• I’m hoping that someone can help me out on this. I have a site that files were added to. I had WP File Monitor added and it notified me that files were added to wp-includes/images and then a couple of files were changed. I removed them and then added WP Defender in the hopes that it would tell me if I had security setup wrong on a folder or something.

    WP Defender did find a couple of things, but they were all very minor, low alerts. But whatever is going on keeps happening. I will go through and remove/restore things, and then in a day or so they are all right back. Here is a list of the files added/changed from the WP File Monitor plugin. I’m hoping that someone here recognizes what this is so I can fix my site to not let them in anymore.

    Files Changed:

    /wp-content/plugins/index.php
    /wp-includes/post-template.php

    Files Added:

    /wp-content/plugins/jquery-lightbox-for-native-galleries/wp-ajax-gadget.php
    /wp-content/plugins/wassup/zipper-class.php
    /wp-includes/images/list10.gif
    /wp-includes/images/list106.gif
    /wp-includes/images/list914.gif
    /wp-includes/images/list98.gif
    /wp-includes/images/nix156.doc
    /wp-includes/images/nix252.doc
    /wp-includes/images/nix380.doc
    /wp-includes/images/nix572.doc
    /wp-includes/images/nix580.doc
    /wp-includes/images/nix676.doc
    /wp-includes/images/nix732.doc
    /wp-includes/images/nix772.doc
    /wp-includes/images/nix828.doc
    /wp-includes/images/nix868.doc
    /wp-includes/images/pub281.jpg
    /wp-includes/images/pub377.jpg
    /wp-includes/images/pub608.doc
    /wp-includes/images/pub665.jpg
    /wp-includes/images/pub705.jpg
    /wp-includes/images/pub761.jpg
    /wp-includes/images/pub801.jpg
    /wp-includes/images/pub857.jpg
    /wp-includes/images/pub953.jpg
    /wp-includes/images/sched15.tar
    /wp-includes/images/sched734.gif
    /wp-includes/js/scriptaculous/query.js.php

    Has anyone else experienced this or have any idea what I can do to make this stop happening?

Viewing 15 replies - 16 through 30 (of 63 total)
  • Please, can you tell me whether the same file names are replicated every time, and tell me about your security permissions for wp-includes and wp-admin.

    I don’t know if those image filenames are the same every time, but the other files being added are named like: wp-ajax-gadget.php, https.php, query.js.php, zipper-class.php, class-wp-theme-edit.php etc. They aren’t always put in the same directory though. My permissions on wp-admin and wp-includes are 755.

    Thread Starter rsconsult

    (@rsconsult)

    For me the file names are either the same or very similar each time. Like timeuser, they are not always in the same place. My permissions are the same – 755.

    I am asking about the folder permissions for the following:

    wp-includes
    wp-includes/images
    wp-includes/js
    and all sub-directories

    wp-content
    wp-content/plugins

    Additionally, confirm that you have timthumb.php. If you are not sure, go to any webpage with images being re-sized and so on, and view the page source: is there ‘?timthumb.php’ somewhere in the image links? If you are still not sure about it, send me a link to any of your pages.

    Please RS, if you have the defender logs, tell me what was the name of the first file changed.

    I am extremely sorry for asking you this, but proper troubleshooting requires it before making any decisions. Closing it will be beneficial to all.
    Regards.

    All my directories should be 755. I set them using the command on the hardening wordpress page in the codex.

    Here is a list of files with mod times from the latest incident…

    -rwxr-xr-x 54K Mar 5 13:07 /wp-content/plugins/all-in-one-seo-pack/zipper-class.php
    -rwxr-xr-x 66K Mar 5 13:08 /wp-content/plugins/audio-player/wp-ajax-gadget.php
    -rwxr-xr-x 12K Mar 5 13:07 /wp-admin/css/edit-form-header.php
    -rwxr-xr-x 8.5K Mar 5 13:07 /wp-admin/user/options-meta.php
    -rwxr-xr-x 66K Mar 5 13:08 /wp-admin/includes/class-wp-theme-edit.php
    -rwxr-xr-x 12K Mar 5 13:07 /wp-includes/theme-compat/class-https.php
    -rwxr-xr-x 54K Mar 5 13:08 /wp-includes/js/crop/query.js.php
    -rwxr-xr-x 965 Mar 5 13:09 /wp-includes/images/pub825.jpg
    -rwxr-xr-x 966 Mar 5 13:09 /wp-includes/images/pub400.doc
    -rwxr-xr-x 8.5K Mar 5 13:10 /wp-includes/images/list923.tar
    -rwxr-xr-x 7.1K Mar 5 13:11 /wp-includes/images/nix724.doc
    -rwxr-xr-x 1.4K Mar 5 13:08 /wp-includes/images/nix924.doc
    -rwxr-xr-x 744 Mar 5 13:10 /wp-includes/images/nix20.doc
    -rwxr-xr-x 960 Mar 5 13:09 /wp-includes/images/pub57.jpg
    -rwxr-xr-x 1.2K Mar 5 13:10 /wp-includes/images/sched903.tar
    -rwxr-xr-x 1.1K Mar 5 13:09 /wp-includes/images/sched206.gif
    -rwxr-xr-x 800 Mar 5 13:11 /wp-includes/images/nix901.jpg
    -rwxr-xr-x 7.0K Mar 5 13:11 /wp-includes/images/pub704.doc
    -rwxr-xr-x 1.3K Mar 5 13:11 /wp-includes/images/sched558.gif
    -rwxr-xr-x 8.4K Mar 5 13:10 /wp-includes/images/list539.tar
    -rwxr-xr-x 1.1K Mar 5 13:10 /wp-includes/images/sched215.tar
    -rwxr-xr-x 5.7K Mar 5 13:10 /wp-includes/images/list555.tar
    -rwxr-xr-x 5.6K Mar 5 13:10 /wp-includes/images/nix220.doc
    -rwxr-xr-x 1.2K Mar 5 13:09 /wp-includes/images/list642.gif
    -rwxr-xr-x 8.6K Mar 5 13:10 /wp-includes/images/list235.tar
    -rwxr-xr-x 1.3K Mar 5 13:11 /wp-includes/images/list563.tar
    -rwxr-xr-x 1002 Mar 5 13:09 /wp-includes/images/sched102.gif
    -rwxr-xr-x 739 Mar 5 13:11 /wp-includes/images/pub129.jpg
    -rwxr-xr-x 1.7K Mar 5 13:09 /wp-includes/images/list411.tar
    -rwxr-xr-x 6.2K Mar 5 13:09 /wp-includes/images/nix605.jpg
    -rwxr-xr-x 1.1K Mar 5 13:09 /wp-includes/images/nix221.jpg
    -rwxr-xr-x 1.1K Mar 5 13:09 /wp-includes/images/list723.tar
    -rwxr-xr-x 7.4K Mar 5 13:10 /wp-includes/images/sched23.tar
    -rwxr-xr-x 12K Mar 5 13:07 /wp-includes/https.php

    Oh, and I don’t have timthumb.php on my site anywhere.

    Thread Starter rsconsult

    (@rsconsult)

    All of the directories you asked about have 755 permissions. Also, as far as I can tell, I do not have timthumb.php

    The logs from WP Defender did not have anything related to these files with the exception of telling me that the filesystem had changed when I deleted them. Since I could get that info from WP File Monitor (as well as when files were added), I dropped WP Defender from my site.

    We need to do the following:

    1-Could you please send me a link to any of your published posts with images.
    2- There is a common plugin or theme we need to reach out for, so kindly list your activated plugins, and we will shorten the list to commonly used plugins by cross-matching.

    Here is the blog in question: https://jewelsbranch.com/blog

    Here is the list of active plugins:

    Advanced Most Recent Posts
    Akismet
    All in One SEO Pack
    Audio player
    Exclude Pages from Navigation
    Exploit Scanner
    FD Feedburner Plugin
    FV WordPress Flowplayer
    Google XML Sitemaps
    Simple Facebook Connect
    Sociable
    Ultimate Google Analytics
    WordPress Importer
    WP Super Cache

    Nice website.
    OK, it's getting narrower. One of the remaining possibilities is AJAX handlers, and their back door is an “.htaccess” vulnerability, so to make a decision on this, refer to the code and rewrite rules below. IT SHOULD be SOMEWHERE in your .htaccess file; if not, then this is the back door and we will be checking all AJAX handlers.

    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # BEGIN WordPress
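An added example, not code from the thread, the WordPress Codex or Apache: a small POSIX sh model of the five “Block the include-only files” rules above, so you can see which request paths they actually forbid before relying on them. It models only those rules, for a request path relative to the site root (RewriteBase /, so no leading slash), and applies each pattern with grep -E, which agrees with mod_rewrite for patterns this simple. The list of dropped PHP files fed through it is taken from the “latest incident” listing earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, the WordPress Codex or Apache.
# include_only_blocked models the five "Block the include-only files" rules
# for a request path relative to the site root (RewriteBase /), using grep -E
# for the patterns. Returns 0 when a rule answers 403 ([F,L]) and 1 when the
# request passes through to the file.
include_only_blocked() {
    p=$1

    # RewriteRule ^wp-admin/includes/ - [F,L]
    if printf '%s\n' "$p" | grep -qE '^wp-admin/includes/'; then return 0; fi

    # RewriteRule !^wp-includes/ - [S=3]
    # The leading "!" negates the pattern: a path that does NOT start with
    # wp-includes/ matches this rule and skips the next three rules.
    if ! printf '%s\n' "$p" | grep -qE '^wp-includes/'; then return 1; fi

    # RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    # [^/]+ forbids only .php files directly inside wp-includes/, not files in
    # its subdirectories.
    if printf '%s\n' "$p" | grep -qE '^wp-includes/[^/]+\.php$'; then return 0; fi

    # RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    if printf '%s\n' "$p" | grep -qE '^wp-includes/js/tinymce/langs/.+\.php'; then return 0; fi

    # RewriteRule ^wp-includes/theme-compat/ - [F,L]
    if printf '%s\n' "$p" | grep -qE '^wp-includes/theme-compat/'; then return 0; fi

    return 1
}

# "403  <path>" or "pass <path>" for one request path.
verdict() {
    if include_only_blocked "$1"; then printf '403  %s\n' "$1"; else printf 'pass %s\n' "$1"; fi
}

# The PHP files from the "latest incident" listing, relative to the site root.
DROPPED_PHP='wp-content/plugins/all-in-one-seo-pack/zipper-class.php
wp-content/plugins/audio-player/wp-ajax-gadget.php
wp-admin/css/edit-form-header.php
wp-admin/user/options-meta.php
wp-admin/includes/class-wp-theme-edit.php
wp-includes/theme-compat/class-https.php
wp-includes/js/crop/query.js.php
wp-includes/https.php'

# Number of the listed files a direct request would still reach with the rules in place.
count_reachable() {
    n=0
    for p in $DROPPED_PHP; do
        include_only_blocked "$p" || n=$((n + 1))
    done
    echo "$n"
}

# Print the verdict table when run directly.
for p in $DROPPED_PHP; do verdict "$p"; done
```

Run as-is it prints a verdict per path. Of the eight PHP files in the listing, only wp-includes/https.php, wp-includes/theme-compat/class-https.php and wp-admin/includes/class-wp-theme-edit.php come back 403; the other five sit in plugin directories, wp-admin/css, wp-admin/user or a wp-includes subdirectory that rule 3 does not cover, so a browser can still request them. The rules also only deny direct HTTP requests; they do nothing to stop whatever is writing the files in the first place.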

    Those rules are not in our .htaccess

    Well, we know now how the backdoor opened. These rewrite rules block the wp-includes files from being accessed by any malicious user. Adding those to your .htaccess will be the last step to do, because this kind of hack targets your traffic-dense pages, and they don’t reveal any visible symptoms on your website but target your page ranking. Anyway, we will do it together and seal the backdoor. But before we do that, we must catch those who got in first.

    The first thing we want to check for now is the plugins folder. Please select “show hidden files”, whether you are using FTP or cPanel, and start with the ‘Akismet’ folder; look for .akismet.cache.php, .akismet.db.php, and so on; note the period at the beginning of the file name. Repeat this with every plug-in folder.

    There are no hidden files anywhere in our plugins folder.

    Not only hidden files, any files start with a . “period”

    There are no files that start with a “.” anywhere in plugins or any of its subfolders.
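An added example, not code from the thread or from WP File Monitor, WP Defender or Exploit Scanner: a POSIX sh scanner that automates the checks the thread walks through by hand, against the file patterns visible in the mod-time listing earlier (image, .doc and .tar names in wp-includes/images; PHP in asset directories; dotfiles under plugins) and the "recently modified" question. Which directories count as asset-only in a stock install is an assumption noted in the code, and the sample tree it builds is constructed for a dry run, not the poster's files.

```shell
#!/bin/sh
# Added example, not from the thread or from WP File Monitor / WP Defender.
# scan_wp_tree looks for four patterns seen in the listing above:
#   1. image/.doc/.tar names whose content is actually PHP,
#   2. .gif/.jpg files whose first bytes are not GIF or JPEG magic,
#   3. dotfiles under wp-content/plugins,
#   4. .php files in directories that hold only assets in a stock install
#      (which directories count as asset-only is an assumption, see below).
# Assumes POSIX sh with find, grep, head, od, tr and mktemp.

# Print one finding per line as "<kind><TAB><path>".
scan_wp_tree() {
    root=${1%/}

    # 1. Non-PHP extensions that carry a PHP open tag in the first 8 KiB.
    find "$root" -type f \( -name '*.jpg' -o -name '*.gif' -o -name '*.doc' -o -name '*.tar' \) |
    while IFS= read -r f; do
        if head -c 8192 "$f" | grep -aq '<?php'; then
            printf 'php-in-nonphp\t%s\n' "$f"
        fi
    done

    # 2. Image extensions whose leading bytes are not the expected magic
    #    (GIF files start with "GIF8", JPEG files with bytes ff d8).
    find "$root" -type f \( -name '*.gif' -o -name '*.jpg' \) |
    while IFS= read -r f; do
        magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
        case "$f" in
            *.gif) case "$magic" in 47494638*) ;; *) printf 'bad-magic\t%s\n' "$f" ;; esac ;;
            *.jpg) case "$magic" in ffd8*)     ;; *) printf 'bad-magic\t%s\n' "$f" ;; esac ;;
        esac
    done

    # 3. Dotfiles anywhere under plugins (the .akismet.cache.php pattern).
    if [ -d "$root/wp-content/plugins" ]; then
        find "$root/wp-content/plugins" -type f -name '.*' |
        while IFS= read -r f; do printf 'dotfile\t%s\n' "$f"; done
    fi

    # 4. PHP where core ships only assets. Assumption: these three directories
    #    contain no .php files in a stock WordPress install.
    for d in wp-includes/images wp-includes/js/crop wp-admin/css; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f -name '*.php' |
        while IFS= read -r f; do printf 'php-in-asset-dir\t%s\n' "$f"; done
    done
}

# Files modified within the last N minutes: the listing above clusters in a
# four-minute window, so run this right after the monitor's notification.
recent_files() {
    find "${1%/}" -type f -mmin "-$2"
}

# Count findings of one kind, for scripting.
count_findings() {
    scan_wp_tree "$1" | grep -c "^$2" || true
}

# Constructed sample tree mimicking the reported drop (not the poster's files).
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-includes/images" "$t/wp-includes/js/crop" "$t/wp-admin/css" \
             "$t/wp-content/plugins/akismet"
    printf 'GIF89a%s' 'constructed' > "$t/wp-includes/images/sched206.gif"        # genuine GIF header
    printf '<?php /* constructed sample */ echo 1; ?>' > "$t/wp-includes/images/pub825.jpg"
    printf 'neither an archive nor PHP\n' > "$t/wp-includes/images/list923.tar"
    printf '<?php /* constructed sample */ ?>' > "$t/wp-includes/js/crop/query.js.php"
    printf '<?php /* constructed sample */ ?>' > "$t/wp-content/plugins/akismet/.akismet.cache.php"
    printf '<?php // legitimate plugin entry point\n' > "$t/wp-content/plugins/akismet/akismet.php"
    printf '%s\n' "$t"
}

# Usage: sh scan.sh /path/to/wordpress [minutes]
if [ "$#" -gt 0 ]; then
    scan_wp_tree "$1"
    if [ "$#" -gt 1 ]; then recent_files "$1" "$2"; fi
fi
```

Point it at the document root of the site and compare the output with the monitor's list: a .jpg that fails the magic check or contains `<?php` is not an image whatever its name says, and a .php file under wp-includes/images or wp-admin/css has no business being there. The sample tree is only there so the script can be dry-run offline; the legitimate akismet.php in it is deliberately left unflagged.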

  • The topic ‘Files being added to one of my sites’ is closed to new replies.