404testpage4525d2fdc , Malware ?

Hi Chris,

These could be a configuration problem and not malware. In some cases, it would be a line in the .htaccess file, but there could be other causes too. If you know where to find the error log for your site, it should have details on what caused the “500” error instead of the expected “404” page. (The hosting company can help you find the error log, if you’re not sure where it is.)

If you had an infection in any of the theme files, you might want to try reinstalling the theme, in case any the files are missing or still damaged (possibly including the file that generates the 404 pages, which might be the reason for the error).

-Matt R

Thanks for the reply, Ive taken a look at the .htaccess
there is an .htaccess and a .orig version

The .htaccess version is:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /mywebsitename.uk/
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /mywebsitename.uk/index.php [L]
</IfModule>

# END WordPress

the .orig is

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

does this look ok ?

I have deleted redundant themes, made all the plugin updates etc, re-installed fresh theme files, updated WP.
Wordfence shows clean, but Google and Securi net scan show infection,

However it shows clean for non www. but infected on www. ? (on securi.net scanner

(I’ll take a look at the log file, but Im no expert on this sort of thing

Thanks for your input

I removed an error log a few days ago…..

wp-includes/simplePie/error_log
it was 91.19mb !

It has lots of these logged, just with different dates and a few different line numbers and adated between 26th – 31st Jan

[29-Jan-2016 23:37:16 UTC] PHP Strict Standards: Only variables should be passed by reference in /home/vmysco/public_html/www.mysitename.uk/slic.php(1) : eval()’d code on line 311

I cant find slic.php
there is now a lic.php in the root directory?

at the beginning of this large file it reads

[02-Jan-2016 09:47:00 UTC] PHP Fatal error: Uncaught exception ‘Exception’ with message ‘We received an error response when trying to contact the Wordfence scanning servers. The HTTP status code was [502]’ in /home/vmysco/public_html/www.mysitename.uk/wp-content/plugins/wordfence/lib/wfAPI.php:89
Stack trace:
#0 /home/vmysco/public_html/www.mysitename.uk/wp-content/plugins/wordfence/lib/wfAPI.php(32): wfAPI->getURL(‘https://noc1.wo…&#8217;, Array)
#1 /home/vmysco/public_html/www.mysitename.uk/wp-content/plugins/wordfence/lib/wordfenceClass.php(149): wfAPI->call(‘ping_api_key’)
#2 [internal function]: wordfence::dailyCron()
#3 /home/vmysco/public_html/www.mysitename.uk/wp-includes/plugin.php(579): call_user_func_array(‘wordfence::dail…’, Array)
#4 /home/vmysco/public_html/www.mysitename.uk/wp-cron.php(117): do_action_ref_array(‘wordfence_daily…’, Array)
#5 {main}

at the end of the file:

[10-Feb-2016 11:14:58 UTC] PHP Warning: require_once(/home/vmysco/public_html/www.mysitename.uk/wp-load.php): failed to open stream: No such file or directory in /home/vmysco/public_html/www.mysitename.uk/wp-blog-header.php on line 12
[10-Feb-2016 11:14:58 UTC] PHP Fatal error: require_once(): Failed opening required ‘/home/vmysco/public_html/www.mysitename.uk/wp-load.php’ (include_path=’.:/usr/lib/php:/usr/local/lib/php’) in /home/vmysco/public_html/www.mysitename.uk/wp-blog-header.php on line 12

Any thoughts?

Thanks

The slic.php and lic.php issues definitely sound like malware. If you still have a copy of the file you found, you can email it to us at samples (at) wordfence.com for evaluation and inclusion in future scans.

The last error was a while ago, so it might not be related. Do you see any other error log files aside from the one in the SimplePie directory?

-Matt R

Thank you.

I have decided to rebuild the site, it was only small and took only a few hours.

Thank you for you input

Chris