
I have a few sites in a cPanel. A couple of them are WordPress. I changed to a new hosting provider and since then two files started being generated in multiple directories, even ones not from WordPress. The files are advanced_settings.php and common_config.php.

The system reports these files as malware, however, I opened them and they were empty. The hosting provider says this is the fault of WordPress, most likely due to some outdated plugin.

None of this ever happened in the hosts I used before for these sites. Actually, I never had this situation in any WordPress site before. I searched on Google and here, but I didn't find a single thing about this. I'm sharing this here hoping that someone has already had or read about this and can share some help.


asked Feb 28, 2017 at 0:48 by Alex; edited Feb 28, 2017 at 4:55 by Dave Romsey
  • If you can, search for these file names within your existing WordPress files. That may reveal where they are coming from. – Fayaz Commented Feb 28, 2017 at 4:38
  • advanced_settings might be from WP Super Cache plugin. are you sure your hosting doesn't have some form of WordPress optimization/caching? are they both empty? Have you tried disabling all plugins from one of the sites? – The J Commented Feb 28, 2017 at 5:06
  • @Fayaz I searched for these files in backups from before this happening and there isn't a single file of these two in any directory. There isn't actually anything relating the situation to WordPress. – Alex Commented Mar 1, 2017 at 0:04
  • @TheJ Not using WP Super Cache at all. But have WP Fastest Cache in two sites. As far as I know, the hosting doesn't have any WordPress specific caching system. Both files are empty. – Alex Commented Mar 1, 2017 at 0:10
  • I'm saying if these file names exist within the CODE of your WordPress files. If you can run shell commands, the command will be something like `grep -ri 'advanced_settings.php' .` after you go to the WordPress installation directory. – Fayaz Commented Mar 1, 2017 at 0:11

1 Answer

These files are part of a PHP malware infection. We are in the process of cleaning up an ongoing infection that has a very similar behavior.

While this PHP malware infects non-WordPress sites as well, when it attacks a WordPress site we are noticing some very consistent patterns:

  • Two files ("advanced_settings.php" and "common_config.php") which both contain obfuscated code are placed in the wp-admin/css/colors/blue folder
  • Additional obfuscated code is injected into the index.php file at the root of the WordPress installation
  • Frequently, but not always, the index.php file located in wp-content/plugins and/or wp-content/themes has code inserted into it
  • The wp-config.php file at the root of the WordPress installation typically has code injected into it
  • A series of additional .php files are inserted at random places inside theme folders and plugin folders

and finally, the following additional files have been pretty consistently inserted into every WordPress installation:

  • wp-includes/Requests/Auth/include.php
  • wp-includes/Requests/Exception/global.php
  • wp-includes/Requests/Exception/include.php
  • wp-includes/Requests/Exception/utf.php
  • wp-includes/Requests/Proxy/sql.php
  • wp-includes/Requests/Utility/defines.php
  • wp-includes/SimplePie/Net/javascript.php
  • wp-includes/js/imgareaselect/test11.php
  • wp-includes/js/tinymce/plugins/diff21.php
  • wp-includes/pomo/menu.php

These additional files are not part of the WordPress core, so simply uploading a fresh set of WordPress files that overwrite the ones installed on your web server will not get rid of them (although that will fix up some of the files that have code injected into them).

If you're seeing the 2 files you mentioned appearing randomly, look for some of the signs mentioned here. In particular, look for injected code in your index.php and wp-config.php files, as those will be executed any time someone visits your site or you as an admin user log in to your site.

In some of the WordPress sites that have been infected by this malware, we also have discovered the appearance of an additional WordPress user account with Administrative privileges.

In addition to removing the injected code and deleting the additional files, we're currently taking the step of removing the bogus user account (when it has been added), replacing the "Salts" in the wp-config.php files, invalidating all user account passwords, and changing the MySQL password for the database user.

There may be other steps we take, but that's what we're doing for now. I hope this is helpful!
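A scanner for the indicators described in the answer above, as an added example that is not part of the original answer or of WordPress. The dropped-file paths and the injection targets (index.php, wp-config.php, the plugins/themes index.php) are taken from the answer; the regex for "obfuscated code" and the fake document root the example builds are this example's own assumptions and constructed test data. File sizes are reported because the questioner saw zero-byte copies: an empty file in the document root is still evidence that something is writing there.

```python
"""Scan a WordPress document root for the indicators listed in the answer.

Added example, not code from the original post. DROPPED_PATHS and
INJECTION_TARGETS come from the answer; OBFUSCATION_RE is an assumption
about what injected PHP typically looks like.
"""
import re
import tempfile
from pathlib import Path

# Paths the answer reports as consistently dropped, relative to the WP root.
DROPPED_PATHS = [
    "wp-admin/css/colors/blue/advanced_settings.php",
    "wp-admin/css/colors/blue/common_config.php",
    "wp-includes/Requests/Auth/include.php",
    "wp-includes/Requests/Exception/global.php",
    "wp-includes/Requests/Exception/include.php",
    "wp-includes/Requests/Exception/utf.php",
    "wp-includes/Requests/Proxy/sql.php",
    "wp-includes/Requests/Utility/defines.php",
    "wp-includes/SimplePie/Net/javascript.php",
    "wp-includes/js/imgareaselect/test11.php",
    "wp-includes/js/tinymce/plugins/diff21.php",
    "wp-includes/pomo/menu.php",
]

# The two names from the question show up in arbitrary directories, even
# non-WordPress ones, so they are matched by basename anywhere under root.
DROPPED_BASENAMES = {"advanced_settings.php", "common_config.php"}

# Files the answer says receive injected code.
INJECTION_TARGETS = [
    "index.php",
    "wp-config.php",
    "wp-content/plugins/index.php",
    "wp-content/themes/index.php",
]

# Assumed markers of obfuscated PHP (not from the post): runtime evaluation
# of decoded payloads, the preg_replace /e modifier, long base64 blobs.
OBFUSCATION_RE = re.compile(
    r"\b(?:eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"
    r"|[A-Za-z0-9+/]{200,}={0,2}",
    re.IGNORECASE,
)


def scan_install(root):
    """Return {'dropped': [(relpath, size)], 'injected': [(relpath, marker)]}."""
    root = Path(root)
    dropped = {}
    for rel in DROPPED_PATHS:
        f = root / rel
        if f.is_file():
            dropped[rel] = f.stat().st_size
    for f in root.rglob("*.php"):
        if f.name in DROPPED_BASENAMES:
            dropped[f.relative_to(root).as_posix()] = f.stat().st_size
    injected = []
    for rel in INJECTION_TARGETS:
        f = root / rel
        if not f.is_file():
            continue
        m = OBFUSCATION_RE.search(f.read_text(errors="replace"))
        if m:
            injected.append((rel, m.group(0)[:40]))
    return {"dropped": sorted(dropped.items()), "injected": injected}


def build_infected_fixture(base):
    """Construct a fake WordPress tree with indicators planted (sample data)."""
    base = Path(base)
    for d in ("wp-admin/css/colors/blue", "wp-includes/pomo",
              "wp-content/plugins", "wp-content/uploads/2017/02"):
        (base / d).mkdir(parents=True, exist_ok=True)
    (base / "index.php").write_text(
        "<?php\ndefine('WP_USE_THEMES', true);\n"
        "require __DIR__ . '/wp-blog-header.php';\n"
        "eval(base64_decode('aGVsbG8='));\n"  # planted injection ("hello")
    )
    (base / "wp-config.php").write_text(
        "<?php\ndefine('DB_NAME', 'wp');\ndefine('AUTH_KEY', 'x');\n")
    (base / "wp-content/plugins/index.php").write_text(
        "<?php\n// Silence is golden.\n")
    # zero-byte copy, as the questioner observed
    (base / "wp-admin/css/colors/blue/advanced_settings.php").write_text("")
    (base / "wp-includes/pomo/menu.php").write_text("<?php @include '/tmp/x';\n")
    (base / "wp-content/uploads/2017/02/common_config.php").write_text("")
    return base


def demo():
    """Build the fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_install(build_infected_fixture(tmp))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_install(target) if target else demo())
```

Run it as `python3 scan.py /home/user/public_html` against a real document root. A hit on a dropped path is a strong indicator regardless of file size; a regex hit in an injection target should be read by hand, since a plugin-installed snippet in wp-config.php can also trip the eval/base64 heuristic. The remaining steps in the answer (checking for an unexpected administrator, rotating salts and passwords) are done against the database rather than the filesystem; with WP-CLI, `wp user list --role=administrator` and `wp config shuffle-salts` cover the first two.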
