• Resolved robwebsec

    (@robwebsec)


    I’ve been running a simulation for some interns in which they have to brute force a site, inject a reverse shell in twentytwenty 404.php, deface the site through index.php, and get a shell session via netcat. That all worked fine, but Wordfence never detected the shell in 404.php nor did it detect the changes to index.php. I also uploaded a bunch of malicious plugins that would give a shell session and it didn’t find those either.

    So far I’ve looked at file permissions, and uninstalled and reinstalled Wordfence, but I don’t know why it can’t detect the reverse shell, the changes to the index, and all the malicious plugins.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @robwebsec, thanks for contacting us about this.

    Generally, reverse shells should be caught by our signatures, but if these are custom-built then we might not have a signature for it. Changes to a theme’s 404.php and an index.php should be caught by signatures or other scans too.

    Could you check (tick) the box at Wordfence > Debugging Options > Enable Debugging Mode, run a scan, and send us the scan log to wftest @ wordfence . com? If you can email a copy of the modified files to that address too, that may help us out.

    Thanks,

    Peter.

    Thread Starter robwebsec

    (@robwebsec)

    Hi Peter,

    Ram Gall got in touch with me via e-mail and I’m working on the issue with him. Thank you for replying!

    Plugin Support wfpeter

    (@wfpeter)

    No worries at all @robwebsec, I notified the team that we’d be expecting some log information, and I’m pleased you’re working with Ram.

  • The topic ‘Wordfence Does not Detect Reverse Shell’ is closed to new replies.