Support » Plugin: Wordfence Security » Scan missed inserted image files in wp-admin/images folder

  • Resolved Opally

    (@opally)


    Just FYI about a hack that Wordfence did not correctly identify:

    I had a pharma hack that replaced text with spam and links, and only displayed to non-logged-in users. I was helped by the Wordfence scan, which showed that wp-includes/default-constants.php and wp-includes/post-template.php had been changed, and pointed to inserted “image” files in wp-admin/images that were not images, but executable encoding. The files were named strlistfile.gif, maplistfile.gif, include.png, tempthumbs.png, loginimage.png, iconscaches.png, graphicspack.png, previewpics.gif. The extraneous files were all dated Feb. 10.

    I was surprised that Wordfence did not identify the added image files in the scan, which should have shown up as extraneous to the WordPress core files, as they were in wp-admin/images.

    https://wordpress.org/plugins/wordfence/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Hi,

    You can send the files to samples@wordfence dot com to have them analyzed. That will help us add them for detection.

    -Brian

    Just for learning’s sake, I suppose that checking “Disable Code Execution for Uploads directory” in WF Options would not have helped with this, since the images were elsewhere in the folder structure?

    Is there some sort of option in WF, or something that can be put in .htaccess, that would disable code execution for any file with an image extension? That would seem to be a no brainer basic security thing, if possible.

    MTN

    Thanks Brian, I will send them to you in a zip attachment.

    On March 17 (going by the date of the image files) it appears this hack re-occurred, despite the presence of Wordfence. I’ve just modified the options to scan for executable image files.

    wp-includes/default-constants.php was modified thus:

    Original:

        * Defines functionality related WordPress constants
        *
        * @since 3.0.0
        */

    Modified:

        * Defines functionality related WordPress constants
        *
        * @since 3.0.0
        */@include_once ( ABSPATH . 'wp-admin/images/' . 'include.png' );

    and the batch of 8 executable image files were inserted into wp-admin/images

    Is automated scanning only available at Premium level? I’m looking at the settings for Wordfence and it isn’t clear to me.

    What do you suggest for a next step? Change permissions on wp-admin/images folder? It’s 0755.

    I don’t understand yet how this hack is happening.

    Plugin Author WFMattR

    (@wfmattr)

    @opally: Sorry to hear you’re still having trouble. Changing permissions might not help, since some attackers’ tools will “fix” the permissions themselves, but you could try it — it might cause issues when WordPress needs an update though, or if the attacker still modifies that core file, it might stop the site from working.

    We have a guide for cleaning hacked sites here that may help you find additional malicious files, if there are any:
    How to clean a hacked website

    It’s possible even if WordPress and plugins/themes are all up to date, that there is a new vulnerability that a plugin author hasn’t found yet, that could be letting the attack through — or there might just be a single malicious file that isn’t being found in the scans. You might find the file when using the additional scan options in the guide, but if not, if you check the access log of the site, you might be able to see hits on unusual php files.

    Automatic scans are included in the free version, and are scheduled to run once per day. As long as “Enable automatic scheduled scans” is turned on, it should work, unless a conflict with another plugin or a custom security setting stops it.

    @mtn: That’s right that “Disable Code Execution for Uploads directory” won’t help with these other fake image files — though turning on the option to scan images and other files will find them if they contain PHP code. (There is a greater chance of false positives when scanning images and other files.) Most hosts prevent image files from being run directly as PHP code, but if the attacker can modify another PHP file and “include” or “require” a file, any filename is accepted, unfortunately.

    -Matt R
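    The two things Matt R describes checking for (PHP code hiding in files with image extensions, and a PHP file that include/requires something that is not a .php file, like the @include_once line quoted above) as a small standalone scanner. This is an added example, not part of the thread and not Wordfence’s own scan code; the heuristics are my own, and the sample tree it builds is constructed for the demo, reusing the file names from the post with harmless placeholder contents rather than any real payload.

```python
"""Added example (not Wordfence code): find image-named files that carry PHP,
and PHP files whose include/require target is not a .php file."""
import os
import re
import tempfile

# Bytes each real image format starts with.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".ico": (b"\x00\x00\x01\x00",),
}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# One include/require statement on a single line; group 2 is its argument.
# The lookbehind keeps the word "include" inside a string or identifier from matching.
INCLUDE_RE = re.compile(
    rb"(?<![\w'\"$])@?\b(include_once|include|require_once|require)\b"
    rb"\s*\(?\s*([^;\n]+?)\s*\)?\s*;",
    re.IGNORECASE,
)
ENDS_WITH_PHP = re.compile(rb"\.php['\"]$", re.IGNORECASE)


def fake_image_reason(path):
    """Why a file with an image extension is suspect, or None if it looks clean.
    A PHP open tag anywhere is flagged (this also catches a real image with PHP
    appended); so is a file that does not start with its format's signature.
    The second check is deliberately noisy, like a "scan images" option."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return None
    with open(path, "rb") as fh:
        data = fh.read()
    if PHP_TAG.search(data):
        return "php-open-tag"
    if not any(data.startswith(m) for m in IMAGE_MAGIC[ext]):
        return "no-image-signature"
    return None


def suspicious_includes(path):
    """(keyword, argument) for each include/require whose argument does not end
    in a literal .php filename. Variable targets ($file) are reported too: noise
    on genuine WordPress code, but cheap to eyeball."""
    with open(path, "rb") as fh:
        src = fh.read()
    hits = []
    for m in INCLUDE_RE.finditer(src):
        arg = m.group(2).strip()
        if not ENDS_WITH_PHP.search(arg):
            hits.append((m.group(1).decode().lower(), arg.decode(errors="replace")))
    return hits


def scan_tree(root):
    """Walk a WordPress root. Returns (fake_images, bad_includes), both sorted,
    with paths relative to root using forward slashes."""
    fake, bad = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reason = fake_image_reason(full)
            if reason:
                fake.append((rel, reason))
            if name.lower().endswith(".php"):
                for kw, arg in suspicious_includes(full):
                    bad.append((rel, kw, arg))
    return sorted(fake), sorted(bad)


def build_sample_tree():
    """Constructed sample tree (harmless placeholders, not the real payload):
    file names from the post, plus one genuine image and one clean core file."""
    root = tempfile.mkdtemp(prefix="wf-demo-")

    def put(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("wp-admin/images/spinner.gif", b"GIF89a\x01\x00\x01\x00\x80\x00\x00")
    put("wp-admin/images/include.png", b"<?php echo 'placeholder'; ?>")
    put("wp-admin/images/tempthumbs.png",
        b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"<?php echo 'appended'; ?>")
    put("wp-admin/images/loginimage.png", b"not a PNG and no open tag either")
    put("wp-includes/default-constants.php",
        b"<?php\n/**\n * Defines functionality related WordPress constants\n *\n"
        b" * @since 3.0.0\n */@include_once ( ABSPATH . 'wp-admin/images/' . 'include.png' );\n"
        b"require_once ABSPATH . WPINC . '/class-wp-locale.php';\n")
    put("wp-includes/post-template.php", b"<?php\nfunction the_ID() { echo get_the_ID(); }\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    fake, bad = scan_tree(root)
    for rel, why in fake:
        print(f"fake image  {rel}  ({why})")
    for rel, kw, arg in bad:
        print(f"bad include {rel}: {kw} {arg}")
```

    Run with no arguments it scans the constructed sample; point scan_tree() at a real document root to use it on a site. Treat the output as a triage list rather than a verdict: the signature check will complain about SVGs or truncated images, and the include check about every variable include target, which is exactly the trade-off Matt R mentions for the image-scanning option.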

    Hi Matt,

    I just had 2 websites get WordFence notifications this morning identical to the ones in the original post. Is this something you are still working on or do you need me to send samples for analysis?

    Ryan

    Plugin Author WFMattR

    (@wfmattr)

    Hi Ryan,

    If you still have the files, you can send them to us too. It’s possible the same filenames are used with different content, so we can confirm that on our end. Please include the URL of this post in your message. Thanks!

    -Matt R
