yorman
Forum Replies Created
@bemsertanejo the ticket was marked as resolved after I answered the questions from the original poster in my previous comment. Please read that comment and let me know if you don’t understand something so I can explain it in more detail.
Be aware that this forum doesn’t offer any assistance with regards to a malware infection, only if you notice an inconsistency with the information provided by the plugin. To clean your website, I suggest you contact your hosting provider to solve the problem on their end, or hire a security firm to do a clean up.
Anything else, feel free to ask.
@bemsertanejo problem with what?
The instructions above work in a normal installation of the Apache web server. It is possible that your hosting provider has a special configuration. Please ask one of their support agents about this to learn how to allow access to a directory using mod_authz. They may be the only people who can help you if their installation is not standard.
Create this file:
    wp-content/plugins/wordpress-social-login/hybridauth/.htaccess
Then, paste these rules inside:
    <FilesMatch "index\.php">
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Allow from all
        </IfModule>
        <IfModule mod_authz_core.c>
            Require all granted
        </IfModule>
    </FilesMatch>
This will allow the execution of the index.php file. Any other PHP files in this directory will still be blocked.
I wouldn’t recommend whitelisting all the PHP files contained in a directory with an inherited restriction. An attacker can take advantage of this and put infected files in this directory, bypassing the whole protection and rendering the hardening useless.
However, if you still want to go ahead with this change, you can use the “Whitelist Blocked PHP Files” panel located at the bottom of the Hardening tab to whitelist individual PHP files. This is a better solution than whitelisting the whole directory without knowing what PHP files are actually running.
Or you can use another “htaccess” file to override the protection.
Create this file:
    /wp-content/plugins/xplugin/.htaccess
and add the code below:
    <FilesMatch "\.(?i:php)$">
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Allow from all
        </IfModule>
        <IfModule mod_authz_core.c>
            Require all granted
        </IfModule>
    </FilesMatch>
Will downloading this plugin help to fix this problem or do we need to take further action?
You need to take further action.
The plugin helps to prevent some types of attacks by providing more visibility to the user about suspicious activity generated by non-regular web traffic. If you are already infected, what you need is a malware clean up service to flush the infection from the code/database. Then, you will want to install a web application firewall in front of your website to prevent re-infections.
We would be very grateful for any advice on how to fix this problem
If I understand correctly, the redirection only happens when you click a link from Google, but the website itself works okay if you type the domain in the address bar, right?
In that case, the infection may be inside the access control file, commonly known as “htaccess”. There is a type of malware that checks some information in the HTTP request, generally checking whether the user-agent is one of the popular web crawlers like Google, Bing, Yandex, etc. Then, it redirects the user to another website.
Locate and inspect that file; you may find the infection there.
If that doesn’t solve the problem, there are a million other things you can do, each more complicated than the last. It would be better to hire a security expert and let them deal with this problem. There are many companies offering these services, Sucuri is one of them [1] if you are interested.
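The conditional redirect described in the reply above (a RewriteCond on the user-agent or referer of a search engine, followed by a RewriteRule to an external URL) is simple to spot mechanically. The script below is an added example, not code from the plugin or from the forum thread: it parses an .htaccess file, pairs each RewriteRule with the RewriteCond lines in front of it, and reports rules that redirect externally when the request comes from a crawler. The sample .htaccess, the crawler keyword list and the example.invalid target are constructed for the demonstration.

```python
import re

# Constructed sample: the standard WordPress rewrite block with an injected
# crawler-conditional redirect appended after it. Not taken from any real site.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|yandex) [NC,OR]
RewriteCond %{HTTP_REFERER} google\\.|bing\\.|yandex\\. [NC]
RewriteRule ^(.*)$ http://example.invalid/go.php?u=$1 [R=302,L]
</IfModule>
"""

# Keywords that mark a condition as "is this a search engine?" (assumed list).
CRAWLER_WORDS = re.compile(r"google|bing|yandex|yahoo|msn|baidu|duckduck", re.I)
# RewriteCond <variable> <pattern> [flags]
COND_RE = re.compile(r"^\s*RewriteCond\s+(%\{[A-Za-z_]+\})\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
# RewriteRule <pattern> <target> [flags]
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$", re.I)
EXTERNAL_RE = re.compile(r"^https?://", re.I)
# An R or R=nnn flag means Apache answers with a 3xx instead of an internal rewrite.
REDIRECT_FLAG_RE = re.compile(r"(^|,)R(=\d+)?(,|$)", re.I)
REQUEST_VARS = ("%{HTTP_USER_AGENT}", "%{HTTP_REFERER}")


def find_crawler_redirects(htaccess_text):
    """Return a list of (line_no, target_url, [matching RewriteCond patterns]).

    A finding is a RewriteRule whose target is an absolute external URL, carries
    the R flag, and is preceded by at least one RewriteCond that tests the
    user-agent or referer against a crawler keyword. Apache applies the
    RewriteCond lines immediately above a RewriteRule to that rule only, so
    the pending conditions are cleared after every rule.
    """
    findings = []
    pending = []  # (line_no, variable, pattern) not yet attached to a rule
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((no, cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # comments, IfModule tags and other directives are ignored
        target, flags = rule.group(2), (rule.group(3) or "")
        suspicious = [c for c in pending
                      if c[1] in REQUEST_VARS and CRAWLER_WORDS.search(c[2])]
        is_external_redirect = EXTERNAL_RE.match(target) and REDIRECT_FLAG_RE.search(flags)
        if suspicious and is_external_redirect:
            findings.append((no, target, [c[2] for c in suspicious]))
        pending = []
    return findings


if __name__ == "__main__":
    for line_no, target, conds in find_crawler_redirects(SAMPLE_HTACCESS):
        print(f"line {line_no}: crawler-conditional redirect to {target} (conditions: {conds})")
```

Run it against the site's real .htaccess by replacing SAMPLE_HTACCESS with the file contents; a clean WordPress rewrite block produces no findings because its conditions only test REQUEST_FILENAME and its rule targets are internal paths.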
How could they possibly know which user names to try, as I’ve told no-one?
There is a URL in WordPress that receives a parameter whose value is a username. If the username exists, the page redirects to another part of the website. If the username doesn’t exist, it returns a “404 Not Found” HTTP status code. You can read more about this technique here [1].
Can I automatically block an IP address after a certain number of failed attempts per minute?
Yes, you can, but not with this plugin.
There are some free and paid plugins out there that you can use to limit the number of login attempts on a WordPress website. There are better alternatives, like a firewall [2], if you want to get fully protected from all sorts of attacks. If you are only concerned about unwanted login attempts, you can give Fail2Ban [3] a try.
[1] https://hackertarget.com/wordpress-user-enumeration/
[2] https://sucuri.net/website-firewall/
[3] https://codex.wordpress.org/BruteForceAttacks#Fail2Ban
Yes, if you reload the plugin dashboard some of the files will be generated, but they will not contain the data that you had before the reset action was requested. For example, this file [1], which is used to store the settings, will be automatically re-generated after the reset with default values. Some other files, like the cache and event logs, will contain a few lines representing the metadata, but there will not be any relevant data inside.
[1] /wp-content/uploads/sucuri/sucuri-settings.php
This page is not generated by the plugin, but by the Sucuri Firewall.
You can finish the configuration by visiting this page [1].
Sucuri can also configure this for you, use the chat here [2] (bottom-right corner).
Sorry @sarahreecesa I misunderstood your original comment.
I will check the source code of “IP Blacklist Cloud” to see why they are showing an incorrect IP address. It is possible that it’s not the plugin but the Sucuri Firewall changing the IP and the other plugin is missing the forwarded address.
Marking as unresolved while I investigate.
The reset button is probably working but you may be confusing the purpose.
When you click that button, the plugin reverts all the (manually applied) hardening options, that is, the access control rules inserted into multiple htaccess files in the document root, admin and includes directories. It also deletes all the cache files stored at “/wp-content/uploads/sucuri/” as well as the logs and settings (which are also stored in plain text files in the same directory).
What the button doesn’t do is delete the events listed in the “Audit Logs” panel. This is because these events are stored in a remote server owned by Sucuri. You cannot request the deletion of this information. A malicious user could impersonate you and request Sucuri to delete this data to hide their fingerprints during/after an attack.
If you want to be 100% sure that the local data is being reset, simply delete this directory and all the files contained inside:
    /wp-content/uploads/sucuri/
If you are a European citizen and want to exercise your right of erasure, please contact the GDPR team at gdpr@sucuri.net
Marking as resolved, let me know if you need more information.
The problem seems to be solved, there was some kind of update from WordPress that apparently took care of it.
Good to know that the problem is now resolved.
However, the whole operation was started to get an API from Sucuri for activating the firewall and I was now able to request one as that button is now working, but I didn’t receive an API through the mail and the API which was produced in the Sucuri app doesn’t seem to work.
In order to fully activate the plugin, you need two keys:
Plugin API Key (FREE)
This key is completely free.
It can be generated using the big blue button at the top of the page in the Sucuri plugin dashboard. You just need to provide a valid domain name and an email address (used to send email alerts about security events, and for the recovery of the key itself in case you lose it in the future). Notice that the domain is required to have an MX record, otherwise our system will flag it as invalid, this may also affect the delivery of the messages to your inbox.
Firewall API Key (PAID)
You can read about the Sucuri Firewall here [1].
In simple words, the firewall is software that filters the bad traffic going to your website before it arrives at your host. To do this, your hosting account has to be modified to pass the traffic through Sucuri. This cannot be done via WordPress, the plugin will not do this, that’s why you have to pay for the service.
The key mentioned in the plugin is simply used to show some information that the firewall provides, but the firewall works very independently from the plugin. In fact, you can use the firewall without setting that key at all. If you are not using the Sucuri Firewall, you don’t need to set that key.
There are other options in the market that may or may not be free [2].
[1] https://sucuri.net/website-firewall/
[2] https://en.wikipedia.org/wiki/Web_application_firewall#Commercial_vendors
That message in red doesn’t come from the Sucuri plugin.
What other plugins do you have installed? It is possible that you are using a login locker to prevent brute force attempts. Please contact the developer of that plugin to resolve the problem.
Marking as resolved, let me know if you need more information.
HTTP/1.1 508 Loop Detected
As the error says, when the malware scanner tried to connect to your website it got redirected to another location, and this new location redirected the scanner to the original URL again, and this URL to the new location, and so on, forever. This is called an “Infinite Loop” [1] and the only way to prevent it is to stop the execution after a few redirections.
The scanner stopped trying to scan your website after 20+ redirections and gave up. Please fix your website to remove the redundant redirection rules before requesting a fresh malware scan.
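The reply above describes the two ways a redirect-following client has to give up: it either sees a URL it has already visited (a true loop) or it exhausts a hop budget on a chain that never settles. The function below is an added example, not the Sucuri scanner's code; it models the HTTP side with a constructed redirect table (each key answers with a Location header pointing at its value, anything else answers 200) and a cap of 20 hops, which is an assumption chosen to match the "20+" figure in the reply. Distinguishing the two outcomes matters when fixing the site: a loop points at a pair of rules that undo each other (for example an http-to-https rule and a plugin forcing http), while "too many" points at a long chain of stale redirects.

```python
MAX_REDIRECTS = 20  # assumed hop budget, chosen to match the "20+" in the reply

# Constructed stand-in for live HTTP responses: key -> Location header value.
# URLs not present in the table are treated as a final 200 response.
CONSTRUCTED_SITE = {
    # http and https bounce each other back: the classic two-rule loop
    "http://example.invalid/": "https://example.invalid/",
    "https://example.invalid/": "http://example.invalid/",
    # a legitimate short chain that settles on a real page
    "https://example.invalid/old": "https://example.invalid/new",
    "https://example.invalid/new": "https://example.invalid/index.php",
}
# a chain of 30 distinct hops: not a loop, but longer than any sane client allows
for i in range(30):
    CONSTRUCTED_SITE[f"https://example.invalid/step{i}"] = f"https://example.invalid/step{i + 1}"


def follow_redirects(start, location_for, limit=MAX_REDIRECTS):
    """Follow Location headers starting at `start`.

    `location_for(url)` returns the next URL or None for a final response
    (CONSTRUCTED_SITE.get plays that role here; a real client would issue the
    request and read the Location header).

    Returns one of:
      ("ok",       final_url,           hops)  the chain settled
      ("loop",     first_repeated_url,  hops)  a URL came back a second time
      ("too_many", last_url,            hops)  the hop budget ran out first
    """
    seen = {start}
    url, hops = start, 0
    while True:
        nxt = location_for(url)
        if nxt is None:
            return ("ok", url, hops)
        hops += 1
        if nxt in seen:
            return ("loop", nxt, hops)
        if hops >= limit:
            return ("too_many", nxt, hops)
        seen.add(nxt)
        url = nxt


if __name__ == "__main__":
    for start in ("http://example.invalid/", "https://example.invalid/old", "https://example.invalid/step0"):
        print(start, "->", follow_redirects(start, CONSTRUCTED_SITE.get))
```

With a real site, swap CONSTRUCTED_SITE.get for a function that performs the request without auto-following redirects (so that it can observe each Location header) and keep the visited set; a client that only counts hops will report a two-URL loop as "too many redirects" and hide the faster diagnosis.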
Please send me the address of your website at [removed]. I will try to troubleshoot the error from my side. We know that the jQuery library is not being loaded, but we cannot see the reason for that from the error messages that you are seeing in the DevTools Console. The 4 plugins that you currently have active don’t seem to have any incompatibility, as far as I know.