• Yesterday I was bombarded with emails from my Wordfence security plugin due to a hack. Here is the rundown of what looks like happened:

    1. A new user called “Backup” was created from outside WordPress
    2. A folder called “wflogs” was created which contained the following files

    - .htaccess
    - attack-data.php
    - config.php
    - ips.php
    - rules.php
    - wafRules.rules

    All the files in the list contain mostly unintelligible strings of content, except the wafRules.php, which looks as though it's searching for various versions of plugins or various types of files, including .php files.

    3. The content of all .php files was edited to add a large string of code to the top.

    Every WordPress install I had was affected.
    Wordfence pulled this IP address info from the user called “Backup” who logged in:

    User IP: 54.206.41.134
    User hostname: ec2-54-206-41-134.ap-southeast-2.compute.amazonaws.com
    User location: Sydney, Australia

    I have deleted all the folders and files that were created by the user and am re-upgrading my WP install to clear any affected files. I don't have much time to mess with it right now, but if anyone has any tips let me know.
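A way to check for the two symptoms described in this post (code prepended to the top of every .php file, and files that differ from a clean copy of the same WordPress release), written as an added example that is not part of the thread, of WordPress or of the Wordfence plugin. The sample tree, file names, the placeholder payload and the thresholds are constructed assumptions:

```python
"""Scan a WordPress tree for PHP files with an injected prepended payload.

Added example (not from the forum thread or the Wordfence plugin). It checks
two things the original post describes: a block of code prepended to the top
of every .php file, and the difference between a live install and a clean
copy of the same release. The sample tree below is constructed inline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Obfuscation functions that rarely appear in the first bytes of legitimate
# WordPress core, theme or plugin files. Their presence near the top of a file,
# especially in one very long line, is a strong indicator of a prepended payload.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert)\s*\(",
    re.IGNORECASE,
)
HEAD_BYTES = 2048   # only the first few KB matter for a prepended payload
LONG_LINE = 400     # assumed threshold: real PHP source rarely starts with a 400+ char line


def inspect_php_file(path: Path) -> list[str]:
    """Return the reasons a file looks injected (empty list means clean)."""
    head = path.read_bytes()[:HEAD_BYTES].decode("utf-8", errors="replace")
    reasons = []
    first_line = head.splitlines()[0] if head else ""
    if len(first_line) > LONG_LINE:
        reasons.append(f"first line is {len(first_line)} chars")
    m = SUSPICIOUS.search(head)
    if m:
        reasons.append(f"obfuscation call near top: {m.group(0)}")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map relative path -> reasons, for every .php file that trips a check."""
    findings = {}
    for p in sorted(root.rglob("*.php")):
        reasons = inspect_php_file(p)
        if reasons:
            findings[str(p.relative_to(root))] = reasons
    return findings


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def diff_against_clean(clean: Path, live: Path) -> dict[str, str]:
    """Compare a live install against a pristine copy of the same release.

    Returns relative path -> 'modified' | 'added' | 'missing'. This is the
    check behind re-uploading a fresh WordPress: anything that differs from
    the clean release, or exists only on the live site, needs a look.
    """
    clean_files = {str(p.relative_to(clean)): sha256(p) for p in clean.rglob("*") if p.is_file()}
    live_files = {str(p.relative_to(live)): sha256(p) for p in live.rglob("*") if p.is_file()}
    result = {}
    for rel, digest in live_files.items():
        if rel not in clean_files:
            result[rel] = "added"
        elif clean_files[rel] != digest:
            result[rel] = "modified"
    for rel in clean_files:
        if rel not in live_files:
            result[rel] = "missing"
    return result


# Constructed sample: a clean release and a live copy with one injected file
# and one extra file. The "payload" is a harmless placeholder (decodes to 'AAA...').
CLEAN_INDEX = "<?php\n/** Front to the WordPress application. */\nrequire __DIR__ . '/wp-blog-header.php';\n"
PAYLOAD = "<?php eval(base64_decode('" + "QUFB" * 150 + "')); ?>"


def build_sample() -> tuple[Path, Path]:
    base = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.7';\n")
    (clean / "index.php").write_text(CLEAN_INDEX)
    (live / "index.php").write_text(PAYLOAD + "\n" + CLEAN_INDEX)        # prepended payload
    (live / "wp-content").mkdir()
    (live / "wp-content" / "extra.php").write_text("<?php echo 'x'; ?>\n")  # not in the release
    return clean, live


if __name__ == "__main__":
    clean, live = build_sample()
    for rel, reasons in scan_tree(live).items():
        print(f"SUSPECT  {rel}: {'; '.join(reasons)}")
    for rel, state in sorted(diff_against_clean(clean, live).items()):
        print(f"{state:8} {rel}")
```

Point `scan_tree` at a real document root to get a first list of candidates, and `diff_against_clean` at an unpacked copy of the same WordPress version to separate core files that were changed from files that never belonged to the release; wp-config.php and wp-content will always show up as differences and need to be reviewed by hand.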

Viewing 4 replies - 1 through 4 (of 4 total)
  • Here’s a good place to start: My Site Was Hacked. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    • This reply was modified 7 years, 10 months ago by bdbrown.

    All of those files are a standard part of the WordFence plugin. The plugin generates those as caches or stores of data to keep the database a little bit more “clean”. You'd have to ask the plugin's authors about the whole architecture, but that's why those files are there.

    As far as the new user, that sounds different. Do you have any backup plugins installed, or any other 3rd party backup systems set up? Keep in mind that your host may also have automated backups running as well as anything that you have set up. Almost all of the backup plugins that I've seen let you backup to Amazon like that, so it's not that hard to think that whatever plugin or system is doing it is doing the right thing and not something nefarious.

    Thread Starter nathan_buchanan

    (@nathan_buchanan)

    “All of those files are a standard part of the WordFence plugin.”

    I see that now. Thank you.

    The new user was created on the same day as all the strings were added to the top of every .php file. My host uses R1Soft for all its backups so I am not using any backup plugins.

    I was going to include the string that was inserted at the top of each page, but it's a bit long and I don't want to get in trouble for posting malicious code here.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Side note: @saskinman Per the Forum Welcome, please start your own topic.

    https://www.ads-software.com/support/plugin/wordfence/#new-post

    Hijacking someone else’s is considered rude in these forums and disrespectful to the original person who posted their problem.

  • The topic ‘Hack of all my WP installs’ is closed to new replies.