• My server has been infected by these files

    wp-apps.php
    wp-count.php

    Our host said to update all plugins and WordPress core files, but even after that it is still returning to the site’s root install.

    Once it is there, it changes the Themes folder footer.php file and adds

    <?php error_reporting(0);include_once $_SERVER['DOCUMENT_ROOT'].'/wp-apps.php';?>

    This actually occurs on the WP installs that are most current. I have 2.8.5 installs for many sites and not one of them gets infected like the 3.4.1 and 3.4.2 versions.

    Anyone have any idea of how to contain this?

Viewing 12 replies - 1 through 12 (of 12 total)
  • Thread Starter surfintica

    (@surfintica)

    Funny but we paid $189 to Sucuri and they keep claiming to fix the problem but it keeps coming back to the very same site.

    Also their scanners do not see any malware.

    This is a pervasive issue that is coming from somewhere in the code. All themes using timthumb have been hardened

    https://www.ads-software.com/support/topic/268083#post-1065779 3 years old

    All others have tried except secret key in wp-config.php file

    Hello, I’m having this same issue, and it’s coming back every month, please help!!

    @mfleysher – if it keeps coming back, you’re not getting it completely cleaned up or some backdoor is being left open. Did you go through ALL of those articles listed above?

    Perhaps you should consider paying someone to help you – Sucuri is quite well regarded or you can post a job listing here:

    https://jobs.wordpress.net/

    We really don’t recommend responding to any offers of help (paid or not) from people you don’t know from a public forum.

    Thread Starter surfintica

    (@surfintica)

    @mfleysher

    How I was able to eliminate the problem once and for all, was to keep the files in the install folder. BUT I deleted all of the content in each file. So the hack cannot re-create the file since there already exists the same file it is trying to create.

    Do this and it will go away.

    BTW I performed all of the suggestions in the links above but none of them worked. And Sucuri might be well regarded but they did nothing to resolve this problem. NOTHING for $189 per year.

    I ended up hardening all sites using Better WordPress Security or something like that and I have not had one problem since then.

    @surfintica

    Interesting solution. I will have to try that.

    The WordFence plugin used to find and fix these, but it hasn’t detected these lately. The Sucuri scan and plugin have never found these wp-apps and wp-count hacks.

    Since this thread has not posted a link to the URL (infected site) for others to review, can’t we all just use it as utter speculation (at best, or a point missed?)

    @surfintica

    I had the same infection three times, on three websites protected by Better WordPress Security, while using all measures suggested by the web hoster and other services. I’m at my third ‘cleaning’ and restoring of the websites now, and going to adopt your suggestion which seems very logical (thanks, btw!), I just added a 444 to them for better protection against rewriting or deletion, hope this helps too.

    @everybody

    The infection doesn’t just create the wp-count and wp-apps fake and infected files, it also modifies the theme’s footer (and header, sometimes) and infects some other WordPress system files, so a general update to the CMS, plugins and themes is always advisable in these cases. Hope this helps, please keep the thread updated about your experiences if possible, thanks!
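
The indicators reported in the posts above (wp-apps.php and wp-count.php in the site root, plus the include line injected into a theme's footer.php or header.php) can be checked across many installs with a short script. This is an added example, not part of any post in the thread; the function names and the sample tree it builds are constructed for illustration.

```python
import os
import re
DROPPED = ("wp-apps.php", "wp-count.php")  # file names reported in the thread
# The injected line quoted in the first post: an include of a dropped file
# whose path is built from $_SERVER['DOCUMENT_ROOT'].
INJECT_RE = re.compile(
    r"include(?:_once)?\s*\(?\s*\$_SERVER\[\s*['\"]DOCUMENT_ROOT['\"]\s*\]"
    r"\s*\.\s*['\"]/(?:wp-apps|wp-count)\.php['\"]")

def scan_site(root):
    """Return sorted (finding, relative_path) pairs for one WordPress root."""
    findings = []
    for name in DROPPED:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            # Zero bytes = the emptied placeholder described in the thread.
            kind = "placeholder" if os.path.getsize(path) == 0 else "dropped-file"
            findings.append((kind, name))
    themes = os.path.join(root, "wp-content", "themes")
    for dirpath, _dirs, files in os.walk(themes):
        for fname in (f for f in files if f.endswith(".php")):
            full = os.path.join(dirpath, fname)
            with open(full, encoding="utf-8", errors="replace") as fh:
                if INJECT_RE.search(fh.read()):
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    findings.append(("injected-include", rel))
    return sorted(findings)

def build_sample_site(root):
    """Write a small constructed site tree (sample data, not a real capture)."""
    theme = os.path.join(root, "wp-content", "themes", "example")
    os.makedirs(theme)
    samples = {
        os.path.join(root, "wp-apps.php"): "<?php /* constructed stand-in */ ?>\n",
        os.path.join(root, "wp-count.php"): "",  # emptied placeholder
        os.path.join(theme, "header.php"): "<?php wp_head(); ?>\n",
        os.path.join(theme, "footer.php"): "<?php wp_footer(); ?>\n<?php error_reporting(0);"
            "include_once $_SERVER['DOCUMENT_ROOT'].'/wp-apps.php';?>\n",
    }
    for path, text in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(scan_site(tmp))
```

The findings are symptoms of reinfection only; an empty result says nothing about how the files were written in the first place.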

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I’m at my third ‘cleaning’ and restoring of the websites now

    You’re not closing the door that the attacker is walking in via. It’s an often repeated set of links but here goes (again):

    You need to start working your way through these resources:
    https://codex.www.ads-software.com/FAQ_My_site_was_hacked
    https://www.ads-software.com/support/topic/268083#post-1065779
    https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    https://ottopress.com/2009/hacked-wordpress-backdoors/

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress
    https://sitecheck.sucuri.net/scanner/
    https://www.unmaskparasites.com/
    https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

    Hope this helps, please keep the thread updated about your experiences if possible, thanks!

    No don’t do that. Really don’t.

    Everyone’s installation is different. They’re on different hosts, with different versions of PHP, with different PHP configs, etc. Keeping all these “I’m hacked!” replies on one thread doesn’t do anything to address the problem that you are having.

    If you keep getting hacked even after performing all the steps listed above then consider changing hosts. It’s the one thing that you may not be able to control and switching to another host may be your last and only option.

    That or you’re not finding the means that the attacker made it into your system. If you don’t close the door on the attackers then it doesn’t matter what you do. They’ll just keep coming back.

    @jan, just keeping posting those URLS doesn’t solve the problems, users need help in figuring out the specific issue, for example hints like these: https://www.krizalys.com/article/multi-wordpress-hack
    I know everyone has a different server configuration and so on, but attacks like this have common issues and working together in finding them and helping each other to solve the problem is what the community needs, not just a list of URLs with generic advice about security. Sorry for being a little rude, but this is the truth, right now.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Really? How far did you get with those links? The link that you posted does not contain a proof-of-concept and doesn’t even explain how the exploit happened.

    I know everyone has a different server configuration and so on

    Exactly and that was the point of this paragraph.

    Everyone’s installation is different. They’re on different hosts, with different versions of PHP, with different PHP configs, etc. Keeping all these “I’m hacked!” replies on one thread doesn’t do anything to address the problem that you are having.

    Aside from you not successfully delousing your installation, is this common to a VPS/dedicated server, a shared hosting on one server plan, using suPHP, nginx, Apache2, lighttpd, an exploit that was covered in the 3.5.2 security update, is it a plugin exploit, is it something inherent to a theme or theme provider framework?

    See what I mean? Playing pile on the topic doesn’t help the original poster or anyone else for that matter.

    Sorry for being a little rude, but this is the truth, right now.

    Being rude within limits is acceptable. Arguing with forum moderators? Not really a good idea. And your “truth” really is not a solution either.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    just keeping posting those URLS doesn’t solve the problems, users need help in figuring out the specific issue

    Sorry, but all we can do is give advice. We are all volunteers here and if the advice we give is not to a standard you accept then you are welcome to use a paid service like Code Poet.

    but attacks like this have common issues

    Even if your issue was exactly the same as the original poster’s, piggy-backing off someone else’s support is not something we encourage here. Be polite and create your own thread to discuss your own issue.

  • The topic ‘wp-apps.php hack’ is closed to new replies.