I have a few sites in a cPanel. A couple of them are WordPress. I changed to a new hosting provider and since then two files started being generated in multiple directories, even ones not from WordPress. The files are advanced_settings.php and common_config.php.
The system reports these files as malware, however, I opened them and they were empty. The hosting provider says this is the fault of WordPress, most likely due to some outdated plugin.
None of this ever happened in the hosts I used before for these sites. Actually, I never had this situation in any WordPress site before. I searched on Google and here, but I didn’t find a single thing about this. I’m sharing this here hoping that someone has already had or read about this and can share some help.
These files are part of a PHP malware infection. We are in the process of cleaning up an ongoing infection that has a very similar behavior.
While this PHP malware infects non-WordPress sites as well, when it attacks a WordPress site, we are noticing some very consistent patterns:
- Two files (“advanced_settings.php” and “common_config.php”) which both contain obfuscated code are placed in the wp-admin/css/colors/blue folder
- Additional obfuscated code is injected into the index.php file at the root of the WordPress installation
- Frequently, but not always, the index.php file located in wp-content/plugins and/or wp-content/themes has code inserted into it
- The wp-config.php file at the root of the WordPress installation typically has code injected into it
- A series of additional .php files are inserted at random places inside theme folders and plugin folders
And finally, the following additional files have been pretty consistently inserted into every WordPress installation:
wp-includes/Requests/Auth/include.php
wp-includes/Requests/Exception/global.php
wp-includes/Requests/Exception/include.php
wp-includes/Requests/Exception/utf.php
wp-includes/Requests/Proxy/sql.php
wp-includes/Requests/Utility/defines.php
wp-includes/SimplePie/Net/javascript.php
wp-includes/js/imgareaselect/test11.php
wp-includes/js/tinymce/plugins/diff21.php
wp-includes/pomo/menu.php
These additional files are not part of the WordPress core, so simply uploading a fresh set of WordPress files that overwrite the ones installed on your web server will not get rid of them (although that will fix up some of the files that have code injected into them).
If you’re seeing the 2 files you mentioned appearing randomly, look for some of the signs mentioned here. In particular, look for injected code in your index.php and wp-config.php files, as those will be executed any time someone visits your site or you as an admin user log in to your site.
In some of the WordPress sites that have been infected by this malware, we also have discovered the appearance of an additional WordPress user account with Administrative privileges.
In addition to removing the injected code and deleting the additional files, we’re currently taking the step of removing the bogus user account (when it has been added), replacing the “Salts” in the wp-config.php files, invalidating all user account passwords, and changing the MySQL password for the database user.
There may be other steps we take, but that’s what we’re doing for now. I hope this is helpful!
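The answer above lists file paths that get dropped into an install and core files that get code injected into them. The following script is an added example, not code from the thread or from WordPress, that turns those indicators into a repeatable check you can run against a site's document root before and after cleanup. The dropped-file paths come from the answer; the grep keywords (eval, base64_decode, gzinflate, str_rot13) are assumed as typical obfuscation markers and are not something the thread states, so treat a hit as a prompt to open the file, not as proof on its own. The sample install it builds is constructed data for demonstration only.

```shell
#!/bin/sh
# Added example (not from the thread): scan a WordPress root for the
# indicators listed in the answer above. Paths are from the answer; the
# obfuscation keywords are an assumption, not a claim made by the thread.

# Files the answer reports being dropped into infected installs (not WP core).
WP_DROPPED_FILES="
wp-admin/css/colors/blue/advanced_settings.php
wp-admin/css/colors/blue/common_config.php
wp-includes/Requests/Auth/include.php
wp-includes/Requests/Exception/global.php
wp-includes/Requests/Exception/include.php
wp-includes/Requests/Exception/utf.php
wp-includes/Requests/Proxy/sql.php
wp-includes/Requests/Utility/defines.php
wp-includes/SimplePie/Net/javascript.php
wp-includes/js/imgareaselect/test11.php
wp-includes/js/tinymce/plugins/diff21.php
wp-includes/pomo/menu.php
"

# Core files the answer says have code injected into them.
WP_INJECT_TARGETS="
index.php
wp-config.php
wp-content/plugins/index.php
wp-content/themes/index.php
"

# Print every dropped file that exists under $1. Returns 0 if none is found.
wp_find_dropped() {
    root=$1; found=0
    for f in $WP_DROPPED_FILES; do
        if [ -f "$root/$f" ]; then
            echo "DROPPED $f"; found=1
        fi
    done
    return $found
}

# Print injection targets under $1 containing obfuscation markers (assumed
# keyword list). Returns 0 if none is found.
wp_find_injected() {
    root=$1; found=0
    for f in $WP_INJECT_TARGETS; do
        [ -f "$root/$f" ] || continue
        if grep -qE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' "$root/$f"; then
            echo "INJECTED $f"; found=1
        fi
    done
    return $found
}

# Run both checks; exit status 1 when any indicator is present, 0 when clean.
wp_scan() {
    rc=0
    wp_find_dropped "$1" || rc=1
    wp_find_injected "$1" || rc=1
    return $rc
}

# Build a constructed sample install under $1 (demo data, not a real site):
# one empty dropped file (as the asker observed), one obfuscated dropped file,
# an injected root index.php, and two clean core files.
wp_make_sample() {
    root=$1
    mkdir -p "$root/wp-admin/css/colors/blue" "$root/wp-includes/pomo" "$root/wp-content/plugins"
    : > "$root/wp-admin/css/colors/blue/advanced_settings.php"
    printf '%s\n' '<?php eval(base64_decode("aGVsbG8=")); /* constructed */' > "$root/wp-includes/pomo/menu.php"
    printf '%s\n' '<?php eval(gzinflate(base64_decode("x"))); /* constructed */' > "$root/index.php"
    printf '%s\n' '<?php define("DB_NAME", "example");' > "$root/wp-config.php"
    printf '%s\n' '<?php // Silence is golden.' > "$root/wp-content/plugins/index.php"
}

# Usage: sh wp-scan.sh /home/user/public_html   (prints findings, exit 1 if any)
if [ -n "$1" ]; then
    wp_scan "$1"
fi
```

Run it against each document root in the cPanel account, including the non-WordPress ones, and re-run after restoring core files and removing the extra files: a clean run exits 0 and prints nothing. Because the dropped files are not part of core, overwriting with a fresh WordPress download will not remove them, which is exactly why the scan checks for their presence rather than comparing against core.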