• christiancannata

    (@christiancannata)


    Hi guys, every night some files in my WordPress folders are modified with 4 lines of code at the top of the files, and the original file is copied as a backup (example: admin-ajax.php.backup).

    The code is here:

    <?php
    // Cookie and token names/values used by the gate
    $bfpsecprsc_cookiename = "btpsecprwp";
    $bfpsecprsc_cookievalue = "sl322c8wk";
    $bfpsecprsc_tokenname = "token";
    $bfpsecprsc_tokenvalue = "sldkiejadks";
    if (!isset($_COOKIE[$bfpsecprsc_cookiename])) {
        // Token present in the query string: set the cookie (432000 s = 5 days)
        // and redirect to the same URL with the token removed
        if ($_GET[$bfpsecprsc_tokenname] == $bfpsecprsc_tokenvalue) {
            setcookie($bfpsecprsc_cookiename, $bfpsecprsc_cookievalue, time() + 432000);
            header("Location: https://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'] . "?" . str_replace($bfpsecprsc_tokenname . "=" . $bfpsecprsc_tokenvalue . "&", "", $_SERVER['QUERY_STRING']));
            return;
        }
        // No cookie and no token: send a 404 status with a page that
        // meta-refreshes to the same URL with the token added
        header("HTTP/1.0 404 Not Found");
        $bfpsecprsc_redirecturl = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'] . "?" . $bfpsecprsc_tokenname . "=" . $bfpsecprsc_tokenvalue . "&" . $_SERVER['QUERY_STRING'];
        $bfpsecprsc_redirecthtml = "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html>\n<head>\n<title>…</title>\n<meta http-equiv=\"refresh\" content=\"2;url=" . $bfpsecprsc_redirecturl . "\"></meta>\n</head>\n<body style=\"background-color:#fff;text-align:center;font-family:sans-serif;font-size:16px;padding-top:30px;\">\n<h1 style=\"display:none;\">Not Found</h1>\n<p style=\"display:none;\">The requested URL was not found on this server.</p><p style=\"font-size:20px;margin-bottom:15px;\">Caricamento in corso…</p><p>Se la pagina non viene caricata entro pochi secondi, assicurati di avere i cookies abilitati, quindi prova a ricaricare la pagina.</p>\n</body>\n</html>";
        echo ($bfpsecprsc_redirecthtml);
        return;
    }
    ?>

    I have the Sucuri plugin, a backdoor scanner and antimalware, and I set the permissions to read-only with no write, but every night at 2:00 the files are modified. Can someone help me?

  • Rajan Vijayan

    (@rajanit2000)

    Hi @christiancannata,

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    I have the Sucuri plugin, a backdoor scanner and antimalware, and I set the permissions to read-only with no write

    Doesn’t matter, you are already hacked. Security plugins do not fix hacked websites.

    Thread Starter christiancannata

    (@christiancannata)

    Well, I’ve restored all hacked files, protected my wp-admin folder via .htaccess, changed my admin password and disabled wp-cron.php (every night at 2:00 my website is hacked!)

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Something must be wrong in the chain of security measures and my bet is on the “restore all hacked files” bit. That sounds like it didn’t take you long to do. If it’s easy to resolve then you’re probably still hacked.

    This is a thorough document that will take a long time to read. Get a fresh cup of coffee and double-check you’ve gone through everything: https://codex.www.ads-software.com/FAQ_My_site_was_hacked

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
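A way to check whether a restore really removed every modified file, as an added example that is not part of the thread or any poster's code: it walks a WordPress tree, flags files whose first bytes contain the `$bfpsecprsc_` variable prefix from the code quoted in the first post, and lists the `.backup` copies described there. The function names, the 4096-byte read window and the command-line usage are assumptions of this example.

```python
import os
import sys
from datetime import datetime

MARKER = b"$bfpsecprsc_"    # variable prefix from the injected code quoted in the thread
BACKUP_SUFFIX = ".backup"   # suffix of the copies left beside modified files
HEAD_BYTES = 4096           # assumption: the injection sits at the top of the file


def scan(root):
    """Return (injected, backups): files whose head contains MARKER, and *.backup copies."""
    injected, backups = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(BACKUP_SUFFIX):
                backups.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            if MARKER in head:
                injected.append(path)
    return sorted(injected), sorted(backups)


def report(root):
    """Print findings with modification times; return the number of injected files."""
    injected, backups = scan(root)
    for path in injected:
        mtime = datetime.fromtimestamp(os.path.getmtime(path))
        note = "backup copy present" if path + BACKUP_SUFFIX in backups else "no backup copy"
        print(f"INJECTED {path} modified {mtime:%Y-%m-%d %H:%M} ({note})")
    for path in backups:
        # A .backup file next to a clean original is a leftover from an earlier modification
        if path[: -len(BACKUP_SUFFIX)] not in injected:
            print(f"LEFTOVER BACKUP {path}")
    return len(injected)


if __name__ == "__main__":
    # Usage: python scan_injected.py /path/to/wordpress  (exit code 1 if anything is flagged)
    sys.exit(1 if report(sys.argv[1] if len(sys.argv) > 1 else ".") else 0)
```

A clean result only rules out this exact marker; it says nothing about how the files were written in the first place, which is what the cleanup guide linked above covers.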

  • The topic ‘wp-admin.php probably hacking’ is closed to new replies.