• kristinubute

    (@kristinubute)


    Hi

    I love your plugin, have it for another client site also and it has worked well. So I’ve installed it on another client site.

    Client site seems to be compromised with some dodgy files.

    Only seems mainly to be in the Storefront theme area which I have removed the files etc and rescanned with Wordfence.

    It is picking up a file that could possibly be edited, plugin.php and class-wp-hook.php both in the wp-includes directory of wordpress.

    All plugins are updated also and Storefront theme.

    I have already updated WordPress to the latest so I would have assumed those files would have been overwritten in the upgrade. I suppose unless they are DODGY files, then they won’t be overwritten as they would be just added as an extra file NOT being overwritten.

    Is there somewhere where I can upload just these particular files and just upload those files to be overwritten and/or COMPARE original WordPress files for 6.5.5 to what I have on the client site to remove files that shouldn’t be there?

    Wordfence seems to have picked up some dodgy files in Storefront on client site. Wordfence has picked up in storefront/assets/images/credits-cards/elastic-slider.php (I have sent a support ticket to Storefront also so I know what I can remove etc).

    Wordfence seems to have picked up some dodgy files in Storefront on client site. Wordfence has picked up in storefront/assets/images/credits-cards/elastic-slider.php

    and storefront/asets/images/admin/welcome-screens/wpzhijdengl.php which I assume are dodgy files.

    ..storefront/assets/images/customizer/starter-content-products/hoodie-with-zipper.php (seems dodgy also).

    What about this one: storefront/assets/images/admin/welcome-screen/automattic.php ? Should that be there or dodgy ? Is there supposed to be an actual welcome-screen directory?

    Seems to be some additional php files that shouldn’t be there in those directories.

    Can I just delete ALL files under the credit-cards directory, do I need them? I would rather delete if I can to remove the dodgy files.

    If you could please advise HOW I can compare actual files from WordPress core to see which ones have been edited OR how to replace those particular files that have been edited?

    I know WordPress free version can do a scan and let me know which files could be compromised which is very helpful.

    Then I remove the dodgy plugin that keeps getting installed wpzhijdengl so a function or compromised file must be somewhere which keeps getting changed …

    I found this error log which would help to figure it out I think.

    Where can I get a copy of the file to replace class-wp-hook.php and plugin.php (maybe they are not supposed to be there OR have been edited) ? It has found my username in there (I have renamed it here to admin-new) which is obviously not my actual username but changed for purpose here.

    [28-Mar-2024 07:02:35 UTC] PHP Fatal error: Uncaught ArgumentCountError: Too few arguments to function wc_maybe_store_user_agent(), 1 passed in domain.com.au/wp-includes/class-wp-hook.php on line 307 and exactly 2 expected in domain.com.au/wp-content/plugins/woocommerce/includes/wc-user-functions.php:861 Stack trace: #0 domain.com.au/wp-includes/class-wp-hook.php(307): wc_maybe_store_user_agent('matigan') #1 domain.com.au/wp-includes/class-wp-hook.php(331): WP_Hook->apply_filters('', Array) #2 /domains.com.au/wp-includes/plugin.php(476): WP_Hook->do_action(Array) #3 domain.com.au/wp-content/themes/storefront/assets/images/admin/welcome-screen/wpzhijdengl.php(12): do_action('wp_login', 'matigan') #4 {main} thrown in domain.com.au/wp-content/plugins/woocommerce/includes/wc-user-functions.php on line 861

    [17-Jun-2024 02:01:17 UTC] PHP Fatal error: Uncaught ArgumentCountError: Too few arguments to function AAL_Hook_Users::hooks_wp_login(), 1 passed in domain.com.au/wp-includes/class-wp-hook.php on line 324 and exactly 2 expected in /domain.com.au/wp-content/plugins/aryo-activity-log/hooks/class-aal-hook-users.php:29 Stack trace: #0 domain.com.au/wp-includes/class-wp-hook.php(324): AAL_Hook_Users->hooks_wp_login('admin_new') #1 domain.com.au/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters('', Array) #2 domain.com.au/wp-includes/plugin.php(517): WP_Hook->do_action(Array) #3 domain.com.au/wp-content/themes/storefront/assets/images/admin/welcome-screen/wpzhijdengl.php(12): do_action('wp_login', 'admin-new') #4 {main} thrown in domain.com.au/wp-content/plugins/aryo-activity-log/hooks/class-aal-hook-users.php on line 29

    So my question is WHAT can I DELETE that is not required to remove these dodgy people?

    Thanks

    Kristin

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @kristinubute,

    The original files of WordPress itself or themes/plugins available to install within WordPress are publicly available to anybody, including past versions, so you can check for valid paths/filenames or view their contents to compare them with your own. There are some that you’ve mentioned that are perfectly valid for Storefront, so Wordfence would only flag them if they shouldn’t be there at all, or their contents have been changed from the ones seen in the repository:

    https://themes.trac.www.ads-software.com/browser/storefront/
    https://www.ads-software.com/download/releases/

    We don’t have the resources to walk customers through entire site cleanings here on the forums but we have helpful guides and information. Site admins will find this helpful to try cleaning a site after an incident: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful if you haven’t explored it already.

    If you are unable to clean the site on your own there are paid services that will do it for you. Wordfence offers one, and there are others. Regardless of whether you choose to clean it yourself or let someone else do it, we recommend that you make a full backup of the site beforehand. If the removal or cleaning of any files results in PHP or server errors, files may need reinstating manually from their originals, the backup copy, or reinstalling.

    I hope this helps you out!
    Peter.
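    One way to do the comparison Peter describes for core files, as an added example that is not part of this thread and not Wordfence's or WordPress.org's tooling: it assumes the public api.wordpress.org checksum endpoint returns {"checksums": {relative_path: md5}} for a release, verifies wp-admin and wp-includes against that manifest (so an edited class-wp-hook.php or plugin.php would show as modified, and a PHP file the release never shipped shows as unexpected), and separately lists any PHP file sitting under an images/css/js/fonts directory of a theme or plugin, which is where the storefront files above were found. Themes and plugins are not in the core manifest, so those still need comparing against the theme's own repository.

```python
"""Verify a WordPress tree against the official core checksums and flag stray PHP.
Added example, not Wordfence's or WordPress.org's own tooling; it assumes the
public api.wordpress.org checksum endpoint returns {"checksums": {path: md5}}."""
import hashlib
import json
import urllib.request
from pathlib import Path

CHECKSUM_API = "https://api.wordpress.org/core/checksums/1.0/?version={v}&locale={l}"
CORE_DIRS = ("wp-admin", "wp-includes")        # fully described by the manifest
ASSET_DIRS = {"images", "css", "js", "fonts"}  # PHP under these is always suspect

def fetch_core_checksums(version: str, locale: str = "en_US") -> dict:
    """Download the MD5 manifest for one release, e.g. "6.5.5" (network required)."""
    with urllib.request.urlopen(CHECKSUM_API.format(v=version, l=locale), timeout=30) as r:
        return json.load(r)["checksums"]

def md5_file(path: Path) -> str:
    h = hashlib.md5()  # the manifest uses MD5; this is an integrity check, not crypto
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_core(root, checksums: dict) -> dict:
    """modified: hash differs from the release; missing: listed but absent on disk;
    unexpected: PHP under wp-admin/wp-includes that the release never shipped."""
    root, out = Path(root), {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in sorted(checksums.items()):
        p = root / rel
        if not p.is_file():
            out["missing"].append(rel)
        elif md5_file(p) != expected:
            out["modified"].append(rel)
    for d in CORE_DIRS:
        if (root / d).is_dir():
            for p in (root / d).rglob("*.php"):
                rel = p.relative_to(root).as_posix()
                if p.is_file() and rel not in checksums:
                    out["unexpected"].append(rel)
    out["unexpected"].sort()
    return out

def php_in_asset_dirs(root) -> list:
    """PHP files inside an images/css/js/fonts directory of any theme or plugin."""
    root = Path(root)
    if not (root / "wp-content").is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in (root / "wp-content").rglob("*.php")
                  if p.is_file() and ASSET_DIRS & set(p.relative_to(root).parts[:-1]))
```

    Run it as `verify_core("/path/to/site", fetch_core_checksums("6.5.5"))` and `php_in_asset_dirs("/path/to/site")`; anything listed as modified or unexpected is a file to compare against the release archive before deciding what to restore or remove.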

    Thread Starter kristinubute

    (@kristinubute)

    Hi

    I keep getting this now when trying to scan with Wordfence etc

    An error occurred

    Your browser sent an invalid security token to Wordfence. Please try reloading this page or signing out and in again.

    This is to VIEW LIVE TRAFFIC and to DO A SCAN.

    I’ve already signed in and out.

    Not sure what is going on now? Please advise urgently.

    Thanks

    Kristin

    Thread Starter kristinubute

    (@kristinubute)

    Bad security token. It may have been more than 12 hours since you reloaded the page you came from. Try reloading the page you came from. If that doesn’t work, please sign out and sign-in again.

    What does it want me to sign in and out of ? I’ve already signed in and out of the WordPress website.

    Not sure what is going on.

    Thread Starter kristinubute

    (@kristinubute)

    The last thing I did 7 hours ago, was re upload 2 files from an original WordPress 6.5.5 version to replace. All was still working on the website.

    Then I went out for 6 hours. Came back and having issues scanning in Wordfence and Live View now.

    HOW can I fix this urgently please?

    What security token is it talking about ? HOW and WHERE can I fix the token ?

    Bad security token. It may have been more than 12 hours since you reloaded the page you came from. Try reloading the page you came from. If that doesn’t work, please sign out and sign-in again.

    Thanks

    Kristin

    Thread Starter kristinubute

    (@kristinubute)

    Do I have to uninstall Wordfence to fix it?

    Thread Starter kristinubute

    (@kristinubute)

    I had also changed it to a high sensitivity scan before I left for work, I just remembered. Maybe that caused an issue ?
