• Resolved chall3ng3r

    (@chall3ng3r)


    For the past few months I’ve been hit by malware on cPanel-based hosting. WF doesn’t remove the malware completely; some malware files remain deep in folders, which the malware then hits with HTTP requests with an empty user-agent. If the file is found it gets executed and the malware is back.

    I’ve narrowed down lots of ways this malware is getting into my websites; one of them is this hunting with empty user-agent requests, and hundreds of them. WF does have a limit for 404 blocking, but the malware first tries with HTTP/1.1, which gives 301, then tries with HTTP/2.0, which gives 404. So WF doesn’t block this offending IP.

    Kindly update the WAF to tackle these kinds of malware installations.

    PS, I’m now moving my websites to a host which gives each website a separate user, so if one website gets infected, it doesn’t spread to other websites like in single-user cPanel hosting.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfmargaret

    (@wfmargaret)

    Hi @chall3ng3r,

    Thanks for reaching out. We’re always happy to look into the feasibility of changing or adding features based on customer feedback, so I’ve linked this topic to the team for further discussion internally. Unfortunately I can’t provide progress reports or potential release schedules here on the forums.

    I’m glad to hear you’re isolating the websites, as that’s always a great step to take for security. You might also look into blocking empty user agents using .htaccess rules in the meantime.

    I recommend you also follow the checklist here: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Make sure to get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc.) because you wanted to wait before installing the latest version because of Gutenberg or custom theme compatibility, you still need the latest update in that version. Those can be found here: https://www.ads-software.com/download/releases/

    WordPress sometimes patches their older releases if they find a vulnerability, so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,
    Margaret
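    The gap the question describes (a 404-only counter misses the HTTP/1.1 probe, which is answered with a 301 before the HTTP/2.0 retry gets the 404) and the suggestion above to block empty user agents can both be checked against the server’s access log. The script below is an added example for this thread, not Wordfence code; it assumes the Apache “combined” log format used on cPanel hosts, and the log lines, addresses and paths in it are constructed.

```python
import re
from collections import defaultdict

# Apache/cPanel "combined" access-log format; an absent User-Agent is logged as "-" (or "").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic): one client probes each path first over
# HTTP/1.1 (answered with a 301 redirect) and then over HTTP/2.0 (404), sending no User-Agent.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/uploads/2019/07/.x/cache.php HTTP/1.1" 301 0 "-" "-"
203.0.113.10 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/uploads/2019/07/.x/cache.php HTTP/2.0" 404 1234 "-" "-"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-includes/js/.tmp/wp-load.php HTTP/1.1" 301 0 "-" "-"
203.0.113.10 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-includes/js/.tmp/wp-load.php HTTP/2.0" 404 1234 "-" "-"
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /about/ HTTP/2.0" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Jan/2024:10:00:06 +0000] "GET /missing-page/ HTTP/2.0" 404 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def empty_ua_probes(log_text, min_requests=2):
    """Return {ip: {"requests": n, "paths": [...], "statuses": {...}}} for every client
    that sent at least `min_requests` requests with an empty User-Agent.

    Every empty-UA request is counted whatever its status code, so the 301-then-404
    pair for a single probed path is not missed the way a pure 404 counter misses it."""
    per_ip = defaultdict(lambda: {"requests": 0, "paths": set(), "statuses": defaultdict(int)})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line in another format: skip rather than guess
        if m["ua"].strip() not in ("", "-"):
            continue  # a User-Agent was sent; not the pattern being hunted
        entry = per_ip[m["ip"]]
        entry["requests"] += 1
        entry["paths"].add(m["path"])
        entry["statuses"][m["status"]] += 1
    return {
        ip: {"requests": e["requests"], "paths": sorted(e["paths"]), "statuses": dict(e["statuses"])}
        for ip, e in per_ip.items()
        if e["requests"] >= min_requests
    }


if __name__ == "__main__":
    for ip, info in empty_ua_probes(SAMPLE_LOG).items():
        print(ip, info["requests"], "empty-UA requests", info["statuses"], info["paths"])
```

    The addresses it returns are candidates for whatever block list the host already uses (for example the .htaccess rules mentioned above), and the probed paths show which leftover files should be checked for and removed.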

    Thread Starter chall3ng3r

    (@chall3ng3r)

    Thanks Margaret for your reply and recommendations.

    I’ve read most of the guides already, as I found WF the most user-friendly and reliable malware scanning and WAF solution. However, sometimes it misses the files deep in the folder tree, and I have to use the Anti-Malware plugin for a full scan. So, in combination, these two root out all the files.

    These hunting requests for infected files with an empty user-agent are currently handled with manual rules in the server config, but I hope WF adds this functionality so other users are protected against such attacks.

    Best regards.

    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @chall3ng3r,

    Thank you for following up.

    Regarding the empty user-agent accesses, are you observing GET or POST requests? If the attacker is using POST requests with an empty referrer, please enable the following option: Wordfence > All Options > Brute Force Protection > Block IPs that send POST requests with blank User-Agent and Referer. While some legitimate services use empty user agents, enabling this option can help mitigate attacks that utilize POST requests.

    If you can, please send any malware that Wordfence didn’t detect to samples @ wordfence . com. Our team can then take a look. Remember to remove any passwords, keys, or salts from any files you send us, if applicable.

    Thanks,
    Margaret

    Thread Starter chall3ng3r

    (@chall3ng3r)

    Thanks for your reply and suggestion.

    The attack is using GET requests. I have saved the malware files it generates and will send those to the provided email.

    Plugin Support wfmargaret

    (@wfmargaret)

    Hi @chall3ng3r,

    Thank you for contributing to Wordfence security! We’ll follow up with you using the email you send.

    Thanks again,
    Margaret
