Site got hacked with shield instaled

  • Resolved danc77

    (@danc77)


    7 years, 9 months ago

    hello Paul.

    I have installed and active shield. Website is up to date including all plugins, themes and core.

    However after installation once I got a message about wp core files mismatch which I promptly replaced all manually.

    My server is set to allow max 10 mails per hour. And yesterday it did sent out some spam, aproximatelly 30 mails. Mail about altered files did not arrive but reason is server side block after 10th mail in one hour.

    After cleaning i still have 2 files resulting suspicious in server side scan

    wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/ext/maxminddb.c’
    Suspicious file type [application/x-c]

    wp-content/plugins/wp-simple-firewall/src/features/firewall.php’
    Regular expression match = [\n(?!\s*(//|\#|\*)).*/etc/passwd]

    the one about web statistic was replaced and it most likely a false positive

    https://wordpress.org/plugins/wp-simple-firewall/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Paul

    (@paultgoodchild)

    7 years, 9 months ago

    hi

    Thanks for reporting this. Could you explain what the hack was exactly? What you have described isn’t a hack… unless I didn’t fully understand.

    Thread Starter danc77

    (@danc77)

    7 years, 8 months ago

    thanks for reply.

    site had fake wp core files and tried to send out mails. however our mail server is blocking more than 10 mails per hours and we caught the issue soon enough.

    after manual cleaning of the whole installation and some original core files (there was code added to it) we put the shield plugin firewall blocking on aggressive mode and had no issues after it anyhow. But we still getting this:

    wp-content/plugins/wp-simple-firewall/src/features/firewall.php’
    Regular expression match = [\n(?!\s*(//|\#|\*)).*/etc/passwd]

    when scanning server side for malware, basically clam av is considering that file somehow dangerous

    Plugin Author Paul

    (@paultgoodchild)

    7 years, 7 months ago

    Yea, the reason this would be flagged is that the text “/etc/passwd” is in there in one of the strings.

    Thread Starter danc77

    (@danc77)

    7 years, 7 months ago

    Ok thanks for explanation, its a false positive,

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Site got hacked with shield instaled’ is closed to new replies.