Title: Security Breach?
Last modified: August 1, 2020

---

# Security Breach?

 *  [theresaf1](https://wordpress.org/support/users/theresaf1/)
 * (@theresaf1)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/)
 * My client said someone went to the website I installed I-Themes Security on
   (after they called about this) and it said they have a virus. I logged in and
   it was redirecting to the Flash Player con that we all know to get us to install
   Flash, but this does not happen all the time. Since the install of the Security
   plugin, I got the below message. Please let me know if this is an issue, as I
   ran a malware scan and it says the site is clean so not sure. Any smart people able
   to help? Also, the site is only for information with no users, etc., other than
   me updating their info fyi. See below –
 * Module: File Change
    * Type: Warning
    * Description: 0 Added, 1 Removed, 1 Changed
    * Timestamp: 2020-08-01 16:59:20
    * User:
    * URL: WP-Cron Scheduled Task
    * Changed: wp-includes/class-wp-http-netfilter.php
    * Removed: wp-admin/css/.default
    * Added:
    * Total Memory: 57.64 MB
    * Memory Used: 5.46 MB
 * Raw Details
    * id => 343
    * module => file_change
    * type => warning
    * code => changes-found::0,1,1
    * timestamp => 2020-08-01 16:59:20
    * init_timestamp => 2020-08-01 16:59:19
    * remote_ip => 107.180.125.172
    * user_id => [empty string]
    * url => wp-cron
    * memory_current => 52138776
    * memory_peak => 58863408
    * data => Array
        * added => Array()
        * removed => Array
            * wp-admin/css/.default => Array
                * d => [integer] 1596209299
                * h => c34e801effbb22ae03f3ba0f15a1283b
                * t => r
                * s => [integer] 1
                * p => WordPress Core v5.4.2
        * changed => Array
            * wp-includes/class-wp-http-netfilter.php => Array
                * d => [integer] 1596299070
                * h => d300e83971b3d42edb38b47598832cb1
                * t => c
                * s => [integer] 1
                * p => WordPress Core v5.4.2
        * memory => [double] 5.46
        * memory_peak => [double] 57.64

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13202449)
 * Despite the malware scan result (which is known not to be 100% reliable), the
   File Change Detection scan result clearly indicates there are changes being made
   in WordPress core files which cannot be attributed to legal activities. In other
   words the site is definitely compromised and needs to be cleaned up.
 * To prevent any confusion, I’m not iThemes.
 *  [beardedginger](https://wordpress.org/support/users/beardedginger/)
 * (@beardedginger)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13205127)
 * Hi,
 * I would also like to add that the plugin will only inform you of changes made
   (if modules are enabled) but it does not have the capability to inform you of
   any issues in regards to those changes.
 * Thanks,
 * Matt
 *  Thread Starter [theresaf1](https://wordpress.org/support/users/theresaf1/)
 * (@theresaf1)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13209732)
 * I see what is happening. Wondering if you guys can help with input. I have shared
   hosting on Go Daddy and know they will charge a lot. The person that was working
   for me did not properly protect these sites, even though I paid her.
 * That said, I keep deleting a text file in cgi-bin. The file keeps repopulating
   itself. I see all the redirects in there… what can I do, as I notice this on 
   more than one site. Please assist with any input. I tried to delete lines of 
   code in the htaccess file but still repopulated. This must have been injected
   prior to installing I-Themes Security.
 * Thank you!
 *  Thread Starter [theresaf1](https://wordpress.org/support/users/theresaf1/)
 * (@theresaf1)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13209882)
 * What I noticed is that the line of code that keeps changing had the permissions
   set for anyone to “write”. So it said the world can both “read” and “write” to
   that file, so I turned off “write” and so far the “default” file with all the
   malicious code was not reinserted into the folder cgi-bin. I notice this on another
   site and will see if deleting the folder cgi-bin stops that for fun, but hopefully
   I fixed this? Any input appreciated!!! What was happening, is my client’s site
   would redirect to different spam sites, but not all the time, sporadically!
 *  Thread Starter [theresaf1](https://wordpress.org/support/users/theresaf1/)
 * (@theresaf1)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13209887)
 * Well, just looked, and it is re-added to cgi-bin folder again. Dang… help!
 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13210245)
 * Once your site is hacked it’s probably better to post in a more appropriate support
   forum.
 * You’ll find one and useful info in the [FAQ My site was hacked](https://wordpress.org/support/article/faq-my-site-was-hacked/)
   post.
 *  Thread Starter [theresaf1](https://wordpress.org/support/users/theresaf1/)
 * (@theresaf1)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13210565)
 * So, I deleted the cgi-bin folder, and then went on my security program, and did
   a bunch of extra security features. They are having a hard time finding the file
   now. Is there a way to block all IP Addresses other than mine from accessing 
   the data on my server? Anyone know? There is no reason that any IP addresses 
   should want access to my server other than my security program and the few trusted
   folks I allow access. Thoughts?
 *  [nlpro](https://wordpress.org/support/users/nlpro/)
 * (@nlpro)
 * [5 years, 9 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13211355)
 * Unsubscribed…
 *  [ontheroad](https://wordpress.org/support/users/ontheroad/)
 * (@ontheroad)
 * [5 years, 5 months ago](https://wordpress.org/support/topic/security-breach-8/#post-13767241)
 * Any update on this?
 *  [mehmet061](https://wordpress.org/support/users/mehmet061/)
 * (@mehmet061)
 * [5 years, 3 months ago](https://wordpress.org/support/topic/security-breach-8/#post-14015566)
 * Hi,
 * The same problem happens on my website. I delete the file, then file abandonment
   occurs.
 * Unknown file in WordPress core: wp-includes/class-wp-http-netfilter.php
    * Type: File
    * Filename: wp-includes/class-wp-http-netfilter.php
    * File Type: Core
    * Details: This file is in a WordPress core location but is not distributed
      with this version of WordPress. This scan often includes files left over
      from a previous WordPress version, but it may also find files added by
      another plugin, files added by your host, or malicious files added by an
      attacker.
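
The checks this thread keeps returning to (a file in a core location that WordPress does not ship, a core file whose hash changed, a world-writable file) can be run independently of any plugin. The following is an added example, not code from any post or from the plugin; it assumes a manifest mapping each core file path to its MD5 for the installed version, the function names `audit_core` and `demo` are hypothetical, and the sample tree is constructed with stand-in file contents.

```python
import hashlib, os, stat, tempfile

CORE_DIRS = ("wp-admin/", "wp-includes/")  # locations that hold only core files

def md5_file(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def audit_core(root, manifest):
    """Compare the tree under root with manifest ({relative path: md5 hex})."""
    report = {"unknown": [], "changed": [], "missing": [], "world_writable": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if os.stat(full).st_mode & stat.S_IWOTH:   # "world can write"
                report["world_writable"].append(rel)
            if rel in manifest:
                if md5_file(full) != manifest[rel]:     # core file was altered
                    report["changed"].append(rel)
            elif rel.startswith(CORE_DIRS):             # not shipped with core
                report["unknown"].append(rel)
    report["missing"] = list(set(manifest) - seen)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Audit a small constructed tree (stand-in contents, not real core files)."""
    clean = {"wp-includes/version.php": b"<?php $wp_version = '5.4.2';\n",
             "wp-admin/index.php": b"<?php // constructed stand-in\n"}
    manifest = {p: hashlib.md5(c).hexdigest() for p, c in clean.items()}
    on_disk = {
        "wp-includes/version.php": clean["wp-includes/version.php"] + b"// extra\n",
        "wp-includes/class-wp-http-netfilter.php": b"<?php // placeholder\n",
        ".htaccess": b"# placeholder\n",
    }   # wp-admin/index.php is deliberately absent from disk
    with tempfile.TemporaryDirectory() as root:
        for rel, data in on_disk.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o666 if rel == ".htaccess" else 0o644)
        return audit_core(root, manifest)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For a real site the manifest would be the core checksums WordPress.org publishes for the installed version and locale, which is also what `wp core verify-checksums` in WP-CLI compares against.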


The topic ‘Security Breach?’ is closed to new replies.

 * [Solid Security – Password, Two Factor Authentication, and Brute Force Protection](https://wordpress.org/plugins/better-wp-security/)

 * 10 replies
 * 5 participants
 * Last reply from: [mehmet061](https://wordpress.org/support/users/mehmet061/)
 * Last activity: [5 years, 3 months ago](https://wordpress.org/support/topic/security-breach-8/#post-14015566)
 * Status: not resolved