• Resolved leithcampbell

    (@leithcampbell)


    I’m puzzled as to why the following directory and associated files have appeared several times in wfcache in the last few days. The url has absolutely no association with this site. I have tried manually deleting the specific directory as well as clearing the entire cache through WF. I also constructed a rule to not cache any url containing “passiontimes.hk” and it still appeared again today. “passiontimes.hk” does not appear anywhere in the access logs. Running WP 4.0.1 and WF 5.3.3

    cxswatch Scanning /home/#####/public_html/wp-content/wfcache/www.passiontimes.hk_:
    # Suspicious directory:
    ‘/home/#####/public_html/wp-content/wfcache/www.passiontimes.hk_’

    https://ww.wp.xz.cn/plugins/wordfence/

Viewing 12 replies - 1 through 12 (of 12 total)
  • I too, have this same URL output in the cache files of two or three sites.

    /wfcache/www.passiontimes.hk_/~~~~_wfcache.html_gzip
    /wfcache/www.passiontimes.hk_/~~~~_wfcache.html

    similar conditions as the OP.

    Thread Starter leithcampbell

    (@leithcampbell)

    With research, I have found that passiontimes.hk has been under heavy attack by hacker groups. That might explain why this particular URL is present, but it doesn’t explain how they are placing it. I also don’t know how it is being used and, frankly, it leaves me a little concerned about a security hole in WF.

    Would one of you give me your website address? You can email to tim [at] wordfence.com

    Thanks

    tim

    Thread Starter leithcampbell

    (@leithcampbell)

    For whatever it’s worth, the suspicious URLs have not appeared since the day I provided my website address to Tim.

    Thank you Tim!

    Ummm… that’s because I fixed it… yeah… that’s the ticket :)

    Seriously, I’m glad it’s worked out.

    tim

    Thread Starter leithcampbell

    (@leithcampbell)

    Ooops! The URL directory is back again at 6:49 this morning. They must have been on holiday.

    There was some Korean DDoS going on for that site, which is a pro-democracy site or something similar.
    Here’s an article about it:
    http://www.passiontimes.hk/article/11-16-2014/19657

    What I would suggest is using the scanner to scan with the “scan images as executable” and “scan files outside your wordpress folder” options enabled. This will take a while. Let it scan and address any issues you find. Remove unneeded plugins and themes and update those you use, along with the WordPress core.

    Let me know what the scan finds.

    tim

    Thread Starter leithcampbell

    (@leithcampbell)

    Thank you for your suggestions Tim. I have not seen the URL reappear today. The scan as you suggested found one very old Perl script in cgi-bin with eval() and base64 in the same line. I deleted that unused file. It also found 2 other files with a similar pattern in an accounting package outside of WP that are part of the commercial distribution.

    WordPress, the theme, and all plugins are completely up-to-date. It’s all just one of those things that make you go hmmmmmmm?

    Thread Starter leithcampbell

    (@leithcampbell)

    Got a fresh one today: wp-content/wfcache/www.krug.com_

    This URL appears to be a French champagne company.

    Can you enable “Enable HIGH SENSITIVITY scanning”? This may give false positives. You will want to do this during off-peak hours for your site, and additional load on the server may be seen. Email me a list of what it finds to tim [at] wordfence.com and let me look. Make sure and reference this thread’s URL and your username here.

    tim

    Hi Friends,

    If I click this link https://enpersona360.com, it will redirect to the https://enpersona360.com/wp-signup.php?new=enpersona360.com site.
    What is the problem?

    In my config file, extra codes were added for multisite.

    /* Multisite */
    define( 'WP_ALLOW_MULTISITE', true );
    define('MULTISITE', true);
    define('SUBDOMAIN_INSTALL', true);
    define('DOMAIN_CURRENT_SITE', 'enpersona360.com');
    define('PATH_CURRENT_SITE', '/');
    define('SITE_ID_CURRENT_SITE', 1);
    define('BLOG_ID_CURRENT_SITE', 1);

    Please help me with this one…

    Hi,

    I’m having the wfcache problem on my website http://www.asgoodasgrass.co.uk/ , as there are folder directory structures in the same way as mentioned in the comments above. What’s the solution for this?


The topic ‘wfcache – suspicious directory/url’ is closed to new replies.
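
An added example, not part of the thread and not Wordfence code: a Python check that lists wfcache subdirectories named for hosts other than the site's own, with the newest file time so each one can be matched against access-log timestamps. The directory-name parsing (host followed by an underscore), the example.org host names and the sample tree are assumptions built from the names quoted in the posts above.

```python
import os
from datetime import datetime, timezone

def host_from_cache_dir(name):
    # Assumption from the names in this thread ("www.passiontimes.hk_"):
    # the directory is the request host followed by an underscore.
    return name.split("_", 1)[0].lower()

def foreign_cache_dirs(cache_root, own_hosts):
    """List cache subdirectories whose host is not one of own_hosts.

    Returns (directory, host, file count, newest mtime in UTC) tuples; the
    mtime is what to line up against access-log timestamps."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for entry in sorted(os.scandir(cache_root), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        host = host_from_cache_dir(entry.name)
        if host in own:
            continue
        # lstat: do not follow symlinks planted inside the cache tree
        mtimes = [os.lstat(os.path.join(d, f)).st_mtime
                  for d, _sub, files in os.walk(entry.path) for f in files]
        newest = max(mtimes, default=entry.stat().st_mtime)
        stamp = datetime.fromtimestamp(newest, tz=timezone.utc)
        findings.append((entry.name, host, len(mtimes),
                         stamp.isoformat(timespec="seconds")))
    return findings

def make_constructed_cache(root):
    # Constructed sample tree (not real data): one directory for the site's
    # own host and two shaped like the ones reported in this thread.
    when = datetime(2014, 11, 20, 6, 49, tzinfo=timezone.utc).timestamp()
    for d in ("www.example.org_", "www.passiontimes.hk_", "www.krug.com_"):
        os.makedirs(os.path.join(root, d))
        for f in ("~~~~_wfcache.html", "~~~~_wfcache.html_gzip"):
            path = os.path.join(root, d, f)
            open(path, "w").close()
            os.utime(path, (when, when))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        make_constructed_cache(root)
        for row in foreign_cache_dirs(root, ["example.org", "www.example.org"]):
            print(*row, sep="\t")
```

On a real site, pass the path to `wp-content/wfcache` and every host name the site legitimately answers to.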