Once in a while a weird PHP file is created by itself

I tried a clean re-installation of WordPress and re-installed all other plugins. Still the same. However, other websites hosted under the same hosting didn't have the issue. Need advice.

  • mbitcon
    • Problem solver

    Hi
    Can you give a few more specifics? What is the exact path of the created php file? What is the filename, what is its content?
    I don't want to scare you, but it could very well be that there is a security hole in one of the plugins or themes on your site and someone manages to create malicious PHP files through that security hole. Those are usually used to send spam from your web hosting - this is a serious thing. It hurts your website performance and the server reputation, and can ultimately lead to your site being shut down by the hosting company. I once fought for more than a week to find the vulnerable plugin on a customer's site to be able to stop that for good!

  • iamJayChong
    • Flash Drive

    Dear mbitcon and Predrag Dubajic,

    Thank you for your very fast response. This time it was "spawned" at the file path:
    /bccciorg/public_html/wp-includes/js/tinymce/langs/oarlbefg.php

    I attach the PHP file here.

    Previously it was "spawned" under different PHP file names, and I hate to say it, but I need to delete each one of them every time Defender Pro finds it.

  • Adam Czajczyk
    • Support Gorilla

    Hi iamJayChong

    If I were to assume anything, I'd say that there's a chance that the site is actually infected: the location of the file, along with the "weird" name and the fact that the file "appears magically" on the server under different names, suggests that.

    Unfortunately the .php file cannot be attached here and it didn't come through, so we cannot see its content. It would be best if you could create a .zip file out of it, upload it to some file storage of yours (like Google Drive or Dropbox or similar) and share the download link with us here. Alternatively, you could just copy its content and share it via a service like pastebin.com

    Seeing the source code should help to confirm the "nature" of the file.

    Kind regards,
    Adam

  • mbitcon
    • Problem solver

    What you could do is have a look at your access log and filter for entries around the time of the creation of the weird files, look for access to PHP files and look for POST access. Those files are usually created by a vulnerable plugin or theme file, so there must be an access to the vulnerable file first in order to create a new file...
    Also have a look at deactivated plugins - as the plugins folder is public, their files are accessible from the outside if the attacker knows the path.
    In the case I am referring to, the vulnerability was in an old version of the Cherry framework plugin.
    The plugin had been updated to the latest version, so the vulnerability was fixed in the installed plugin. Unfortunately the corresponding theme came with a copy of the plugin in a subfolder for quicker plugin installation and this installation copy of course never gets updated with the regular plugin update mechanism...
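
The log check mbitcon describes above, as an added example that is not from the thread: a Python script that parses Apache/Nginx combined-format access log lines, keeps the requests within a time window around the rogue file's creation, and flags POSTs to PHP files (direct hits on plugin, theme or wp-includes files are called out separately from the normal core endpoints such as admin-ajax.php) plus any request for the rogue file itself. The log lines, IP addresses, theme name, query string and creation timestamp are constructed sample data; only the rogue file name comes from the thread.

```python
"""Triage an access log around the time a rogue PHP file appeared.
Added example, not from the thread. Sample data below is constructed."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# A request straight to a file under these prefixes bypasses WordPress'
# front controller; a POST here is how a vulnerable plugin/theme file
# (including the unused copy shipped inside a theme) gets abused.
DIRECT_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/", "/wp-includes/")


def parse_line(line):
    """Return a dict (ip, time, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def classify(rec, rogue_path):
    """Why a request is interesting, or None if it is not."""
    path = rec["path"]
    if path == rogue_path:
        return "request for the rogue file itself"
    if rec["method"] != "POST" or not path.endswith(".php"):
        return None
    if path.startswith(DIRECT_PREFIXES):
        return "POST directly to a plugin/theme/includes file"
    return "POST to a core PHP endpoint"


def suspicious_requests(lines, created_at, rogue_path, window=timedelta(minutes=10)):
    """Flagged requests within +/- window of created_at, oldest first."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if abs(rec["time"] - created_at) > window:
            continue
        reason = classify(rec, rogue_path)
        if reason:
            hits.append({**rec, "reason": reason})
    hits.sort(key=lambda h: h["time"])
    return hits


def ip_counts(hits):
    """Flagged requests per client; the attacker's IP usually tops this."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log: documentation IP ranges, hypothetical theme name.
ROGUE_PATH = "/wp-includes/js/tinymce/langs/oarlbefg.php"
CREATED_AT = datetime(2018, 11, 5, 3, 14, 0, tzinfo=timezone.utc)  # assumed file mtime
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Nov/2018:03:05:12 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Nov/2018:03:12:48 +0000] "POST /wp-content/themes/sometheme/inc/upload.php HTTP/1.1" 200 41 "-" "python-requests/2.19"',
    '203.0.113.7 - - [05/Nov/2018:03:13:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 118 "https://example.org/" "Mozilla/5.0"',
    '198.51.100.23 - - [05/Nov/2018:03:14:30 +0000] "GET /wp-includes/js/tinymce/langs/oarlbefg.php?c=id HTTP/1.1" 200 12 "-" "python-requests/2.19"',
    '203.0.113.9 - - [05/Nov/2018:05:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG, CREATED_AT, ROGUE_PATH)
    for h in hits:
        print(h["time"].isoformat(), h["ip"], h["method"], h["path"], "->", h["reason"])
    print(ip_counts(hits))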

  • iamJayChong
    • Flash Drive

    Dear Adam Czajczyk, I'm so sorry for overlooking that the attachment didn't go through. Here's the "weird file created by itself" which I copied out:

    https://www.dropbox.com/s/5avzw8318b0xj5e/oarlbefg.php?dl=0

    Dear mbitcon: I had updated all plugins and the theme to the latest version; I even double-checked phpMyAdmin on the user database to see whether any "hidden" user was created, but no luck.

    Thank you guys for the response and assistance so far :slight_smile:

  • mbitcon
    • Problem solver

    Ah - and by the way, how much control do you have over the hosting server? It might make sense to have a look into the mail log of the server or have a look at whether there is more outgoing traffic after the creation of the file - there is a good chance that the file is used to relay spam mail from your server...

  • Adam Czajczyk
    • Support Gorilla

    Hi iamJayChong

    The file does look like some malicious code, indeed. I couldn't find this specific one anywhere, but those codes do "morph" quite often, so the most important part now would be to find out where it comes from and how it gets to the site, then clean the site up and try to secure the site and server as much as possible.

    You said earlier that you did run a Defender scan on the site and had to remove the file each time Defender found it. However, checking the locations of these files and looking into other files that Defender might possibly be finding could be helpful here.

    Would you mind enabling support access to the site then? I would like to run the Defender scan again and check what it points to. You can enable support access on the "WPMU DEV -> Support" page in your site's back-end (just let me know here once it's done, please).

    Also, do you have backups of the site (preferably from before those files started to show up)?

    Best regards,
    Adam

  • mbitcon
    • Problem solver

    Depending on your cPanel, there is a "Bandwidth" section somewhere; there should be a graph like the one I attached. Have a look at the SMTP traffic. Usually WordPress only sends out very few emails, like notifications and such. If the traffic is going up significantly here, then something malicious is probably going on.

  • iamJayChong
    • Flash Drive

    Adam Czajczyk: Thanks again. Yes, I have enabled support access for the website "bccci.org.my".

    I have also run a backup just now. However, the said incident has been happening for quite some time, and I don't think restoring a backup from a few months back is ideal for me. Hope you understand.

    Let me know if you need FTP access or other credential.

  • Adam Czajczyk
    • Support Gorilla

    Hi iamJayChong

    Thanks for enabling access.

    I ran both Defender's and Wordfence's scans on the site and they currently didn't return any results, claiming that the "site is clean". I'm not sure when you last removed those files, but it looks like they haven't come back so far.

    I think that at this point these things would be the best course of action:

    1. follow mbitcon advice on checking logs, that might actually help you identify when/how the code got there
    2. take some additional precautions apart from having Defender and Wordfence active on the site:

    - change all passwords: for your admin account(s) on the site, FTP accounts, and if possible also the server management panel password (though sometimes that's not possible without contacting the host)

    - overwrite WP core files with clean ones:

    * download the exact WP version that you're using and extract it to your local drive
    * connect to the server via FTP
    * upload the entire /wp-admin and /wp-includes folders, overwriting those of your current install, as well as the files from the root except the ".htaccess" and "wp-config.php" files (please note: be extremely cautious while doing this, as if you overwrite .htaccess, wp-config.php or the wp-content folder you might actually destroy your install).

    - check your cPanel/WHM (or if necessary get in touch with your host) to see if you can switch to a newer PHP version; currently the site is running on 5.6.38, which is already quite old; switching to 7.x (e.g. 7.2.x if available) should not only give the site a slight performance boost and improve stability but also increase security.

    - after that let's wait and see if those files will be coming back; if you notice they did come back, make sure again that support access is still active and let me know here before deleting them, please.

    Best regards,
    Adam
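
The core-file overwrite Adam describes above is easier to do safely if you first diff the installed tree against a clean copy of the same WordPress version: anything extra under wp-includes/ or wp-admin/ (such as the oarlbefg.php file from this thread) is a candidate backdoor, anything modified is a candidate injection, and wp-config.php and .htaccess are left alone. The Python script below is an added example, not the thread's or WPMU DEV's code; the clean copy is assumed to be the official release zip extracted locally, and the two small trees the demo builds in a temp directory are constructed data.

```python
"""Compare an installed WordPress tree against a clean copy of the same
version and list extra, modified and missing files. Added example, not
from the thread. The demo trees built below are constructed data."""
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")
# Site-specific root files: never overwritten, so never compared either.
ROOT_SKIP = {"wp-config.php", ".htaccess"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root, subdir):
    """Map relative path -> sha256 for every file below root/subdir."""
    digests = {}
    for dirpath, _, files in os.walk(os.path.join(root, subdir)):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def hash_root_files(root):
    """Top-level files only (index.php, wp-load.php, ...), minus ROOT_SKIP."""
    digests = {}
    for name in os.listdir(root):
        full = os.path.join(root, name)
        if os.path.isfile(full) and name not in ROOT_SKIP:
            digests[name] = sha256_file(full)
    return digests


def compare_trees(clean_root, installed_root):
    """Return {'extra': [...], 'modified': [...], 'missing': [...]} for the
    core directories and root files of installed_root relative to clean_root."""
    clean, installed = {}, {}
    for d in CORE_DIRS:
        clean.update(hash_tree(clean_root, d))
        installed.update(hash_tree(installed_root, d))
    clean.update(hash_root_files(clean_root))
    installed.update(hash_root_files(installed_root))
    return {
        "extra": sorted(p for p in installed if p not in clean),
        "modified": sorted(p for p in clean if p in installed and clean[p] != installed[p]),
        "missing": sorted(p for p in clean if p not in installed),
    }


def write(root, rel, body):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(body)


def build_demo():
    """Construct a 'clean' release tree and an 'installed' copy that carries a
    rogue file, one tampered core file and the site-specific root files."""
    base = tempfile.mkdtemp()
    clean, installed = os.path.join(base, "clean"), os.path.join(base, "installed")
    release = {  # hypothetical file contents, not a real WordPress release
        "wp-includes/version.php": "<?php $wp_version = '0.0.0-demo';",
        "wp-includes/js/tinymce/langs/README": "language packs",
        "wp-admin/index.php": "<?php require_once 'admin.php';",
        "index.php": "<?php require 'wp-blog-header.php';",
    }
    for root in (clean, installed):
        for rel, body in release.items():
            write(root, rel, body)
    write(installed, "wp-includes/js/tinymce/langs/oarlbefg.php", "<?php /* rogue */")
    write(installed, "wp-admin/index.php", release["wp-admin/index.php"] + "\n// injected")
    write(installed, "wp-config.php", "<?php define('DB_NAME', 'demo');")
    write(installed, ".htaccess", "RewriteEngine On")
    return clean, installed


if __name__ == "__main__":
    clean_root, installed_root = build_demo()
    for kind, paths in compare_trees(clean_root, installed_root).items():
        print(kind, paths)
```

Run it for real as `compare_trees('/path/to/clean/wordpress', '/path/to/public_html')`; if you have shell access to the host, WP-CLI's `wp core verify-checksums` does an equivalent check against the official checksums. Save anything in the `extra` list for analysis before removing it, as Adam asked: the file's mtime and the access log around it are what tie it back to the vulnerable entry point.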

  • iamJayChong
    • Flash Drive

    Dear Adam Czajczyk , thank you so much for all the suggestions and assistance.

    Yes, I had cleaned it before I published it. I will take the steps as per your suggestion:

    1) change all passwords
    2) update WordPress with a clean install via FTP

    3) One quick question. How do I switch the PHP version from 5.6.38 to a higher version, especially 7.x? Why can some websites switch without any error, while other websites show a totally white screen after the switch?

  • mbitcon
    • Problem solver

    In cPanel there is a "Software" section with an entry "Choose PHP version" ...

    The reason why some websites are fine and others are not when switching to PHP 7 is that not only WordPress has to be compatible (which it has been for a very long time) but also all plugins and themes have to use PHP 7 compatible code. Most themes and plugins are up to date, so usually there is nothing to worry about. If you are using plugins that are not compatible, the plugin author has slept for the last two years :wink:

  • Predrag Dubajic
    • Support

    Hi iamJayChong,

    I believe that mbitcon explained it nicely, and I just want to add that if you do get a white screen after upgrading PHP, you should try enabling the debug log on your site and then refresh the site so it writes the errors to the log. That should tell you exactly which file is giving you the error, so you can get in touch with the plugin/theme developer about it.
    You can enable debug log in your wp-config.php file (located in root WP folder) by replacing define('WP_DEBUG', false); with this code:

    // Enable WP_DEBUG mode
    define('WP_DEBUG', true);
    
    // Enable Debug logging to the /wp-content/debug.log file
    define('WP_DEBUG_LOG', true);
    
    // Disable display of errors and warnings
    define('WP_DEBUG_DISPLAY', false);
    @ini_set( 'log_errors', 1 );
    @ini_set( 'display_errors', 0 );

    And the errors should be stored in debug.log file inside your wp-content folder.

    Best regards,
    Predrag

  • mbitcon
    • Problem solver

    Hi Predrag

    What is the difference between using the PHP ini_set command and doing it the WordPress style?
    define('WP_DEBUG', true);
    define('WP_DEBUG_LOG', true);
    define('WP_DEBUG_DISPLAY', false);

    BTW, if I need to use this I'll comment the original line and add those three additional lines. When I am done I switch, commenting the three lines and uncommenting the original line. Gives a smooth workflow :wink:
