Viewing 6 replies - 1 through 6 (of 6 total)
  • Thread Starter sarumbear

    (@sarumbear)

    Further to above I have the following on the log. Does the user ‘System’ mean hackers in fact logged into the VPS and uploaded the files directly?

    Warning system ::1 File modified wp-load.php (old size: 2714; new size: 2804)
    Warning system ::1 New file added wp-content/themes/ajax/themes-config.php (size: 23838)
    Warning system ::1 New file added wp-content/themes/ajax/index.php (size: 386)

    When an event is marked with the username “system” and the IP address “::1” it means that an internal action was executed; in this case the report with a list of modified files is generated by the plugin itself from inside the website, so there is no user interaction. That is why the plugin shows “system”.

    Reading the alert that you received via email, you can see that a user account named “tester (Aimee)” was the one used to upload the “ajax.zip” file using the WordPress built-in media file upload form. Later the plugin scanned the project and found two new files inside a theme named “ajax” and a modification of a WordPress core file named “wp-load.php”.

    If you go to these two URLs [1] [2] which point to the uploaded files you can see a black page with Chinese characters and a blank page respectively. The first page contains a form with a label that reads “Enter password” and the second text reads something like “Please be used for illegal purposes is not responsible for the consequences of!”.

    With this information I would be worried; it is possible that someone got access to the mentioned user account and decided to upload a backdoor. I would definitely delete those two files and restore the original content of the “wp-load.php” file too.

    Let me know if you need more information.

    [1] https://tomboogie.net/wp/wp-content/themes/ajax/themes-config.php
    [2] https://tomboogie.net/wp/wp-content/themes/ajax/index.php

    Thread Starter sarumbear

    (@sarumbear)

    Thank you for your continuing help.

    I missed the malicious theme folder, which I have deleted.

    However, I cannot find the file ‘ajax.zip’ anywhere. I have deleted the malicious admin user ‘tester (Aimee)’ along with all posts done by it. Will the media file upload be deleted as well, as it is a post? If so, why is there a log for it on Sucuri, or am I missing another setting?

    I have also recovered the modified WP core file.

    Meanwhile, Sucuri reports lots of deleted posts but there was only one Auto Save in the trash, which WP hasn’t recovered, possibly because it was an empty post? What are the other posts and where are the deletes?

    Warning system 168.144.187.102 Post deleted; identifier: 712
    Warning system 168.144.187.102 Post deleted; identifier: 711
    Warning system 168.144.187.102 Post deleted; identifier: 710
    Warning system 168.144.187.102 Post deleted; identifier: 709
    Warning system 168.144.187.102 Post deleted; identifier: 708
    Warning system 168.144.187.102 Post deleted; identifier: 707
    Warning system 168.144.187.102 Post deleted; identifier: 706
    Warning system 168.144.187.102 Post deleted; identifier: 705
    Notice Aimee 117.22.67.35 Media file added; identifier: 712; name: ajax.zip; type:
    Notice Aimee 117.22.67.35 User authentication succeeded: Aimee

    Finally, those deletes seem to be done at the server, as that IP is the server’s IP, but my server log doesn’t show any unknown activity. Furthermore, if a file had been uploaded to locally access the DB, Sucuri should have notified me, but it hasn’t.

    This thread is becoming increasingly like I’m asking you to diagnose a hacking, but I’m sure many people will benefit by reading my saga and hopefully protect their system better.

    Thread Starter sarumbear

    (@sarumbear)

    I’m not a programmer, hence I’m afraid the contents of the link are above my knowledge level.

    Yes, I can explain what is happening. I doubt people will benefit from this explanation because most of the time they just read the title, so they generally do not get to read the comments that are at the end of the thread. I will try to elaborate this and give more information in an official article in the “Sucuri Knowledge Base” website [1].

    There are two things mixed in the same audit logs, so I will explain them separately. The first one is the upload of the “ajax.zip” file and consequently the injection of the (supposedly) malicious code. The second is the logs pointing to a deletion of some posts.

    Upload of Malware

    The scenario was like this: A malicious person got the credentials to access one of the user accounts registered in the website, he/she continued to check if the privileges of the account were sufficient to inject malicious code, then went to the “Media Library” page and uploaded a file named “ajax.zip”. It seems like the archive contained a valid theme, and WordPress generally extracts the content of any compressed file related to a plugin/theme and then deletes the archive when the operation succeeds; this is why you did not find the “ajax.zip” file but only the PHP files under the /wp-content/themes/ajax/ directory.

    Note that this is only an assumption, I do not really know who accessed your site nor his/her intentions because I do not have access to the logs to run a professional forensic audit.

    Posts Deleted

    The logs with the text “Post deleted; identifier: ###” are not malicious, at least not in this case. There could be three scenarios that will generate these logs. One is a manual deletion of a post or page, second is the auto deletion of the drafts if you configured WordPress to do this, and third is a deletion of a temporary post created by a plugin. The latter is the most common reason that I have seen in the wild.

    I have found that many plugins that offer custom forms for a contact page, feedback, billing, etc. create temporary entries in the “wp_posts” table before the data stored there is sent via email to someone else, or until the entry expires, or something like that.

    This is why I decided to add a panel in the plugin’s settings page named “Ignore Alerts” which contains a list of custom post types that are mainly created by WordPress to manage different entries in the same database table: for people that do not know, WordPress stores the posts and pages (among other things) in the same table and uses a column named “post_type” to distinguish between them. You can use the “Ignore Alerts” panel to force the plugin to not send email alerts about post deletion of custom post types.

    Conclusion

    You already deleted the suspicious PHP files that were injected, good. Now you have to check if there are new user accounts and delete them. Also go to the “Post-Hack” page and reset the password of the users that you do not trust, generate new WordPress secret keys, and reset the plugins that are active. This will do the trick.

    Optional

    I also recommend that you check our Web Application Firewall – CloudProxy [2] [3]; it has awesome features that you may want to use to protect your site against future attacks. Let me know if you need more information.

    [1] https://kb.sucuri.net/
    [2] https://cloudproxy.sucuri.net/
    [3] https://sucuri.net/website-firewall/
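The two replies above explain how to read these audit-log lines: “system” with “::1” is the plugin’s own scanner reporting from inside the site, a logged-in user shows up with their username and remote IP, and a media upload is itself a row in “wp_posts” (which is why its identifier, 712, turns up again in a “Post deleted” line). The helper below is an added example, not code from Sucuri or from anyone in this thread; it parses the lines quoted in the thread (constructed here as the sample input, newest first as the plugin lists them), separates internal events from user actions, and flags the findings a defender would want surfaced: a modified core file, new PHP files under wp-content, an archive uploaded through the Media Library, and an attachment identifier that was later deleted. The “level user ip message” field layout is an assumption taken from the quoted lines only.

```python
"""Triage helper for Sucuri-style WordPress audit log lines (added example)."""
import re
from collections import Counter

# Constructed sample input: the lines quoted in this thread, newest first.
SAMPLE_LOG = """\
Warning system ::1 File modified wp-load.php (old size: 2714; new size: 2804)
Warning system ::1 New file added wp-content/themes/ajax/themes-config.php (size: 23838)
Warning system ::1 New file added wp-content/themes/ajax/index.php (size: 386)
Warning system 168.144.187.102 Post deleted; identifier: 712
Warning system 168.144.187.102 Post deleted; identifier: 711
Warning system 168.144.187.102 Post deleted; identifier: 710
Warning system 168.144.187.102 Post deleted; identifier: 709
Warning system 168.144.187.102 Post deleted; identifier: 708
Warning system 168.144.187.102 Post deleted; identifier: 707
Warning system 168.144.187.102 Post deleted; identifier: 706
Warning system 168.144.187.102 Post deleted; identifier: 705
Notice Aimee 117.22.67.35 Media file added; identifier: 712; name: ajax.zip; type:
Notice Aimee 117.22.67.35 User authentication succeeded: Aimee
"""

# Assumed layout of one line: "<level> <user> <ip> <message>".
LINE_RE = re.compile(
    r"^(?P<level>Warning|Notice|Error|Critical)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<message>.+)$"
)

# WordPress root files that only change on upgrade; compared against the full
# relative path so that a theme's own index.php does not match.
CORE_FILES = {"wp-load.php", "wp-settings.php", "wp-blog-header.php", "wp-config.php", "index.php"}
ARCHIVE_EXT = (".zip", ".tar", ".gz", ".phar")


def parse_line(line):
    """Split one audit line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    # "system" + "::1" (IPv6 loopback) is the plugin's scanner, not a login.
    event["internal"] = event["user"] == "system" and event["ip"] == "::1"
    ident = re.search(r"identifier:\s*(\d+)", event["message"])
    event["identifier"] = int(ident.group(1)) if ident else None
    return event


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def actor_summary(events):
    """Count non-scanner events per (user, ip) so unexpected actors stand out."""
    return dict(Counter((e["user"], e["ip"]) for e in events if not e["internal"]))


def triage(events):
    """Return human-readable findings drawn from the parsed events."""
    findings = []
    uploads = {}   # attachment identifier -> (user, ip, filename)
    deleted = set()
    for e in events:
        msg = e["message"]
        m = re.match(r"File modified (\S+)", msg)
        if m and m.group(1) in CORE_FILES:
            findings.append(f"core file modified: {m.group(1)}")
        m = re.match(r"New file added (\S+)", msg)
        if m and m.group(1).startswith("wp-content/") and m.group(1).endswith(".php"):
            findings.append(f"new PHP file under wp-content: {m.group(1)}")
        m = re.match(r"Media file added; identifier: (\d+); name: ([^;\s]+)", msg)
        if m:
            uploads[int(m.group(1))] = (e["user"], e["ip"], m.group(2))
            if m.group(2).lower().endswith(ARCHIVE_EXT):
                findings.append(
                    f"archive uploaded via Media Library by {e['user']} from {e['ip']}: {m.group(2)}"
                )
        if msg.startswith("Post deleted") and e["identifier"] is not None:
            deleted.add(e["identifier"])
    # A media upload is a wp_posts row (post_type "attachment"), so the same
    # identifier reappearing as "Post deleted" ties the two log lines together.
    for ident, (user, _ip, name) in uploads.items():
        if ident in deleted:
            findings.append(f"attachment post {ident} ({name}, uploaded by {user}) was later deleted")
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("actors:", actor_summary(evs))
    for f in triage(evs):
        print("-", f)
```

Run as-is it prints the actor counts (two events for Aimee from 117.22.67.35, eight “system” events from the server’s own address, none for the scanner lines) and the five findings; point `parse_log` at an exported audit log to use it on real data.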

  • The topic ‘Media file added reported but not found on the system?’ is closed to new replies.