• RL

    (@yofazza)


    Hello,

    Is there a known trick that renders WordPress’ Sucuri or Wordfence file integrity scan useless? Or other obvious reasons that I’m not aware of?

    I have a WP installation with a changed index.php (among others) and both Sucuri & Wordfence said there’s nothing to worry about.

    Thank you.

    • This topic was modified 1 year ago by RL.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @yofazza, thanks for reaching out!

    I just put this to the test by changing my index.php file to contain a new comment, so no attempt to run any new PHP code or insert a known malicious sample. After running a new scan, the file change was flagged as a high severity change to a core WordPress file.

    Ensure you run a full scan after making your changes and have the following enabled in your Wordfence > All Options > General Options page:

    • Scan core files against repository versions for changes
    • Scan theme files against repository versions for changes
    • Scan plugin files against repository versions for changes

    If your change still isn’t being acknowledged, let me know if there are any other requirements to this test, such as altering an index.php in a location that wasn’t bundled with WordPress core etc.

    Thanks,
    Peter.

    Thread Starter RL

    (@yofazza)

    @wfpeter thanks for the response.

    I managed to get it to work, but I didn’t do anything on the Wordfence part.

    The malware is this. Slightly different in the random string part and (obviously) the encoded file path.

    I see it in index.php and wp-config.php first. They are @including different files, where I also see a lot of weird files and folders in the WP installation (in root, wp-includes, wp-content, etc.), where some of them contain similar includes, and others contain completely encoded PHP function(s).

    From the other post, I see this happened for at least two years. I can’t (yet) find any other discussions about it, and I’m not that familiar with WP “news”.

    So, I finally just fixed/cleaned everything that I could see, manually, where at some point Wordfence suddenly worked by telling me there were still some 20ish files that were either changed or unknown files in core. Sorry, but I really don’t know what I did. This is one of those times when you don’t know what you did or did not do that fixed a problem.

    I finished the cleaning by clicking the “delete” and “repair” buttons in Wordfence.

    Still monitoring the site now to see if any of the malware returns.

    Thanks!

    • This reply was modified 1 year ago by RL.
  • The topic ‘File Integriry Check is Wrong’ is closed to new replies.
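
The check discussed in this thread, as an added example (not from either poster and not Wordfence's or Sucuri's code): files are compared against a known-good manifest, and because wp-config.php has no reference copy in a core release, PHP files are also searched for the error-silenced include the thread starter describes. The manifest, file names and sample contents are constructed for the demonstration, and SHA-256 is an assumed digest choice.

```python
import hashlib, re, tempfile
from pathlib import Path

# Heuristic for the symptom in the thread: an error-silenced include/require.
SILENCED_INCLUDE = re.compile(rb"@\s*(?:include|require)(?:_once)?\b", re.I)

def digest(data):
    return hashlib.sha256(data).hexdigest()

def audit(root, manifest):
    """Compare files under root with manifest {relative path: sha256 hex}."""
    root, seen = Path(root), set()
    report = {"modified": [], "unknown": [], "missing": [], "suspicious": []}
    for path in (p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        seen.add(rel)
        if rel in manifest:
            if digest(data) != manifest[rel]:
                report["modified"].append(rel)
        elif rel != "wp-config.php" and not rel.startswith("wp-content/"):
            report["unknown"].append(rel)  # sits in a core location, never shipped
        # Site-specific files have no reference hash, so also check content.
        if path.suffix == ".php" and SILENCED_INCLUDE.search(data):
            report["suspicious"].append(rel)
    report["missing"] = [rel for rel in manifest if rel not in seen]
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Build a constructed mini-site in a temp dir and audit it."""
    clean = {
        "index.php": b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": b"<?php\n$wp_version = '0.0-demo';\n",
        "wp-login.php": b"<?php\n// constructed stand-in\n",
    }
    manifest = {rel: digest(data) for rel, data in clean.items()}
    injected = b"<?php @include 'CONSTRUCTED-PLACEHOLDER-PATH'; ?>\n"
    on_disk = {
        "index.php": injected + clean["index.php"],
        "wp-includes/version.php": clean["wp-includes/version.php"],
        "wp-includes/zx.php": b"<?php\n// constructed stray file\n",
        "wp-config.php": injected + b"<?php\ndefine('DB_NAME', 'demo');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in on_disk.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit(tmp, manifest)
```

Calling `demo()` returns the four lists for the constructed tree; the pattern match is a heuristic, so a hit is a prompt for manual review of that file.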