Forum Replies Created

Viewing 7 replies - 1 through 7 (of 7 total)
  • Joel Masci

    (@joelmasci)

    Scans might not always find stuff in your theme folder, or in plugins that are not official plugins. Apart from the usual (which I’m sure if you search the WordFence site you will find generic instructions for cleanup), I would check the theme and plugin files for anything suspicious.

    Joel Masci

    (@joelmasci)

    There is also malicious code in your functions.php files in probably all your themes, and if you have more than 1 website in the same environment those are probably infected also. Also look out for wp-vcd.php in wp-includes as well as the other 2 you mentioned, and wp-includes/post.php will have a line at the top that needs to be removed also. Don’t just use my advice though, Google it.

    Joel Masci

    (@joelmasci)

    This is a hack, and a common one, and one I am working on as we speak. I didn’t read your whole post. Lots of stuff on the internet about it however.

    Joel Masci

    (@joelmasci)

    In short, the code found in functions.php, wp-vcd.php and wp-tmp.php creates the code in the other files each time the code is run. You definitely won’t get anywhere unless you ensure nobody is visiting the site while you clean the files. I suggest commenting out the code at first because the code checks files to see if it has an exact string anywhere in the file as an indicator of whether the file needs the code to be added. Even logging in to wp admin or performing any action such as a security scan or even activating a plugin via wp-cli will actually cause the code to run, possibly reinserting itself to where it previously was. The other issue is other WordPress installs in the same hosting environment, since if those are contaminated then the code may reappear. Some more testing is needed as I potentially have not found all sources of the code, and many things I’m unsure of. But one thing is for sure is that trying to debug by logging into wp admin on a live site will probably not work. Best to start with a fresh WordPress install, delete and reinstall all plugins, then move theme files over while being careful to remove infected code first. Even if you attempt to deactivate your theme, thinking that code in functions.php won’t run, it’s possible the hacker visits that URL directly, causing it to run. So try the commenting first, then deleting solution, and use a fresh install if that doesn’t work.
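
A read-only check for the files named in the reply above, covering every WordPress install under one hosting directory. It is an added example, not code from this thread or from Wordfence; the function names and the byte strings in `MARKERS` are assumptions, and it only reads files, so it never runs the site's PHP.

```python
import os

# File names come from the thread; using them as search strings is an assumption.
DROPPED = ("wp-vcd.php", "wp-tmp.php")
MARKERS = (b"wp-vcd.php", b"wp-tmp.php")

def find_installs(hosting_root):
    """Yield every directory under hosting_root that looks like a WordPress root."""
    for dirpath, dirnames, _ in os.walk(hosting_root):
        if "wp-includes" in dirnames and "wp-content" in dirnames:
            yield dirpath

def _read(path, limit=None):
    """Return file bytes (optionally only the first `limit`), or b'' if unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read() if limit is None else fh.read(limit)
    except OSError:
        return b""

def scan_install(wp_root):
    """Return (path, reason) findings for one install, reading files only."""
    findings = []
    inc = os.path.join(wp_root, "wp-includes")
    for name in DROPPED:
        path = os.path.join(inc, name)
        if os.path.exists(path):
            findings.append((path, "dropped file present"))
    # The thread says post.php gains a line at the top; flag a first line
    # that mentions one of the dropped files.
    post = os.path.join(inc, "post.php")
    first_line = _read(post, 4096).split(b"\n", 1)[0]
    if any(m in first_line for m in MARKERS):
        findings.append((post, "first line references dropped file"))
    # Check functions.php in every theme, active or not.
    themes = os.path.join(wp_root, "wp-content", "themes")
    for dirpath, _, filenames in os.walk(themes):
        if "functions.php" in filenames:
            path = os.path.join(dirpath, "functions.php")
            if any(m in _read(path) for m in MARKERS):
                findings.append((path, "references dropped file"))
    return findings

def scan_hosting(hosting_root):
    """Scan every install under hosting_root; returns {wp_root: findings}."""
    return {root: scan_install(root) for root in find_installs(hosting_root)}
```

An empty findings list only means these particular names were not seen; it does not show that an install is clean.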

    Thread Starter Joel Masci

    (@joelmasci)

    It’s pw on site, never mind. Debug mode showed it.

    Thread Starter Joel Masci

    (@joelmasci)

    Well, now I have the button. It shows no output in the log when I press it, just a loading animation for a few seconds and then stops, no updates.

    No JS errors. It just triggers admin-ajax with a response of this in about 2.39 seconds:

    {"ok":1,"issueCounts":{"new":0,"ignoreP":0,"ignoreC":0},"nonce":"6668795f0f"}

    Any ideas? On a local install of a different website with the same version of WordFence, things are working as expected. There is a status, when clicking the button it says “contact WordFence to start scan”, but on this site that may be infected, I just get nothing. Status only says idle. Loading animation for 2 seconds then button says “start scan” again.

    Does WF have some caching thing built in, not letting me scan because it recently determined everything was fine?

    Thread Starter Joel Masci

    (@joelmasci)

    Ok so you know, you go to dashboard, and hit the “manage scan” button, and it takes you to the “manage scan” subpage, of the scan page itself.

    It would be very nice to have a link at the top that says back to “scan” landing page, you know, because the page will be highlighted in the sidebar so you might think clicking “scan” from the sidebar is the same as clicking “manage scan” from the dashboard.

    Wasted over an hour on this. Very very very frustrating.
