• Resolved schumyalonsohamilton

    (@schumyalonsohamilton)


    Good morning,
    the server provider informed me that Wordfence didn’t find a malware active from here:
    hxxps://excellenceclass[.]it/anteprima/digver/netnet/039242398138/payment.php

    It modifies the .htaccess file by injecting this code:
    <FilesMatch "^">
    deny from all
    </FilesMatch>

    Also, I’ve noted the change of the write/read/execute permissions and I can’t easily replace the .htaccess without the help of the service provider because it all seems blocked.

    Now they have changed the code and the site works, but anyway the infected file
    hxxps://excellenceclass[.]it/anteprima/digver/netnet/039242398138/payment.php
    is not revealed by Wordfence.

    Their suggestion to proceed is the following:
    – indicate an IP from which you will proceed with the intervention in order to enable access exclusively from it (you can visit https://www.serverplan.com/ip to see your connection IP)
    – remove or remediate the indicated files from malicious code
    hxxps://excellenceclass[.]it/preview/digver/netnet/039242398138/payment.php [46.30.245.121]
    – proceed with updating the CMS and all its contents (themes and plugins) to the latest versions available online
    – change the admin password of the CMS (if present)

    If you have not done so, proceed to clean up the malicious file and let us know.
    ———-

    So, any automated way to remove this worm/malware thanks to Wordfence instead of my manual action?…

    Thanks SO much,
    best,
    Lewis
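
An added example, not part of the original post and not Wordfence code: a check for the injection described above, listing every `.htaccess` under a web root that holds a `FilesMatch` deny-all block covering all files, together with the file's permission bits. Assumptions: Python's `re` stands in for Apache's regex engine, and the probe filenames, function names and sample tree are constructed for illustration.

```python
import re
import stat
import tempfile
from pathlib import Path

# <FilesMatch "regex"> ... </FilesMatch>; curly quotes from pasted text are tolerated.
BLOCK_RE = re.compile(
    r'<FilesMatch\s+["\u201c\u201d\']?(?P<pat>[^"\u201c\u201d\'>]*)["\u201c\u201d\']?\s*>'
    r'(?P<body>.*?)</FilesMatch>', re.IGNORECASE | re.DOTALL)
# Deny-everything directives in Apache 2.2 and 2.4 syntax.
DENY_RE = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)
PROBES = ("index.php", "wp-login.php", "style.css", "logo.png")


def matches_every_file(pattern):
    """True when the FilesMatch regex matches every constructed probe name (e.g. "^")."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return False
    return all(rx.search(name) for name in PROBES)


def scan_htaccess(root):
    """Report .htaccess files under root whose deny-all block covers every file."""
    root, findings = Path(root), []
    for path in sorted(p for p in root.rglob(".htaccess") if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        for m in BLOCK_RE.finditer(path.read_text(errors="replace")):
            if DENY_RE.search(m.group("body")) and matches_every_file(m.group("pat")):
                findings.append({"path": str(path.relative_to(root)), "pattern": m.group("pat"),
                                 "mode": oct(mode), "owner_writable": bool(mode & stat.S_IWUSR)})
    return findings


def demo():
    """Constructed tree: injected block in a read-only file, plus a legitimate rule."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / ".htaccess").write_text('<FilesMatch "^">\ndeny from all\n</FilesMatch>\n')
        (root / ".htaccess").chmod(0o444)  # constructed permission change
        (root / "uploads" / ".htaccess").write_text(
            '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n')
        return scan_htaccess(root)


if __name__ == "__main__":
    print(demo())
```

A finding with `owner_writable` set to false means the file's permissions have to be corrected before the injected block can be removed; the narrowly scoped rule in `uploads/` is not reported.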

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @schumyalonsohamilton, a fellow F1 fan I see? I’m sorry to see you’ve had these troubles.

    I’m going to provide you with detailed site cleaning instructions to make sure your site is fully cleaned, but to assist with why Wordfence might have missed this threat, could you please send a copy of the offending file(s), such as payment.php to samples @ wordfence . com? This will help us look into the script more closely and help protect our customers in future.

    Make sure to follow the checklist here:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
    https://www.ads-software.com/download/releases/
    WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure and do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,

    Peter.

  • Plugin Support WFAdam

    (@wfadam)

    Hello @schumyalonsohamilton and thanks for reaching out to us!

    It sounds like you may need to clean the site or at least follow the checklist here:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    Make sure and get all your plugins and themes updated and update WordPress core too. If you are on an older branch (WordPress 4.x etc) because you wanted to wait before installing the latest version because of Gutenberg or a custom theme compatibility you still need the latest update in that version. Those can be found here:
    https://www.ads-software.com/download/releases/
    WordPress sometimes patches their older releases if they find a vulnerability so make sure to update your version if needed. We, of course, recommend that you update to the latest version.

    As a rule, any time I think someone’s site has been compromised I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure and do this.

    Additionally you might find the WordPress Malware Removal section in our free Learning Center helpful.

    If you are unable to clean this on your own there are paid services that will do it for you. Wordfence offers one and there are others. Regardless if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Let me know if you have any questions!

    Thanks!

  • The topic ‘.htaccess hacked by a malware not discovered by Wordfence’ is closed to new replies.