My Site Hacked – Files Added, Deleted & Modified
-
Hello,
I am not sure if this is the right section to lay out my issues.
For several days now I have been receiving mails about: Files Added… Files Deleted… Files Modified.
I am afraid: is this a case of hacking and gradual destruction of my site?
For example, I received this yesterday, Sunday:
“A file (or files) on your site at https://bestbodybuildingsuppliments.com have been changed. Please review the report below to verify changes are not the result of a compromise.
Scan Time: Sunday, February 22nd 3:10 pm UTC
Files Added: 0
Files Deleted: 0
Files Modified: 2
Memory Used: 9.31 MB
File | Modified | File Hash
wp-content/plugins/wordfence/tmp/configCache.php | Sunday February 22nd, 2015 at 2:03 pm UTC | 4e03fd031387e532c8644542c79d321a
wp-content/plugins/font/generatedEditorCSS.css | Sunday February 22nd, 2015 at 1:53 pm UTC | d41d8cd98f00b204e9800998ecf8427e”
Please, I need urgent assistance.
Thanks
-
What plugin or plugins are giving you the information?
Thanks for your reply.
The message is a WordPress message, but it seems the two security plugins are the culprit, though I am unsure.
The plugins are: WordFence and iTheme Security.
However, some of the Deleted, Modified and Added files gave me this clue.
For example, see this “Modified File”:
wp-content/plugins/wordfence/tmp/configCache.php
See “Files Added”:
wp-content/uploads/ithemes-security/backups/backup-anabolic-steroids-fo-1424598561-IKY8w.zip
See “Files Deleted”:
wp-content/uploads/ithemes-security/backups/backup-anabolic-steroids-fo-1424425471-QlSowfv5.zip
I think it is iTheme Security that has been sending the report. Here is what is written on their website:
“File Change Detection”
“If someone manages to get into your site, they’ll probably add, remove or change a file. Get email alerts showing any file changes so you know if you’ve been hacked.”
I don’t see any signs of damage looking at your site. I see you also have Wordfence installed. Would you look at Dashboard > Wordfence > Scan for New and Ignored issues at the bottom of the page? Do you see any files listed?
Yes 2 files are listed:
———————————–
This file may contain malicious executable code: /hermes/bosoraweb122/b1422/ipg.garciniacambogiarevi/wp-content/cache/object/000000/b0a/a31/b0aa310c0dd5df8fe4f0bb18cba12f03.php
Filename: wp-content/cache/object/000000/b0a/a31/b0aa310c0dd5df8fe4f0bb18cba12f03.php
File type: Not a core, theme or plugin file.
Issue first detected: 1 min ago.
Severity: Critical
Status: New
This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.
———————————–
This file may contain malicious executable code: /hermes/bosoraweb122/b1422/ipg.garciniacambogiarevi/wp-content/cache/object/000000/da1/0bc/da10bc9e3c87e50ad4c299d47095decb.php
Filename: wp-content/cache/object/000000/da1/0bc/da10bc9e3c87e50ad4c299d47095decb.php
File type: Not a core, theme or plugin file.
Issue first detected: 1 min ago.
Severity: Critical
Status: New
This file is a PHP executable file and contains an eval() function and base64() decoding function on the same line. This is a common technique used by hackers to hide and execute code. If you know about this file you can choose to ignore it to exclude it from future scans.
Clear your cache and run Wordfence scan again.
I just finished scanning. It brought out the TWO malicious warning again.
NOTE: I am using the free version of WordFence.
The free version is fully functional for what you and I are working with here.
What cache plugin are you running, and are you sure you got the cache flushed before you re-ran the last Wordfence scan?
Did Wordfence find exactly the same two files this time as earlier? Meaning, do the long strings of numbers on the end of the link match?
I know that severity = critical sounds bad but the two files found above are both cache objects. Meaning they are not a permanent part of your installation and probably any code they contain is not executable. I’ll know more when you answer my questions in the last two paragraphs.
I am using the “WP Fast Cache” plugin. I clicked on Delete All Cached URLs.
Yes, the long strings of numbers on the end of the link match. They are EXACTLY THE SAME as the first ones I posted here.
1st:
This file may contain malicious executable code: /hermes/bosoraweb122/b1422/ipg.garciniacambogiarevi/wp-content/cache/object/000000/b0a/a31/b0aa310c0dd5df8fe4f0bb18cba12f03.php
2nd:
This file may contain malicious executable code: /hermes/bosoraweb122/b1422/ipg.garciniacambogiarevi/wp-content/cache/object/000000/da1/0bc/da10bc9e3c87e50ad4c299d47095decb.php
Use Wordfence to delete the two files shown above. And rerun the scan in Wordfence.
Hello,
Appreciate your kindest assistance.
When I open the WordFence page, I see a clean bill of health notice below. However, when I scan, the 2 codes appear again.
However, I was able to delete the first one, while I continue to receive an error message, as follows:
“An error occurred”
“Could not delete file wp-content/cache/object/000000/da1/0bc/da10bc9e3c87e50ad4c299d47095decb.php. The error was: unlink(/hermes/bosoraweb122/b1422/ipg.garciniacambogiarevi/wp-content/cache/object/000000/da1/0bc/da10bc9e3c87e50ad4c299d47095decb.php): Permission denied”
Maybe WordFence is clashing with the security service from my host, which is called SiteLock?
Also, I received mails saying that someone got access to my account. However, the IP addresses are not mine. Could WordFence be telling me lies?
SiteLock should be able to tell you if you have a problem with your site and if there is a possibility of a conflict with Wordfence.
Who are the emails from? What do they say?
Hello,
First, accept my apology for the late response. My PC is down; I am posting from a tablet now.
Yes, SiteLock reports no malware but, according to them, they will not detect or remove ‘backdoor scripts’.
As for the cache, I will rescan when my PC is okay. So do you suggest I use another cache plugin? If yes, which one?
I am not 100% sure but I think iTheme Security is sending the “Files Added. Files Deleted. Files Modified” mails.
NOTE: Yesterday I received the same kind of mail for another site which has no malware issues.
————-
“A file (or files) on your site at: have been changed. Please review the report below to verify changes are not the result of a compromise. Scan Time: Thursday, February 26th 4:49 pm UTC”
Files Added: 6
Files Deleted: 2
Files Modified: 7
Memory Used: 17.1 MB

Files Added
File | Modified | File Hash
htaccess.txt | Friday February 20th, 2015 at 3:13 pm UTC | d573d56b42503d53c60dbc4a9fc4c6b9
stats/access_log_20150225.gz | Thursday February 26th, 2015 at 5:18 am UTC | d0e38658c86cce55c7989639ef9a4181
stats/access_log_20150226.gz | Thursday February 26th, 2015 at 4:19 pm UTC | ba0326959f67fac19a007e840ee39b12
stats/ftp_log_20150226.gz | Thursday February 26th, 2015 at 11:32 am UTC | f8b274e3ae4fdea6ddfd1b07f8e05103
stats/ftp_log_20150225.gz | Wednesday February 25th, 2015 at 10:32 am UTC | 2629cf50242d4275da067ed751e83635
GZipNinjaSpeed_install_backup1424944051.htaccess | Thursday February 26th, 2015 at 9:47 am UTC | f9eebf4db43d2e897f9ac82b313a583d

Files Deleted
File | Modified | File Hash
stats/access_log_20150124.gz | Sunday January 25th, 2015 at 5:18 am UTC | 6ad13e847bc3ade1f88562767ec021fa
stats/access_log_20150125.gz | Monday January 26th, 2015 at 5:20 am UTC | d636b055dfef097fd86e6f728fd8f209

Files Modified
File | Modified | File Hash
stats/access_log_20150224.gz | Wednesday February 25th, 2015 at 5:20 am UTC | 50cc352df0784d1a6682306f9792923e
stats/webalizer.hist | Thursday February 26th, 2015 at 8:25 am UTC | 1226829930528d2bfba367dcc16c7bd8
stats/index.html | Thursday February 26th, 2015 at 8:25 am UTC | 47e85fb9dcb43a3cf6115f88dc70b14b
stats/cgi_error_log | Thursday February 26th, 2015 at 10:12 am UTC | 99ab625206c0305001911d1a66394fc9
stats/webalizer.current | Thursday February 26th, 2015 at 8:25 am UTC | c9e54616646e2c57b4474275009a7a71
stats/usage_201502.html | Thursday February 26th, 2015 at 8:25 am UTC | c2eae6c35eeb0ee838fd08a99c8827da
.htaccess | Wednesday February 25th, 2015 at 2:18 pm UTC | f9eebf4db43d2e897f9ac82b313a583d

Do I understand correctly, you contacted SiteLock and they said your site had malware but they can’t clean it? Isn’t that what they do?
It’s not unusual for me to have a hard time convincing a site owner their site is hacked. In your case, I have seen nothing that leads me to believe your site is damaged.
WordPress sites by their nature automatically add to, modify and delete files. The files your malware software is finding are cache files, backup files, server stats and the like.
As for your choice of cache plugins, if you’re getting the speed boost you were expecting, I wouldn’t change.
Have you recently changed graphics? Google shows some cached links to your site with different graphics than you are using now. The views are cached from January. Also there are some cached links with https. Were you using SSL in January? I’m wondering if you made some significant changes recently, causing the emails that are concerning you so much?
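The replies above describe two different signals: iTheme Security's raw list of added, deleted and modified files, which on a WordPress site is mostly cache, backup and stats churn, and Wordfence's heuristic that flags a PHP file with eval() and base64 decoding on the same line. The Python below is an added example, not code from the thread, from Wordfence, from iThemes or from the forum responders, that combines the two so a site owner can separate routine churn from changes worth a closer look: it hashes a constructed file tree with MD5 (the hash type the emailed reports show), diffs it against a baseline, treats a few assumed volatile path prefixes as low priority, and raises the priority of anything outside those prefixes or of any PHP file carrying the eval/base64 pattern. The prefix list, the sample files and the priority rules are assumptions for illustration, not settings of either plugin.

```python
import hashlib
import re
from typing import Dict, List

# Path prefixes that WordPress, its plugins and the host rewrite on their own
# (cache objects, plugin temp files, security-plugin backups, server stats).
# Assumed list modelled on the paths quoted in the thread, not a plugin setting.
VOLATILE_PREFIXES = (
    "wp-content/cache/",
    "wp-content/uploads/ithemes-security/backups/",
    "wp-content/plugins/wordfence/tmp/",
    "stats/",
)

MD5_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of zero bytes

# The pattern Wordfence's warning describes: eval() and base64 decoding on one line.
EVAL_B64 = re.compile(r"eval\s*\(.*base64_decode\s*\(", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """MD5 hex digest, the hash type shown in the change-detection reports."""
    return hashlib.md5(data).hexdigest()


def snapshot(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the hash of its content (a baseline or a current scan)."""
    return {path: md5_hex(content) for path, content in files.items()}


def diff_snapshots(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Raw added / deleted / modified lists, the same three the emails report."""
    return {
        "added": sorted(p for p in new if p not in old),
        "deleted": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
    }


def is_volatile(path: str) -> bool:
    return path.startswith(VOLATILE_PREFIXES)


def suspicious_php(content: bytes) -> bool:
    """True when any single line pairs eval() with base64_decode()."""
    text = content.decode("utf-8", errors="replace")
    return any(EVAL_B64.search(line) for line in text.splitlines())


def triage(baseline: Dict[str, str], current_files: Dict[str, bytes]) -> List[dict]:
    """Rank each change: routine churn stays 'low'; anything outside the volatile
    paths, or any PHP file carrying the eval/base64 pattern, becomes 'high'."""
    current = snapshot(current_files)
    findings = []
    for kind, paths in diff_snapshots(baseline, current).items():
        for path in paths:
            finding = {"path": path, "change": kind, "priority": "low", "reasons": []}
            if not is_volatile(path):
                finding["priority"] = "high"
                finding["reasons"].append("outside known volatile paths")
            if kind != "deleted":
                if path.endswith(".php") and suspicious_php(current_files[path]):
                    finding["priority"] = "high"
                    finding["reasons"].append("eval+base64_decode on one line")
                if current[path] == MD5_EMPTY:
                    finding["reasons"].append("file is empty")
            findings.append(finding)
    # High-priority items first, then by path, so the list reads top-down.
    findings.sort(key=lambda f: (f["priority"] != "high", f["path"]))
    return findings


# Constructed sample trees (not real site contents). BASELINE_FILES stands for a
# snapshot taken right after the clean-up; CURRENT_FILES for the tree days later.
BASELINE_FILES = {
    "index.php": b"<?php require 'wp-blog-header.php';\n",
    "wp-includes/version.php": b"<?php $wp_version = '4.1';\n",
    "wp-content/plugins/wordfence/tmp/configCache.php": b"<?php // cache v1\n",
    "wp-content/uploads/ithemes-security/backups/backup-site-1424425471.zip": b"PK\x03\x04old",
}
CURRENT_FILES = {
    "index.php": b"<?php require 'wp-blog-header.php';\n",
    "wp-includes/version.php": b"<?php $wp_version = '4.1';\n",
    "wp-content/plugins/wordfence/tmp/configCache.php": b"<?php // cache v2\n",
    "wp-content/uploads/ithemes-security/backups/backup-site-1424598561.zip": b"PK\x03\x04new",
    "wp-content/plugins/font/generatedEditorCSS.css": b"",
    "wp-content/cache/object/000000/b0a/a31/b0aa310c0dd5df8fe4f0bb18cba12f03.php":
        b"<?php eval(base64_decode('QUJD'));\n",  # 'QUJD' decodes to 'ABC'
    "wp-includes/load.php": b"<?php\n$x = 1;\n",  # core path absent from the baseline
}
BASELINE = snapshot(BASELINE_FILES)

if __name__ == "__main__":
    for f in triage(BASELINE, CURRENT_FILES):
        print(f"{f['priority']:4} {f['change']:8} {f['path']}  {'; '.join(f['reasons'])}")
```

Two details the sample is built to show: a file can sit under a volatile path and still deserve attention because of its content (the cache object with the eval/base64 line), and a file outside the volatile paths is worth a look even when its content is harmless (the new wp-includes file and the empty generated CSS; d41d8cd98f00b204e9800998ecf8427e in the first emailed report is the MD5 of an empty file). The same hashing logic also explains an entry in the second report: .htaccess and the GZipNinjaSpeed backup copy share the hash f9eebf4db43d2e897f9ac82b313a583d, so the backup is a byte-for-byte copy of the live file.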
Sorry I was not clear enough. SiteLock is from my host, iPage so I bundled the service with my hosting package.
They told me my site has no malware. They also said SiteLock doesn’t remove “backdoor scripts a hacker may have added to regain access to a site even when the password is changed”.
That actually informed my worry that the hacker may still have access to my site, hence the File Added/Modified/Deleted report I’d been receiving. Also, iTheme Security has a feature that detects files changed/deleted/added, which they claim may be a hacker’s job.
Those two were the reasons for my worry, coupled with the fact that my site was badly hacked.
But now that you have clarified that File Change/Delete/Added is normal, I think I should rest.
Did I do any major change? I did not. However, I installed both WordFence and iTheme Security after my site was recovered from the hacker. Later I deactivated one of them and activated it again.
As for the cache, what do you suggest I do to stop the occurrence? Or should I leave things as they are? I also noticed them appearing in my StatCounter stats yesterday after I asked Google to recrawl my site (the hacker had previously stopped my site from being crawled by Google).