Need fake plugin hack file checked

Thank you @otto42

I have a very good host here in Denmark; Azehosting

I went there as soon as i had removed the file from my site, checked it with malware scanner. Gone through all the dirs on the domain to see if there was anything else hiding in the WordPress folders.

They have checked all what they could and it’s not possible to see how it happened. Every kind of log has been turned upside down. Suddenly there’s a zip uploaded and unpacked and a “plugin” installed. Sucuri registered it so i saw it only a few hours after it had happened.

And yes, it’s a very clean install with only WordPress, Divi and Sucuri. There was the Customizer Reset plugin too, i deleted it for safety. I installed it again and ran a deep scan after that. The plugin from that view looks ok.

And again, everything was up-to-date. No old version. It’s a site i have been working on most recently, and not even done with.

And just to be clear, i’m not here to get anyone to look at my site or clean or whatever, that is done. But as i don’t know how it got there and there’s only a few components on the site; I have to go with what is.

The file, WordPress – Divi – Sucuri – Customizer Reset

I hope that’s understandable.

@boblebad Yes, you keep repeating this same information here. However, that is not enough information for anybody to actually do anything useful with.

To the best of our knowledge, there are no security issues in those three items. If there were, and we knew about it, then we would attempt to get them corrected.

So, unless you can give us specific information on what the actual bug is in some actual piece of code that we can work to correct, then there is nothing we can do. Until you have that information, your report here is not useful to us.

I repeat, it is unlikely that the “hole” in your site is in one of those three things. Unless you can tell us what that hole actually is, there’s nothing more we can do to assist you.

I think it’s too late now, but the way to find the point of entry would be to check the timestamp of the file. Then you check the access log for what happened on that timestap. That can tell you the cause of the hack.
But as the file has been removed already and you probably haven’t recorded the timestamp, we can only guess.

If you keep all components on your site updated, you should be fine. If not it’s also possible that some hack took place a while ago. They might have placed a backdoor file (out of reach of Sucuri or hidden well enough so it’s not recognized) that could later be used to upload a file. Or maybe an account was created, so they could get in.
I don’t think there’s an actual security issue in one of the used components, but a wrongly configured site can result in unexpected situations.

Also, Sucuri is a security business that protects and monitors sites for security issues, and repairs them post-hack.

If you’re a Sucuri customer, have you reached out to them yet?

Thank you @josklever

Sucuri stamped the breach 4.13, and from the RAW access logs i can see what’s going on. For some reason he wanted to roll-back my Divi to 4.7.7 – I don’t know if there’s something special that can be done through this move ?

And then this so called plugin.

That’s the only thing happening. Then i discover it a couple of hours later and remove. New clean WP 5.9 and Divi.

I don’t know how he tricked the login because it’s impossible to guess my password and has been for years. It’s a random combination of small and big letters, numbers and special characters.

I only use the free Sucuri version, but have talked with them and sent them the “plugin” file.

I also banned the whole IP-range from cPanel, probably not a surprise that it’s from Russia ??

I don’t know how he tricked the login

Just a question – has it ever been possible for visitors to register as a user on your site as a subscriber? Or has registrations always been locked?

Hello @alanfuller

No, never. I always deny that as soon as the install is done, also deny commenting.

Are you sure that the timestamp Sucuri reported was the time of infection? Or maybe just the time of detection? That’s why I always check the timestamp of the file itself.

You also say that “he” tried to rollback Divi to 4.7.7. As that’s a really old version (latest is 4.14.7), how did you see that? Was that done by a user? If so, how did they login and with which account? Have you checked all user accounts for unknown accounts?

Hello again @josklever

I just went through the logs, but coldn’t see anything other than the time stamp which matched Sucuri.

I then remembered that i have JetBackup on my server, which goes back 14 days. So i downloaded from february 2nd and 3rd. There’s was nothing on the 2nd uploaded, and there was nothing in the backup from the 3rd either. Remember i discovered the hack only 2 hours after it had happened, so i cleaned it out before it would be backed-up.

So time of entry and install is as Sucuri reported it.

Alright, that can be true then… How about the Divi and users questions?

If you mean wether i have allowed other registered user than myself, then no.

I don’t know if there’s problem in Divi. I have been in contakt with them, so they are aware that there could be a problem.

When looking at the logs i could see that atempts ot enter my site is almost never when i’m awake, so if it’s possible via .htaccess to close-off wp-login when i’m not awake, then it’s good start ??

RewriteEngine On
RewriteCond "%{TIME_HOUR}" ">=20" [OR]
RewriteCond "%{TIME_HOUR}" "<07"
RewriteRule "^/fridge"     "-" [F]

But i don’t know if i can do it for a file with this.

Just a thought. Attempts ( failed ) at wp-login should not really be a concern.
A password attack is never going to guess a strong password.

If you have a way in – it wont be in wp-login it will be a backdoor somewhere else.

I don’t know if the Sucuri plugin does offer monitoring logins. I’m using Wordfence Security that can handle this as well. It logs and blocks brute force logins. So you can always check what happened with logins. Just to be sure you can/should change your password.

But you were saying that you saw tracks of “someone” trying to rollback Divi to a previous version. What can you tell more about that? How did you come to that analysis?

I’m not aware of a recent vulnerability in Divi. The last security related update to Divi was 4.12. If you have been keeping your site updated, then it should be no issue.

@alanfuller Yes, that i know, but since i have that and they still got in. Sucuri noted it as a login, and i have no idea how this is possible with the password i use.

It is of course changed and i have added even more wierd characters to it. I also changed the password on the database.

@josklever When having a closer look at the logs when trying to figure out what had happened when, i discovered that Divi itself has some files called “roll-back”, and i checked logs before the hack and found that Divi was at the same version. I have been talking to Divi support and they had a look at my site, becuase the automated update of Divi had not worked, or even told me that there was an update. It looks like it works now after i deleted and uploaded and installed Divi again, but will keep an eye on it when i see updates on my other sites.

Divi version now is 4.14.7

Divi has a builtin rollback function to go back to the previous one, if something happens. That has nothing to do with the hack. I thought you saw something in the logs about a rollback. What version of Divi was installed on time of the hack? The most recent one or an old one? In the last case it might have been a point of entry, although I can’t explain the specifics. Maybe Divi support can.

Make sure you always use strong and unique passwords. If a strong password is leaked through another platform or maybe even retrieved via a keylogger or something, they can use it to login. That’s why it’s important to log login attempts and alert you if someone actually was able to login from a new location. Also 2-factor authentication (2FA) can be applied to secure your account even more.