Webamaze

I will but I’ve been using this theme for 3 years now and it has only just started doing this. There hasn’t been a theme update for a few months.

Hi. I’m getting this problem too with Wordfence highlighting high risk files in the wp-includes/js/tinymce/ folder.

I’ve removed this folder from my C Panel and run another Wordfence scan that shows my WP install as being clean. Go back a hour later and that folder is back again and Wordfence again shows the high risk files.

How is this folder being continually re-created? Would this be the source of the porn re-directs that I’m being plagued with?

I’m getting it too:

https://www.dropbox.com/s/t4hrmqeet310nf8/Screenshot%202020-09-03%2010.15.45.png?dl=0

• This reply was modified 4 years, 6 months ago by Webamaze.

Hi Dave

Do you have any progress news on this problem please. I deleted loads of these porn links this morning and a hour later I have another 24 pages of them.

I still can’t identify the cause my end and wondered if you had found anything.

Phil…

Hi Dave.

Diagnostic test has been sent. I ran a search query for those terms and the chinese dating one came up with:

Search results for “chinese-dating-app-free” all of the words:
0 matches in b2s_posts
0 matches in b2s_posts_network_details
0 matches in b2s_posts_sched_details
0 matches in b2s_post_sched_settings
0 matches in b2s_user
0 matches in b2s_user_contact
0 matches in b2s_user_network_settings
0 matches in drz1_adrotate
0 matches in drz1_adrotate_groups
0 matches in drz1_adrotate_linkmeta
0 matches in drz1_adrotate_schedule
0 matches in drz1_adrotate_stats
0 matches in drz1_adrotate_stats_archive
0 matches in drz1_adrotate_tracker
0 matches in drz1_commentmeta
0 matches in drz1_comments
0 matches in drz1_horizontal_scrolling_hsas
0 matches in drz1_links
0 matches in drz1_masterslider_options
0 matches in drz1_masterslider_sliders
0 matches in drz1_options
0 matches in drz1_postmeta
0 matches in drz1_posts
297 matches in drz1_redirection_404 Browse Delete
0 matches in drz1_redirection_groups
0 matches in drz1_redirection_items
0 matches in drz1_redirection_logs
0 matches in drz1_smush_dir_images
0 matches in drz1_termmeta
0 matches in drz1_terms
0 matches in drz1_term_relationships
0 matches in drz1_term_taxonomy
0 matches in drz1_tm_taskmeta
0 matches in drz1_tm_tasks
0 matches in drz1_usermeta
0 matches in drz1_users
0 matches in drz1_wfBlockedIPLog
0 matches in drz1_wfBlocks7
0 matches in drz1_wfConfig
0 matches in drz1_wfCrawlers
0 matches in drz1_wfFileChanges
0 matches in drz1_wfFileMods
0 matches in drz1_wfHits
0 matches in drz1_wfHoover
0 matches in drz1_wfIssues
0 matches in drz1_wfKnownFileList
0 matches in drz1_wfLiveTrafficHuman
0 matches in drz1_wfLocs
0 matches in drz1_wfLogins
0 matches in drz1_wfls_2fa_secrets
0 matches in drz1_wfls_settings
0 matches in drz1_wfNotifications
0 matches in drz1_wfPendingIssues
0 matches in drz1_wfReverseCache
0 matches in drz1_wfSNIPCache
0 matches in drz1_wfStatus
0 matches in drz1_wfTrafficRates
0 matches in drz1_yoast_seo_links
0 matches in drz1_yoast_seo_meta
Total: 297 matches

——————————————-

As you can see it came up in the 404’s. drz1_redirection_404

Hi Dave.

As you can see /khfc/ is a subfolder of harriers-online.co.uk so I have two .htaccess and user.ini files.

The first two are from harriers-online and the second two are from /khfc/

I don’t see anything suspicious there but you might.

