Support » Plugin: Anti-Malware Security and Brute-Force Firewall » /wp-admin/includes/class-ftp.php hack in all my wordpress websites

  • Resolved sostoss

    (@sostoss)


    i disinfect my websites and keep hacked again

    what is the nature of this attack and how can i stop it?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Eli

    (@scheeeli)

    The first step is to determine if this infection is coming from another internal file on your site or from another site. Check the timestamps on the latest infected file to see exactly when it was infected (before you clean the file). If you have already cleaned the infection with my plugin then you can find the exact infection time in the Anti-Malware Quarantine (times are recorded as GMT). Then cross-reference that time with any activity in your access_log file at the same exact time (keep in mind that your log file times might be adjusted for your server’s local time).

    If there is nothing in your access_log for the times of your last infection then you will know that this infection is spreading from another site to yours (probably another site on your server). Typically, shared hosting accounts are not protected from cross-contamination, so infections from one vulnerable site can easily spread to other sites on the same server (even if they are on another account).

    If you find a suspect in you log files please send it to me for further examination. If not then you should move your site to another (more secure) server.

    I have checked on localhost with the new WordPress installation. Anti Malware plugin detects the file, /wp-admin/includes/class-ftp.php as infected!

    Not only that I have checked at least 20 websites on different hosting. Everywhere /wp-admin/includes/class-ftp.php infected! Is this a false detection?

    Plugin Author Eli

    (@scheeeli)

    Yes, Thank you! This /wp-admin/includes/class-ftp.php file does appear to be a false positive. I have fixed the definition update from yesterday and released a new definition update today that fixes this issue.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.