Malicious code in wfHits

  • Hi,

    Hopefully this will be helpful to both Wordfence makers and users.

    My hosting company recently disabled my outbound ports due to malicious code found in the SQL files of my 2 most recent “Duplicator” backups.

    It turns out the code in question was from the wfHits table and of this form: eval(chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111).chr(40).

    For now I’m disabling the back up wfHits, but additional insight would be appreciated.

    Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Wordfence Security

    (@mmaunder)

    Hi,

    Can you explain what you mean by “disabled your outbound ports”? That phrase could have several meanings.

    Which column in wfHits contained that data? Note that wfHits stores referrers, user-agents and other data that any site visitor or attacker can modify. It’s just a data table. The code in there never gets executed and it’s well sanitized before being displayed. So there’s no harm in code that might look malicious being in there.

    Can you go into a bit more detail describing why you’re concerned about this being in a backup? Those SQL files should never be publicly accessible and they also aren’t executable.

    Thanks,

    Mark.

    Thread Starter philrp

    (@philrp)

    Hi,

    Thank you for the response.

    My shared hosting provider runs some form of malicious code scans on a regular basis.

    Their response to identifying the malicious code in my sql database backups was to disable my Outbound Ports 80, 443, 587 and 465. (Port80 in Cpanel) The site did remain accessible.

    The consequence was that Wordfence, Analytics, SEO plugins did not function properly, and the WordPress “Add New” plugins page would not load.

    The code in question was found in UA column of the wfHits table. Full text of the entry:

    }__test|O:21:”JDatabaseDriverMysqli”:3:{s:2:”fc”;O:17:”JSimplepieFactory”:0:{}s:21:”\0\0\0disconnectHandlers”;a:1:{i:0;a:2:{i:0;O:9:”SimplePie”:5:{s:8:”sanitize”;O:20:”JDatabaseDriverMysql”:0:{}s:8:”feed_url”;s:119:”eval(chr(112).chr(104).chr(112).chr(105).chr(110).chr(102).chr(111).chr(40).chr(41).chr(59));Factory::getConfig();exit”;s:19:”cache_name_function”;s:6:”assert”;s:5:”cache”;b:1;s:11:”cache_class”;O:20:”JDatabaseDriverMysql”:0:{}}i:1;s:4:”init”;}}s:13:”\0\0\0connection”;b:1;}????

    I’ll reach out in the “Duplicator” plugin forum to see if there is some way I can disable the creation of the SQL file, as the same SQL file contained in the ZIP file that is also created does not seem to cause issue.

    I’m not sure what can be done, or how to work around this yet, but I felt I should share the experience.

    Thanks again.
    Phil

    • This reply was modified 8 years, 3 months ago by philrp.
Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Malicious code in wfHits’ is closed to new replies.