Viewing 4 replies - 31 through 34 (of 34 total)
  • Here’s my workaround that I’m using on a client site until we can better understand the source of the hack.

    I’ve noticed that the attack happens through both the header.php of the theme and through the WP file nav-menu.php. Same symptoms everyone is reporting in this thread. WordFence picks up on both files being infected.

    Since the temporary fix is to replace the infected file with a clean file, I’ve included two lines of code in the index.php file at the root of the WordPress installation:

    copy("/home3/user/public_html/nav-menu.php", "/home3/user/public_html/wp-includes/nav-menu.php");
    copy("/home3/user/public_html/header.php", "/home3/user/public_html/wp-content/themes/themename/header.php");

    I placed copies of the header.php and nav-menu.php files at the hosted root.

    I put these near the beginning of the file, before anything else happens.

    What these lines do is automatically copy clean versions of the files whenever someone visits the site, so if a file, like header.php gets infected, it is overwritten before it is called into the browser upon a site visit.

    Simply put, I’m automating the process of overwriting infected files with clean ones and triggering that automation when someone visits the site.

    If you do this, you’ll have to modify the code to fit your server’s directory structure.

    Look, I know this is pounding in a nail with a sledgehammer. It’s a band-aid, not a panacea. It’s buying me the time to find the real problem. Yes, I know, copying files on page load is a lot of server work and a WordPress update will overwrite my changes. Bake a pie, eat a pie. It’s working as of now and keeping people on site.
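A variant of the workaround described in the post above, as an added example that is not part of the original post or of Wordfence: it restores a file only when its SHA-256 differs from the clean copy, keeps the modified file for analysis, and logs a timestamp that can be matched against the access log. The function name and the `/home3/user/integrity` directory are assumptions; the other paths are the post's placeholders.

```php
<?php
// Added example (not from the original post). Restores a file only when it
// differs from its clean copy, and records when the change was seen.

/**
 * Compare $target with $clean by SHA-256; on mismatch, save the modified
 * file to $stateDir, restore the clean copy and append a log line.
 * Returns 'ok', 'restored' or 'error'.
 */
function restore_if_modified(string $clean, string $target, string $stateDir): string
{
    $cleanHash = @hash_file('sha256', $clean);
    if ($cleanHash === false) {
        return 'error'; // clean reference missing or unreadable: change nothing
    }
    $foundHash = is_file($target) ? @hash_file('sha256', $target) : false;
    if ($foundHash !== false && hash_equals($cleanHash, $foundHash)) {
        return 'ok'; // unchanged: no copy, no extra disk writes on this request
    }

    $stamp = gmdate('Ymd\THis\Z');
    if ($foundHash !== false) {
        // Keep the modified file for later analysis; the suffix stops it
        // from being served or executed as PHP.
        @copy($target, "$stateDir/" . basename($target) . ".$stamp.quarantine");
    }
    $restored = @copy($clean, $target);

    $line = sprintf(
        "%s %s target=%s found_sha256=%s clean_sha256=%s\n",
        $stamp,
        $restored ? 'RESTORED' : 'RESTORE_FAILED',
        $target,
        $foundHash === false ? 'missing' : $foundHash,
        $cleanHash
    );
    @file_put_contents("$stateDir/restore.log", $line, FILE_APPEND | LOCK_EX);
    return $restored ? 'restored' : 'error';
}

$stateDir = '/home3/user/integrity'; // assumed directory outside the web root
$files = [ // clean copy => live file, using the placeholder paths from the post
    '/home3/user/public_html/nav-menu.php' => '/home3/user/public_html/wp-includes/nav-menu.php',
    '/home3/user/public_html/header.php'   => '/home3/user/public_html/wp-content/themes/themename/header.php',
];
foreach ($files as $clean => $target) {
    restore_if_modified($clean, $target, $stateDir);
}
```

Each `RESTORED` line in `restore.log` marks the first request after a file was modified, which narrows the window to look at in the access log.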

    Plugin Author WFMattR

    (@wfmattr)

    PhilaPhans: You can enable scanning for files outside of the normal Wordfence folders by turning on “Scan files outside your WordPress installation” on the Wordfence Options page. It won’t be able to scan your non-WordPress database tables though.

    CosmicRaptor: Yes, it’s possible for the infection to cross multiple sites on the same hosting account.

    ewsweb: You can reinstall your theme, if it is a free theme or premium theme from another site — if it is a custom theme or child theme, you will need to edit the files manually.

    chrisprouty: Thanks for posting a workaround, and the disclaimer about how it works. 🙂 (This can also cause a warning in your Wordfence scans, for the modified file.)

    If anyone else can send me a list of the themes and plugins they’re using, you can send them to me at mattr [at] wordfence.com — if anyone has an access log file you’re willing to share from a site without a ton of traffic, for a time period starting before the problem was found, you can email that to me, too — it won’t tell me everything, but something odd might stand out.

    Thank you chrisprouty and WFMattR for responding in this matter.

    I have the same problem occurring across all of my sites. I am using Weaver II Pro Theme. It seems that the only Plugin that is in common with those listed previously may be Akismet. Akismet was on a new install that I did for a customer on 31/8/2015. I removed Akismet straight away as I have found WP SpamShield does a better job, but it may have let the virus through.

  • The topic ‘Virus not found in Wordfence’ is closed to new replies.