Files being generated in multiple directories supposedly by WordPress (advanced_settings.php and common_config.php)

These files are part of a PHP malware infection. We are in the process of cleaning up an ongoing infection that has a very similar behavior.

While this PHP malware also infects non-WordPress sites, when it attacks a WordPress site we are noticing some very consistent patterns:

  • Two files (“advanced_settings.php” and “common_config.php”) which both contain obfuscated code are placed in the wp-admin/css/colors/blue folder
  • Additional obfuscated code is injected into the index.php file at the root of the WordPress installation
  • Frequently, but not always, the index.php file located in wp-content/plugins and/or wp-content/themes has code inserted into it
  • The wp-config.php file at the root of the WordPress installation typically has code injected into it
  • A series of additional .php files are inserted at random places inside theme folders and plugin folders

and finally, the following additional files have been pretty consistently inserted into every WordPress installation:

wp-includes/Requests/Auth/include.php
wp-includes/Requests/Exception/global.php
wp-includes/Requests/Exception/include.php
wp-includes/Requests/Exception/utf.php
wp-includes/Requests/Proxy/sql.php
wp-includes/Requests/Utility/defines.php
wp-includes/SimplePie/Net/javascript.php
wp-includes/js/imgareaselect/test11.php
wp-includes/js/tinymce/plugins/diff21.php
wp-includes/pomo/menu.php

These additional files are not part of the WordPress core, so simply uploading a fresh set of WordPress files that overwrite the ones installed on your web server will not get rid of them (although that will fix up some of the files that have code injected into them).

If you’re seeing the two files you mentioned appearing randomly, look for some of the signs mentioned here. In particular, look for injected code in your index.php and wp-config.php files, as those will be executed any time someone visits your site or you, as an admin user, log in to your site.

In some of the WordPress sites that have been infected by this malware, we also have discovered the appearance of an additional WordPress user account with Administrative privileges.

In addition to removing the injected code and deleting the additional files, we’re currently taking the step of removing the bogus user account (when it has been added), replacing the “Salts” in the wp-config.php files, invalidating all user account passwords, and changing the MySQL password for the database user.

There may be other steps we take, but that’s what we’re doing for now. I hope this is helpful!

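A second added example, also not from the reply: the salt-replacement step of the clean-up, in POSIX shell. It rewrites the eight define() lines for WordPress's AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT constants with fresh random values, which invalidates every existing login cookie. The constant names are WordPress's own; the sample wp-config.php the demo writes is constructed, and the 64-character alphanumeric salt format is this example's choice.

```shell
#!/bin/sh
# Added example, not code from the original post. Rotates the eight secret keys
# and salts in wp-config.php, one of the remediation steps the reply lists.
# The key names are WordPress's own; the sample config at the bottom is made up.

SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# 64 random alphanumeric characters: no quotes or backslashes, so the value
# can be dropped into a PHP single-quoted string without escaping.
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# Print the current value of one key from a wp-config.php (empty if absent).
# Accepts both define('KEY', '...') and define( "KEY", "..." ) spacing styles.
get_salt() {
  cfg=$1; key=$2
  awk -v k="$key" -v q="'" '
    $0 ~ "^define\\( *[" q "\"]" k "[" q "\"]" {
      line = $0
      sub("^define\\( *[" q "\"]" k "[" q "\"], *[" q "\"]", "", line)
      sub("[" q "\"] *\\);.*$", "", line)
      print line
      exit
    }' "$cfg"
}

# Rewrite every salt define() with a fresh value; all other lines are untouched.
rotate_salts() {
  cfg=$1
  tmp=$(mktemp)
  cp "$cfg" "$tmp"
  for key in $SALT_KEYS; do
    salt=$(new_salt)
    awk -v k="$key" -v s="$salt" -v q="'" '
      $0 ~ "^define\\( *[" q "\"]" k "[" q "\"]" { print "define(" q k q ", " q s q ");"; next }
      { print }' "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
  done
  cat "$tmp" > "$cfg"   # write in place so the file keeps its owner and mode
  rm -f "$tmp"
}

# Count how many of the eight keys are defined, so a caller can confirm
# the rewrite dropped none of them.
count_salt_defines() {
  cfg=$1
  n=0
  for key in $SALT_KEYS; do
    if [ -n "$(get_salt "$cfg" "$key")" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample wp-config.php in the layout WordPress ships (values made up).
write_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
}

cfg=$(mktemp)
write_sample_config "$cfg"
echo "before: AUTH_KEY=$(get_salt "$cfg" AUTH_KEY)"
rotate_salts "$cfg"
echo "after:  AUTH_KEY=$(get_salt "$cfg" AUTH_KEY)"
echo "salts defined: $(count_salt_defines "$cfg")"
rm -f "$cfg"
```

Rotating the salts only logs everyone out; it does not change stored passwords, so the reply's separate steps of resetting user passwords, removing the bogus Administrator account and changing the MySQL password still apply. Where WP-CLI is installed, `wp config shuffle-salts` performs the same rotation, and `wp user list --role=administrator` is a quick way to spot the extra Administrator account the reply mentions.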