• My client said someone went to the website I installed iThemes Security on (after they called about this) and it said they have a virus. I logged in and it was redirecting to the Flash Player con that we all know, to get us to install Flash, but this does not happen all the time. Since the install of the Security plugin, I got the below message. Please let me know if this is an issue, as I ran a malware scan and it says the site is clean, so not sure. Any smart people able to help? Also, the site is only for information with no users, etc., other than me updating their info, FYI. See below –

    Module: File Change
    Type: Warning
    Description: 0 Added, 1 Removed, 1 Changed
    Timestamp: 2020-08-01 16:59:20
    User:
    URL: WP-Cron Scheduled Task
    Changed: wp-includes/class-wp-http-netfilter.php
    Removed: wp-admin/css/.default
    Added:
    Total Memory: 57.64 MB
    Memory Used: 5.46 MB
    Raw Details

    id => 343
    module => file_change
    type => warning
    code => changes-found::0,1,1
    timestamp => 2020-08-01 16:59:20
    init_timestamp => 2020-08-01 16:59:19
    remote_ip => 107.180.125.172
    user_id => [empty string]
    url => wp-cron
    memory_current => 52138776
    memory_peak => 58863408
    data => Array
        added => Array()
        removed => Array
            wp-admin/css/.default => Array
                d => [integer] 1596209299
                h => c34e801effbb22ae03f3ba0f15a1283b
                t => r
                s => [integer] 1
                p => WordPress Core v5.4.2
        changed => Array
            wp-includes/class-wp-http-netfilter.php => Array
                d => [integer] 1596299070
                h => d300e83971b3d42edb38b47598832cb1
                t => c
                s => [integer] 1
                p => WordPress Core v5.4.2
        memory => [double] 5.46
        memory_peak => [double] 57.64

  • Despite the malware scan result (which is known not to be 100% reliable), the File Change Detection scan result clearly indicates there are changes being made in WordPress core files which cannot be attributed to legal activities. In other words the site is definitely compromised and needs to be cleaned up.

    To prevent any confusion, I’m not iThemes.
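
The check the reply above relies on, comparing what is on disk in the core directories with what WordPress actually ships, can be run directly. The script below is an added example written for this page; it is not code from iThemes Security or WordPress. It takes a {relative path: md5} manifest of the shape the WordPress checksum API returns (https://api.wordpress.org/core/checksums/1.0/?version=5.4.2&locale=en_US, under the "checksums" key; WP-CLI's `wp core verify-checksums` performs the same comparison) and reports three things: core files whose hash differs, manifest files that are missing, and files sitting in wp-admin/ or wp-includes/ that the manifest does not list at all, which is the category the later "Unknown file in WordPress core" finding in this thread describes. The site tree and manifest it runs against are a constructed sample built in a temporary directory, using the paths from this thread; the file contents and hashes are made up for the demonstration.

```python
import hashlib
import os
import tempfile

# Directories that belong entirely to WordPress core. Anything found here that the
# checksum manifest does not list is "unknown" (plugins and themes live in wp-content).
CORE_DIRS = ("wp-admin", "wp-includes")


def md5_of(path):
    """MD5 of a file, read in chunks; the WordPress checksum API publishes MD5s."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_core(root, checksums):
    """Compare the tree under `root` with a {relative_path: md5} manifest.

    Returns {"changed": [...], "missing": [...], "unknown": [...]} holding sorted
    relative paths with forward slashes, like the plugin's Added/Removed/Changed lists.
    """
    changed, missing, unknown = [], [], []
    for rel, expected in checksums.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of(path) != expected:
            changed.append(rel)
    for core_dir in CORE_DIRS:
        for dirpath, _dirs, files in os.walk(os.path.join(root, core_dir)):
            for name in files:  # os.walk lists dotfiles too, so a ".default" is not skipped
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    unknown.append(rel)
    return {"changed": sorted(changed), "missing": sorted(missing), "unknown": sorted(unknown)}


def build_demo_site():
    """Constructed sample (not a real install): a tiny tree plus the manifest for it."""
    root = tempfile.mkdtemp(prefix="wp-audit-demo-")
    on_disk = {
        "wp-includes/version.php": "<?php\n$wp_version = '5.4.2';\n",          # untouched
        "wp-admin/css/login.css": "body { color: #f00; } /* edited */\n",        # tampered
        "wp-includes/class-wp-http-netfilter.php": "<?php /* not shipped */\n",  # unknown
        "wp-admin/css/.default": "<?php /* not shipped, hidden name */\n",        # unknown
    }
    for rel, content in on_disk.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    # What core is supposed to contain. Hashes are computed from constructed contents;
    # login.css's manifest hash is for the pristine text, not the edited one on disk.
    manifest = {
        "wp-includes/version.php": hashlib.md5(on_disk["wp-includes/version.php"].encode()).hexdigest(),
        "wp-admin/css/login.css": hashlib.md5(b"body { color: #000; }\n").hexdigest(),
        "wp-admin/css/common.css": hashlib.md5(b"/* shipped but absent here */\n").hexdigest(),  # missing
    }
    return root, manifest


if __name__ == "__main__":
    site, manifest = build_demo_site()
    for kind, paths in audit_core(site, manifest).items():
        print(f"{kind}: {paths}")
```

Against a real site, point `root` at the document root and load the manifest from the checksum API for the installed version and locale; an "unknown" PHP file under wp-includes/ or wp-admin/ is the finding that matters most, since nothing legitimate writes new PHP there. Hashing alone says nothing about wp-content/ or about files outside the WordPress tree such as cgi-bin, which is where this thread's dropped file lived.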

    Hi,

    I would also like to add that the plugin will only inform you of changes made (if modules are enabled) but it does not have the capability to inform you of any issues in regards to those changes.

    Thanks,

    Matt

    Thread Starter theresaf1

    (@theresaf1)

    I see what is happening. Wondering if you guys can help with input. I have shared hosting on GoDaddy and know they will charge a lot. The person that was working for me did not properly protect these sites, even though I paid her.

    That said, I keep deleting a text file in cgi-bin. The file keeps repopulating itself. I see all the redirects in there… what can I do, as I notice this on more than one site. Please assist with any input. I tried to delete lines of code in the .htaccess file but it still repopulated. This must have been injected prior to installing iThemes Security.

    Thank you!

    Thread Starter theresaf1

    (@theresaf1)

    What I noticed is that the line of code that keeps changing had the permissions set for anyone to “write”. So it said the world can both “read” and “write” to that file, so I turned off “write”, and so far the “default” file with all the malicious code was not reinserted into the folder cgi-bin. I notice this on another site and will see if deleting the folder cgi-bin stops that, for fun, but hopefully I fixed this? Any input appreciated!!! What was happening is my client’s site would redirect to different spam sites, but not all the time, sporadically!
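
The permission the post above describes, the "other write" bit that lets any account on the host rewrite a file, is easy to audit for across a whole web root rather than one file at a time. The script below is an added example written for this page, not code from the plugin or from the poster; it lists every file and directory under a root that is world-writable and, separately, strips just that bit while leaving owner and group permissions alone. The tree it runs against is a constructed sample in a temporary directory, named after the cgi-bin/.default file in this thread, with made-up contents.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """List files and directories under `root` whose mode has the 'other write' bit,
    the setting the thread starter saw on the file in cgi-bin. Paths are relative."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits are not meaningful
            if mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def clear_world_write(root):
    """Remove the 'other write' bit from everything find_world_writable reports and
    return the paths that were changed. Only o+w is touched; owner and group bits stay."""
    fixed = []
    for rel in find_world_writable(root):
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        fixed.append(rel)
    return fixed


def build_demo_tree():
    """Constructed sample tree: one world-writable directory and file, one sane file."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    cgi_bin = os.path.join(root, "cgi-bin")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(cgi_bin)
    os.makedirs(uploads)
    dropped = os.path.join(cgi_bin, ".default")
    photo = os.path.join(uploads, "photo.jpg")
    for path in (dropped, photo):
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    os.chmod(dropped, 0o666)  # rw-rw-rw-: any local account can rewrite it
    os.chmod(cgi_bin, 0o777)  # rwxrwxrwx: any local account can re-create files inside
    os.chmod(photo, 0o644)    # rw-r--r--: the usual web-root setting
    return root


if __name__ == "__main__":
    site = build_demo_tree()
    print("world-writable before:", find_world_writable(site))
    print("fixed:", clear_world_write(site))
    print("world-writable after:", find_world_writable(site))
```

Note that the directory is reported as well as the file: a world-writable directory lets anyone create or replace entries in it even when the files themselves are locked down, so fixing the file alone, as the post above did, leaves that route open. Removing the bit closes one way the file can be rewritten but does nothing about whatever is re-creating it, which is why, as the thread starter reports a little later, the file can come back anyway; this is a hardening step alongside a cleanup, not a substitute for one.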

    Thread Starter theresaf1

    (@theresaf1)

    Well, just looked, and it is re-added to cgi-bin folder again. Dang… help!

    Once your site is hacked it’s probably better to post in a more appropriate support forum.

    You’ll find one, and useful info, in the FAQ “My site was hacked” post.

    Thread Starter theresaf1

    (@theresaf1)

    So, I deleted the cgi-bin folder, and then went on my security program, and did a bunch of extra security features. They are having a hard time finding the file now. Is there a way to block all IP addresses other than mine from accessing the data on my server? Anyone know? There is no reason that any IP addresses should want access to my server other than my security program and the few trusted folks I allow access. Thoughts?

    Unsubscribed…

    Any update on this?

    Hi,

    The same problem happens on my website. I delete the file, then file abandonment occurs.

    Unknown file in WordPress core: wp-includes/class-wp-http-netfilter.php
    Type: File

    Filename: wp-includes/class-wp-http-netfilter.php
    File Type: Core
    Details: This file is in a WordPress core location but is not distributed with this version of WordPress. This scan often includes files left over from a previous WordPress version, but it may also find files added by another plugin, files added by your host, or malicious files added by an attacker.

  • The topic ‘Security Breach?’ is closed to new replies.