• Since 7.11 I have been fighting repeated attacks on our website
    I installed the free version of the Wordfence plugin, which helped me remove some vulnerabilities, but the attacks continued. The scan found 48 new findings, 39 critical and 9 high severity.
    Some parts of the findings were categorized as backdoor PHP/a1b2.15070.
    I cleaned the site, no findings were detected.
    I have Eset antivirus installed on my laptop, which is still blocking me from communicating with https://hudbaaslovo.cz.


    On the morning of 16.11. new findings appeared
    Critical issues:

    • File appears to be suspicious or dangerous: wp-includes/blocks/legacy-widget/.e733b7df.css
    • File appears to be suspicious or unsafe: wp-includes/load.php
    • File appears to be suspicious or unsafe: index.php

    Problems of high severity:

    • Unknown file in WordPress core: wp-includes/blocks/legacy-widget/.e733b7df.css
    • Modified WordPress core file: index.php
    • Modified WordPress core file: wp-includes/load.php

    All findings have been removed or corrected.

    This morning (18.11.) scan detected 31 findings in which several backdoors were identified.
    PHP/lfi.11719
    PHP/SerializeIt.A.13398
    PHP/commented.13352
    PHP/RCE.obfuscated.11616
    PHP/commented.13385

    Can you advise me how to proceed to get rid of similar attacks? No unwanted activity is visible in activite.log.

    Thank you

    Luboš

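One way to check the kind of findings listed above (a modified core file, an unknown file under wp-includes) independently of the plugin, as an added example that is not code from this thread or from Wordfence: it compares an install with the per-version MD5 list that api.wordpress.org publishes, and the constructed demo install reproduces all three finding types offline. Re-running it a day after a clean is also a quick way to see whether patched core files have been changed again.

```python
import hashlib
import json
import os
import tempfile
import urllib.request

CORE_DIRS = ("wp-admin", "wp-includes")  # no unlisted file belongs under these

def fetch_checksums(version, locale="en_US"):
    """Download the official MD5 list for one core version (needs network)."""
    url = f"https://api.wordpress.org/core/checksums/1.0/?version={version}&locale={locale}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)["checksums"]

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def verify_core(root, checksums):
    """Return sorted (modified, missing, unknown) paths relative to root."""
    modified, missing, unknown = [], [], []
    for rel, expected in checksums.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected:
            modified.append(rel)
    for core_dir in CORE_DIRS:
        for dirpath, _, names in os.walk(os.path.join(root, core_dir)):
            for name in names:  # os.walk lists dotfiles too, so hidden drops show up
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    unknown.append(rel)
    return sorted(modified), sorted(missing), sorted(unknown)

def build_demo_site():
    """Constructed sample install: genuine, altered, absent and hidden files (the hidden path is from the scan above)."""
    root = tempfile.mkdtemp()
    genuine = b"<?php\n// genuine core file\n"
    listed = {"index.php": genuine, "wp-includes/load.php": genuine,
              "wp-includes/version.php": genuine}
    checksums = {rel: hashlib.md5(data).hexdigest() for rel, data in listed.items()}
    on_disk = {"index.php": genuine,
               "wp-includes/load.php": genuine + b"/* unexpected appended code */\n",
               "wp-includes/blocks/legacy-widget/.e733b7df.css": b"not really css\n"}
    for rel, data in on_disk.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, checksums
```

Against a real install, pass `fetch_checksums("<core version>")` and the site root to `verify_core`; anything reported as unknown or modified is worth inspecting before the next clean.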

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @lubos55, sorry to see you’ve been having trouble with malicious code on your site.

    When you refer to 7.11 as the time you started noticing problems, and then 16.11 and 18.11, are those intended to be Wordfence versions or am I missing a detail? It may be 7.11.6 and 8.0.1 you’re referring to, but either way I don’t think the version of Wordfence would be as important to detecting new malware as the malware signatures, firewall rules etc. These would be updated regularly regardless of the latest version of the plugin at the time.

    It’s highly likely from your description that your site is affected to the point where your first clean may have not removed every detail, allowing the malicious code to be regenerated.

    Unfortunately we can’t follow a site cleaning through step-by-step here on the forums, but we do have some excellent resources, an internal point of contact, and general advice that can assist you. You should try the following checklist if you didn’t with your original clean:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    You might find the WordPress Malware Removal section in our free Learning Center helpful for this too.

    Make sure all of your plugins and themes are up-to-date and that WordPress core is on the latest version. As a rule, any time someone thinks their site has been compromised, we tell them to update the passwords for their hosting control panel, FTP, WordPress admin users, and database in order to cover the key access points where somebody could change or upload things on your site. Make sure to do this!

    Check for administrative users you don’t recognize in WordPress > Users > All Users, just in case there is anything suspicious there. Delete any that you know shouldn’t have this kind of access.

    If you (or Wordfence) find files/code that are suspicious, but you’re unsure of the next steps, you can send files/code to samples @ wordfence . com. If you do, just make sure to remove any database credentials or keys/salts in any files you do send over. Our team could help identify real threats from false-positives and advise on steps that may need to be taken from there.

    If you’re unable to clean the site without assistance, we do offer paid services. Site cleaning services are available from other sources too. Please contact presales @ wordfence . com if you’d like to discuss things further as we can’t go into detail here on the forums.

    Whether you choose to follow our guides yourself, or let someone else take a look, we recommend that you always make a full backup of the site beforehand.

    Many thanks,
    Peter.

    Thread Starter lubos55

    (@lubos55)

    Thanks for the advice. I applied some of them before I wrote this post. I also checked users and plugins. For plugins, I have a problem with the “Meta pixel for WordPress” plugin not being active. There could be a connection to the attack, but it can’t be uninstalled. Would you have any advice on how to get rid of this plugin? Can I cancel it via FTP access?

    I am not able to search for suspicious files myself. I rely on Scan Wordfence and with its help I have been able to clean the site so far. I am surprised, however, that new findings of suspicious files appear after some time. In part, these are indeed new files in terms of Scan. My explanation is that these are new vulnerabilities that correspond to new signatures. However, I can’t explain that even files that I patched hours/days ago have been changed.

    To explain. The numbers I have given in the text represent the date. For 7.11. (November 7) I forgot ‘.’.

    Luboš

    @lubos55 Unfortunately, some website security scanners as well as some antivirus products are still reporting live malware on your website. I’ve tested it and still see it redirecting to livedashboard and other malicious websites.

    Thread Starter lubos55

    (@lubos55)

    I am not aware of any active redirects outside of hudbaaslovo.cz. However, I am aware of a problem related to another attack that took place at the end of August. At that time, our site was exploited for apparently illegal Casino related games. The site was cleaned by a specialized company. To this day, however, there are attempts to contact the defunct site.
    Google Search Console shows me that we have 1,464 pages that are not indexed and have a status of Not Found (404).
    Examples:
    https://hudbaaslovo.cz/2024/08/21/guru-casino-bonus-bez-vkladu-50-free-spins/
    https://hudbaaslovo.cz/2024/08/21/automaty-honey-honey-honey-online-zdarma/
    https://hudbaaslovo.cz/2024/08/21/automaty-floating-dragon-hold-and-spin-online-zdarma/

    As for the redirects, it’s the same cause. Someone has saved a non-existent page in their bookmarks and is trying to contact the non-existent page. There are 44 of these cases. I have checked these pages individually to see if there are any active redirects left. The result of my check is that there are no redirects outside of hudbaaslovo.cz.
    Examples:
    https://hudbaaslovo.cz/?p=4165
    https://hudbaaslovo.cz/?p=3770

    Thank you for the advice.

    Luboš

    Thread Starter lubos55

    (@lubos55)

    I looked at the audit log for the last month and there is not a single event. Does that mean the hacker cleaned up after himself?

    Luboš