`<blockquote># Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
#end

# Brower leverage
ExpiresActive On
ExpiresByType image/jpg “access plus 1 year”
ExpiresByType image/jpeg “access plus 1 year”
ExpiresByType image/gif “access plus 1 year”
ExpiresByType image/png “access plus 1 year”
ExpiresByType text/css “access plus 1 month”
ExpiresByType application/pdf “access plus 1 month”
ExpiresByType text/x-javascript “access plus 1 month”
ExpiresByType application/x-shockwave-flash “access plus 1 month”
ExpiresByType image/x-icon “access plus 1 year”
ExpiresDefault “access plus 2 days”
#end

#RewriteEngine on
#RewriteCond %{HTTP_HOST} ^harriers-online.co.uk [NC,OR]
#RewriteCond %{HTTP_HOST} ^www.harriers-online.co.uk [NC]
#RewriteRule ^(.*)$ https://harriers-online.co.uk/khfc/ [L,R=301,N]

RewriteEngine On
RewriteRule ^$ /khfc [L]

Options +FollowSymLinks

# Enable mod_rewrite
RewriteEngine On
RewriteBase /

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

# Redirect non-www to www
RewriteCond %{HTTP_HOST} ^domain\.co\.uk$ [NC]
RewriteRule ^(.*)$ https://www.harriers-online.co.uk/$1 [R=301,L]

Redirect /index.shtml /khfc/
# Added automatically by Gridhost panel Wednesday 18th of July 2018 01:00:58 PM
Options -Indexes

# BEGIN cPanel-generated php ini directives, do not edit
# Manual editing of this file may result in unexpected behavior.
# To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
# For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)
<IfModule php7_module>
php_flag display_errors Off
php_value max_execution_time 3000
php_value max_input_time 6000
php_value max_input_vars 1000
php_value memory_limit 2048M
php_value post_max_size 200M
php_value session.gc_maxlifetime 1440
php_value session.save_path “/var/cpanel/php/sessions/ea-php73”
php_value upload_max_filesize 200M
php_flag zlib.output_compression Off
</IfModule>
<IfModule lsapi_module>
php_flag display_errors Off
php_value max_execution_time 3000
php_value max_input_time 6000
php_value max_input_vars 1000
php_value memory_limit 2048M
php_value post_max_size 200M
php_value session.gc_maxlifetime 1440
php_value session.save_path “/var/cpanel/php/sessions/ea-php73”
php_value upload_max_filesize 200M
php_flag zlib.output_compression Off
</IfModule>
# END cPanel-generated php ini directives, do not edit

# php — BEGIN cPanel-generated handler, do not edit
# Set the “ea-php71” package as the default “PHP” programming language.
<IfModule mime_module>
AddHandler application/x-httpd-ea-php71 .php .php7 .phtml
</IfModule>
# php — END cPanel-generated handler, do not edit</blockquote>

<blockquote>; cPanel-generated php ini directives, do not edit
; Manual editing of this file may result in unexpected behavior.
; To make changes to this file, use the cPanel MultiPHP INI Editor (Home >> Software >> MultiPHP INI Editor)
; For more information, read our documentation (https://go.cpanel.net/EA4ModifyINI)

[PHP]
display_errors = Off
max_execution_time = 3000
max_input_time = 6000
max_input_vars = 1000
memory_limit = 2048M
post_max_size = 200M
session.gc_maxlifetime = 1440
session.save_path = “/var/cpanel/php/sessions/ea-php73”
upload_max_filesize = 200M
zlib.output_compression = Off</blockquote>

From /khfc/

<blockquote><ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>

# BEGIN WordPress
# The directives (lines) between BEGIN WordPress and END WordPress are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /khfc/
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /khfc/index.php [L]
</IfModule>

# END WordPress

; Wordfence WAF
auto_prepend_file = ‘/home/harrier1/public_html/khfc/wordfence-waf.php’
; END Wordfence WAF

Thanks Valentine & Jan.

I went through what you said to do and finally the cache has cleared and the re-direction no longer works. Now to find out how they got in.

I have Wordfence installed and that didn’t seem to flag it up. I’ve changed all my passwords now.

Phil…

Thanks Dave.

I did have that checked so that may have been part of the problem. Now to tackle the re-direction problem.

Thanks for your help. A Merry Christmas to you and yours.

Phil…