Deleted / Added / Modified FIles

Before you assume that Better WP Security is accurately detecting a problem or that your site is hacked you should confirm this visually by checking a file or files that Better WP Security is saying has been modified/added/deleted to see if this is actually accurate or not.

1. Yes, and a lot more with ARQ IDPS with automatic file AutoRestore & Quarantine: https://forum.ait-pro.com/forums/topic/autorestore-quarantine-guide-read-me-first/

2. Yes, and a lot more. You can add IP ban .htaccess code to BPS Pro Custom Code. Example: https://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/

3. Not really sure why this would be considered as security??? BPS and BPS Pro have 404 Not Found error logging code available that you can add to your Theme’s 404.php template file. I checked Better WP Security’s FAQ page and the only reference to 404 errors I found was this information: “Detect hidden 404 errors on your site that can affect your SEO such as bad links, missing images, etc.” This is not a security measure and is a general website check for 404 errors, which BPS and BPS Pro does as well when you add the BPS/BPS Pro 404 logging code to your Theme’s 404.php template.

To view all BPS Pro Features click the link below.
https://www.ait-pro.com/bulletproof-security-pro-flash/bulletproof.html

Also if your website is actually really already hacked then you would need to change all of your passwords (by creating new secure passwords. Example: b#8!Uv6Xp3#!j4X) for FTP, WordPress, WP Database, restore it from a good/clean backup or back everything up, delete everything, reinstall everything brand new and then import your backed up content database tables into your new database.

https://forum.ait-pro.com/forums/topic/website-is-already-hacked-will-bps-pro-automatically-fix-or-remove-the-hackers-files-and-code/

I have verified files added/modified/deleted have actually occurred. It looks like they modified an image file then added it to wp_content/uploads/et_temp then proceeded modify 75 other files. I guess the only answer is to see how far back my backups are corrupted. The only problem is determining if a new restored site is also infected before installing bulletproof pro.

I have 11 sites and this has happened on almost every one.

Thanks again

It does sound like your Hosting account has been compromised then. If the hackers cracked your FTP password then they would have full access to your entire hosting account and be able to hack all of your sites.

Is the image file really an image file or is it a php file disguised as an image file? Example: hackerfile.jpg.php.

Check a php file that has been modified and look at the code. Do you see any references to base64, eval, or strange looking URL encoded/hex/ascii characters in the file?

You should be 100% sure that your sites are actually hacked before doing all the work that is going to be required.

Scan one of your sites with the Sucuri scanner: https://sitecheck.sucuri.net/scanner/

Is the Sucuri Scanner detecting the hack?

Sucuri is monitoring the worst site. I had them look yesterday since their scan wasn’t showing anything but at that point I didn’t know how bad added and modified files were. He didn’t find anything but he didn’t know about all the files – only the 404 intrusion errors. It was one of these ip’s from Russia that did most of the damage one one site.

Based on your earlier suggestion I am going to check one of the modified php files. I do wonder if anyone else is running into this. I always keep everything 100% up to date – checking every day!

Also Ironically on of the folders flooded with this crap were the better wp security plug in folders!!

If the Sucuri scanner is not finding anything then there is a pretty good chance that site is not hacked. If you had someone from Sucuri check that site and they did not find anything then the site is not hacked – the Sucuri folks are top notch. At this point you need to physically/visually inspect one of the files that is supposedly altered. Also at this point, based on everything you just mentioned, I believe the Better WP Security check is invalid/incorrect.

I checked again and see what the 404 intrusion detection option in Better WP Security is and now I understand what this option is doing. This option is designed to block hacker recons using URL’s probing for things like a timthumb file on a website. What is odd to me is this. If a hacker is doing recon on your website looking for a known file that is exploitable and the file does not exist on your site then a 404 Not Found error is generated. So why would you want to block something like this since the file does not exist on your website it cannot be exploited. Seems like a waste of time and resources to check for this or to block something like this. BPS and BPS Pro do not do this and I would never add a silly option like this because it would be pointless thing to do/add and would waste valuable website and Server resources on something that does not matter/is not important.

Also I imagine this option leads to a lot of problems and lost visitor traffic for users since 404 errors are a normal thing that occur on any website. ??

Send a couple of the files that are supposedly altered/hacked to me and I will tell you what is what. Use the contact email address on the AITpro.com website.

I am still trying to determine which ones to send. I looked at some of the index.php files in each folder and they contained: “<!– You shouldn’t be here. tsk tsk –>”. They all say they have been modified, even in Godaddy file manager. That’s why I don’t know which ones to send but I’ll just pick a couple and try.

I can’t believe how helpful you are being!!!! If you are typical AIT – wow!!

I have no idea what this is – “You shouldn’t be here. tsk tsk” in the index.php file, but it is completely harmless, and none of the other files contain any hackers code.

What I suspect is occurring is something like this: You upgraded Better WP Security and it is not correctly detecting the updated plugin files for its own plugin. In other words, Better WP Security is malfunctioning and none of these files are hacked so most likely your websites are fine.

I also sent you some image files from wp-content/uploads/et_temp. I have deleted these 6 times today and they keep coming back. I’ll pass that along to sucuri monday.

Thanks so much

None of the image files have anything malicious embedded in them and it is pretty much impossible to execute a jpg image file. If you would like to look at the code yourself then make a copy of the jpg files and rename the file extension to .txt and view the code with Notepad. Then do the same for any random jpg file on your computer and compare them and you will see that they have very similar standard coding.

What you need to look at is what is restoring files automatically. Do you have another plugin installed that has automatic file restore capability? Like a backup plugin that automatically restores files?

I have backup buddy from ithemes. It lets you restore individual files but there are so many and I don’t know which ones so that may not be practical. There were 75 mods just Friday night. Also although most changes were in the better wp folder – files were also changed in other folders. The only thing I question is:

1. According to godaddy file manager dates the files were changed so it’s not just wp saying that.
2. Do you have a clue as to why I have deleted the wp-content/uploads/et_temp 6 times today and each time they come back? When I delete them in FTP – they are no longer there yet when I check later they are back.

And i just thought of something obvious. The folder name: /wp-content/uploads/et_temp could possibly be some sort of temp folder for caching or placing image files in this temp folder. Maybe your Theme or another plugin is storing image files in this temp folder.

Did you upgrade any plugins or install anything else on the date that the files are showing as modified? If so, then yes of course Go Daddy will also show the modified date of the new or updated files.