• Resolved City Homestead

    (@cityhomestead)


    I started getting odd emails from my server on the 20th. On the 21st, whatever was happening took over Wordfence and shut it down. Next, it overwhelmed the server’s CPU and I lost access to my site.

    The only way I could gain access was to go through cPanel and delete the Wordfence plugin folder. That gave me access to my site, but it didn’t stop the emails.

    One of the emails showed me that the CPU was being used up by a theme that was put on my site in a folder named twentyfive, so I deleted it, but left it in the cPanel trash.

    Something is able to access the trash bin and continue executing a file named 1.mcm.x86_64.

    My server support team said something called Monocaffe Connections Manager is running processes and overloading the CPU.

    Inside the twentyfive folder within wp-content/themes it looks like a copy of the WordPress Twenty Twenty theme, and there is a file in the root of the theme named 1.mcm.x86_64.

    The only theme I use is Elementor, so I deleted the folder but whatever is preventing Wordfence from saving my site is still running from the trash bin!

    I can’t run Wordfence because it takes over the WF processes and shuts down WF.

    This is what one of the headers looks like in the many many emails that the server is sending out:

    Time: Mon May 22 10:00:55 2023 -0400
    Account: (my cPanel account name)
    Resource: Process Time
    Exceeded: 193262 > 1800 (seconds)
    Executable: /home/mysitefoldername/.trash/twentyfive/1.mcm.x86_64
    Command Line: [kworker/0:1]
    PID: 2878146 (Parent PID:2878146)
    Killed: No

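An added example, not from this thread or from Wordfence: a small Python checker that parses a process-time alert of the shape quoted above and flags the two indicators worth acting on, a binary executing from a trash or web-content directory, and a command line dressed up as a kernel thread that no user-space file should present. The alert text is a constructed sample modelled on the header in the post (account name and paths invented).

```python
# Added example (not from the forum thread): parse cPanel/CloudLinux-style
# "Resource: Process Time" alert mails and flag defender-relevant indicators.
import re

# Constructed sample modelled on the header quoted in the post; values invented.
SAMPLE_ALERT = """\
Time: Mon May 22 10:00:55 2023 -0400
Account: example
Resource: Process Time
Exceeded: 193262 > 1800 (seconds)
Executable: /home/example/.trash/twentyfive/1.mcm.x86_64
Command Line: [kworker/0:1]
PID: 2878146 (Parent PID:2878146)
Killed: No
"""

# Locations from which a legitimate long-running binary should not be executing.
SUSPICIOUS_DIRS = (".trash", "wp-content/themes", "wp-content/uploads", "/tmp")
# Kernel threads show up in brackets; a file on disk should never claim one.
KERNEL_THREAD_RE = re.compile(r"^\[(kworker|ksoftirqd|kthreadd|migration)")

def parse_alert(text):
    """Return the 'Key: value' fields of one alert as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def assess_alert(text):
    """Return a list of indicator strings; an empty list means nothing flagged."""
    f = parse_alert(text)
    findings = []
    exe = f.get("Executable", "")
    cmd = f.get("Command Line", "")
    if any(d in exe for d in SUSPICIOUS_DIRS):
        findings.append(f"executable in untrusted location: {exe}")
    if exe and KERNEL_THREAD_RE.match(cmd):
        findings.append(f"on-disk binary masquerading as kernel thread: {cmd}")
    m = re.match(r"(\d+)\s*>\s*(\d+)", f.get("Exceeded", ""))
    if m and int(m.group(1)) > 10 * int(m.group(2)):
        findings.append("process time exceeds limit by more than 10x")
    return findings

if __name__ == "__main__":
    for finding in assess_alert(SAMPLE_ALERT):
        print("FLAG:", finding)
```

Feeding the real alert mails through assess_alert gives a quick triage list; anything flagged is a reason to remove the file from the trash entirely rather than leave it there, as the reply below also suggests.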

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @cityhomestead, thanks for reaching out to us.

    Are you able to delete the folder from .trash using your hosting control panel or FTP, and if so, does it recreate itself in /wp-content/themes again later? It would be interesting to see if completely deleting the origin of the emails is enough to recover the site and enable Wordfence again.

    A site cleaning may be required if there’s some obfuscated code in other files or your database that returns this or leaves any remnants behind.

    Thanks,
    Peter.

    Thread Starter City Homestead

    (@cityhomestead)

    I emptied the trash just now and will report back what happens. I left the folder in the trash can because the hosting company was trying to figure out what processes the file was doing to overwork the CPU. They don’t know how the file is being executed because when they access the file, it shuts down its processes as if someone knows when the file is being accessed.

    Then it starts back up. Either someone programmed a smart file, or someone is physically managing the file remotely.

    I have not re-installed WordFence yet because what’s the point if someone was able to shut down the plugin? Maybe they will do it again.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @cityhomestead,

    Do you have any news on whether the problem cleared or returned?

    Peter.

    Hi!

    Wordfence scan found this file today.

    I have been fighting with malicious files for about 2 months; almost every day Wordfence detects a file named csv.php and index.php with some strange code. I proceed to repair and delete these files almost daily just to keep my website running.

    Today, after a week without problems, I found my website down, restored an old backup, and a Wordfence scan found /1.mcm.x86_64 and other malicious files: confcom.php, csv.php.

    I deleted them all and added them to the list “Immediately block IPs that access these URLs?“

  • The topic ‘Wordfence taken over by something in a twentyfive folder’ is closed to new replies.