Malicious Code wp-admin/admin-ajax.php

Hello,

I just received the following message from the WordFence plugin on one of my sites and I am not sure how to best investigate it. I have not seen that anyone has logged in or been able to access the files to change them. Is it that WordFence is overly sensitive or is there a real issue here?

Critical Problems:

* WordPress core file modified: wp-admin/admin-ajax.php
* This file appears to be malicious
* This file appears to be malicious
* This file appears to be malicious
* This file appears to be malicious
* This file may contain malicious executable code: /public_html/wp-includes/js/tinymce/plugins/wpautoresize/my-calendar-behaviors.php
* This file may contain malicious executable code: /public_html/wp-includes/css/class.wp-dependencies.php

  • Timothy Bowers

    Hey Steve,

    I don't use that plugin myself, but I do hear lots about it.

    You could first try replacing that with the default WP files there and running it again.

    Does it say much about the wpautoresize plugin and what code it might contain?

    You could remove that plugin for certainty and then consult with the author to get his thoughts.

    If I suspected anything could be hacked I'd certainly be looking to remove/replace them quickly to ensure the threat doesn't escalate.

    You'll also want to ensure everything is up to date if it isn't already.

    I'd be interested to see how you go, Steve.

    Take care.
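
Added example, not part of the thread above: one way to check a scanner report like this is to compare the install against a clean copy of the same WordPress version, listing core files whose content differs and files inside `wp-admin/` or `wp-includes/` that the release never shipped. The function names and the demo trees are constructed for illustration; the demo file contents are placeholders, not real WordPress files.

```python
import hashlib, sys, tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")  # directories that hold only core files

def index_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_to_clean(site_root, clean_root):
    """Compare a live install against a clean copy of the SAME WordPress version."""
    site, clean = index_tree(site_root), index_tree(clean_root)
    return {
        # Core files whose content differs from the release.
        "modified": sorted(f for f in clean if f in site and site[f] != clean[f]),
        "missing": sorted(f for f in clean if f not in site),
        # Files the release never shipped inside core directories. wp-content is
        # skipped on purpose: themes, plugins and uploads legitimately live there.
        "unexpected": sorted(f for f in site
                             if f not in clean and f.startswith(CORE_DIRS)),
    }

def build_demo(base):
    """Create two small constructed trees (placeholder contents) for a dry run."""
    clean = {"wp-admin/admin-ajax.php": "<?php // stock\n",
             "wp-includes/js/tinymce/plugins/wpautoresize/plugin.js": "// stock\n",
             "wp-includes/css/buttons.css": "/* stock */\n"}
    site = dict(clean)
    site["wp-admin/admin-ajax.php"] = "<?php // stock\n// appended line\n"
    site["wp-includes/js/tinymce/plugins/wpautoresize/my-calendar-behaviors.php"] = "<?php\n"
    site["wp-includes/css/class.wp-dependencies.php"] = "<?php\n"
    site["wp-content/plugins/example/example.php"] = "<?php\n"
    for name, files in (("clean", clean), ("site", site)):
        for rel, body in files.items():
            path = Path(base, name, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    return Path(base, "site"), Path(base, "clean")

if __name__ == "__main__":
    if len(sys.argv) == 3:          # real run: <site root> <clean copy root>
        site_dir, clean_dir = sys.argv[1], sys.argv[2]
    else:                           # no arguments: run on the constructed demo
        site_dir, clean_dir = build_demo(tempfile.mkdtemp())
    for kind, files in compare_to_clean(site_dir, clean_dir).items():
        for f in files:
            print(f"{kind:10} {f}")
```

Pass the site root and the clean copy's root as two arguments to run it on real directories. Where WP-CLI is available, `wp core verify-checksums` performs the checksum comparison against the official release.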