Injection Attack?

  • Hi guys
    First time poster here. A client has been having issues for weeks now with 500 errors happening at the same time every day. I have locked down everything I can think of but no success. Installed Wordfence, changed file permissions etc but this script inserts obfuscated code into wp-config and other files and brings the site down. The only thing I can see is a POST /?lhnpj=pdqy (the actual letters vary) in the server logs just before the site goes down. Anyone point me in the right direction with this?
    Thanks in advance

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Sounds like you haven’t yet found the back door.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    If the attack is a POST request on the index.php page.

    Once you have cleaned up the site, if you cannot find the attack code being used, then the injected code will most likely be in that file. If not, then it could well be caused by a misconfigured webserver that is allowing directory traversal from another web repository.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Injection Attack?’ is closed to new replies.