Title: Malicious(?) code in plugin-generated php files Last modified: February 24, 2020 --- # Malicious(?) code in plugin-generated php files * [al2357](https://wordpress.org/support/users/al2357/) * (@al2357) * [6 years, 3 months ago](https://wordpress.org/support/topic/malicious-code-in-plugin-generated-php-files/) * Hi, * I had some potentially malicious code in files like this(name changed): * wp-content/cache/supercache/www.example.org/meta-wp-cache-www.example.org12ef834fsaf32r23f43gsdf95. php * here is the sample: * `@eval($_GET[%27fuck%27]);&fuck=fputs(fopen(base64_decode(` * [@donncha](https://wordpress.org/support/users/donncha/) has written some time ago that these PHP files [are generated off the website.](https://wordpress.org/support/topic/malicious-files-found-by-wordfence-plugin/#post-10404101) What kind of requests are they generated from? Are they error logs generated from debugging tab – there is a link to non-existing php file with hashed name? * I looked into other files and database and they seem clean. Is it possible that the plugin has cached a malicious request? Viewing 2 replies - 1 through 2 (of 2 total) * Plugin Author [Donncha O Caoimh (a11n)](https://wordpress.org/support/users/donncha/) * (@donncha) * [6 years, 3 months ago](https://wordpress.org/support/topic/malicious-code-in-plugin-generated-php-files/#post-12472806) * They’re generated by people trying to exploit the software on your site. If you look in that meta file you should find the URL of the request. There should be, as you discovered, a corresponding PHP file with a hashed name that holds the content of the page but maybe the plugin has deleted that file as part of it’s garbage collection (but it should have deleted the meta file too, do you have some sort of scanning software installed to find these files?) * Yep, it’s very likely that the plugin has cached a malicious request. * Thread Starter [al2357](https://wordpress.org/support/users/al2357/) * (@al2357) * [6 years, 3 months ago](https://wordpress.org/support/topic/malicious-code-in-plugin-generated-php-files/#post-12472988) * Thanks for the explanation. I use Wordfence for scanning. * So this is a .php meta-file(wp-content/cache/supercache/www.example.org/meta- wp-cache-www.example.org12ef834fsaf32r23f43gsdf95.php) that can’t execute any code – because of `` in the first lane and hashed filename, and it contains JSON-encoded information about the request. * The malicious code that was found in this file is just a request saved in JSON– so the website was not compromised(these files were not edited by 3-rd party) and the code can’t be used. - This reply was modified 6 years, 3 months ago by [al2357](https://wordpress.org/support/users/al2357/). Viewing 2 replies - 1 through 2 (of 2 total) The topic ‘Malicious(?) code in plugin-generated php files’ is closed to new replies. * ![](https://ps.w.org/wp-super-cache/assets/icon-256x256.png?rev=3506220) * [WP Super Cache](https://wordpress.org/plugins/wp-super-cache/) * [Frequently Asked Questions](https://wordpress.org/plugins/wp-super-cache/#faq) * [Support Threads](https://wordpress.org/support/plugin/wp-super-cache/) * [Active Topics](https://wordpress.org/support/plugin/wp-super-cache/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wp-super-cache/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wp-super-cache/reviews/) ## Tags * [php files](https://wordpress.org/support/topic-tag/php-files/) * 2 replies * 2 participants * Last reply from: [al2357](https://wordpress.org/support/users/al2357/) * Last activity: [6 years, 3 months ago](https://wordpress.org/support/topic/malicious-code-in-plugin-generated-php-files/#post-12472988) * Status: not resolved