[Resolved] Ghostrider07

    (@ghostrider07)


    Hi,

    I have installed Wordfence for the first time on one suspected WP site, and after scanning received the result below. I need to know what a “supp2 infection” is.

    This file Appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file That matches a Known malicious file is: “@ $ GLOBALS [$ GLOBALS [ ‘md83e29df’] [43] $ GLOBALS [ ‘md83e29df’] [24] $ GLOBALS [ ‘md83e29df] [.. 96] “. The infection is kind: supp2 infection

    Thanks

    https://www.ads-software.com/plugins/wordfence/

Viewing 15 replies - 1 through 15 (of 20 total)
    Hello Ghostrider07,
    what is the name of the file that’s infected?

    Thread Starter Ghostrider07

    (@ghostrider07)

    Hi,

    It doesn’t infect existing files, but somehow new files get created with random names such as press.php, lib.php, object.php etc. These get generated in random folders and have a date stamp of the year 2013.
    When I open the file, it’s encoded in base64 with a list of spam email IDs; this triggers my SMTP DDoS rules as defined, and the SMTP IP gets blocked.

    Thanks

    Thread Starter Ghostrider07

    (@ghostrider07)

    Hi,

    Just to update further: today I found a new file, session.php, which went undetected by Wordfence on the initial scan I did; I found this file based on my PHP logs.
    This file reads like below; the last line is basically encoded email IDs for spam, and there is a good number of them in the list. Please help me identify the root cause: is it an SQL infection, a plugin culprit, or what?
    [ Malware code deleted, do not post that in these forums. ]

    Hi, I have seen the same behavior on clients’ sites, and I am also looking for the root cause.
    I have checked the creation date of those files and compared that with the access log of the server, but could not see any suspicious access. How is the creation of these files triggered in the first place? What can be done to prevent it?

    I’ve found the same thing on one of my client’s installations.

    I don’t know if it helps anyone, but here’s the decoded source of one of the files: https://gist.github.com/aesqe/f75634cf72c64da92bab905180e33d87

    I’ve decoded it manually, but I think everything’s correct.

    I have this infection as well and haven’t been able to squash it

    Hello all,
    when scanning for this type of issue, there are two things you can check for. One is that your scan includes a comparison of your WordPress core files with the WordPress repository. This setting is called “Scan core files against repository versions for changes”. You can also try to do a scan of ALL files on your hosting account, even those that are outside of your WordPress installation. This setting is called “Scan files outside your WordPress installation”. You can also try running a scan with the option “Enable HIGH SENSITIVITY scanning.” Note that this may give false positives.

    All these settings are under “Scans to include” in Wordfence “Options” page. If it seems like no scan is picking up the malware you might want to manually inspect wp-config and all files belong to themes that are not in the WordPress repository. If you find something strange in there, you can copy the code and email it with a short description (where you found it etc) to [email protected].

    Finally, if none of the above pan out you can check your whole account for any files you don’t recognize located in the root of your account or in wp-content folder.
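    A way to do the manual inspection step above programmatically, as an added example (not Wordfence code and not from anyone in this thread): walk a site directory and flag PHP files that carry the nested `$GLOBALS[$GLOBALS[...]]` signature quoted in the first post, or that hand a base64 blob to `eval()`, as the spam-list files described here do. The sample tree it builds is constructed for the demonstration; the regexes tolerate the spaces the forum inserted into the quoted snippet.

```python
"""Scan a directory tree for PHP files carrying the obfuscation signatures
discussed in this thread. Added example, not Wordfence code. The sample
tree built below is constructed for the demonstration."""
import os
import re
import tempfile

# Signature Wordfence quoted: nested $GLOBALS lookups used to rebuild
# function names from a character table. The regex tolerates the spaces
# the forum inserted into the quoted snippet.
NESTED_GLOBALS = re.compile(r"\$\s*GLOBALS\s*\[\s*\$\s*GLOBALS\s*\[")

# A base64 blob handed to base64_decode() and then executed is the other
# pattern described in the thread (files full of encoded spam addresses).
EVAL_B64 = re.compile(
    r"(eval|assert|create_function)\s*\(\s*(gz(un)?compress|gzinflate|str_rot13)?\s*\(?\s*base64_decode\s*\(",
    re.IGNORECASE,
)

# Long runs of base64 text on their own are only a weak signal, so they are
# reported separately from the two strong signatures.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_php_source(src: str) -> list:
    """Return the list of signature names found in one PHP source string."""
    hits = []
    if NESTED_GLOBALS.search(src):
        hits.append("nested-globals-obfuscation")
    if EVAL_B64.search(src):
        hits.append("eval-of-base64")
    if LONG_B64.search(src):
        hits.append("long-base64-blob")
    return hits


def scan_tree(root: str) -> dict:
    """Walk root and map relative paths of flagged .php files to their hits."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                flagged[os.path.relpath(path, root)] = hits
    return flagged


def build_sample_tree() -> str:
    """Create a constructed mini site: one clean file, two mimicking the thread's findings."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "uploads", "2013"))
    files = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        # Constructed stand-in for the nested-$GLOBALS dropper quoted in the thread
        "wp-content/uploads/2013/press.php":
            "<?php\n$GLOBALS['md83e29df'] = str_split('abc...');\n"
            "@$GLOBALS[$GLOBALS['md83e29df'][43].$GLOBALS['md83e29df'][24]]();\n",
        # Constructed stand-in for the base64 spam-list file
        "wp-content/session.php":
            "<?php\neval(gzinflate(base64_decode('" + "QUJD" * 60 + "')));\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, hits in sorted(scan_tree(sample).items()):
        print(f"{rel}: {', '.join(hits)}")
```

    Point it at the real document root instead of the constructed tree and review every hit by hand; the long-base64 check in particular will also match legitimate embedded images or fonts, which is why it is reported as its own, weaker, reason.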

    Thread Starter Ghostrider07

    (@ghostrider07)

    Hi Wfasa,

    Currently my site looks clean, and I was able to track something unusual with the help of Wordfence and antimalware by golts. Let me tell you that one backdoor script which Wordfence didn’t detect was found by the antimalware residing in the WooCommerce folder.

    I have some old such malware files with a snapshot of the path in which they were found; I am emailing them to the [email protected] ID for your reference. I am sure it will help you improve the working of Wordfence.

    Overall it works great, and I hope now my site remains clean; it’s been the 6th day today with no infection as of now.

    Cheers

    Thread Starter Ghostrider07

    (@ghostrider07)

    Hi,

    I had sent the details to the given email ID, after which a ticket was generated. Any further update on this? Though my site is clean, I need to get to the root of this to avoid further such issues, and it can be helpful as a lot of people are facing this issue.

    Thanks

    Thread Starter Ghostrider07

    (@ghostrider07)

    Hi,

    Is there any further update on this, or any further development in the plugin for such monitoring?

    Thanks

    I got the same incident. Out of around 20 WordPress sites, half show that behaviour!

    Ghostrider07,
    if the code you sent to @samples is code that Wordfence should and can protect against, but is not currently protecting against, it will be included in a future Wordfence version.

    nicodemusy2k,
    I would suggest you start looking at some resources for how to detect if you have been hacked and clean your site.

    * FAQ My site was hacked
    * How to clean a hacked WordPress site using Wordfence

    Stepped through all .php files that showed the @ $ GLOBALS [$ GLOBALS [ stuff and deleted them manually. The root server is running Debian Wheezy with the latest security updates, secured with OSSEC, checked with chkrootkit, rkhunter and unhide, showing no rootkits at all or processes listening on any ports that would indicate an installed backdoor.

    It seems that either a plugin is/was offering that incident, or that it might have been caused by the latest ImageMagick exploits.

    The most recent article about it I could find is related to the Hack.lu CTF 2014: Next Global Backdoor. I have found that they use those .php files to send out SPAM.

    Since the .php files are deleted nothing new I see in logs and postfix has been idle since.

    All source IPs that used to access those .php files have been blocked by the firewall by now and are added to the fail2ban jail filters as well.

    Checking the next 30 days the incremental daily backup logs to see what files are changing and if anything occurs I will update my post.

    Thanks for the quick reply.

    Also found some interesting stuff in the apache access.log time-related to the incident related to the SimplePie stuff :

    nn.nnn.nnn.nn - - [01/Jun/2016:12:15:24 -0500] "GET / HTTP/1.1" 200 37470 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\\disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5
    nn.nnn.nnn.nn - - [01/Jun/2016:12:15:27 -0500] "GET / HTTP/1.1" 200 37375 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\\disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5
    nn.nnn.nnn.nn - - [01/Jun/2016:12:15:29 -0500] "GET //sqlibak.php HTTP/1.1" 302 417 "https://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)"

    nn.nnn.nnn.nn is a French blacklisted IP; it could be related to the Joomla platform, but SimplePie can also be found in WordPress.
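    The access-log pattern in the post above (a serialized PHP object smuggled in the User-Agent, followed seconds later by a request for a dropped .php file) can be picked out of an Apache combined-format log automatically. What follows is an added example, not code from the thread, from Wordfence, or from any of its participants; the log lines are constructed to mirror the three quoted ones, with the documentation address 203.0.113.5 standing in for nn.nnn.nnn.nn, and the list of expected root-level PHP entry points is an assumption that should be adjusted to the site.

```python
"""Flag the request pattern quoted in the thread in Apache combined-format
access logs: a serialized PHP object in the User-Agent, followed by a hit
on a dropped .php file. Added example, not part of the thread or of
Wordfence. The log lines below are constructed; 203.0.113.5 is a
documentation address standing in for the thread's nn.nnn.nnn.nn."""
import re
from collections import defaultdict

# Apache combined log: host ident user [time] "request" status bytes "referer" "agent"
# The agent is captured lazily up to the line end because attacker strings
# contain \" escapes that break a simple [^"]* capture.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*?)"?$'
)

# PHP serialization of an object looks like O:<len>:"ClassName":<props>:{ ...
# Apache writes embedded quotes as \", hence the optional backslash.
PHP_OBJECT_RE = re.compile(r'O:\d+:\\?"[A-Za-z0-9_\\]+\\?":\d+:\{')

# Assumed list of PHP files a stock WordPress front end serves at the root.
KNOWN_ROOT_PHP = {"/index.php", "/wp-login.php", "/xmlrpc.php", "/wp-cron.php",
                  "/wp-comments-post.php"}


def parse_line(line: str) -> dict:
    """Parse one combined-format line; return {} for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    entry = m.groupdict()
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def classify(entry: dict) -> list:
    """Return the reasons an entry looks like part of the thread's incident."""
    reasons = []
    for field in ("agent", "referer", "path"):
        if PHP_OBJECT_RE.search(entry.get(field, "")):
            reasons.append(f"serialized-php-object-in-{field}")
            break
    # Collapse the doubled slash seen in the quoted request and drop any query string.
    path = re.sub(r"/+", "/", entry.get("path", "")).split("?")[0]
    if path.endswith(".php") and path not in KNOWN_ROOT_PHP and path.count("/") == 1:
        reasons.append("request-for-unexpected-root-php")
    return reasons


def scan_log(lines) -> dict:
    """Group flagged requests by client IP so the hosts worth blocking stand out."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry)
        if reasons:
            by_ip[entry["ip"]].append((entry["path"], reasons))
    return dict(by_ip)


# Constructed sample mirroring the quoted lines plus one ordinary login request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2016:12:15:24 -0500] "GET / HTTP/1.1" 200 37470 "-" '
    '"}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";O:17:\\"JSimplepieFactory\\":0:{}"',
    '203.0.113.5 - - [01/Jun/2016:12:15:29 -0500] "GET //sqlibak.php HTTP/1.1" 302 417 '
    '"https://www.googlebot.com/bot.html" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '198.51.100.7 - - [01/Jun/2016:12:16:01 -0500] "GET /wp-login.php HTTP/1.1" 200 2410 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/46.0"',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG).items():
        for path, reasons in hits:
            print(f"{ip} {path}: {', '.join(reasons)}")
```

    Feeding the real access.log through `scan_log` gives a per-IP list that maps directly onto the firewall and fail2ban blocks mentioned above; the serialized-object check is the higher-confidence signal, while the unexpected-root-PHP check needs the allowlist tuned to whatever the site legitimately serves.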

    I’m exactly with the same issue, php files being generated randomly.

    Any update ?

The topic ‘Re: scan result’ is closed to new replies.