wp-config-db.cnf.php file?
-
Hi all,
Noticed a file in the root of my wordpress install yesterday.
It was called wp-config-db.cnf.php and inside it had my database login details (commented out) and something saying [mysqldump]
Any ideas where this came from?
Thanks
-
Also, just to add a bit more detail, the text inside the file looked like this:

    #!/usr/bin/env php
    #<?php /*
    [mysqldump]
    user={username}
    password={password}
    #*/?>

Seems strange, remove this file as this is not a core file and a mysql dump file won’t have a username and password.
Follow the following article to make wordpress more secure and scan your website with sitecheck.sucuri.com
Thanks – have run the site through sucuri sitechecker already and it hasn’t found anything suspicious.
Also, removed the file as soon as I saw it as I was worried.
I am very keen to work out the root cause of the file though, as I am worried the site in question might have been compromised.
Thanks
I’ll suggest scanning all files with a virus/malware scanner.
Change your wp-admin password/FTP passwords and keep file permissions as recommended: https://codex.ww.wp.xz.cn/Changing_File_Permissions
Also update all plugins/themes you have on your website.
If you find a file in your root that doesn’t belong there, your site has been hacked. Do you or your hosting company have a full backup of your site? The fastest and most sure way to repair your site is to restore from a backup made before the hack.
Without a backup your only solution is to repair the site. Follow this guide.
When you’re done, you may want to implement some (if not all) of the recommended security measures.
Hi,
Do you have a recommended virus/malware scanner? I found someone else who had this problem and they were running sucuri security and that did not flag anything.
FTP and SSH are only accessible from my IP. All passwords changed.
Plugins and themes are all up to date, as is WP itself.
Thanks
@ wslade
I have many backups – I use vaultpress and I also take manual backups every couple of weeks.
The problem is this: I don’t know if a hack has even taken place, and even if I did, I do not know when it took place…so not sure what backup to restore.
Sucuri does scan files that are publicly accessible and not all files on the server; for that you have to scan them via a malware scanner.
I can recommend http://virusscan.jotti.org/en & I have used it a lot of times. Don’t upload sensitive files like wp-config.php there though.
> FTP and SSH are only accessible from my IP. All passwords changed.
This is a good thing, but someone was still able to upload a file. I hope you have an anti-virus or something similar on your system too.
You should download your database and get it scanned too; also check if any of your plugins has a known issue.
> The problem is this: I don’t know if a hack has even taken place, and even if I did, I do not know when it took place…so not sure what backup to restore.
Did you notice the modification date next to the suspicious file? That would have been a clue and you could have scanned all files on the server which were modified in that week and after that.
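The two checks suggested in the replies above (a PHP file in the root that is not a core file, and files modified around the same date as the suspicious one), as an added shell example that is not part of any post. It assumes GNU date and stat; the function names, path and date are hypothetical.

```shell
#!/bin/sh
# Added triage example, not from the thread. Assumes GNU date and stat (Linux hosting).

# PHP files a stock WordPress root contains (wp-config.php is created at install).
CORE_ROOT_PHP="index.php wp-activate.php wp-blog-header.php wp-comments-post.php
wp-config.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php
wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

# Print the PHP files directly in <root> that are not on the core list.
unexpected_root_php() {
    root=$1
    known=" $(echo $CORE_ROOT_PHP) "      # flatten the list to one space-separated line
    for f in "$root"/*.php; do
        [ -f "$f" ] || continue
        name=${f##*/}
        case "$known" in
            *" $name "*) ;;                # core file, ignore
            *) echo "$name" ;;
        esac
    done
}

# Print files under <root> modified within <days> days of <date> (YYYY-MM-DD).
changed_near() {
    root=$1
    centre=$(date -d "$2" +%s) || return 1
    lo=$((centre - $3 * 86400))
    hi=$((centre + ($3 + 1) * 86400))     # include the whole last day
    find "$root" -type f | sort | while IFS= read -r f; do
        ts=$(stat -c %Y "$f")
        if [ "$ts" -ge "$lo" ] && [ "$ts" -lt "$hi" ]; then
            echo "$f"
        fi
    done
}

# Usage: sh triage.sh /var/www/site 2024-03-10 3   (hypothetical path and date)
if [ "$#" -eq 3 ]; then
    echo "Unexpected PHP files in root:"; unexpected_root_php "$1"
    echo "Files changed within $3 day(s) of $2:"; changed_near "$1" "$2" "$3"
fi
```

A hit from either function is a lead to check against your plugins and their support channels, since plugins also write files into the root.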
Crisis over, it seems it was from VaultPress plugin:
> Could your plugin have made a file in the root of my wordpress install
> called wp-config-db.cnf.php ?
> Yes — we use this file to pass MySQL credentials to your MySQL process during restores. If you’re concerned about it, you can delete it, and we’ll regenerate one when we attempt a restore.
> Best,
> Chris
> Automattic | WordPress.com | VaultPress