Support » Plugin: NinjaFirewall (WP Edition) - Advanced Security » Site hacked while running NinjaFirewall

  • Resolved Dagmar

    (@fraudiebels)


    Hi,

    one of my sites has been hacked although I had NinjaFirewall up and running (Vers. 3.2.2). Provider took the site offline. He sent an email saying that the site was distributing malware and that /wp-content/nfwlog/firewall_2016-07.php was causing this. In the file I found these two lines:

    [1469117342] [0.07036] [xxxxx.de] [#3373820] [155] [3] [122.9.48.61] [403] [POST] [/index.php] [Code injection] [POST:subject = <?php @eval($_POST['cmd']); ?>]
    [1469117342] [0.07697] [xxxxx.de] [#5454958] [155] [3] [122.9.48.61] [403] [POST] [/index.php] [Code injection] [POST:subject = <?php @eval($_POST['cmd']); ?>]

    Corresponding lines in the Firewall Log are:

    21/Jul/16 18:09:02 #3373820 critical 155 122.9.48.61 POST /index.php – Code injection – [POST:subject = <?php @eval($_POST['cmd']); ?>]
    21/Jul/16 18:09:02 #5454958 critical 155 122.9.48.61 POST /index.php – Code injection – [POST:subject = <?php @eval($_POST['cmd']); ?>]

    I would like to know how this could happen, to prevent it from happening again. Any idea?

    Best wishes,
    fraudiebels

    https://wordpress.org/plugins/ninjafirewall/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author nintechnet

    (@nintechnet)

    Hi,

    Your host is not correct: the “/firewall_2016-07.php” is NinjaFirewall’s log, not a backdoor.
    It shows that someone tried to inject PHP code via your main /index.php script. NinjaFirewall blocked it, and wrote the incident to the firewall log.
    In addition, no one can access the log, as it is protected by the firewall.

    You’d need to ask your host to give you some evidence of the hack (files, logs).

    Dagmar

    (@fraudiebels)

    Hi,

    Thanks a lot for your prompt reply! I contacted the host, I’m curious about what they will say ….

    Dagmar

    (@fraudiebels)

    Hi,

    I am sure you are right, but my host insists: delete it or the site will stay down. Support is not so great; they don’t give any evidence of a supposed hack, they just complain about the /firewall_2016-07.php file again.

    O.k., I can delete it, but if there are similar threats in the future it will happen again.
    As I cannot move the site to another host at the moment: is it possible to prevent NinjaFirewall from writing those log files?

    Plugin Author nintechnet

    (@nintechnet)

    Hi

    They are not really helpful, but still, that’s good news: you were not hacked!

    You can delete the log, the firewall will create a new one anyway.

    We will release v3.2.5 this Sunday, which includes a new log format (hexencoded), as we had many requests for that lately. That should solve your issue.
    If you can’t wait until Sunday, you can download the v3.2.5-RC1 available in the repo:
    1. Go to https://wordpress.org/plugins/ninjafirewall/developers/ and download “Other Versions > Development Version”.
    2. Extract the ZIP file, and upload the ‘ninjafirewall’ folder to your ‘/wp-content/plugins/’ folder. That will erase all NinjaFirewall files, but will keep your current config.
    3. Log in to your admin dashboard, click on “NinjaFirewall > Overview” and make sure it reads “Version 3.2.5-RC1”.

    When the final 3.2.5 version is available this weekend, you can update it from your admin dashboard as usual.

    Dagmar

    (@fraudiebels)

    Hi,

    that’s good news! Just updated the plugin and hope it will not happen again.

    Hi, I have the same issue, but my host did not block anything. Instead, NinjaFirewall itself (version 3.2.6) marked this file as malware. The log entries are practically identical to fraudiebels’ entries.

    Need for concern?

    Plugin Author nintechnet

    (@nintechnet)

    That looks normal. All data written to the log is about threats and hence an antivirus or antimalware can flag it as malware.
    Version 3.2.6 uses a new log format. That should solve the problem. But you probably still have entries in plain text from the previous 3.2.5 version.
    You can either safely ignore the warning, or simply delete the log. The firewall will create a new one and will use the new format.
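    The two plugin-author replies above make one point: an nfwlog entry with status 403 is a record of a blocked request, not evidence of compromise, and the later hex-encoded log format merely stops file scanners from seeing the literal `<?php` in the stored payload. The following is an added example (my own code, not part of NinjaFirewall) that parses the bracketed plain-text layout shown in the first post and triages it; the field names are my assumptions from the sample lines, and the host, IP and ids in the sample are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Field layout assumed from the thread's lines (names are my own guesses):
# [unix ts] [elapsed] [host] [#id] [rule] [level] [ip] [http status]
# [method] [uri] [reason] [offending parameter = value]
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d+)\] \[(?P<elapsed>[\d.]+)\] \[(?P<host>[^\]]*)\] \[#(?P<id>\d+)\] "
    r"\[(?P<rule>\d+)\] \[(?P<level>\d+)\] \[(?P<ip>[^\]]*)\] \[(?P<status>\d+)\] "
    r"\[(?P<method>\w+)\] \[(?P<uri>[^\]]*)\] \[(?P<reason>[^\]]*)\] \[(?P<payload>.*)\]$"
)

# Constructed sample in the same layout as the thread's log (host, IP and ids are made up).
SAMPLE_LOG = (
    "[1469117342] [0.07036] [example.test] [#3373820] [155] [3] [192.0.2.10] [403] [POST] "
    "[/index.php] [Code injection] [POST:subject = <?php @eval($_POST['cmd']); ?>]\n"
    "[1469117342] [0.07697] [example.test] [#5454958] [155] [3] [192.0.2.10] [403] [POST] "
    "[/index.php] [Code injection] [POST:subject = <?php @eval($_POST['cmd']); ?>]\n"
)

def parse_entry(line):
    """Return one dict per log line, or None for a line that does not match the layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["when"] = datetime.fromtimestamp(int(e["ts"]), tz=timezone.utc).isoformat()
    return e

def triage(log_text):
    """Summarise a firewall_YYYY-MM.php log: everything with status 403 was blocked."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    blocked = [e for e in entries if e["status"] == 403]
    return {
        "entries": len(entries),
        "blocked": len(blocked),
        "passed": len(entries) - len(blocked),  # non-403 entries deserve a closer look
        "sources": Counter(e["ip"] for e in entries),
        "reasons": Counter(e["reason"] for e in entries),
        "targets": Counter(f'{e["method"]} {e["uri"]}' for e in entries),
    }

def hex_encode_payload(payload):
    """My own sketch of why a hex-encoded log stops tripping file scanners: the stored
    bytes no longer contain a literal '<?php'. Not NinjaFirewall's actual 3.2.5+ format."""
    return payload.encode("utf-8").hex()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Point the script at a real nfwlog file with `triage(open(path).read())`; any entry whose status is not 403 is the one to investigate, since those are the requests the firewall did not block.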
