Title: dotquery's Replies | WordPress.org

---

# dotquery

## Forum Replies Created

 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Unknown file in WordPress core: wp-includes/.query.php](https://wordpress.org/support/topic/unknown-file-in-wordpress-core-wp-includes-query-php/)
 *  [dotquery](https://wordpress.org/support/users/dotquery/)
 * (@dotquery)
 * [4 years, 2 months ago](https://wordpress.org/support/topic/unknown-file-in-wordpress-core-wp-includes-query-php/#post-15540123)
 * Ours got hit before we set a password on the installer. Logs provided above. 
   Compare to your logs if they’re still around.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
    In reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Unknown file in WordPress core: wp-includes/.query.php](https://wordpress.org/support/topic/unknown-file-in-wordpress-core-wp-includes-query-php/)
 *  [dotquery](https://wordpress.org/support/users/dotquery/)
 * (@dotquery)
 * [4 years, 2 months ago](https://wordpress.org/support/topic/unknown-file-in-wordpress-core-wp-includes-query-php/#post-15530081)
 * I had this happen to a site I host as well.
 * Within 10 minutes of setting up the new site, adding the DNS, and requesting 
   a Let’s Encrypt Certificate, I had a foreign actor installing what appears to
   be a fake WP plugin that then transitioned to this .query.php script and was eventually
   used to DDOS another hosting provider.
 * Excerpt from the logs:
 *     ```
       185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "GET /wp-admin/install.php HTTP/1.1" 200 13230
       185.59.x.x - - [11/Mar/2022:17:05:38 -0500] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5001
       185.59.x.x - - [11/Mar/2022:17:05:40 -0500] "POST /wp-login.php HTTP/1.1" 302 -
       185.59.x.x - - [11/Mar/2022:17:05:41 -0500] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 26161
       185.59.x.x - - [11/Mar/2022:17:05:51 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17775
       185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "GET /wp-content/plugins/contact-form-maker/contact-form-maker.php?a=0&b=5768720944787703971 HTTP/1.1" 200 -
       185.59.x.x - - [11/Mar/2022:17:05:52 -0500] "POST /wp-includes/.query.php HTTP/1.1" 200 9
       ```
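
One way to check your own access logs for the sequence shown in the excerpt above (installer run, plugin upload, then a request to a dot-prefixed PHP file under `wp-includes`), as an added example that is not part of the original post. The function names, the 30-minute window and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Combined-log-format fields used here: client, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Ordered stages taken from the excerpt: installer run, plugin upload, dotfile PHP hit.
STAGES = [
    ("POST", re.compile(r"^/wp-admin/install\.php\?(?:.*&)?step=2\b")),
    ("POST", re.compile(r"^/wp-admin/update\.php\?(?:.*&)?action=upload-plugin\b")),
    (None, re.compile(r"^/wp-includes/(?:[^?]*/)?\.[^/?]+\.php")),
]
WINDOW = timedelta(minutes=30)  # assumption: the whole chain completes within this span

def parse(line):
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_installer_takeovers(lines):
    """Return (client, first_seen, last_seen) for clients that complete all stages in order."""
    progress, alerts = {}, []  # progress: client -> (next stage index, time of stage 0)
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        idx, started = progress.get(ip, (0, ts))
        if idx and ts - started > WINDOW:
            idx, started = 0, ts  # chain went stale, start over from the installer stage
        want, pattern = STAGES[idx]
        if status >= 400 or want not in (None, method) or not pattern.search(path):
            continue
        if idx + 1 == len(STAGES):
            alerts.append((ip, started, ts))
            progress.pop(ip, None)
        else:
            progress[ip] = (idx + 1, started)
    return alerts

# Constructed sample lines (documentation addresses), not taken from any real log.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 -0500] "GET /wp-admin/install.php HTTP/1.1" 200 13230',
    '203.0.113.7 - - [01/Jan/2024:10:00:01 -0500] "POST /wp-admin/install.php?step=2 HTTP/1.1" 200 5001',
    '198.51.100.20 - - [01/Jan/2024:10:00:02 -0500] "GET / HTTP/1.1" 200 4312',
    '203.0.113.7 - - [01/Jan/2024:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 302 -',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17775',
    '192.0.2.44 - - [01/Jan/2024:10:00:13 -0500] "GET /wp-includes/.query.php HTTP/1.1" 404 196',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 -0500] "POST /wp-includes/.query.php HTTP/1.1" 200 9',
    '198.51.100.20 - - [01/Jan/2024:10:05:00 -0500] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 17001',
]
```

Call `find_installer_takeovers(open(path))` on a real access log; a lone 404 probe for the dotfile or a plugin upload with no preceding installer run is not reported.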
   
