• Resolved cssthotro2020

    (@cssthotro2020)


    My site attacked by lowerbeforwarden
When accessing the site, it is redirected to the link
    https://scripts. lowerbeforwarden. ml/ gos.php?mid=8&sid=17&yuid=12&
    donatelloflowfirstly . ga
    blackwaterforllows . ga
    js.donatelloflowfirstly . ga
    help me please.

Viewing 12 replies - 1 through 12 (of 12 total)
  • Same problem. I manually cleared all scripts generated all over the site in all php and js files. Fresh copy of WordPress, Plugins, Theme. Also deleted more than 300 script lines generated in the database. Wordfence helps to find infected files… but the redirection continues. After 2 days trying everything, no idea what to do.

    Plugin Support WFAdam

    (@wfadam)

    Hello @cssthotro2020 and thanks for reaching out!

    I am sorry to hear that you are experiencing this. I will explain in more detail some possible scenarios of how a hacker can gain entry and why a site becomes compromised – even if you are very meticulous at keeping your server software, WordPress, your active and inactive plugins and themes all up to date with the latest versions.

    Some causes of a hack are impossible for any WordPress security plugin to protect against.
    1) If you are using a weak password for your hosting account control panel or FTP account then a hacker may gain entry this way, with full access to your site’s file system and database.
    2) You are storing unmaintained, unarchived backups of your site that are publicly accessible that contain exploitable vulnerabilities.
    3) You are hosting more than one PHP application, such as more than one installation of WordPress, in the same hosting account and infection can spread from another application to this site.
    4) You have unmaintained or vulnerable 3rd party scripts installed in your hosting account. Examples would be the Adminer or SearchReplaceDB database management tools.
    5) A nulled theme or plugin with malware already pre-installed. If you paid for a theme or a plugin outside of the vendor’s website at a massively reduced price, that seemed too good to be true, then it is likely to be nulled.
    6) If you are using a shared hosting account a neighboring account can be infected and spread the infection to this site.
    7) Your WordPress wp-config.php configuration file could be readable to the hacker, either directly via your hosting account, via a vulnerable plugin, or via another hacked site on the same server.
    8) The hosting accounts on the server may not be properly isolated so the hacker has access to your database via another user’s database.
    9) The server software has vulnerabilities that allow the hacker to get root access – such as running an end-of-life version of PHP on the hosting server that has unpatched vulnerabilities.
    10) If the hack took place at a time when you only had the free version of Wordfence installed then you wouldn’t have had access to the latest firewall rules that premium customers have access to.
    11) You may be using a plugin or theme with a vulnerability that is so severe that Wordfence can not protect against it and we may be unable to create a custom firewall rule for the vulnerability. However, being unable to create a custom firewall rule is very rare.

    Wordfence protects against a vast variety of attacks. Whether you were hacked because of an unknown attack method or because there is some other issue in your system is impossible to say at this stage without an extensive investigation. There are some aspects of your site security that are completely beyond our control, such as vulnerabilities on your hosting server as described above. Although rare, for examples of hosting provider vulnerabilities please see these two articles below:
    https://www.wordfence.com/blog/2019/06/service-vulnerability-four-popular-hosting-companies-fix-nfs-permissions-and-information-disclosure-problems/
    https://www.wordfence.com/blog/2018/02/service-vulnerability-nfs-permissions-problem/

    You have two choices:
    1) You can clean the site yourself by following the steps in this guide:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    https://www.wordfence.com/help/scan/scan-results/

    Useful links after you have completed your cleaning:
    https://www.wordfence.com/blog/2017/04/20-minutes-to-secure-wordpress/
    https://www.wordfence.com/blog/2018/10/php5-dangerous/ (important note – this is an old blog post from October 2018 but still very relevant)
    https://www.wordfence.com/blog/2018/10/three-wordpress-security-mistakes-you-didnt-realize-you-made/
    https://www.wordfence.com/blog/2017/06/wordpress-backups/

    We also have an extensive Learning Centre here:
    https://www.wordfence.com/learn/

    2) You can hire a professional service to clean the site for you. Wordfence offers such a service, as do others.

    @asmo111 You can follow this as well or open a new forum thread and I would be glad to assist you!

    Let me know if this helps!

    Thanks!

    Thread Starter cssthotro2020

    (@cssthotro2020)

    thanks for your help WFAdam (@wfadam)

    Plugin Support WFAdam

    (@wfadam)

    If you need anything else, please don’t hesitate to open another topic!

    Thank you for your support! @cssthotro2020

    Any update on this? Looks like everyone with the WP File Manager plugin got hacked. On some of my sites it was in the index.html and index.php files, but on others I can’t find the redirect.

    Same here… I have also been victim of the vulnerability in WP File Manager.

    Yesterday, I had cleaned the site with Wordfence, and a second scan revealed no issues. But this morning the redirects got active. I managed to access wp-admin by quickly clicking the stop button in the browser when the page was finished loading, and before the redirect JS would be executed. Running another scan revealed problems in the section “File Changes”. A bunch of minified JS files had been changed. Clicking “Repair all repairable files” and running another scan resulted in no issues.

    However, the redirects were still active. Looks like Wordfence does not recognize this type of attack.

    Same problem

    I had to restore about 20 websites today because of this issue. I did the following to fix:

    Restored backups (Still ran into issues)
    Restored entire server (still ran into issues)
    Edited index file and removed script
    and updated all plugins on every account

    The plugins that I ran into that were causing it were:

    Really Simple SSL, WP File Manager & Squirrly SEO… Please update these plugins!!!!

    That seemed to fix it for now

    I have to augment my statement from above. Though Wordfence DID recognize the threat, it did not check all the files.

    In my case it had cleaned up the original JS and PHP files, but the malicious script was still present in the minified JS files created by my caching plugin WP Fastest Cache.

    Those minified script files were still applied. So I deleted all files ‘*.min.js’ via SSH CLI console and finally the redirect was gone.

    After everything was cleaned (or so it seemed) the redirect just occurred again.

    This time they’re coming from within the database in the wp_posts table, where the content is prepended with the JavaScript code to do the reroute.

    Highly annoying.

    Plugin Support WFAdam

    (@wfadam)

    Check out our latest blog post for recommendations:
    https://www.wordfence.com/blog/2020/09/millions-of-sites-targeted-in-file-manager-vulnerability-attacks/

    If your firewall is properly optimized, Wordfence should catch this before it’s an issue.

    If you have any further questions though, feel free to open up a new topic on the forum.

    Forum Guidelines state:
    “Unless users have the exact same version of WordPress on the same physical server hosted by the same hosts with the same plugins, theme, and configurations, then the odds are the solution for one user will not be the same for another. For this reason, we recommend people start their own topics.”

    Thanks!

    Hi folks,
    As in the comments, you have to check twice: scripts and database.
    Keep in mind to delete afterwards all cache files, located in cache and wp-content/cache.
    If your server uses some kind of page speed, like mod_pagespeed in Plesk or cPanel, you have to delete all files in there.
    Best way to find those is to search via shell like:
    grep -rli domain.com /

    Best Regards your A Team :]!

    • This reply was modified 4 years, 2 months ago by a7eam.
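The checks the posters above describe (web files, the minified cache copies that survived the first clean, and the wp_posts rows with a prepended script tag) as one added script; this is example code, not from the thread or from Wordfence. The site root, the indicator string and the `wp_` table prefix are assumptions, and the sample tree it scans is constructed for the demo.

```shell
#!/bin/sh
# Added example: locate an injected redirect indicator in a WordPress tree.
# ROOT and the indicator are assumptions; replace them with your own site
# path and the domain your site redirects to.

# List files under $1 whose content contains $2 (fixed string, case-insensitive),
# limited to web-served file types so the site root is scanned rather than '/'.
find_infected_files() {
  find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '*.html' \) \
    -exec grep -liF -- "$2" {} + 2>/dev/null | sort
}

# List cached or minified copies under $1; these keep the injected script
# alive after the original PHP/JS files have been cleaned.
find_cache_files() {
  find "$1" -type f \( -path '*/wp-content/cache/*' -o -name '*.min.js' \) | sort
}

# Emit the SQL to find posts whose content starts with a script tag referencing
# the indicator; $1 = indicator, $2 = table prefix (assumed default wp_).
wp_posts_check_sql() {
  prefix="${2:-wp_}"
  printf "SELECT ID, post_title FROM %sposts WHERE post_content LIKE '<script%%' AND post_content LIKE '%%%s%%';\n" "$prefix" "$1"
}

# Build a constructed sample site so the script runs offline (prints its path).
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/cache" "$d/wp-content/themes/t"
  printf '<script src="//malicious-redirect.invalid/x.js"></script><?php echo 1;' > "$d/index.php"
  printf '<?php echo 2;' > "$d/wp-content/themes/t/functions.php"
  printf 'var a=1;document.location="//malicious-redirect.invalid";' > "$d/wp-content/cache/app.min.js"
  printf '%s' "$d"
}

demo() {
  site=$(make_sample_site)
  echo "Infected files:";  find_infected_files "$site" "malicious-redirect.invalid"
  echo "Cache files to delete once the originals are clean:"; find_cache_files "$site"
  echo "SQL to run against the database:"; wp_posts_check_sql "malicious-redirect.invalid"
  rm -rf "$site"
}
demo
```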
  • The topic ‘My site attacked by lowerbeforwarden’ is closed to new replies.