slywy

There was an update to Jetpack today, and now it’s working.

It looks like WPForms Lite may be the problem . . . this started a couple weeks ago.

I haven’t been able to resolve it yet. The only way to make it go away so far is to deactivate Jetpack, which I like to use for a few things. The DNS checker shows no DNS issues.

@moeo I’m not sure what I could do to get it removed. It doesn’t appear to be affected on, say, Google or Bing.

@slywy?Do you have any other details on what MalCare did? I’m facing your exact same issue. What plugin? What option stored the script? etc.

It said: Script?DELETED?in Table ‘wp_options’

I have the script itself but not sure it’s a good idea to post it?

MalCare seems to have taken care of this so am marking “resolved.”

I have not seen any clicks to the auth my cookie site today for the first time in a couple of weeks at least. Removal of the script may have done it. (I can’t tell what the script is intended to do. It’s a foreign language to me.)

Okay, now I’ve installed and paid for MalCare, which said the site was hacked and reported:

Script?DELETED?in Table ‘wp_options’

I hope that does it . . .

I would suggest check your .htacess file it may have a redirect in there that only happens when you’re referred by known referring agents like google or bing. I think the idea is this evades detection by not replacing the contents if you go in direct via your normal domain.

Good idea, but when I checked the .htaccess file there was nothing in there that would cause this (there was very little in there). I was hoping that was the answer too.

Yeah, I can’t think of anything else I can do with so little info available. I don’t want to be passing malware or whatever on to site visitors or inadvertently sending them somewhere that does. I did find this:

https://radar.cloudflare.com/scan/618138a9-30e2-4c77-9f2d-b2ebba91bdbe/summary

As for the clicks, about the only other thing I can suggest is running a search for “authmycookie” through your server. This wouldn’t be a search in WordPress, but on the file system on your host.

I found this under?logs/slywy.com_443_access_log. I don’t know what it means.

61.22.214.128 – – [28/Nov/2024:18:46:09 -0700] “GET /?s=authmycookie HTTP/1.1” 200 73214

Hi there! First off, have you been able to fix the malware issue? One setting that is often involved with new admin accounts being generated is at?wp-admin > Setting > General > Membership > Anyone can register. If that is on, and the?New User Default Role?under it is set to?Administrator, that can be a problem.

I think I have fixed the malware issue. According to Wordfence and Sucuri, there are no more issues. (Until it happens again.) But I suspect something is lingering somewhere.

“Anyone can register” is unchecked, and the New User Default Role is Subscriber.

As for?authmycookie.com/rt4.php?r3=[different random strings of letters, numbers, and hyphens], like you, I couldn’t find a lot of information. Perhaps there’s a theme or plugin accessing that site periodically? Do you know if these clicks were there before the most recent issues with your site?

These “clicks” started to appear after all the malware attacks, which makes me think something is lingering that Wordfence and Sucuri haven’t found or can’t find. I also eliminated files outside WordPress that had appeared. I’m not sure what else to do.

I’m having the same problem daily for the last week. Wordfence is active (although once they managed to deactivate it). Passwords changed numerous times. Plugins and theme are up to date. I’m really not sure what else to do.

Malicious files affecting the theme and some other things were the culprit. I found one, and Wordfence found the rest.

Dave of Prohosting tech support figured it out, and I’m embarrassed at the solution. While I disabled plugins as a possible cause, it didn’t occur to me to disable the theme (Weaver Xtreme). Once it was switched to the TwentyTwo theme, he was able to update WordPress, and I updated plugins.

A good reminder to check themes as well as plugins.

• This reply was modified 2 years, 4 months ago by slywy.