• Resolved Rik0399

    (@rik0399)


    All my sites are down…

    This is what WF generated …

    Alert generated at Friday 3rd of March 2017 at 05:19:27 PM
    Critical Problems:

    * File appears to be malicious: wp-content/themes/theme1/functions.php

    * File appears to be malicious: wp-content/theme1/variant-landing-page/functions.php

    Database not connecting, sites not loading

    Any ideas please?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter Rik0399

    (@rik0399)

    Further to my last, here is what WF is reporting :

    File appears to be malicious: wp-content/themes/accesspress-store/functions.php
    Filename: wp-content/themes/accesspress-store/functions.php
    File type: Not a core, theme or plugin file.
    Issue first detected: 1 min ago.
    Severity: Critical
    Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: "<?php\x0a\x0aif (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '9567573b5a1ccfe552821463c81e6437'))\x0a\x09{\x0a\x09\x09switch ($_REQUEST['action'])\x0a\x09\x09\x09{\x0a\x09\x09\x09\x09case 'get_all_links'". The infection type is: Backdoor:PHP/get_all_links.
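The alert above quotes the start of the backdoor: a hard-coded MD5-looking password compared against `$_REQUEST['password']`, followed by a `switch` on `$_REQUEST['action']`. A later reply in this thread says every functions.php in the hosting account carried it, including inactive themes, so a scan has to cover the whole tree, not one theme. The script below is an added example, not code from this thread or from Wordfence; it matches the shape of that code rather than one exact byte string (so a different hash is still caught) and also lists any .php file under wp-content/uploads. The sample tree it builds, the placeholder hash and the file names in it are constructed for the example.

```python
"""Scan a WordPress tree for the password-gated $_REQUEST backdoor pattern.

Added example, not code from the thread or from Wordfence. Matches the shape
of the flagged code (MD5-looking password checked against $_REQUEST['password']
next to a switch on $_REQUEST['action']) and lists PHP dropped into uploads.
"""
import os
import re
import tempfile
from typing import List, Optional, Tuple

# Piece 1 of the signature: $_REQUEST['password'] == '<32 hex chars>'
PASSWORD_GATE = re.compile(
    r"""\$_REQUEST\s*\[\s*['"]password['"]\s*\]\s*==\s*['"][0-9a-fA-F]{32}['"]"""
)
# Piece 2 of the signature: switch ($_REQUEST['action'])
ACTION_SWITCH = re.compile(
    r"""switch\s*\(\s*\$_REQUEST\s*\[\s*['"]action['"]\s*\]"""
)


def classify_php(source: str) -> Optional[str]:
    """Return a finding label for one PHP source, or None if it looks clean."""
    has_gate = PASSWORD_GATE.search(source) is not None
    has_switch = ACTION_SWITCH.search(source) is not None
    if has_gate and has_switch:
        return "password-gated $_REQUEST backdoor"
    if has_gate or has_switch:
        return "partial backdoor signature (review manually)"
    return None


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a WordPress install and return sorted (relative path, reason) findings."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # uploads should hold media only; any PHP there is suspect on its own
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file inside uploads directory"))
                continue
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                label = classify_php(fh.read())
            if label:
                findings.append((rel, label))
    return sorted(findings)


# Constructed sample (placeholder hash, not the one from the alert above).
BACKDOOR = (
    "<?php\n\n"
    "if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && "
    "($_REQUEST['password'] == '0123456789abcdef0123456789abcdef'))\n"
    "\t{\n\t\tswitch ($_REQUEST['action'])\n\t\t\t{\n"
    "\t\t\t\tcase 'get_all_links':\n\t\t\t\t\tbreak;\n\t\t\t}\n\t}\n"
)
CLEAN = "<?php\nadd_action('after_setup_theme', 'theme_setup');\n"


def build_sample_site() -> str:
    """Create a throwaway tree: one infected theme, one clean theme, one PHP file in uploads."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    layout = {
        "wp-content/themes/theme1/functions.php": BACKDOOR + CLEAN,
        "wp-content/themes/twentyseventeen/functions.php": CLEAN,
        "wp-content/uploads/2017/03/wp-cd.php": "<?php\n// constructed: a dropped file\n",
        "wp-content/uploads/2017/03/image.jpg": "",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{reason}: {rel}")
```

Run it against a real install with `scan_tree("/path/to/public_html")`; a "partial" hit is worth opening by hand, since the same password gate can front a different action list. The scanner only reports; replacing a flagged functions.php with the copy from a clean theme download is still a manual step.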

    Thread Starter Rik0399

    (@rik0399)

    So should I replace/restore ‘functions.php’ with the original file?

    Thanks

    luhas-wp

    (@sahulap)

    The same here. All sites infected. Please help! Thanks.

    Thread Starter Rik0399

    (@rik0399)

    @sahulap

    It seems that the theme was hacked and a malicious file uploaded.

    This is what I did to resolve the matter :

    (This is really easy to do, simply follow the steps)

    1) Made sure I had a backup,

    2) DO NOT DELETE DATABASE

    3) Deleted/Backed up plugins and uploads dir,

    4) Deleted WP and did a fresh install – DO THIS FROM YOUR CPANEL and NOT ftp!

    5) Uploaded the original theme,

    Then …

    1) Changed the database details in ‘config.php’ to reflect the database, replacing the new WP database details that it created when I did a new install.

    2) Install WF but then check the options and check ‘remove tables’ then ‘deactivate’ it so it removes ‘existing’ wf tables. Then, reactivate it to create ‘new’ tables.

    3) Now, I discovered a clever function in WF – in options, look for ‘Disable Code Execution for Uploads directory’ at the bottom and ‘check’ it. This is where I believe the malicious code was added.

    By checking ‘Disable Code Execution for Uploads directory’ this will stop any code from being executed.

    4) Put the uploads dir back in replacing new one,

    5) Uploaded the plugins dir, then one by one, activate and check that it's ok, and do this for the rest.

    6) When you set up WF, make sure you also set up the ‘firewall’ correctly, although at the time of writing, it's a bugger to get this to work right with the .htaccess file.

    7) Run a WF ‘complete’ scan

    Done!

    Worked for me!

    HTH

    • This reply was modified 7 years ago by Rik0399.
    barnez

    (@pidengmor)

    I would add to that list:

    – scan your local machine for malware
    – check and remove any unknown administrator level users in the WordPress dashboard >> Users and/or in the database
    – change *all* passwords (WordPress dashboard/cPanel/MySQL database) for unique strong versions (15-20 characters) that include special characters such as: (*&^%£:@_+
    – change your salt keys in your wp-config.php file to log out all existing users
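The last item works because WordPress signs its login cookies with the eight AUTH/SECURE_AUTH/LOGGED_IN/NONCE keys and salts in wp-config.php; replace them and every existing session stops validating, including any the attacker still holds. The script below is an added example, not code from this thread or from WordPress. It rewrites the `define(...)` lines in the form the stock wp-config.php uses and keeps a `.bak` copy first; the sample config it carries is constructed, and the alphabet it draws from is a choice made here (printable characters that are safe inside a single-quoted PHP string), not the one WordPress's own key generator uses.

```python
"""Rotate the eight authentication keys and salts in a wp-config.php.

Added example, not code from the thread or from WordPress. The rotation works
on the file's text so it can be tested offline; the main block shows the
read / backup / write round trip on a real file.
"""
import re
import secrets
import shutil
import string
import sys
from typing import Callable, Dict, List, Tuple

SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters that are safe inside a single-quoted PHP string:
# no quote, no backslash, no whitespace (alphabet chosen for this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

# Matches define('AUTH_KEY', '...'); as written in the stock wp-config.php.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>" + "|".join(SALT_NAMES) + r")'\s*,\s*'(?P<value>[^']*)'\s*\);"
)


def new_salt(length: int = 64) -> str:
    """Return a fresh random value from the safe alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config: str, gen: Callable[[], str] = new_salt) -> Tuple[str, List[str]]:
    """Replace every recognised salt define; return the new text and the names rotated."""
    rotated: List[str] = []

    def repl(match: "re.Match[str]") -> str:
        rotated.append(match.group("name"))
        # Building the replacement in a function sidesteps re.sub's backslash handling
        return "define('%s', '%s');" % (match.group("name"), gen())

    return DEFINE_RE.sub(repl, config), rotated


def salt_values(config: str) -> Dict[str, str]:
    """Map each salt name present in the text to its current value."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config)}


# Constructed sample in the layout of a stock wp-config.php.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp_site');
define('DB_USER', 'wp_user');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # No file given: show the effect on the constructed sample
        updated, names = rotate_salts(SAMPLE_CONFIG)
        print(updated)
        sys.exit(0)
    path = sys.argv[1]
    shutil.copyfile(path, path + ".bak")  # keep a copy before rewriting
    with open(path, "r", encoding="utf-8") as fh:
        updated, names = rotate_salts(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    print("rotated:", ", ".join(names))
```

Usage: `python rotate_salts.py /path/to/wp-config.php`. If the script reports fewer than eight names, the file defines some keys in a form the pattern does not recognise (double quotes, or `defined()` guards), and those need to be edited by hand. Rotating salts complements, and does not replace, changing the passwords listed above: a stolen password still works after the old sessions are gone.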

    Thread Starter Rik0399

    (@rik0399)

    @barnez

    Agreed 😉

    wfalaa

    (@wfalaa)

    Hi @rik0399
    Glad to hear that you managed to clean your website from this infection. I just want to let you know that we have a guide regarding “How to Clean a Hacked WordPress Site using Wordfence” which is very close to what you have done here; it's also worth taking a look at “How to Harden Your WordPress Site From Attacks” for some great tips that could prevent this attack from happening again. Some of these tips were already mentioned by @pidengmor, thanks!

    Thanks.

    luhas-wp

    (@sahulap)

    Thank you very much for your help.

    Same issue. I compared it to a normal functions.php file, and you can see that the code at the top of the suspicious file is actually not supposed to be there.

    I also deleted the wp-cd.php files (as GoDaddy rightly pointed out) and removed the top PHP line in post.php (also flagged by WP).

    What I could not figure yet is what caused the breach?
    All the functions.php files in one hosting account were affected, including the non-active themes. I’ve fixed it for now but want to secure it for the future.
