>500 Unknown files suddenly reported

  • Resolved JKEngineer

    (@jkengineer)


    4 years, 7 months ago

    During an extended problem solving session by my shared hosting webhost, WordFence reported >500 “Unknown file in WordPress core” labeled as High Severity problems.

    These are files like:
    wp-admin/authorize-application.php
    wp-admin/images/about-header-about.svg
    wp-admin/images/about-header-credits.svg
    wp-admin/images/about-header-freedoms.svg
    wp-admin/images/about-header-privacy.svg
    wp-admin/images/freedom-1.svg
    wp-admin/images/freedom-2.svg
    wp-admin/images/freedom-3.svg
    wp-admin/images/freedom-4.svg
    wp-admin/images/privacy.svg
    wp-admin/includes/class-wp-application-passwords-list-table.php
    wp-admin/js/application-passwords.js
    wp-admin/js/application-passwords.min.js
    wp-admin/js/auth-app.js
    wp-admin/js/auth-app.min.js
    wp-admin/widgets-form-blocks.php
    wp-admin/widgets-form.php
    wp-includes/block-editor.php
    wp-includes/block-patterns/query-grid-posts.php
    wp-includes/block-patterns/query-large-title-posts.php
    wp-includes/block-patterns/query-medium-posts.php
    wp-includes/block-patterns/query-offset-posts.php
    wp-includes/block-patterns/query-small-posts.php
    wp-includes/block-patterns/query-standard-posts.php
    wp-includes/block-patterns/social-links-shared-background-color.php
    wp-includes/block-supports/align.php
    wp-includes/block-supports/border.php
    wp-includes/block-supports/colors.php
    wp-includes/block-supports/custom-classname.php
    wp-includes/block-supports/duotone.php
    wp-includes/block-supports/elements.php
    wp-includes/block-supports/generated-classname.php
    wp-includes/block-supports/layout.php
    wp-includes/block-supports/spacing.php
    wp-includes/block-supports/typography.php

    The majority of them are in the wp-includes diretory. I looked at the dates on a few of them in file manager and they are not new. I’m seeing dates for July 2021, for example.

    During the problem solving work by the host, they downgraded the WP version to 5.5.6 from 5.8.1. I have not yet restored the latest version.

    Are these part of an attack? Are they due to the downgrade – perhaps files from the previously installed 5.8.1 that WordFence does not recognize as being correct for 5.5.6? Should I upgrade WP and see if the issue goes away?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Thread Starter JKEngineer

    (@jkengineer)

    4 years, 7 months ago

    Follow up.
    I compared file manager contents for a few of the files with another site on another host with WP 5.8.1 installed. Files with the same names were there, but with different time stamps. Contents of a couple looked similar.

    I opted to go ahead and update the problem site against the possibility that WordFence was getting mixed signals regarding what the installed WP version was or something similar.

    After updating, I reran the WordFence scan. No file problems were reported.

    This seems to be, at worst, a WordFence issue of some sort.

    Plugin Support wfphil

    (@wfphil)

    4 years, 7 months ago

    Hi @jkengineer

    I am not sure whether you got the scan results before or after your host downgraded the WordPress version. This looks like either an incomplete downgrade or upgrade of WordPress and you had files present in your WordPress filesystem for more than one version of WordPress.

    Thread Starter JKEngineer

    (@jkengineer)

    4 years, 7 months ago

    The scan results were from after the host downgraded the WP version. Scared the living daylights out of me. 😉

    After I upgraded back to 5.8.1, I manually initiated a new scan. The only item reported was skipped paths. No files were flagged.

    If you feel the 500+ files flagged were because of inconsistent versions, I’ll accept that.

    Thanks

    Plugin Support wfphil

    (@wfphil)

    4 years, 7 months ago

    Hi @jkengineer

    Thank you for the update.

    Every time that I have seen this it is because of a failed WordPress version upgrade or an incorrect version downgrade after checking the listed files against the two versions of WordPress involved.

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘>500 Unknown files suddenly reported’ is closed to new replies.