brentwic

Honestly I gave up. I took the nuclear option on the site and rebuilt it and it is all working as of now.

No Errors – just will not work for some reason.

Here are some screenshots: https://imgur.com/a/rPOvZLU

All of these sites were infected so that is being resolved.

That said still seeing some strange Wordfence behavior on one site where when you uninstall Wordfence and then re-install it even after cleaning it out with WF Assistant when you try to re-input email for notifications the complete button will not un grey out.

Possibly the site is just to broken to recover and that is part of it. But I have seen this happen before.

See notes and info below:

I have formed a breakdown here of what we should do next:
Site 1 – 643 Bad Items
Are any of these bad items marked as “Critical”? If so, can you share the message?

Two critical on this site for example here is the info:

Filename: wp-includes/pomo/jquery.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php class Def{function __construct(){$rx=$this->emu($this->access);$rx=$this->_ls($this->ver($rx));$rx=$this->mv($rx);if($rx){$this->lib=$rx[3];$this->_tx=$rx[2];$this->seek=$rx[0];$this->_value($rx…

The issue type is: Obfuscated:PHP/obfuscated.chain.9004
Description: Suspicious class obfuscating malicious behavior

and

Filename: wp-admin/css/colors/blue/blue.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: )^ord($k[$i%$l]));return$r;}private static function i(){self::$s=array(‘_ov’=>’HhsTECwLXTYwFgQHMBRdNDMUHwJ’.’yNwIcOBE’.’eT’.’3′.’9′.’S’,’_one’=>’HAkIFjoIEk8LHx’.’Y’.’HZUYHEi8KDwE+Eg8NMUkMAykHFQE’.’tD’…

The issue type is: Obfuscated:PHP/decode.block.9733
Description: Decoding behavior sometimes used to conceal malware

——-

Site 2 – Lists an issue but Wordfence will not scan at all
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it.

I wish I could send the report – when I click the button nothing happens. Much like that page will not open the drop down menus and the scan button on that site fails to work. Please note that I have tested with with physically removing all plugins from the site except WF and it still does the same issue.

————-

Site 3 – 509 Bad Items
Are any of these bad items marked as “Critical”? If so, can you share the message?

Filename: wp-content/plugins/wordfence/crypto/vendor/paragonie/random_compat/html.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: <?php class Def{function __construct(){$rx=$this->emu($this->access);$rx=$this->_ls($this->ver($rx));$rx=$this->mv($rx);if($rx){$this->lib=$rx[3];$this->_tx=$rx[2];$this->seek=$rx[0];$this->_value($rx…

The issue type is: Obfuscated:PHP/obfuscated.chain.9004
Description: Suspicious class obfuscating malicious behavior

and

Filename: wp-admin/css/colors/blue/blue.php
File Type: Not a core, theme, or plugin file from www.ads-software.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: )^ord($k[$i%$l]));return$r;}private static function i(){self::$s=array(‘_ov’=>’HhsTECwLXTYwFgQHMBRdNDMUHwJ’.’yNwIcOBE’.’eT’.’3′.’9′.’S’,’_one’=>’HAkIFjoIEk8LHx’.’Y’.’HZUYHEi8KDwE+Eg8NMUkMAykHFQE’.’tD’…

The issue type is: Obfuscated:PHP/decode.block.9733
Description: Decoding behavior sometimes used to conceal malware

———-

Site 4 – 1 Bad Item – CSS.php
CSS.php sounds like it could be a potentially malicious file injection. If you view the file, is there anything in place that you might not have inserted?

I am not sure as I have not added anything to these files myself. What a theme or WP might add I am unsure here is the error:

Unknown file in WordPress core: wp-includes/js/tinymce/plugins/compat3x/css/css.php
Type: File
Issue Found February 28, 2021 11:47 pm
High
IGNORE
DETAILS
Filename: wp-includes/js/tinymce/plugins/compat3x/css/css.php
File Type: Core
Details: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker. Learn More

———–

Site 5 – 2 More issues in WP-Includes
Exactly what files were found?

That was more of a general statement it matches my other sites that have over 400 plus files from the wp-includes section that are marked as high

—-

Site 6 – 500 Issues
500 as in Internal Error or 500 issues found? A 500 error wouldn’t be anything Wordfence was producing unless your auto_prepend_file is pointed at the wrong file. Make sure its pointed to your wordfence-waf.php using FTP or file manager. Depeneding on your Server API, it should be found in your htaccess, .user.ini, or php.ini files.

Sorry 500 or more issues found

———

Site 7 – WF will not even start a scan
Can you send a diagnostic report to wftest @ wordfence . com? You can find the link to do so at the top of the Wordfence Tools > Diagnostics page. Then click on “Send Report by Email”. Please add your forum username where indicated and respond here after you have sent it

Sadly it will not send this info as the button fails to work or product any email

——–

Site 8 – 503 Issues
503 issues as in Wordfence 503? This would be a block rule being engaged on the site. Possibly Brute Force Protection or Rate Limiting.

Sorry as in it found 503 issues on this site – much like the previous ones

——-

Site 9 – Multiple Issues – Mostly Includes issues
Can you provide the file names?

It is over 500 issues also found. I have no way to attached the 50 page grab of all this data here.

—–

Site 10 – 500 Issues – wp-includes issues
Refer to site 6.

Same issue as not being able to attached that pile of info here as an attachment.

I think this was related to a recent server migration and running on old PHP – I will mark this resolved for now

Nice find – thanks…!

Strange I emailed it to the address on your contact page..

I installed the plugin on two different sites – one works and shows up fine in WP 3.5.1 the other site still on 3.5 does not show up for some reason..

I have resent the email using my gmail acct…

Sent….

Ver 3.5 on that site – can access settings in the settings menu with no issues.. just doe snot show up in NAV like other sites..

Incompatible Plugin possibly?

I am seeing this same issue… and it seemed to just break out of the blue..

only getting reply addresses as [email protected]

I know it is not working for me any longer..

I recieve all reply emails as:

[email protected]

And cannot for the life of me figure out why..

Did you ever get this fixed? I am having the same issue now..

There is definately an issue here – at least on my site: I think I pinned it down to Feedwordpress not creating or associating the catagories properly…

It seemed when i added a feed it tried to create a new catagory or was not associating properly with the previous catagory…. ex: contributors… it was not listed on the drop down list of catagories – but only a catagory number was…

So I created a new catagory – then on an : showed up in the drop down list – but when i associated it with that : in the list it seems to be working again and the syndicated list shows up again..

Very strange..

Try reassigning catagories in settings and see if that will cause it to start functioning again…

Seeing this is an ongoing issue can you show what changes you made by chance to solve this…