WordPress Development Asked by Erdem Ece on November 16, 2021
I have checked original WordPress and this file isn’t there but this file comes back every time I delete it. Do you think it’s a malicious script?
Path: /wp-admin/uploader/pclzip.lib.php
Code: http://www.phpconcept.net/pclzip/pclzip-downloads
Sounds like it is definitely malicious code masquerading as a legitimate file. In WordPress core the legitimate file lives as /wp-admin/includes/class-pclzip.php so there is no need for this to be there as a separate file, legitimate uses would just include this core file class and use that, not write it to a directory in wp-content without asking.
The only other option is it's being written there by a plugin or theme that uses it for uploads - but that is highly unlikely and a major security risk even in that case so any plugin/theme doing that should be ditched. Upload scripts like this are the worst security hole as easiest to exploit. But the content of the file should give you more clues - it will probably look like junk code.
If it keeps coming back you may want to change the permissions on the /wp-content/uploader/ directory so it is not writeable. But that may or may not be enough, depending on the complexity of the script writing it. There is usually another file that is infected that is rewriting this file when it is not found.
Bottom line: best to start researching how to clean up a hacked site ASAP. Start with a scan tool like maldetect and go from there. It may be safer and faster to go with a clean re-install of WordPress and all plugins and theme, and add more security plugins because the original vulnerability is still unknown.
Answered by majick on November 16, 2021
According to this post, it looks like this file is a backup file. Are you using any plugin for backups, for example Backup Creator or WordPress Back up by BTE?
Answered by Krzysztof Grabania on November 16, 2021
It isn't normal for extra files/folders to appear in WP core folder. The only location that is considered writable is under wp-content and easily writable is uploads, or whatever they are customized to.
If it appears malicious, behaves malicious, and security tool thinks it's malicious — it's a safe guess that it is. It also might not be malicious itself, but used as part of malicious payload for utility purposes (open source! :).
Answered by Rarst on November 16, 2021
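The check the answers above describe, as an added example that is not part of the original posts: compare the core directories of the live site against a freshly unpacked copy of the same WordPress version and list files that exist only on the live site or whose contents differ. The function names and the two directory arguments are assumptions made for this example.

```python
import hashlib
from pathlib import Path

# Core directories that a stock WordPress install does not add files to.
CORE_DIRS = ("wp-admin", "wp-includes")


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_core(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under the core dirs."""
    files = {}
    for name in CORE_DIRS:
        base = root / name
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file():
                files[p.relative_to(root).as_posix()] = sha256_of(p)
    return files


def compare_core(live_root, clean_root) -> dict:
    """Report core files that are unexpected, modified or missing."""
    live = index_core(Path(live_root))
    clean = index_core(Path(clean_root))
    shared = live.keys() & clean.keys()
    return {
        "unexpected": sorted(live.keys() - clean.keys()),
        "modified": sorted(f for f in shared if live[f] != clean[f]),
        "missing": sorted(clean.keys() - live.keys()),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: compare_core.py <live_site_root> <clean_wordpress_root>")
    for kind, paths in compare_core(sys.argv[1], sys.argv[2]).items():
        for rel in paths:
            print(f"{kind}: {rel}")
```

A file such as wp-admin/uploader/pclzip.lib.php is reported under "unexpected"; a core file reported as "modified" is a candidate for the other infected file that keeps rewriting it.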