Support » Plugin: Wordfence Security - Firewall & Malware Scan » WF critical nobodycrew backdoor

  • Resolved MtGamberWebsiteDesign

    (@mtgamberwesbitedesign)


    Hi,

    On a client's website I've had the following critical warning; however, other security checks have cleared the website and I can't find anything on a Google search.

    Filename: wp-content/uploads/bbpowerpack/index.php
    File Type: Not a core, theme, or plugin file from wordpress.org.
    Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: function_exists('exec')){ @exec($code,$res);

    The issue type is: Backdoor:PHP/nobodycrew.3414
    Description: A backdoor known as nobodycrew

    Please can you confirm that is NOT a false positive.

    I have already raised a support ticket with the plugin developers. Even a new version of the plugin seems to give the same error.

    Thanks for your help,
    Karen

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support WFGerroald

    (@wfgerald)

    Hey @mtgamberwesbitedesign,

    This definitely seems to be some nasty code. Your index.php file shouldn't contain any code. I'd suggest completely deleting that plugin and updating all of your credentials, including WordPress, FTP, database and your hosting control panel. Then you can upload a new version. I would make sure you're getting it either from the WordPress.org repository or the official Beaver Builder site.

    Here are some tips on cleaning your site from a hack.

    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Please let me know how it goes.

    Thanks,

    Gerroald

    macmeister

    (@macmeister)

    I just spotted this one as well. Thanks for the post and feedback! Still reviewing possible effects.

    MtGamberWebsiteDesign

    (@mtgamberwesbitedesign)

    Hi @macmeister was your issue in BB Powerpack addon as well?

    macmeister

    (@macmeister)

    @mtgamberwesbitedesign Great question.
    I reviewed 4 other sites with PowerPack and cannot find where this file shows up in any of the others. They all had the same directory as yours and mine, but none had the suspicious index.php file that Wordfence found on this particular one. I have removed the file and I'm still not sure how it got there. Hopefully I removed it in time. If not, there will be more cleanup… It is also possible that the file was uploaded via a vulnerability, but was unable to execute with the Wordfence or Cloudways firewalls.

    Plugin Support WFGerroald

    (@wfgerald)

    Hey @mtgamberwesbitedesign,

    Have you had a chance to try my suggestions and reinstall a fresh copy? If so, did it clear it up?

    @macmeister – Thanks for the update, and happy to hear that you were able to clear this up.

    I would like to mention that if this issue returns after removing the malicious content and updating your credentials the root of the problem may be elsewhere. In that case I’d suggest reaching out to a hack repair service to have the site professionally cleaned and the point of entry patched.

    Please let me know how it goes.

    Thanks,

    Gerroald

    macmeister

    (@macmeister)

    @mtgamberwesbitedesign
    I see them accessing the rogue file in the log, which is a bummer, but then I see Wordfence, so it likely blocked it. Yay. I did hide the IPs below. Not sure why I'd protect the criminal, other than this way they can't google their IP and find this post…? LOL

    XX.XXX.XXX.111 - - [25/May/2019:01:09:32 +0000] "GET / HTTP/1.0" 301 543 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
    XX.XXX.XXX.111 - - [25/May/2019:01:09:32 +0000] "GET / HTTP/1.0" 200 13747 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
    XX.XX.XX.XX - - [25/May/2019:01:09:34 +0000] "POST /?wordfence_syncAttackData=XXXXXXXXXX.XXXX HTTP/1.0" 200 171 "https://xxxxxxxx.com/?wordfence_syncAttackData=XXXXXXXXXX.XXXX" "WordPress/5.1.1; https://xxxxxxxx.com"
    XX.XXX.XXX.111 - - [25/May/2019:01:09:33 +0000] "POST / HTTP/1.0" 200 343 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
    XX.XXX.XXX.111 - - [25/May/2019:01:09:35 +0000] "POST / HTTP/1.0" 200 343 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
    XX.XXX.XXX.111 - - [25/May/2019:01:09:36 +0000] "GET /wp-content/uploads/bbpowerpack/index.php HTTP/1.0" 200 532 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
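
As an added example (not code from the thread or from Wordfence), here is a small Python script that parses access-log lines like the ones above and flags any request for a PHP file under wp-content/uploads, a tree that should only hold media, then reports whether each such request was served (2xx) or refused. The sample lines are constructed to mirror the excerpt, with placeholder IPs.

```python
import re

# Apache combined/common log format, as in the excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Anything ending in .php (or .php.<ext>, a common double-extension trick)
# under wp-content/uploads/ is suspicious: that directory is for media only.
UPLOADS_PHP = re.compile(r'^/wp-content/uploads/.+\.php', re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'] = rec['path'].split('?', 1)[0]  # drop any query string
    rec['status'] = int(rec['status'])
    return rec


def suspicious_upload_hits(lines):
    """Return (ip, path, status) for every request to PHP under uploads."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and UPLOADS_PHP.match(rec['path']):
            hits.append((rec['ip'], rec['path'], rec['status']))
    return hits


def served_vs_blocked(hits):
    """Count hits that got a 2xx (the file ran) versus any other status."""
    served = sum(1 for _, _, status in hits if 200 <= status < 300)
    return {'served': served, 'other': len(hits) - served}


# Constructed sample modelled on the thread's excerpt; IPs are placeholders.
SAMPLE_LOG = """\
203.0.113.111 - - [25/May/2019:01:09:32 +0000] "GET / HTTP/1.0" 200 13747 "-" "Mozilla/5.0"
203.0.113.111 - - [25/May/2019:01:09:33 +0000] "POST / HTTP/1.0" 200 343 "-" "Mozilla/5.0"
203.0.113.111 - - [25/May/2019:01:09:36 +0000] "GET /wp-content/uploads/bbpowerpack/index.php HTTP/1.0" 200 532 "-" "Mozilla/5.0"
203.0.113.111 - - [25/May/2019:01:10:02 +0000] "POST /wp-content/uploads/bbpowerpack/index.php?a=1 HTTP/1.0" 403 212 "-" "Mozilla/5.0"
198.51.100.7 - - [25/May/2019:01:11:00 +0000] "GET /wp-content/uploads/2019/05/photo.jpg HTTP/1.0" 200 9001 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    found = suspicious_upload_hits(SAMPLE_LOG)
    for ip, path, status in found:
        print(f"{ip} {status} {path}")
    print(served_vs_blocked(found))
```

A 200 on such a path means the web server executed the file, so the request deserves the same follow-up the thread describes (remove the file, rotate credentials, find the entry point); a 403 suggests a firewall rule refused it.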
    
    MtGamberWebsiteDesign

    (@mtgamberwesbitedesign)

    I did a restore of the website to a time before the file was there. I realise that it doesn’t cure the problem of how it got there but it will fix it for now.

    I intend to restore the infected version and then get the client to pay Wordfence to clean the website and check for any clues on how it came to be there.

    I only use BB Powerpack addon on 2 websites and the other seems fine so far.

    I have reported this to the BB guys and they are also looking into it.

    Cheers,
    Karen

    macmeister

    (@macmeister)

    You rock @mtgamberwesbitedesign
    Thanks for the info and passing it onto the BB Powerpack folk!
