',
    				'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    				'xltx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.template',
    				'potx' => 'application/vnd.openxmlformats-officedocument.presentationml.template',
    				'ppsx' => 'application/vnd.openxmlformats-officedocument.presentationml.slideshow',
    				'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
    				'sldx' => 'application/vnd.openxmlformats-officedocument.presentationml.slide',
    				'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    				'dotx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.template',
    				'xlam' => 'application/vnd.ms-excel.addin.macroEnabled.12',
    				'xlsb' => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12'
    			);
    
    			$ext = explode('.', $filename);
    			$ext = strtolower(array_pop($ext));
    			if (!empty($mime_types[$ext]))
    				return $mime_types[$ext];
    
    			/*
    			 * last, we try to retrieve it using mime_content_type
    			 * Why is this last??? Because it's unreliable...
    			 */
    
    			if (function_exists('mime_content_type')) {
    				$mime = mime_content_type($filename);
    				if (!empty($mime))
    					return $mime;
    			}
    
    			/* still nothing? we return an empty string */
    			return '';
    		}
Viewing 2 replies - 1 through 2 (of 2 total)
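An added example, not part of the original thread and not Wishlist Member code: a Python triage of the warnings quoted in the first post, grouping them by the path handed to mime_content_type() and checking whether each path exists on disk. The four embedded log lines are copied from the post; the function names, the report fields and the on-disk check are assumptions of this example.

```python
import os
import re
from collections import defaultdict
from datetime import datetime

# Four of the warnings quoted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
[04-Aug-2017 22:33:07 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/bb.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
[06-Aug-2017 01:44:20 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/2015/09/new_up.php): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
[09-Aug-2017 08:15:17 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/logo_img.php.suspected): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
[09-Aug-2017 08:35:56 UTC] PHP Warning:  mime_content_type(/home/MYHOSTUSERNAME/public_html/wp-content/uploads/logo_img.php.suspected): failed to open stream: No such file or directory in /home/MYHOSTUSERNAME/public_html/wp-content/plugins/wishlist-member/core/PluginMethods.php on line 7632
"""

# Matches only the "missing file" warning raised by mime_content_type().
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+?) UTC\] PHP Warning:\s+mime_content_type\((?P<path>.+?)\): "
    r"failed to open stream: No such file or directory "
    r"in (?P<caller>\S+) on line (?P<line>\d+)\s*$"
)


def parse(log_text):
    """Yield (timestamp, probed_path, caller_file, caller_line) per warning."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["path"], m["caller"], int(m["line"])


def summarize(log_text, exists=os.path.exists):
    """Group warnings by probed path, oldest first; `exists` is injectable for tests."""
    seen = defaultdict(list)
    for ts, path, _caller, _line in parse(log_text):
        seen[path].append(ts)
    report = []
    for path, stamps in seen.items():
        name = os.path.basename(path).lower()
        report.append({
            "path": path,
            "hits": len(stamps),
            "first": min(stamps),
            "last": max(stamps),
            # Name contains .php (including .php.suspected) and sits under uploads/.
            "php_in_uploads": "/wp-content/uploads/" in path and ".php" in name,
            # True means the file is on disk now, although it was missing when logged.
            "exists_now": exists(path),
        })
    return sorted(report, key=lambda r: r["first"])


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row["hits"], row["first"], row["last"], row["exists_now"], row["path"])
```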
  • Hello, Hyflex, & welcome. You should not have any PHP files at all in your uploads folder. Zip. 0. Zilch. Please check your uploads folder for any PHP files & delete them promptly.

    Were I you, I’d check the following options in Wordfence & run another scan. Note that this is an exception, & you can feel free to turn some of these off once you’ve finished scanning, &/or cleaned the site as needed. Most are not checked by default.

    *Scan theme files against repository versions for changes
    *Scan plugin files against repository versions for changes
    *Scan wp-admin and wp-includes for files not bundled with WordPress
    *Scan for admin users created outside of WordPress
    *Scan files outside your WordPress installation
    *Scan images, binary, and other files as if they were executable

    Most plugins, etc, do not use base64, so if you’re seeing some, that may be suspicious.

    Please, in future, enclose your code in , as in:

    line 1
    line 2
    line 3

    Thank you.

    You also don’t provide a site url, which may have proved helpful in diagnosing the problem.

  • Hi,

    I’ve already mentioned that none of these files exist. There also aren’t any php files in my uploads folder which is why it’s confusing.

    Base64 is located in numerous core files, it’s also located in many trusted and respected plugins/themes such as:

    Adminer
    W3 Total Cache
    WishlistMember
    Avada Theme
    Wishlist Social
    Wishlist Smartnav
    Wishlist Login
    Wordfence
    Duplicator
    WP Security Audit Log
    Yoast SEO
    AutoOptimize
    JSON API
    Simple Press Forums
    Contact Form 7
    Fast Secure Contact Form

  • The topic ‘Unusual error_log entries… Exploit Files trying to run?’ is closed to new replies.