WordPress.org

1. drashok
   Member
   Posted 3 months ago #
   

   Hi,
   Compliments to Maunder for Wordfence Security Plugin.

   My site was hacked 3 days ago.
   3 days prior to that I had installed "WebsiteDefender WordPress Security".

   12 hours ago I installed and activated "Wordfence Security". I got om my dashboard warning of 50 (precisely 50, not a round figure) attempted logins in just one scan of "Wordfence Security".

   Below is a sample:
   

   <blockquote>
   United States Saint Louis, United States attempted a failed login using an invalid username "admin".
   IP: 66.154.54.43  [block]
   17 minutes ago
   Canada Montreal, Canada attempted a failed login using an invalid username "admin".
   IP: 108.163.128.206  [block]
   17 minutes ago
   Cayman Islands Cayman Islands attempted a failed login using an invalid username "admin".
   IP: 74.117.220.10  [block]
   Hostname: ns10.dnchosting.com
   17 minutes ago
   Vietnam Ho Chi Minh City, Vietnam attempted a failed login using an invalid username "admin".
   IP: 118.69.198.230  [block]

   I am impressed with Wordfence Security plugin's functioning (it has been only 12 hours since activation).

   I know what it means when your site is hacked.

   Best wishes,
   Dr. Ashok Koparday

   http://wordpress.org/extend/plugins/wordfence/

2. leejosepho
   Member
   Posted 3 months ago #
   

   Agreed.

   i installed Wordfence Security just yesterday, and my first scan revealed some altered plugin files where someone had apparently been trying to break in...and then just a little later, it showed where someone else had been trying.

   Valuable plugin.

3. drashok
   Member
   Posted 3 months ago #
   

   To
   Mark Maunder,
   CEO Wordfence

   Hi Mark,
   
   Can you tell if this is hacker's code?

   My site was hacked on 1st February 2013. Perhaps you can recognize the message displayed on my website. It appears the hacker is saying something in triumph.

   hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz hacked by haxorsistz

   Server host restored my website with one month previous backup.

   1.
   Wordfence warned me today of a file found in wp content > W3 Total Cache's > object cache that may contain malicious executable code. I see a lot of garbage characters in the file.

   Status New

   This file is a PHP executable file and contains a line 2201 characters long without spaces that may be encoded data along with functions that may be used to execute that code. If you know about this file you can choose to ignore it to exclude it from future scans.

   Before I delete this file I wish to know if this is indeed a malicious code. How much is your suspicion graded 1 to 10?
   Would you like to get a copy of that file?

   2.
   How does Wordfence Security " _ _ _Repair infected core, theme and plugin files_ _ _"? Is it by notifying changes in the files?

   I have gone through most of the links at WordPress Codex related to what to do if site is hacked and how to prevent.

   I am reading the documentation on your http://www.wordfence.com website.

   3.
   I have daily backups of my site prior to the hacking.
   If any one of your team be interested in finding how/why of the hack I can give the backup.

   Mark, any other suggestions you may have to offer are welcome.

   High regards,

   Dr. Ashok Koparday

4. drashok
   Member
   Posted 3 months ago #
   

   Hi Mark,

   In another warning
   "Modified plugin file: wp-content/plugins/wordpress-seo/languages/wordpress-seo-hu.mo" I see garbage characters.

   Thanks,
   Dr. Ashok Koparday

5. mmaunder
   Member
   Plugin Author
   Posted 3 months ago #
   

   Hi,

   Yes you can send the infected file to mark at wordfence dot com and I'll take a look. Please note that I can't spend too much time doing email support for free customers, but I'll do what I can.

   Regards,

   Mark.

Reply

You must log in to post.