Unknown file in WordPress core

Hi guys

I have two suspicious files captured by Defender. I wonder if you can check them out and let me know if I need to act please?

One is
info.php
and the other
error.log

Typically I have been ignoring error logs. I'm less confident about info.php though.

Any advice?

Many thanks
Paul

  • Rupok

    Hi Paul,

    Thanks for asking. An error.log file should not be created in the root directory of your site. But if your PHP is configured in that way, then this can happen. Still, I can tell you better about this after checking the content of that file.

    And regarding the info.php file, again I could tell you better if I could see the content of that file.

    Can you please download those two files from your server on your computer, zip them, and attach that zip file with your reply here?

    As it's not standard to have any extra php file in the root directory of your WordPress installation, Defender is giving you that warning. After downloading those two files on your computer, can you please delete those two from your server and check if your site runs perfectly? If yes, then we are good. If your site breaks, then upload those files back to your server and send us those files in the way I requested above.

    I'm looking forward to hearing from you and resolving this issue as soon as possible.

    Have a nice day. Cheers!
    Rupok

  • Paul

    I'll try and upload the files without zipping them (update: not working either)

    I've deleted both files and the site is working for the moment.

    Looking into this it seems that info.php is sometimes used as an exploit. Last weekend my site went down for a day and my integrations were broken. Error logs suggested cURL errors. The problem mysteriously vanished the next day.

    Here's a link to the ticket for that problem:
    https://premium.wpmudev.org/forums/topic/urgent-marketpress-broken-at-final-link-to-checkout#post-1230495

    Here's a link to a info.php exploit from a couple of years ago:
    http://wordpress.stackexchange.com/questions/167383/how-to-fight-this-wp-info-php-exploit

    I've set defender to scan the domain every day and files every 6 hours.

    Could someone give this all the once over with a view to establishing this is not a hack?

    Thanks for your help.
    Paul

  • Rupok

    Hi Paul,

    I'll try and upload the files without zipping them (update: not working either)

    Can you please upload the zip file to any popular file sharing service site like Dropbox, Google Drive etc. and share the download link of that zip file here?

    An exploit can come in any name. As you are scanning your site with Defender, and probably fixed all shown issues (I assume you did), I think your site is safer than before. To know what things you should be taking care of for making your site more secure, you can check this blog article: https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/

    I believe these will help. Please let us know if you have any further queries. We will be glad to help.

    Have a nice day. Cheers!
    Rupok

  • Paul

    Hi Rupok

    Brilliant thanks. Here's a link to the files
    https://www.dropbox.com/s/tu661e4h65mwuqc/sitefiles.zip?dl=0

    Now, checking the other sites in the installation I notice that http://www.paulgreenacoustic.co.uk is giving Defender warnings. See attached screenshot. These correspond to error logs on cPanel (see below).

    Earlier when I tried to Fix Issues Defender froze. It is allowing it now for some reason. I will leave this for a moment so you can have a look. It also is suggesting the php version is out of date (I have instructed Defender to ignore this for the moment). Php has been updated on the server and is not showing as an issue on the other three sites.

    Hopefully these issues are related and will help you triangulate an opinion.

    Support access is granted in case you need to have a look around.

    Thanks very much
    Paul

    2017-03-21 15:39:05.962 [INFO] [77.72.0.162:37776] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:39:05.930 [INFO] [77.72.0.162:37774] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:39:05.866 [INFO] [77.72.0.162:37772] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:39:05.803 [INFO] [77.72.0.162:37770] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:39:05.740 [INFO] [77.72.0.162:37768] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:39:05.707 [INFO] [77.72.0.162:37766] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/404.shtml]
    2017-03-21 15:39:05.707 [INFO] [77.72.0.162:37766] Index file is not available in [/home/druidcou/public_html/paulgreenacoustic.co.uk/wp-includes/]
    2017-03-21 15:33:06.401 [INFO] [156.202.66.161:57042] File not found [/home/druidcou/public_html/ceg.wales/403.shtml]
    2017-03-21 15:29:48.102 [INFO] [77.153.187.112:54443] File not found [/home/druidcou/public_html/ceg.wales/403.shtml]
    2017-03-21 15:16:05.520 [INFO] [77.72.0.162:58338] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:16:05.456 [INFO] [77.72.0.162:58336] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:16:05.392 [INFO] [77.72.0.162:58334] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:16:05.360 [INFO] [77.72.0.162:58332] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:16:05.297 [INFO] [77.72.0.162:58330] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 15:16:05.052 [INFO] [77.72.0.162:58328] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/404.shtml]
    2017-03-21 15:16:05.051 [INFO] [77.72.0.162:58328] Index file is not available in [/home/druidcou/public_html/paulgreenacoustic.co.uk/wp-includes/]
    2017-03-21 14:58:41.030 [INFO] [112.203.109.114:59482] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
    2017-03-21 14:42:42.455 [INFO] [41.191.204.79:2352] File not found [/home/druidcou/public_html/serasongs.com/403.shtml]
    2017-03-21 14:42:08.342 [INFO] [197.237.42.222:56033] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
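
The cPanel/LiteSpeed error-log lines quoted above carry two distinct signals. "File not found [.../403.shtml]" means the server tried to serve a custom 403 (or 404) error page that was never created; it tells you a request was refused, but not which URL, so the matching access-log line is what to look up next. "Index file is not available in [.../wp-includes/]" means a client asked for the bare wp-includes/ directory and the server had no index to serve; with directory listing disabled, refusing that request is the desired outcome. The following Python script is an added example, not part of the thread or of Defender: it parses lines in that format, labels each one, and aggregates them per IP and per site so bursts from a single address (as with 77.72.0.162 above) stand out. The sample log is constructed, with a copy of some of the lines quoted in the post plus one malformed line to show that unknown formats are skipped rather than guessed at.

```python
import re
from collections import Counter

# Constructed sample, copied in shape from the cPanel/LiteSpeed error-log lines
# quoted in the post above. The last line is deliberately malformed.
SAMPLE_LOG = """\
2017-03-21 15:39:05.962 [INFO] [77.72.0.162:37776] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/403.shtml]
2017-03-21 15:39:05.707 [INFO] [77.72.0.162:37766] File not found [/home/druidcou/public_html/paulgreenacoustic.co.uk/404.shtml]
2017-03-21 15:39:05.707 [INFO] [77.72.0.162:37766] Index file is not available in [/home/druidcou/public_html/paulgreenacoustic.co.uk/wp-includes/]
2017-03-21 15:33:06.401 [INFO] [156.202.66.161:57042] File not found [/home/druidcou/public_html/ceg.wales/403.shtml]
2017-03-21 14:42:42.455 [INFO] [41.191.204.79:2352] File not found [/home/druidcou/public_html/serasongs.com/403.shtml]
this line is not in the expected format and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"\[(?P<level>\w+)\] "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\] "
    r"(?P<msg>File not found|Index file is not available in) "
    r"\[(?P<path>[^\]]+)\]$"
)

# cPanel looks for these custom error pages when it serves an error response.
ERROR_PAGES = ("403.shtml", "404.shtml", "500.shtml")


def site_of(path):
    """Return the per-site directory name under public_html, or None."""
    _head, sep, tail = path.partition("/public_html/")
    if not sep:
        return None
    return tail.split("/", 1)[0]


def classify(msg, path):
    """Label a log line; only directory-index misses deserve a closer look."""
    if msg == "File not found" and path.rsplit("/", 1)[-1] in ERROR_PAGES:
        # A request was refused and the custom error page does not exist.
        # The refused URL itself is only in the access log.
        return "missing-error-page"
    if msg == "Index file is not available in":
        # A bare directory was requested; listing must stay disabled.
        return "dir-index-probe"
    return "other"


def parse(text):
    """Parse every well-formed line into a dict; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["site"] = site_of(d["path"])
        d["kind"] = classify(d["msg"], d["path"])
        events.append(d)
    return events


def summarize(events):
    """Counts per IP, per site and per kind, plus the directory probes in full."""
    return {
        "by_ip": Counter(e["ip"] for e in events),
        "by_site": Counter(e["site"] for e in events),
        "by_kind": Counter(e["kind"] for e in events),
        "dir_probes": [
            (e["ip"], e["site"], e["path"])
            for e in events
            if e["kind"] == "dir-index-probe"
        ],
    }


if __name__ == "__main__":
    summary = summarize(parse(SAMPLE_LOG))
    for key, value in summary.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

Run it against a real error log by reading the file into `parse()` instead of `SAMPLE_LOG`. The error-page lines are noise in themselves; the useful next step is to take the IPs with the highest counts and search the access log for the same timestamps to see which URLs returned 403.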

  • Nithin

    Hi Paul,

    Hope you are doing good today. :slight_smile:

    Here's a link to the files
    https://www.dropbox.com/s/tu661e4h65mwuqc/sitefiles.zip?dl=0

    Thank you for sharing these files. I checked the files you mentioned, and they are clean. info.php contains the following code, which outputs information about your PHP setup; this might have been created while troubleshooting. You can delete the file, and it won't hamper your website's performance.

    <?php
    
    // Show all information, defaults to INFO_ALL
    phpinfo();
    
    ?>

    Earlier when I tried to Fix Issues Defender froze. It is allowing it now for some reason. I will leave this for a moment so you can have a look. It also is suggesting the php version is out of date (I have instructed Defender to ignore this for the moment). Php has been updated on the server and is not showing as an issue on the other three sites.

    You just have to ignore the mentioned files, no need to fix it. You can delete error_log file if you want, ignoring the other files would be good in this case.


    It seems like you are running PHP 5.5.38; are you sure that PHP is updated on this website? You can copy the info.php file that you provided in the above reply into the root directory of your website, and calling the file will show the PHP version your website is currently running.
    paulgreenacoustic.co.uk/info.php

    I hope this helps. Please let us know how that goes, have a nice day. :slight_smile:

    Best Regards,
    Nithin
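
A note on the verdict above: a bare `phpinfo()` page is not malicious, but it publishes the PHP version, loaded extensions, document root, and environment variables to anyone who requests it, which is exactly the reconnaissance an attacker wants before choosing an exploit. If you drop a copy of info.php in to check the version, delete it as soon as you have read the output. More generally, the question Paul opened the thread with ("is this file supposed to be here?") can be answered mechanically: WordPress ships a fixed set of files and directories in its root, so anything else at the top level is either something you or your host added or something you need to read. The script below is an added example, not part of the thread or of Defender. It builds a constructed, throw-away WordPress-like root in a temporary directory, then triages every top-level entry that is not WordPress core: a file containing only `phpinfo()` is graded as information disclosure, a file matching common backdoor idioms is graded suspicious, and everything else is flagged for a manual look. The list of core root entries and the pattern list are the editor's, taken from the WordPress 4.x layout current when this thread was written; the "wp-cache.php" backdoor in the fixture is a constructed illustration of the idiom being detected.

```python
import re
import tempfile
from pathlib import Path

# Files and directories WordPress ships in the installation root (4.x layout).
# Anything else at the top level deserves a look.
WP_ROOT_ENTRIES = {
    "index.php", "license.txt", "readme.html", "wp-activate.php", "wp-admin",
    "wp-blog-header.php", "wp-comments-post.php", "wp-config-sample.php",
    "wp-content", "wp-cron.php", "wp-includes", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# Not shipped by WordPress, but expected on any working install.
EXPECTED_EXTRA = {"wp-config.php", ".htaccess"}

# Heuristics for grading a non-core PHP file. A match is a reason to read the
# file, not proof of compromise. Order matters: phpinfo is checked first so a
# file containing nothing else is recognised as a plain diagnostic.
PATTERNS = [
    ("phpinfo", re.compile(r"\bphpinfo\s*\(")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("shell", re.compile(r"\b(?:shell_exec|system|passthru|exec|popen)\s*\(")),
    ("request-input", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")),
]

PHP_SUFFIXES = {".php", ".php5", ".phtml"}


def grade_php(path: Path) -> str:
    """Grade one PHP file by the idioms it contains."""
    text = path.read_text(errors="replace")
    hits = [label for label, rx in PATTERNS if rx.search(text)]
    if hits == ["phpinfo"]:
        return "info-disclosure: phpinfo() only, delete it"
    if hits:
        return "suspicious: " + ", ".join(hits)
    return "unknown-php: read it"


def triage_root(root: Path) -> dict:
    """Return {name: verdict} for every top-level entry that is not core."""
    findings = {}
    for entry in sorted(root.iterdir()):
        name = entry.name
        if name in WP_ROOT_ENTRIES or name in EXPECTED_EXTRA:
            continue
        if entry.is_dir():
            findings[name] = "unknown-directory: list it"
        elif entry.suffix.lower() in PHP_SUFFIXES:
            findings[name] = grade_php(entry)
        else:
            findings[name] = "unknown-file: check contents"
    return findings


def build_fixture(root: Path) -> None:
    """Create a constructed, minimal WordPress-like root for the demo."""
    for d in ("wp-admin", "wp-includes", "wp-content"):
        (root / d).mkdir()
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'demo');\n")
    # The file from this thread: a bare phpinfo() call.
    (root / "info.php").write_text("<?php\n// Show all information, defaults to INFO_ALL\nphpinfo();\n?>\n")
    (root / "error.log").write_text("[21-Mar-2017 15:39:05 UTC] PHP Warning: constructed sample line\n")
    # Constructed illustration of a dropped backdoor idiom; not from the thread.
    (root / "wp-cache.php").write_text("<?php eval(base64_decode($_POST['c']));\n")


def demo() -> dict:
    """Build the fixture in a temp dir, triage it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return triage_root(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

To use it on a real site, call `triage_root(Path("/home/user/public_html"))`. The allowlist only covers the installation root; for wp-admin/ and wp-includes/ a checksum comparison against the release (which is what Defender's file scan does) is the right tool, since a modified core file has a legitimate name.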

  • Paul

    Hi Nithin

    The
    This really is a bit weird. This site, paulgreenacoustic, is running on the same installation as three other sites. It is a subdomain of the main site, thedruidsbrew. All the other sites have the correct php version.

    How can this be correct?

    I have tried deleting and reloading dashboard and defender but this hasn't worked. I now cannot configure defender properly.

    Note, the files linked in dropbox are from the primary domain thedruidsbrew. The php issue is showing on the subdomain paulgreenacoustic.

    I have a ticket open with the service provider but they haven't got back to me.

    Looking at the backend of paulgreenacoustic I can see that the dashboard isn't fully functional. I don't know if this is a result or the effect of a php report in Defender.

    Thanks again
    Paul

  • Rupok

    Hi Paul,

    If you want your site to use the server default PHP version for any specific site, then go to the root directory of that site and open the .htaccess file. Then remove the following lines from that .htaccess file and save:

    <IfModule mime_module>
    AddType application/x-httpd-ea-php55 .php .php5 .phtml
    </IfModule>

    That will make that site use the server default PHP version.

    Please let us know if you have any further queries. We will be glad to help.

    Have a nice day. Cheers!
    Rupok
