BulletProof Security Pro forum: autorestore/root-files/wp_auto_login… malicious or unsafe?
- This topic has 3 replies, 2 voices, and was last updated 1 year ago by
AITpro Admin.
Norman
Participant
Wordfence is throwing a critical finding:
File appears to be malicious or unsafe: wp-content/bps-backup/autorestore/root-files/wp_auto_login_50145f016ee973020effe39b55e1018b.php
Is this a legitimate BPS file?
Thanks!
AITpro Admin
Keymaster
That is not a BPS file. That file was backed up from your WordPress root folder to the AutoRestore backup folder. Check to see if the same file exists in your WordPress root folder. If it exists then email it to me so I can take a look at it > info@ait-pro.com. If you do not find that file in your WordPress root folder then do these steps to delete your old AutoRestore backup files and back up your new WordPress files.
Go to the AutoRestore page.
Turn AutoRestore Off.
Click the 4 Delete Backup Files buttons under Root Files, wp-admin Files, wp-includes Files and wp-content Files.
Click the 4 Backup Files buttons under Root Files, wp-admin Files, wp-includes Files and wp-content Files.
Turn AutoRestore On.
Norman
Participant
Thank you very much. It was not in the root folder and I followed your instructions.
For the benefit of others, I will paste in the code from that odd file. And check this thread on reddit:
https://www.reddit.com/r/Wordpress/comments/p1zd5y/is_this_a_problem_have_i_been_hacked/
Code:
<?php
//
// Automatically login a single WordPress user upon arrival to main page.
//
function auto_login() {
    if (!is_user_logged_in()) {
        // Admin user_id
        $admins = get_users(array('role'=>'administrator'));
        $user_id = $admins[0]->ID;
        $user = get_user_by( 'ID', $user_id );
        if ( !$user ) {
            error_log("wp_auto_login: user_id==1 not found redirecting to admin_url");
            $redirect_page = admin_url();
            wp_redirect( $redirect_page );
            exit();
        }
        $loginusername = $user->user_login;
        wp_set_current_user($user_id, $loginusername);
        wp_set_auth_cookie($user_id);
        // Go to admin area
        $redirect_page = admin_url();
        error_log("wp_auto_login: trying to login user_id==1 loginusername=$loginusername to admin_url=$redirect_page");
        wp_redirect( $redirect_page );
        exit();
    }
}

// Initialize wordpress
define( 'WP_USE_THEMES', true );
$time_since_script_creation = time() - stat(__FILE__)['mtime'];
// Delete itself to make sure it is executed only once
unlink(__FILE__);
if ( ! isset( $wp_did_header ) ) {
    $wp_did_header = true;
    // Load the WordPress library.
    require_once( dirname( __FILE__ ) . '/wp-load.php' );
    // If the user is already logged in just redirect it to admin area
    if ( is_user_logged_in() ) {
        $redirect_page = admin_url();
        wp_redirect( $redirect_page );
        exit();
    }
    // Avalon auto-login
    // If script is older than 30 minutes, doesn't log in as admin
    if ($time_since_script_creation < 30 + 60) {
        auto_login();
    }
    // Set up the WordPress query
    wp();
    // Load the theme template
    require_once( ABSPATH . WPINC . '/template-loader.php' );
}
AITpro Admin
Keymaster
Thanks for posting the code. Yep, the code is not malicious/hacker code. I found another reddit post that also said that some web hosts automatically create this file for whatever reason. So this file/code was a false positive detection by Wordfence.
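The check suggested earlier in the thread (does the flagged backup copy still exist in the WordPress root?) can be scripted. The following is an added example, not part of the original thread and not BulletProof Security code. The backup path and filename shape come from the Wordfence finding quoted above; the function names, marker list and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Path taken from the Wordfence finding quoted in the thread.
BACKUP_SUBDIR = Path("wp-content/bps-backup/autorestore/root-files")
# Filename shape seen in the thread: wp_auto_login_<32 hex chars>.php
AUTOLOGIN_NAME = re.compile(r"^wp_auto_login_[0-9a-f]{32}\.php$")
# Calls in the posted file that grant a session or delete the script itself.
MARKERS = ("wp_set_auth_cookie", "wp_set_current_user", "unlink(__FILE__)")

def triage_backup(wp_root):
    """Return one record per PHP file in the AutoRestore root-files backup
    that matches the auto-login name or contains one of the MARKERS."""
    wp_root = Path(wp_root)
    findings = []
    for backup in sorted((wp_root / BACKUP_SUBDIR).glob("*.php")):
        text = backup.read_text(errors="replace")
        hits = [m for m in MARKERS if m in text]
        named = bool(AUTOLOGIN_NAME.match(backup.name))
        if not (hits or named):
            continue
        findings.append({
            "file": backup.name,
            "name_matches": named,
            "markers": hits,
            # The check from the thread: is the same file still in the root?
            "live_in_root": (wp_root / backup.name).is_file(),
        })
    return findings

def build_sample_site(base):
    """Constructed sample tree (not real site data) for a dry run."""
    root = Path(base)
    backup = root / BACKUP_SUBDIR
    backup.mkdir(parents=True)
    name = "wp_auto_login_" + "0" * 32 + ".php"  # constructed placeholder hash
    (backup / name).write_text("<?php wp_set_auth_cookie($user_id); unlink(__FILE__);")
    (backup / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';")
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in triage_backup(build_sample_site(tmp)):
            state = "still in WordPress root" if f["live_in_root"] else "backup copy only"
            print(f"{f['file']}: {state}; markers={f['markers']}")
```

A record with `live_in_root` false corresponds to the case in this thread, where only the stale AutoRestore copy remained and the backup was deleted and rebuilt.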