Today, I received a warning from Alibaba Cloud Security Center. A file scan reveals that wp-admin/network/theme-browse.php is likely a backdoor on one of the sites that I hosted. This article intends to record the findings and actions.
Immediately, I jump into confirming WordPress core’s integrity and confirm that these files should not exist:
$ wp core verify-checksums
Warning: File should not exist: wp-admin/network/test-file.php
Warning: File should not exist: wp-admin/network/manage-span.php
Warning: File should not exist: wp-admin/network/save-plugin.php
Warning: File should not exist: wp-admin/network/theme-browse.php
Success: WordPress installation verifies against checksums.
I can confirm that theme-browse.php is 100% malicious and points to a currently unavailable domain:
$switch="http://ink***ure.com/wp-includes/SimplePie/theme-captures.php?pl=2";
Action taken to reinstall all core files within wp-admin:
wp core download --force
Postmortem:
stat -c 'Path=%n
Modify=%y
Change=%z
Birth=%w
Owner=%U:%G
Perm=%a' theme-browse.php
Path=theme-browse.php
Modify=2016-03-29 14:45:30.000000000 +0900
Change=2026-01-30 12:21:27.858473359 +0900
Birth=2023-11-05 01:30:41.978928785 +0900
This shows that the file was inserted back in 2023, while the attacker backdated it to look like an old 2016 file. Further checks of my legacy backup files show that these files did exist as far back as at least 2020. Therefore, the 2016 timestamp may be correct, and the hosted site was likely exploited long before it was moved to my managed environment.