Optimize WF

Hi @vinnymickey,

I believe your server might have reverted the changes within .htaccess when Wordfence updated. This then prompted Wordfence to ask you to re-optimize your firewall. This isn’t normal behavior (as Wordfence should stay optimized between updates), and I would recommend asking your host if they changed .htaccess or .user.ini on your behalf.

The second thing with the email telling you that a server admin logged into your site is normal. You can change the notification under Wordfence -> All Options -> Alert me when someone with administrator access signs in.

Dave

Awesome; TY I did the changes via WF and all went good. Just Holding off on second website just incase. Waiting for host to tell me if they logged in or if that is their account. I’ll also ask them if they edited the files. TY very much for your time.

PS strange I can’t find this user or delete it in my cpanel PHPMYADMIN thnx again

• This reply was modified 4 years, 9 months ago by vinnymickey.

Just got another alert:

Critical Problems:

* File appears to be malicious: wp-content/plugins/wp-security/anon.php

* File appears to be malicious: wp-content/plugins/wp-security/index.html

* File appears to be malicious: wp-content/plugins/wp-security/index.php

* File appears to be malicious: wp-content/plugins/wp-security/kuda.php

* File appears to be malicious: wp-content/plugins/wp-security/mail.php

* File appears to be malicious: wp-content/plugins/wp-security/wp.php

* File appears to be malicious: wp-includes/js/includes.php

High Severity Problems:

* Unknown file in WordPress core: wp-includes/js/includes.php

* Unknown file in WordPress core: wp-includes/js/php.ini

2 existing issues were found again and are not shown.

NOTE: You are using the free version of Wordfence. Upgrade today:

Receive real-time Firewall and Scan engine rule updates for protection as threats emerge
Real-time IP Blacklist blocks the most malicious IPs from accessing your site
Country blocking
IP reputation monitoring
Schedule scans to run more frequently and at optimal times
Access to Premium Support
Discounts for multi-year and multi-license purchases

Pretty sure it’s related to yesterday’s….

• This reply was modified 4 years, 9 months ago by vinnymickey.

Here is one of the 8 files :

Filename: /home/campruf1/public_html/wp-content/plugins/wp-security/index.html
File Size: 1,681 bytes
File last modified: Thursday 4th of June 2020 09:34:24 AM
<!DOCTYPE html>
<!–Galauer’s–>
<head>
<meta name=”description” content=”Hacked by Raymond7″>
<meta name=”keywords” content=”Hacked by Raymond7″>
<meta http-equiv=”cache-control” content=”index,cache”>
<meta http-equiv=”pragma” content=”index,cache”>
<link rel=”stylesheet” type=”text/css” href=”https://fonts.googleapis.com/css?family=Ubuntu Mono”>
<link REL=”shortcut icon” type=”image/jpg” href=”https://palmaserasih.co.id/images/giphy.gif”&gt;
<title>blackpink in your area!</title>
</head>
<body>
<center>
<table width=100% height=100%>
<td align=center>
<body bgcolor=”black”>
<iframe width=”0px” height=”0px” src=”https://palmaserasih.co.id/lagu/northmane.mp3&#8243; allow=”autoplay; encrypted-media” allowfullscreen>
</iframe>
<br>
<br>

<br><br>
<br>
<font face=”Ubuntu Mono”><font size=”6″ color=lime>Garuda Security Hacker</font>
<br>
<br>
<font face=”Ubuntu Mono”><font size=”5″ color=white>Yukinoshita47 – Snooze – He4ler – EngkuszGanteng – Cr4bbyP4tty – _Tuan2Fay_ <br> E7B_404 – Fazlast – Yoschiero1 – Gh0st_c0der <br> ZakirDotID – CYBERSCRY -<font color=lime> Raymond7</font>
<br>
<br>
<marquee direction=left behavior=alternate scrollamount=”2″ scrolldelay=”20″ width=”40%”>
<font color=”white” size=”5″>Mr.xBarakuda – BDJ-007 – ./Xi4u7 -xSana – magelang6etar – ./Coco – PYS404 – Keep Wannabe – JavCode – ZeroByte.ID – IndoXploit – Lamongan Xploiter – Surabaya BlackHat – Indonesian Hackers</font>
</marquee>
<br>
<font face=”Ubuntu Mono”><font size=”5″ color=”lime”><i>Indonesian Hacker Rulez</i>
</font>
</center>
</body>
</html>

Both my sites where hacked on same server :/ and they left the same files!