security - What is pclzip.lib.php file that wordfence think it's a malicious code

admin管理员组

文章数量:1287593

I have checked original wordpress and this file isn't there but this file comes back every time I deleted it. Do you think it's a malicious script?

Path: /wp-admin/uploader/pclzip.lib.php Code:

I have checked original wordpress and this file isn't there but this file comes back every time I deleted it. Do you think it's a malicious script?

Path: /wp-admin/uploader/pclzip.lib.php Code: http://www.phpconcept/pclzip/pclzip-downloads

• security

Share Improve this question asked Sep 16, 2015 at 11:10 Erdem EceErdem Ece 13111 gold badge11 silver badge44 bronze badges 1

• 1 If you use „one click installer” you often find files like this in your wordpress installation. talk.plesk/threads/… – Daniel Sixl Commented Oct 3, 2017 at 11:26

Add a comment  | 

3 Answers 3

Sorted by: Reset to default 5

It isn't normal for extra files/folders to appear in WP core folder. The only location that is considered writable is under wp-content and easily writable is uploads, or whatever they are customized to.

If it appears malicious, behaves malicious, and security tool thinks its malicious — it's a safe guess that it is. It also might not be malicious itself, but used as part of malicious payload for utility purposes (open source! :).

Sounds like it is definitely malicious code masquerading as a legitimate file. In WordPress core the legitimate file lives as /wp-admin/includes/class-pclzip.php so there is no need for this to be there as a separate file, legitimate uses would just include this core file class and use that, not write it to a directory in wp-content without asking.

The only other option is it's being written there by a plugin or theme that uses it for uploads - but that is highly unlikely and a major security risk even in that case so any plugin/theme doing that should be ditched. Upload scripts like are the worst security hole as easiest to exploit. But the content of the file should give you more clues - it will probably look like junk code.

If it keeps coming back you may want to change the permissions on the /wp-content/uploader/ directory so it is not writeable. But that may or may not be enough, depending on the complexity of the script writing it. There is usually another file that is infected that is rewriting this file when it is not found.

Bottom line best to start researching how to clean up a hacked site ASAP. Start with a scan tool like maldetect and go from there. It may be safer and faster to go with a clean re-install of WordPress and all plugins and theme, and add more security plugins because the original vulnerability is still unknown.

According to this post, it looks that this file is a backup file. Are you using any plugin for backups, for example Backup Creator or WordPress Back up by BTE?

本文标签： securityWhat is pclziplibphp file that wordfence think it39s a malicious code