• Resolved vinnymickey

    (@vinnymickey)


    Last update WF deactivated and asking me to download .htaccess and USER.ini

    Also received an email message that “server_admin” logged in to site.

    I went through steps and all went good on another site. Just checking if this is normal, because another site has same thing going on.

    Has to do with /wordfence-waf.php

    Thnx

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hi @vinnymickey,

    I believe your server might have reverted the changes within .htaccess when Wordfence updated. This then prompted Wordfence to ask you to re-optimize your firewall. This isn’t normal behavior (as Wordfence should stay optimized between updates), and I would recommend asking your host if they changed .htaccess or .user.ini on your behalf.

    The second thing with the email telling you that a server admin logged into your site is normal. You can change the notification under Wordfence -> All Options -> Alert me when someone with administrator access signs in.

    Dave

    Thread Starter vinnymickey

    (@vinnymickey)

    Awesome; TY I did the changes via WF and all went good. Just holding off on second website just in case. Waiting for host to tell me if they logged in or if that is their account. I’ll also ask them if they edited the files. TY very much for your time.

    Thread Starter vinnymickey

    (@vinnymickey)

    PS strange I can’t find this user or delete it in my cpanel PHPMYADMIN thnx again

    Thread Starter vinnymickey

    (@vinnymickey)

    Just got another alert:

    Critical Problems:

    * File appears to be malicious: wp-content/plugins/wp-security/anon.php

    * File appears to be malicious: wp-content/plugins/wp-security/index.html

    * File appears to be malicious: wp-content/plugins/wp-security/index.php

    * File appears to be malicious: wp-content/plugins/wp-security/kuda.php

    * File appears to be malicious: wp-content/plugins/wp-security/mail.php

    * File appears to be malicious: wp-content/plugins/wp-security/wp.php

    * File appears to be malicious: wp-includes/js/includes.php

    High Severity Problems:

    * Unknown file in WordPress core: wp-includes/js/includes.php

    * Unknown file in WordPress core: wp-includes/js/php.ini

    2 existing issues were found again and are not shown.

    NOTE: You are using the free version of Wordfence. Upgrade today:

    Receive real-time Firewall and Scan engine rule updates for protection as threats emerge
    Real-time IP Blacklist blocks the most malicious IPs from accessing your site
    Country blocking
    IP reputation monitoring
    Schedule scans to run more frequently and at optimal times
    Access to Premium Support
    Discounts for multi-year and multi-license purchases

    Pretty sure it’s related to yesterday’s….

    Thread Starter vinnymickey

    (@vinnymickey)

    Here is one of the 8 files :

    Filename: /home/campruf1/public_html/wp-content/plugins/wp-security/index.html
    File Size: 1,681 bytes
    File last modified: Thursday 4th of June 2020 09:34:24 AM
    <!DOCTYPE html>
    <!–Galauer’s–>
    <head>
    <meta name=”description” content=”Hacked by Raymond7″>
    <meta name=”keywords” content=”Hacked by Raymond7″>
    <meta http-equiv=”cache-control” content=”index,cache”>
    <meta http-equiv=”pragma” content=”index,cache”>
    <link rel=”stylesheet” type=”text/css” href=”https://fonts.googleapis.com/css?family=Ubuntu Mono”>
    <link REL=”shortcut icon” type=”image/jpg” href=”https://palmaserasih.co.id/images/giphy.gif”>
    <title>blackpink in your area!</title>
    </head>
    <body>
    <center>
    <table width=100% height=100%>
    <td align=center>
    <body bgcolor=”black”>
    <iframe width=”0px” height=”0px” src=”https://palmaserasih.co.id/lagu/northmane.mp3” allow=”autoplay; encrypted-media” allowfullscreen>
    </iframe>
    <br>
    <br>

    <br><br>
    <br>
    <font face=”Ubuntu Mono”><font size=”6″ color=lime>Garuda Security Hacker</font>
    <br>
    <br>
    <font face=”Ubuntu Mono”><font size=”5″ color=white>Yukinoshita47 – Snooze – He4ler – EngkuszGanteng – Cr4bbyP4tty – _Tuan2Fay_ <br> E7B_404 – Fazlast – Yoschiero1 – Gh0st_c0der <br> ZakirDotID – CYBERSCRY -<font color=lime> Raymond7</font>
    <br>
    <br>
    <marquee direction=left behavior=alternate scrollamount=”2″ scrolldelay=”20″ width=”40%”>
    <font color=”white” size=”5″>Mr.xBarakuda – BDJ-007 – ./Xi4u7 -xSana – magelang6etar – ./Coco – PYS404 – Keep Wannabe – JavCode – ZeroByte.ID – IndoXploit – Lamongan Xploiter – Surabaya BlackHat – Indonesian Hackers</font>
    </marquee>
    <br>
    <font face=”Ubuntu Mono”><font size=”5″ color=”lime”><i>Indonesian Hacker Rulez</i>
    </font>
    </center>
    </body>
    </html>

    Thread Starter vinnymickey

    (@vinnymickey)

    Both my sites were hacked on same server :/ and they left the same files!
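
Added example, not part of the thread and not Wordfence code: a read-only check that can be run over every WordPress root on a shared server, covering both points raised above (whether the firewall prepend for `wordfence-waf.php` is still configured in `.user.ini`/`.htaccess`, and whether the paths from the quoted alert are present). The function names and the demo tree are hypothetical, and the `auto_prepend_file` line format is an assumption about how the firewall optimization is written to those files.

```python
import re
import tempfile
from pathlib import Path

# Paths listed in the scan alert quoted in this thread, relative to the WordPress root.
REPORTED_PATHS = ["wp-content/plugins/wp-security",
                  "wp-includes/js/includes.php", "wp-includes/js/php.ini"]
# Assumption: an uncommented auto_prepend_file line (.user.ini or php_value in .htaccess).
WAF_DIRECTIVE = re.compile(
    r"^\s*(?:php_value\s+)?auto_prepend_file\s*=?\s*['\"]?([^'\"\s]*wordfence-waf\.php)",
    re.MULTILINE)

def waf_prepend_target(root: Path):
    """Return the wordfence-waf.php path configured for this site, or None."""
    for name in (".user.ini", ".htaccess"):
        cfg = root / name
        m = WAF_DIRECTIVE.search(cfg.read_text(errors="replace")) if cfg.is_file() else None
        if m:
            return m.group(1)
    return None

def audit_site(root: Path) -> dict:
    """Report the alert's files found under root and whether the WAF prepend survives."""
    found = []
    for rel in REPORTED_PATHS:
        p = root / rel
        if p.is_dir():
            found += sorted(f.relative_to(root).as_posix() for f in p.rglob("*") if f.is_file())
        elif p.exists():
            found.append(rel)
    target = waf_prepend_target(root)
    return {"reported_files": found, "waf_configured": target is not None,
            "waf_file_present": bool(target) and Path(target).is_file()}

def build_demo_sites(base: Path):
    """Constructed sample: site-a is clean with the WAF set, site-b matches the thread."""
    clean, hit = base / "site-a", base / "site-b"
    for site in (clean, hit):
        (site / "wp-includes/js").mkdir(parents=True)
    waf = clean / "wordfence-waf.php"
    waf.write_text("<?php // constructed placeholder\n")
    (clean / ".user.ini").write_text(f"; Wordfence WAF\nauto_prepend_file = '{waf}'\n")
    (hit / "wp-content/plugins/wp-security").mkdir(parents=True)
    for rel in ("wp-content/plugins/wp-security/index.html", "wp-includes/js/includes.php"):
        (hit / rel).write_text("constructed\n")
    return clean, hit

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print([(s.name, audit_site(s)) for s in build_demo_sites(Path(tmp))])
```

A site that reports `waf_configured: False` after an update is in the state described in the first reply, where the prepend directive was lost and the firewall has to be re-optimized.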

  • The topic ‘Optimize WF’ is closed to new replies.