Hi,
my site was victim of a mailpoet related attack in 2014 (July I think). After a clean-up and the installation of the ithemes security plugin (and a few other security actions) there was no trouble since then.
Until this morning, at least. I got the following message from the wordfence plugin:
——snip——–
File appears to be malicious: wp-content/uploads/wysija/themes/mailp/index.php
Filename: wp-content/uploads/wysija/themes/mailp/index.php
File Type: Not a core, theme or plugin file.
Issue First Detected: 3 hours 7 mins ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “<?php $cookey = “some cryptic string”; preg_replace(some hex char)”. The infection type is: Backdoor:PHP/cookey.
——snap——–
Now my questions:
1. Is this attack known? I googled a lot but could not find any hints.
2. The file has a date in 2014, about the time of the above mentioned attack to my site. As I did not do a fresh reinstall back in 2014, it could well be that Wordfence found remains of the old attack.
3. Can I savely delete the file without causing harm to my install?
Thanks for your help.
Joachim