Support » Plugin: Wordfence Security - Firewall & Malware Scan » Wordfence files being targeted

  • Resolved fpmsummer

    (@fpmsummer)



    I installed Wordfence last week on a couple of sites that have been under attack by malicious and relentless injection attacks, and while the attacks slowed down, they increased again after targeting WF plugin files for injections.

    They’re injecting the backdoor code directly into the plugin files, and the number of files being added & injected has increased again.

    Doing another search of the affected sites has yielded some pretty interesting additions to the options table that were sneakily named, and I’m hoping that will take care of the repeat infections of these sites, but I figured you guys should know that the WF plugin is being targeted as a payload delivery vector by the attackers when they find them on sites. Very enterprising of them 🙂

    FWIW, I had installed the Sucuri plugin alongside Wordfence to get some added monitoring, and their backdoor allowed them to circumvent the Sucuri hardening features that I’d activated as well. Like I said, persistent and rather relentless.

Viewing 3 replies - 1 through 3 (of 3 total)
  • bluebearmedia

    (@bluebearmedia)

    Sounds like there was a backdoor on the site already, that was allowing them access, rather than some lack on the part of the security plug-ins – you should sweep your site for other possible intrusions…

    (Note: I’m just a long-time WF user, and not part of WF support.)

    wfalaa

    (@wfalaa)

    Hi fpmsummer,
    I want to make sure: was the “Firewall Status” set to “Enabled and Protecting” on these websites during the attack?

    I do agree with @bluebearmedia as well: there must be a backdoor that allowed them to inject this malicious code into your files and the database. Another reason could be that your MySQL/FTP login credentials are compromised. I highly recommend going through the steps mentioned in “How to Clean a Hacked WordPress Site using Wordfence”, and I want to emphasize making sure that your working environment is secured.

    Finally, please send a copy of the plugin’s “modified” files including this “injected code” to “samples [at] wordfence [dot] com” for further investigation.

    Thanks.

    fpmsummer

    (@fpmsummer)

    @bluebearmedia yes, I know that Wordfence wasn’t their way in. The sites had been compromised about a week after I’d cleaned them up the first time, and I started using Wordfence as a means of finding out which files had been compromised that I might have missed. I just thought it was interesting to note that they began attacking Wordfence files after it had been installed on those sites.

    @wfalaa I will gather the files and send them, thanks!

  • The topic ‘Wordfence files being targeted’ is closed to new replies.