Free Wordfence scan missed hacked code in favicon.ico file (Wordfence Security - Firewall & Malware Scan support forum)

  • Resolved Miss Taddie

    (@tadtadhannacom)


    I admin a WP site with the free version of the Wordfence plugin. It was hacked last week; I installed Wordfence (it had had iThemes Security before). I scanned, removed bad files. I checked the server files a couple of times since then via FTP, nothing suspicious. Then today, it started redirecting to payday loan sites AGAIN. Aaarrgh! Ran Wordfence again, found similar files to last time, deleted them, re-uploaded wp-config.php to replace the again-hacked wp-config.php.

    Then I started poking around on my own on the server files for anything suspicious. I found an odd-looking file here: /wp-content/languages/favicon_0b57d5.ico. Huh? No favicon files should be here, and is there usually a /languages directory there? I added .txt file extension to the file and opened it, and sure enough, full of hacky-looking code. So I deleted the /languages directory and the .ico file.

    So just to say, Wordfence missed this file in its scan, and it may have been the culprit for reinfecting the site. I know I have the free version of Wordfence, not the paid one, but the fact this file was missed in the scan is disappointing. And also just wanted to let others know to look for files with .ico extensions anywhere they shouldn’t be. Change the file extension, open in a text editor and see if they are malware code.

  • Adam

    (@adamlachut)

    Hello,

    The free version of Wordfence detects these files, but you need to enable at least:
    “Scan images, binary, and other files as if they were executable”
    option in scanning settings.

    If your website was hacked, in my opinion, you should perform a full scan, with additional 2 scanning options enabled:
    “Scan files outside your WordPress installation”
    “Enable HIGH SENSITIVITY scanning (may give false positives)”
    and carefully analyse the results.

    BTW, the favicon_xxxxxx.ico files are malicious but aren’t dangerous if not included in another .php file or if your .htaccess file(s) weren’t modified.

    Last, but not least: always remember to block access to your website while cleaning, to change all the passwords (including the DB password) and to fix vulnerabilities.

    Best,
    Adam

    Miss Taddie

    (@tadtadhannacom)

    Hi Adam,

    Thanks so much! The site was reinfected again this morning in two places (a php file and wp-config.php as usual) but the malware hadn’t gotten around yet to implementing its full redirect to payday loan sites so client site still looked normal. I followed your suggestions with the high-sensitivity scan settings which include “scan images, binary and other files as if they were executable” and “scan files outside your WordPress installation”. With these settings, Wordfence found an additional bad .ico file here: wp-content/plugins/wp-db-backup/favicon_e612b8.ico which I am guessing was the source of the reinfection.

    Thanks for the help, much appreciated.

    Hi Miss Taddie,
    As Adam mentioned, enabling “Scan files outside your WordPress installation”
    and “HIGH SENSITIVITY scan” options is recommended when you are cleaning an infected website, also, I highly recommend going through this document “How to Clean a Hacked WordPress Site using Wordfence” when you are cleaning your website. Check this guide as well.

    Thanks.

    Scanning your files for malware code is not enough. You need to find out how an attacker was able to *upload* the malicious code in the first place, else it will just keep reoccurring.

    I have this exact same reinfection problem. If your site is on shared hosting, I suppose you don’t really have any choice except to move your site to a VPS or dedicated server. No matter how secure your account is, there are other accounts in your shared hosting that don’t know that theirs have been compromised by malicious files.

    Since scanning binaries takes a huge amount of resources and slows down the scan time considerably, how does one include a file extension to scan instead of having to scan ALL binaries, images etc.? For example, we know malicious code hides in .ico files, so how do we scan only .ico files? I’ve tried entering “.ico” in the additional scan pattern but it didn’t scan only .ico files.

    Adam

    (@adamlachut)

    Hi,

    You may try to find all .ico files using external tools (like your hosting panel, an FTP client or a simple PHP script if you are allowed to use shell_exec()) and delete all of them other than favicon.ico.
    But note that .ico files can’t be executed if there are no other modifications, like AddHandler/SetHandler (mainly in .htaccess) or inclusion of .ico files in other .php files.
    Also, you really need to find and fix the vulnerability.

    No matter how secure your account is, there are other accounts in your shared hosting that don’t know that theirs have been compromised by malicious files.

    Not true: on properly configured shared hosting all user accounts are separated, and an improperly configured VPS will not be secure.

    Adam
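The two checks Adam describes (find every .ico file other than the real favicon, then look for AddHandler/SetHandler directives that would make the server execute them) can be done without Wordfence scanning every binary, which was the question two posts up. The script below is an added example written for this thread, not code from Wordfence or from anyone in the discussion. It walks a site tree, looks only at .ico files and .htaccess, flags .ico files that carry a PHP open tag or lack the ICO header bytes, flags icons that merely carry the favicon_xxxxxx.ico naming pattern seen in the thread, and reports .htaccess lines that map .ico to a handler. The sample tree it builds is constructed here for the demonstration; the two file paths are the ones reported in the thread, with inert placeholder content.

```python
import os
import re
import tempfile

# A genuine Windows icon starts with reserved=0x0000 and type=1 (icon) or 2 (cursor).
ICO_MAGIC = (b"\x00\x00\x01\x00", b"\x00\x00\x02\x00")
# PHP open tags; a real icon never contains these.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Apache directives that would hand .ico files to a script handler (the
# AddHandler/SetHandler modification described in the thread).
HANDLER_RE = re.compile(r"^\s*(AddHandler|SetHandler|AddType)\b.*\.ico\b",
                        re.IGNORECASE | re.MULTILINE)
# Name pattern of the dropped files in the thread (favicon_xxxxxx.ico).
DROPPED_NAME = re.compile(r"^favicon_[0-9a-f]{6}\.ico$", re.IGNORECASE)


def classify_ico(path):
    """Return 'php-code', 'not-an-icon' or 'ok' for one .ico file."""
    with open(path, "rb") as f:
        head = f.read(4096)
    if PHP_TAG.search(head):
        return "php-code"
    if not head.startswith(ICO_MAGIC):
        return "not-an-icon"
    return "ok"


def scan_tree(root):
    """Walk a site tree; inspect only .ico files and .htaccess, never every binary."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(".ico"):
                verdict = classify_ico(full)
                if verdict == "ok" and DROPPED_NAME.match(name):
                    verdict = "suspicious-name"  # valid icon, but named like the dropped files
                if verdict != "ok":
                    findings.append((rel, verdict))
            elif name == ".htaccess":
                with open(full, "r", errors="replace") as f:
                    if HANDLER_RE.search(f.read()):
                        findings.append((rel, "ico-handler-in-htaccess"))
    return sorted(findings)


def build_sample_site():
    """Constructed fixture: a fake site tree with one clean icon and three planted problems."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        # legitimate favicon: ICO header followed by padding
        "favicon.ico": b"\x00\x00\x01\x00\x01\x00" + b"\x00" * 32,
        # first path from the thread: PHP source under an .ico name (inert placeholder)
        "wp-content/languages/favicon_0b57d5.ico":
            b"<?php /* constructed placeholder, no real payload */ ?>",
        # second path from the thread: not PHP, but not an icon either (text blob)
        "wp-content/plugins/wp-db-backup/favicon_e612b8.ico": b"aGVsbG8gd29ybGQ=" * 8,
        # .htaccess that would route .ico files to the PHP handler
        ".htaccess": b"RewriteEngine On\nAddHandler application/x-httpd-php .ico\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


def sample_findings():
    """Build the constructed tree and scan it; used by the demo below."""
    return scan_tree(build_sample_site())


if __name__ == "__main__":
    for rel, verdict in sample_findings():
        print(f"{verdict:24} {rel}")
```

Run it against the site root (replace the constructed tree with your document root) and review each line it prints; a valid icon in an unusual directory is worth a look too, but the script only reports it when the name matches the thread's pattern, so the legitimate favicon.ico stays out of the report.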

    inclusion of .ico files in other .php files.

    Yes, this is why I prioritise finding and deleting the .ico files, since probably the included .ico files are the payload (or remotely request the payload). Then we’ll deal with the injected PHP files with Wordfence. My hosting’s ClamAV virus scanner usually detects those malicious .ico files but lately it’s not been as reliable, hence my question about Wordfence’s ability to scan only .ico files without scanning all binaries, as that would take ages.
