• Resolved Ghostrider07

    (@ghostrider07)


    Hi,

    I have installed Wordfence for the first time on a suspected WP site and, after scanning, received the result below. I need to know what a “supp2 infection” is.

    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “@ $ GLOBALS [$ GLOBALS [ ‘md83e29df’] [43] $ GLOBALS [ ‘md83e29df’] [24] $ GLOBALS [ ‘md83e29df] [.. 96] “. The infection type is: supp2 infection

    Thanks

    https://www.ads-software.com/plugins/wordfence/

Viewing 5 replies - 16 through 20 (of 20 total)
  • Demmetrius,
    your site is infected. You can try to catch the infection by expanding the scope of the Wordfence scan. You do this on the Wordfence options page under “Scans to include”.

    You also want to look at some of these links.

    Update – Still happening. Just had it run through 10 sites. Latest server software, latest Wordfence updated the day before. No idea why Wordfence isn’t able to stop backdoor installations.

    FTP and mail are disabled on my server, and only SSH login with keys is allowed. Long and difficult user/passwords on all sites.

    Hi grumblenz,
    there are a few different scenarios, for example

    1. You have a plugin installed that has a security hole that allows them in
    2. Your site is compromised via another site on the same server

    I would recommend that you check the last modified timestamp on the files when they change, then inspect the server's access logs to see if you can figure out which plugins/themes may be involved in the compromise.

    There are 100 sites on the server. I’ve manually checked all the plugins against the ones listed as hacked but to no avail. That’s 1500-2000 plugins and themes. Why isn’t Wordfence protecting wp-admin, wp-includes folders?

    Shouldn’t these malware types (Supp2, kidslug etc.) be prevented by Wordfence scanning php uploads in real time?

    With this many sites, premium at $10 per month per site is not an option.

    Sites scan clean, then 1 hour later they are infected again. Endless loop. Simply not possible to uninstall all plugins on a trial and error basis.

    I thought we were protected from site to site hacking with Wordfence?

    Hi grumblenz,
    If you want to protect one site from being infected by other sites it needs to be in an isolated file system. If an infected file has permissions to edit other files, there is nothing any security software can do about that.

    As I already mentioned, you can check the modified timestamp and then investigate the server's access logs to see if you can find any matches. That may help in figuring out where the entry point is, assuming the file mods are triggered from the outside. If they are triggered via cron, that’s going to be more tricky but could also be possible to detect via access logs.

    Best of luck with your site.
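
The timestamp-to-access-log correlation suggested in the replies above, as an added example that is not part of the original thread or of Wordfence. It assumes the web server writes Apache/nginx "combined" format logs; the log lines, IP addresses, dates and file paths are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def recent_php_changes(root, since):
    """Return {path: mtime} for .php files under root modified at or after `since`."""
    changed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.stat(full).st_mtime, timezone.utc)
                if mtime >= since:
                    changed[full] = mtime
    return changed

def parse_access_log(lines):
    """Return (time, ip, method, path, status) tuples; unparseable lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            entries.append((when, ip, method, path, int(status)))
    return entries

def requests_near_changes(changed, log_lines, window_s=3):
    """For each changed file, list requests logged within window_s seconds of its mtime."""
    window = timedelta(seconds=window_s)
    entries = parse_access_log(log_lines)
    return {path: [e for e in entries if abs(e[0] - mtime) <= window]
            for path, mtime in changed.items()}

# Constructed sample data (documentation IP ranges, hypothetical paths and dates).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2016:03:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [12/Mar/2016:03:14:58 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.7 - - [12/Mar/2016:03:20:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "-"',
]
# In practice this dict comes from recent_php_changes("/path/to/site", since).
SAMPLE_CHANGED = {"wp-includes/class-wp-example.php": datetime(2016, 3, 12, 3, 15, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for path, reqs in requests_near_changes(SAMPLE_CHANGED, SAMPLE_LOG).items():
        print(path, [(e[1], e[2], e[3], e[4]) for e in reqs])
```

A file's mtime can be set by whatever wrote the file, so compare `st_ctime` as well; on a shared server, run the correlation against every site's access log, since the request may have arrived through a different site.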

  • The topic ‘Re: scan result’ is closed to new replies.