phil1352
Forum Replies Created
I have a daily backup mechanism up and running, so I can track it down to the 13th of January. All backups before that seem to be clean.
The Post SMTP authorization bypass was published at the beginning of January, as far as I know. So you don't use Post SMTP at all, @vcr38? The initial vulnerability seems to be an older version of Post SMTP.
There was an authorization bypass that is fixed in version 2.2.8 and up. But the infection has already happened, so I'm struggling with the cleanup of the aftermath.
Since I'm running multiple websites for different use cases, I'm also using various plugins, but here is a list of the plugins all my sites have in common:
– Contact Form 7
– Flamingo (for CF7)
– Post SMTP
– Yoast
For the themes I mainly use custom-built themes or the Divi page builder.
@eduardobartelle
Thanks for the quick reply! May I ask what plugin you used to clear the files?
I'm currently using Sucuri in its free version. While it scans for malware and alerts me when the obfuscated files get created, it doesn't remove them.

I am also a victim of the hack with the identifier CVE-2023-6875 [Post SMTP authorization bypass].
All WordPress websites as well as static pages on one of my servers were affected. I have since moved most of the websites to a new server using backups from before the hack. I have also updated all plugins including Post SMTP, as the vulnerability should be fixed from version 2.8.8 (I am using 2.8.11) -> https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/#google_vignette
However, I had to move a single page without a backup and cleaned it up manually beforehand. I installed a fresh WP, copied the Theme folder and restored the database. This went well for about a week until the first obfuscated files reappeared. I have already verified the checksums of the core files using wp-cli and also had Sucuri scan the WordPress instances for malware – everything went smoothly. Has anyone already found a permanent solution to this or any idea what mechanism is used to recreate the files and inject code into existing index.php files?
I am grateful for any input!
I tried to manually remove the obviously malicious code injected into regular files and the obfuscated files as a whole, checked the core WP files with wp-cli checksums, and scanned with Sucuri for malware.
I listed every change that was made in the past days with:
find . -mtime -2 -ls
and went through that list.
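The triage steps described in the posts above (listing recently modified files with `find`, then reading through them for injected or obfuscated PHP) can be scripted so the pass is repeatable after each cleanup. The following is an added example, not code from the thread or from any of the plugins mentioned; the helper names (`list_recent`, `flag_suspicious`, `count_suspicious`, `build_sample_docroot`) and the miniature docroot it builds are constructed for illustration. The marker list (eval, base64_decode, gzinflate, str_rot13) is a starting point for manual review, not a verdict: a hit is a lead, and legitimate plugin code occasionally matches too.

```shell
#!/bin/sh
# Added example (not from the forum thread): a small triage pass over a
# WordPress docroot. It complements `wp core verify-checksums`, which only
# covers core files and says nothing about plugins, themes or uploads.

# list_recent DOCROOT DAYS
#   Print every regular file modified within the last DAYS days
#   (the same idea as `find . -mtime -2 -ls` from the post).
list_recent() {
    find "$1" -type f -mtime -"$2" -print
}

# flag_suspicious DOCROOT
#   Print PHP files (hidden ones included) that contain common obfuscation
#   markers. Each hit is a candidate for manual review, not proof of compromise.
flag_suspicious() {
    find "$1" -type f -name '*.php' -exec \
        grep -lE 'eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(' {} +
}

# count_suspicious DOCROOT
#   Number of flagged files, handy for a "did the cleanup hold?" check in cron.
count_suspicious() {
    flag_suspicious "$1" | wc -l | tr -d ' '
}

# build_sample_docroot DIR
#   Constructed mini docroot: one clean index.php, one index.php with an
#   injected line, and one dropped hidden file. Contents are placeholders,
#   the base64 string decodes to the word "fake".
build_sample_docroot() {
    mkdir -p "$1/wp-content/uploads"
    printf '<?php\n// clean front controller\ndefine("WP_USE_THEMES", true);\nrequire __DIR__ . "/wp-blog-header.php";\n' \
        > "$1/index.php"
    printf '<?php\n// constructed sample of an injected line\n@eval(base64_decode("ZmFrZQ=="));\n' \
        > "$1/wp-content/index.php"
    printf '<?php\n$x = str_rot13("placeholder"); eval($x);\n' \
        > "$1/wp-content/uploads/.cache.php"
}

# Stand-alone run: build the sample tree, show what a triage pass reports.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    build_sample_docroot "$d"
    echo "modified in last 2 days:"; list_recent "$d" 2
    echo "flagged for review:";      flag_suspicious "$d"
    rm -rf "$d"
fi
```

Run it with `--demo` to see the output on the constructed tree, or source the file and call `flag_suspicious /var/www/site` against a real docroot. Because the post reports files reappearing about a week after a clean reinstall, scheduling `count_suspicious` (or `list_recent DOCROOT 1`) daily and alerting on any non-zero result gives an early signal that whatever re-creates the files is still present.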