URI_NOW.conf
-
Defender keeps identifying the following file that keeps being regenerated in our main WordPress directory:
URI_NOW.conf
Every time it’s deleted it regenerates itself with different URLs. It must be some form of malware but I can’t seem to find any information about it. Is this something that by chance you’ve seen before?
Thank you,
Mike M.
-
Hi @m1studios
Sorry to hear you are having this issue.
Could you please contact your hosting support to verify whether this file comes from a hosting configuration that is forcing it to regenerate?
Is Defender warning about any other code?
If not, the best option is to run a plugin or theme test to find out whether this is being generated by an infected plugin.
– Take a Full Backup or copy the website to a staging website.
– Disable all plugins keeping only the WPMU DEV Defender,
– Remove the file and check whether it is generated again; if not,
– Enable the plugins one by one until the file returns; once you find the plugin, reinstall it using a fresh copy.
To find the complete flow:
https://premium.wpmudev.org/wp-content/uploads/2015/09/Support-Process-Support-Process.gif
Let us know the result you got.
Best Regards
Patrick Freitas
Hello @m1studios,
We haven’t heard from you for some time now, so it looks like you no longer need our assistance.
Please feel free to re-open this ticket if needed.
kind regards,
Kasia
Actually the file UNI_NOW.conf still keeps generating itself, no idea what plugin that something that’s created with this filename might relate to? Defender keeps deleting it and then it keeps coming back.
Mike Madigan
Hi @m1studios,
Could you please confirm if you contacted your hosting provider to verify if this is a file being generated by their server configuration? Also, what were the results when you ran the plugin conflict test as my peer suggested initially? This would allow us to check if there is a plugin or theme that is causing this file to be created.
Lastly, I would recommend checking one of the main WP core files in your root folder, like the wp-config.php file, to see if there is any related define code, or your Apache server config file (.htaccess) as well.
Best,
Jonathan S
Hello,
Unfortunately it’s not a file that’s generated by Dreamhost. We figured out that it relates to the wp-cron.php file… that seems to be what is generating it, as it’s referenced in the file it’s generating (and it’s not generating this file on our other hosted sites).
We’re not a website that needs scheduling for posts, so do you think disabling this would solve the issue?
Thank you,
Mike Madigan
Hi @m1studios
Actually the file UNI_NOW.conf still keeps generating itself, no idea what plugin that something that’s created with this filename might relate to? Defender keeps deleting it and then it keeps coming back.
Does it keep happening after disabling all plugins and switching to a default theme, as suggested in my first reply?
https://wordpress.org/support/topic/uri_now-conf/#post-13919734
You can follow the test flow on this link:
https://premium.wpmudev.org/wp-content/uploads/2015/09/Support-Process-Support-Process.gif
Let us know the result you got.
Best Regards
Patrick Freitas
I’m seeing the same on a client’s site.
The contents of the file are:
https://www.domain.com/wp-admin/plugins.php?action=activate&plugin=seoupro%2Fseo-ultimate-pro.php&_wpnonce=9230e8a95e
also seeing a file by the same name in the root with the contents
http:///cgi/addon_GT.cgi?s=GT::WP::Finder::SiteData+%28drtothco%29+-+10.0.87.40+[Server%3b+/var/hp/common/lib/Server.pm%3b+1344%3b+%28eval%29]
Does that give you any clue?
Tried reinstalling WordPress core, didn’t see any change in behavior.
Still seeing this on a client’s site. Near as I can figure it writes the most recently visited URL to the file.
Plugins on the site are:
Akismet Anti-Spam
Black Studio TinyMCE Widget
CallRail Phone Call Tracking
Cincopa video and media plug-in
Classic Editor
Contact Form 7
Flamingo
GNU Terry Pratchett
Google XML Sitemaps
Header and Footer Scripts
Header Footer Code Manager
Insert Headers and Footers
iThemes Security Pro
ManageWP – Worker
Markup (JSON-LD) structured in schema.org
Master Slider
Nextend
Nextend Accordion Menu
Page Builder by SiteOrigin
Quick and Easy FAQs
Redirection for Contact Form 7
Responsive Menu
SEO Ultimate Pro
ShareThis
Simple 301 Redirects
UpdraftPlus – Backup/Restore
Widget CSS Classes
Wordfence Security
WP SEO Structured Data Schema
WP-PageNavi
Where do we overlap with the plugins on your site(s) with the same issue? Maybe we can narrow things down a bit. A number of the plugins above are used by many of our other clients (Akismet, Contact Form 7, Classic Editor, iThemes Security, Manage WP, Wordfence), so I can probably eliminate them but I’ve included them here just in case.
It doesn’t appear to be hurting anything, but it’s annoying that the files are created in an unexpected location.
This one is hosted on GoDaddy.
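An added example, not code from any poster in this thread: instead of comparing plugin lists by hand, scan the whole install for PHP files that contain the filename literal and group the hits by plugin or theme. The tree built by `build_sample_tree` and the plugin name `example-tracker` are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

NEEDLE = b"uri_now.conf"                      # filename from the thread, lowercased
COMPONENT_DIRS = ("plugins", "mu-plugins", "themes")
PHP_EXT = (".php", ".inc", ".phtml")

def component_of(rel_path):
    """Name the plugin/theme a path (relative to the WP root) belongs to."""
    parts = rel_path.split("/")
    if len(parts) >= 3 and parts[0] == "wp-content" and parts[1] in COMPONENT_DIRS:
        return parts[1] + "/" + parts[2]      # plugins/<slug> or plugins/<file>.php
    return "core-or-root"                     # wp-config.php, wp-cron.php, drop-ins, ...

def find_references(wp_root, needle=NEEDLE):
    """Return {component: [files]} for PHP files containing the filename literal."""
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(wp_root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read().lower()  # case-insensitive match
            except OSError:
                continue                      # unreadable file: skip, keep scanning
            if needle in data:
                rel = os.path.relpath(path, wp_root).replace(os.sep, "/")
                hits[component_of(rel)].append(rel)
    return {k: sorted(v) for k, v in hits.items()}

def build_sample_tree(root):
    """Constructed test tree; 'example-tracker' is a hypothetical plugin."""
    samples = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');",
        "wp-content/plugins/example-tracker/inc/log.php":
            "<?php file_put_contents(ABSPATH . 'URI_NOW.conf', $_SERVER['REQUEST_URI']);",
        "wp-content/plugins/contact-form/main.php": "<?php // no reference here",
        "wp-content/themes/example-theme/readme.txt": "mentions URI_NOW.conf, not PHP",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_references(tmp))
```

An empty result does not clear the plugins: the name can be assembled at runtime, or the file can be written by a process outside the WordPress tree.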
Hi @billc108
Sorry for the delay on this thread
We had some issues receiving notifications and we missed your first reply.
Per forum rule, could you please create a new thread and we can take a closer look?
So we don’t spam the original thread starter.
Best Regards
Patrick Freitas
I’m actually looking for feedback from the original thread starter and subsequent posters on the subject.
Did they find the source of the files?
Are they still seeing the files regenerate? (I am…)
Do we have any plugins in common which might indicate where this is coming from?
So thanks for the suggestion but no, I do not wish to start a new thread.
Hi @billc108
Thank you for the information.
I am afraid we didn’t receive information about the case for a while, so we can’t confirm how it was solved.
But in case you change your mind about a thread, feel free to open one and we can take a closer look.
Best Regards
Patrick Freitas
I was actually the original poster on this thread with this issue.
It actually has just gone away and I can’t for the life of me tell you what we did from our end to make it finally stop. I just kept going in and deleting URI_NOW.conf every time it showed back up every couple of days, and now it’s finally stopped happening.
If it matters at all we’ve updated to WordPress 5.8 as well.
Sorry I couldn’t be more of help!
Mike Madigan
Belated thanks for your reply, Mike.
I keep all the site software up to date with the latest releases (checked by scripts daily).
A scan report found the URI_NOW.conf file on the site in question this morning (9/7). So it’s still happening – though I’ve never seen any malicious activity related to its existence.
The site in question wouldn’t happen to be hosted with GoDaddy, would it?
Hmmm no our site is actually hosted by Dreamhost.
The problem eventually stopped for us after I just kept deleting it over and over, so maybe that will occur for you too.
- The topic ‘URI_NOW.conf’ is closed to new replies.