
Rogue file in WordPress?


chrisbourn


I have a file which appears not to belong in a WordPress installation and shows as a critical error in a Wordfence scan.

When I remove it, it breaks the site.

The file is located in:

wp-includes/js/tinymce/skins/lightgray/pas1.php

The file text is below.

Could anyone offer any insight? (Apologies, I do not know PHP, but it looks as if most of this 'code' maybe does not belong?)

Thank you

[redacted]

Edited by requinix
removed code

Apparently some bad people have finally realized how to make obfuscated scripts in a way that can't be decoded by just anyone.

It's more than 99.9% likely that's malicious.

Assume that your website and any databases have been compromised. Take down your website, restore everything from backups, update WordPress and all your plugins, then bring the site back up. Also notify your web hosting company that your site was compromised so they can make sure their own systems weren't affected.

Edited by requinix
*can't be decoded

The other thing this tells you is that the permissions on your WordPress install are overly permissive. This is an unfortunate issue with WordPress in general, in that it is certainly easier to allow it to have write permissions to be able to update WordPress through the admin console, but really those directories should be readable but not writable. Any small mistake in any of the components of WordPress, and you get these types of exploits. Once a cracker can get an exploit script written to the tree and included, it typically has the same permissions as the effective webserver user, and as requinix stated, at that point they probably also have the ability to get into your database. That's another mistake that people make with database users. Your WordPress should only have a user created in order to run WordPress, that only has permissions for the WordPress database, but all too often people do stupid things like using the MySQL root user or a user that is shared across applications and multiple databases.


Thank you for the update.

I have cleaned up the website, but this one file seems to make the site stop working when I edit / remove what appears to be the offending code. (Although it does appear to belong in the directory.)

I will have another look at this in more detail and try to figure it out


Thanks again


You need to get the original files from source and replace that file if it pre-existed, not just edit it. The name seems odd to me. If it did pre-exist then you need to replace it, but otherwise it should be deleted. This is a big reason why you need an off-server backup of the filesystem and database (I use Dropbox), especially for a package like WordPress. Any popular application like WordPress is a target for crackers, as there are so many potential sites out there they can exploit using worms.

As requinix already advised, there could be a lot of issues with your server at this point that go beyond WordPress. They want to use WordPress to get enough access to install a rootkit where ultimately they have complete root access to your server. Often this is done to make your server a node on their botnet they can control to do things like send spam, launch DDoS attacks, store files on darkweb servers, and all sorts of other things, many of which are criminal in nature.

You really have to be concerned as to how badly your server has been modified. A rootkit replaces many of the essential operating system files -- things like the login program, ps, ls, ssh_d etc. Are you competent enough as a sysadmin to be able to determine the overall state of your server?

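The "get the original files from source and compare" step above, as an added example that is not from the thread or from WordPress itself: a shell script that checks a WordPress document root against a pristine unpacked copy of the same release, listing files that exist in the install but not in the reference (which is how a file like pas1.php would surface) and core files whose contents differ. The directory layout and the fixture it builds are constructed for the demonstration; `wp-content/` and `wp-config.php` are skipped because they are legitimately site-specific.

```bash
#!/bin/bash
# Audit a WordPress install against a pristine copy of the same release.
# Usage: audit_wp <reference_dir> <site_dir>
export LC_ALL=C   # consistent sort/comm collation

# Relative paths of regular files under $1, minus site-specific content.
list_core_files() {
    (cd "$1" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' \
        | sed 's|^\./||' | sort)
}

# Paths present in the install ($2) but absent from the reference ($1).
unknown_files() {
    ref_list=$(mktemp); site_list=$(mktemp)
    list_core_files "$1" > "$ref_list"
    list_core_files "$2" > "$site_list"
    comm -13 "$ref_list" "$site_list"
    rm -f "$ref_list" "$site_list"
}

# Reference paths whose bytes differ in the install (modified core files).
modified_files() {
    ref=$1; site=$2
    list_core_files "$ref" | while IFS= read -r f; do
        if [ -f "$site/$f" ] && ! cmp -s "$ref/$f" "$site/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

audit_wp() {
    echo "== files not in the reference release =="; unknown_files "$1" "$2"
    echo "== core files that differ from the reference =="; modified_files "$1" "$2"
}

# Constructed fixture (hypothetical paths/contents) so the script runs stand-alone.
make_fixture() {
    base=$(mktemp -d)
    skin=wp-includes/js/tinymce/skins/lightgray
    mkdir -p "$base/ref/$skin" "$base/site/$skin" "$base/site/wp-content/uploads"
    echo 'body{}' > "$base/ref/$skin/skin.min.css"
    cp "$base/ref/$skin/skin.min.css" "$base/site/$skin/skin.min.css"   # untouched
    echo 'original' > "$base/ref/index.php"
    echo 'tampered' > "$base/site/index.php"                            # modified core
    echo 'placeholder' > "$base/site/$skin/pas1.php"                    # not in release
    echo 'image' > "$base/site/wp-content/uploads/photo.jpg"            # ignored
    printf '%s' "$base"
}
```

Run `audit_wp "$(make_fixture)/ref" "$(make_fixture)/site"` to see the report; against a real site, point the first argument at an unpacked official archive of the exact version shown in `wp-includes/version.php`.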
