• Resolved boblebad

    (@boblebad)


    Hi

    I woke up this morning finding out that a few hours earlier my site got a new “plugin” installed. If it wasn’t for Sucuri reporting the action I wouldn’t have discovered it, because it didn’t show on the list of plugins.

    I have the file and I need someone to tell me what it does.

    The problem is that I have a very clean site with only WP, Divi and Sucuri. I had the Customizer Reset plugin from wpzoom. I deleted that just for safety. I didn’t need it anymore anyway.

    Everything was updated to the newest version. No other plugins have been installed on it. Just a clean site with Divi.

    ### This is not about the fact that I have been hacked ###

    I just need to find out what this “plugin” does, so I can find out how it came onto my site. There has/had to be a crack in the security. Where it came from so the hole can be closed.

    So there are three ways that it can have entered. WordPress 5.9, Divi, (+ the other auto-installed WP themes) and the Customizer Reset plugin.

    Of course Sucuri as well. I am in contact with them, and also Elegant Themes.

    So what about WordPress, who deals with hacks and security and can take a look at the file and maybe see how it got onto the site, what it exploited – and of course to close the hole if it’s in WordPress itself?

    All the best
    Carsten

    • This topic was modified 2 years, 9 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
Viewing 4 replies - 31 through 34 (of 34 total)
  • Thread Starter boblebad

    (@boblebad)

    @josklever When searching Google, there were problems with the builder before the version I had. I couldn’t find anything for 4.7.7

    For years I have been using so-called strong passwords, which is why I know the hacker cannot have guessed it.

    So you did have an older version of Divi installed?

    I know they will not have guessed your password. That’s also not what we are saying. The password could have been leaked or logged somewhere. But you don’t know for sure if that was an issue, unless you have a log of login attempts.

    Thread Starter boblebad

    (@boblebad)

    Yes, apparently the update function in Divi didn’t work.

    From my searches, the problems in the Divi builder were before 4.7.7 – at least there are no known issues.

    I have Sucuri installed. It logs many things. And as I wrote, Sucuri noted it as a login. But how this is possible, I don’t know.

    I have seen on another site of mine how they use some IP-jumping thing, but it looks like he went straight in on this site.

    Ok, so somehow they retrieved your password and your updates weren’t in order. Those are two possible causes. I’ve already mentioned how that could work out, but it’s almost impossible to find out more information now.

    Just learn from this and make sure it’s taken care of for the future. The password has been changed and keep an extra eye on the updates and make sure they are detected and installed in time.

    There’s no reason to assume that you have been hacked by an unknown vulnerability.

    Is there anything else we can do?

  • The topic ‘Need fake plugin hack file checked’ is closed to new replies.