TransWikia.com

What is the pclzip.lib.php file that Wordfence thinks is malicious code?

WordPress Development Asked by Erdem Ece on November 16, 2021

I have checked the original WordPress and this file isn’t there, but this file comes back every time I delete it. Do you think it’s a malicious script?

Path: /wp-admin/uploader/pclzip.lib.php
Code: http://www.phpconcept.net/pclzip/pclzip-downloads

3 Answers

Sounds like it is definitely malicious code masquerading as a legitimate file. In WordPress core the legitimate file lives at /wp-admin/includes/class-pclzip.php, so there is no need for this to be there as a separate file; legitimate uses would just include this core file class and use that, not write it to a directory in wp-content without asking.

The only other option is it's being written there by a plugin or theme that uses it for uploads - but that is highly unlikely and a major security risk even in that case, so any plugin/theme doing that should be ditched. Upload scripts like this are the worst security hole, as they are the easiest to exploit. But the content of the file should give you more clues - it will probably look like junk code.

If it keeps coming back you may want to change the permissions on the /wp-content/uploader/ directory so it is not writeable. But that may or may not be enough, depending on the complexity of the script writing it. There is usually another file that is infected that is rewriting this file when it is not found.

Bottom line: it is best to start researching how to clean up a hacked site ASAP. Start with a scan tool like maldetect and go from there. It may be safer and faster to go with a clean re-install of WordPress and all plugins and theme, and add more security plugins because the original vulnerability is still unknown.

Answered by majick on November 16, 2021

According to this post, it looks like this file is a backup file. Are you using any plugin for backups, for example Backup Creator or WordPress Back up by BTE?

Answered by Krzysztof Grabania on November 16, 2021

It isn't normal for extra files/folders to appear in the WP core folder. The only location that is considered writable is under wp-content, and the easily writable one is uploads, or whatever they are customized to.

If it appears malicious, behaves maliciously, and a security tool thinks it's malicious — it's a safe guess that it is. It also might not be malicious itself, but used as part of a malicious payload for utility purposes (open source! :).

Answered by Rarst on November 16, 2021
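
The answers above note that the legitimate PclZip class lives at /wp-admin/includes/class-pclzip.php and that extra files do not normally appear in core folders. As an added example (not part of any answer on this page), the following Python script compares a site's wp-admin and wp-includes trees against a clean copy of the same WordPress version and reports unexpected, modified and missing files. The function names and the sample trees are constructed for illustration, and the clean copy is assumed to be an unpacked download of the exact version the site runs.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # core-only trees; wp-content legitimately differs

def core_files(root: Path) -> dict:
    """Map relative path -> SHA-256 for every file under the core directories."""
    found = {}
    for base in (root / name for name in CORE_DIRS):
        for p in (base.rglob("*") if base.is_dir() else ()):
            if p.is_file():
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                found[p.relative_to(root).as_posix()] = digest
    return found

def audit_core(site_root, clean_root) -> dict:
    """Compare a live site against a clean copy of the same WordPress version."""
    site, clean = core_files(Path(site_root)), core_files(Path(clean_root))
    return {
        "unexpected": sorted(set(site) - set(clean)),  # e.g. a dropped uploader script
        "modified": sorted(f for f in site.keys() & clean.keys() if site[f] != clean[f]),
        "missing": sorted(set(clean) - set(site)),
    }

def build_demo(tmp: Path):
    """Constructed sample trees: a clean reference and a site with two anomalies."""
    layout = {
        "wp-admin/includes/class-pclzip.php": "<?php // core PclZip class\n",
        "wp-admin/index.php": "<?php // dashboard\n",
        "wp-includes/version.php": "<?php // version\n",
    }
    for root in ("clean", "site"):
        for rel, body in layout.items():
            f = tmp / root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
    extra = tmp / "site/wp-admin/uploader/pclzip.lib.php"  # path from the question
    extra.parent.mkdir(parents=True)
    extra.write_text("<?php // not part of core\n")
    # A core file whose content no longer matches the reference copy
    (tmp / "site/wp-admin/index.php").write_text("<?php // dashboard\n// changed\n")
    return tmp / "site", tmp / "clean"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit_core(*build_demo(Path(d))))
```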
