• In the options panel of Wordfence “Scan posts for known dangerous URLs and suspicious content” is listed.
    This item is checked but the site is continuing to be hacked with code injections into all posts and other areas. Sucuri scanner identified the malware as MW:JS:GEN2?rogueads.unwanted_ads.1. I’ve had to close the website temporarily in the hope of not infecting users’ machines.

    I’ve sifted through the web folders myself, scanned the site with 3 security plugins including Wordfence, they all say it’s clean. It’s definitely not; it’s a danger to any user that visits. What’s going on here?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi, same here. See also this thread which I started a few days ago:

    https://www.ads-software.com/support/topic/mwjsgen2rogueads-unwanted_ads-1/

    Any advice that WordFence can offer would be greatly appreciated.

    I also have this problem and have been unable to fix it. None of the security plugins I have tried detect it, and neither does WPSCAN throw up any red flags when run from the command line. If I discover a solution I will post here on the www.ads-software.com forums.

    P.S. It is possible to remove the malicious scripts from the page/post content; however, after a few hours they reappear again.

    Thread Starter hafman

    (@hafman)

    I’ve found that the hacker used an old dev site (under a sub domain) to get at the databases in my case. They used/are using a MySQL search and replace tool placed in wp-content/upgrade folder to inject ad code into the database.

    Thank you for the info hafman. I do not have any sub domains and nothing in my site’s upgrade folder. I will try to find the MySQL search and replace tool.

    Also, not sure if this matters but hacked site is hosted using TSOHost.

    Has anyone found another source for this? My upgrade folder is empty too. How would I recognise the Search and Replace tool? And the host does seem to be the common factor here.

    Thread Starter hafman

    (@hafman)

    The folder disappeared after a short while. It seems this search-replace tool (a command line interface) has a ‘delete folder’ command so it’s perfect for hackers!

    There must be a way in to directly inject code into your database. Change all your passwords, move stuff, make it tough for them. Try shifting to another host if you can as there might be a vulnerability with yours. They can be quite evasive about security.

    If you can, download the database and set up the site locally with MAMP or similar. Clean out the code carefully with the ‘Search & Replace’ WordPress plugin. Then move it to a reputable hosting company. Move towards having a clean data set to restore the site.

    Or pay Sucuri or Wordfence to do all this. It starts to become pure economics after a while!
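
One way to check a downloaded copy of the database for the kind of script injection into post content described in this thread, as an added example that is not code from any poster here: it scans post content for `<script>` tags that are inline or load from a host outside an allowlist. The sample rows, the host names and the allowlist are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows standing in for (ID, post_content) pairs exported
# from wp_posts; hosts and markup are made up for illustration.
SAMPLE_POSTS = [
    (1, '<p>Hello</p><script src="https://example.com/wp-includes/js/a.js"></script>'),
    (2, '<p>News</p><script type="text/javascript" src="//ads.invalid/x.js"></script>'),
    (3, "<p>Clean post with no scripts</p>"),
    (4, "<p>Inline</p><SCRIPT>document.write('x')</SCRIPT>"),
]

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"example.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def find_suspect_scripts(posts, allowed_hosts):
    """Return (post_id, reason, detail) for every script tag that is inline
    or loads from a host outside allowed_hosts."""
    findings = []
    for post_id, content in posts:
        for attrs, body in SCRIPT_TAG.findall(content):
            src = SRC_ATTR.search(attrs)
            if src is None:
                # Inline script inside post content is unusual; flag for review.
                findings.append((post_id, "inline", body.strip()[:60]))
                continue
            url = src.group(1)
            # Give protocol-relative and relative URLs a scheme so urlparse
            # can separate the host (relative paths yield hostname None).
            host = urlparse(url if "://" in url else "https:" + url).hostname
            if host is not None and host not in allowed_hosts:
                findings.append((post_id, "external", host))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_scripts(SAMPLE_POSTS, ALLOWED_HOSTS):
        print(finding)
```

Because the posters report the scripts reappearing after a few hours, running a check like this on a schedule against fresh exports shows when content is re-injected.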

  • The topic ‘Repeated infections, Wordfence status is ” No security problems detected”’ is closed to new replies.