gwdlarry
Forum Replies Created
Forum: Plugins
In reply to: [Gwolle Guestbook] Does the plugin use WP’s own “Comment Blacklist”

Hi Marcel,
very good news!
Thanks for your prompt reaction.
Best, Larry
Hi,
Yes, thank you, I knew this.
This is where you can ask for help and wait and wait and wait and wait….
Best, Larry

Forum: Plugins
In reply to: [Gwolle Guestbook] Traduction française (fichier *.po)

Apparently you want, among other things, to optimise the typography (with the non-breaking space before the colon), which I find very positive.
In the same spirit, the straight apostrophe ' should then be replaced with the typographically correct apostrophe ’, as you can see in this sentence.
Moreover, the GDPR does not invite the user to read a privacy policy or other legal notices, but to indicate that they have taken note of it by ticking a mandatory box, and this even if they have not read said policy…
A suggestion for your final message:
« Merci pour votre message qui apparaîtra bientôt sur le site après avoir été vérifié. »
Looks good now. I’ll come back to you in case I have further questions.
Thank you very much for your outstanding support.
Best, Larry

Thank you for your reply.
I will contact the hosting provider regarding the possibility of remotely accessing the DB and hear what he has to say…
Thank you.
Best, Larry

Thank you for your reply.
You were right with the db remote access, I was telnetting the wrong host.
With the correct host, I see that:
J 5.6.26Jf.Q--9ud!?u?zk)')6sal{mysql_native_password Verbindung zu Host verloren. C:\Users\lmg00>
The “Verbindung zu Host verloren” message (“Lost connection to host.”) comes after approx. 8 seconds. So it seems the DB is not remotely accessible, or is it?
Thanks again.
Best, Larry

Just a thought: As far as I know, but I could be wrong, there is no need to have executable JavaScript code in a post (or it could be a policy on the site that forbids it).
For the redirection code to be injected in the database, there must be the equivalent of a statement like "update wp_posts set post_content='hfjdfhjd <script text/javascript href="xyz"></script>'"
in the data stream.
Wouldn’t it be possible to filter it out of the data stream? This would mean monitoring the access to the database.
Thanks.
Best, Larry

Thank you for your reply.
1. I looked in the server log files and there are several GET requests (from a few days ago) that are redirected to Russian sites (.ru), but I could not see a suspicious POST in their vicinity. I see a lot of “POST /wp-cron.php?doing_wp_cron=” entries but the source is the web server address where the site is hosted.
2. All the following policies are enabled:
Block attempts to modify important WordPress settings
Block user accounts creation
Block attempts to gain administrative privileges
Block attempts to publish or edit a published post by users who do not have the right capabilities
There are 2 legitimate admins. All others have very limited capabilities.
3. I changed the DB password a few moments ago.
I changed the salts and keys 2 weeks ago after the 1st hack.
My DB is apparently not remotely accessible (Trying to connect… -> Connection error), and there are no DB-admin-tools available in the web hosting space. DB-Management is only possible from the provider’s admin interface.
The firewall runs in Full WAF mode.
Thanks again for your help.
Best, Larry

Hello there,
so we’ve been hacked again with a similar script injection, which we removed.
This time the site address (URL) was also changed to the hack site.
So it’s the second time the firewall doesn’t catch this type of attack….
Any suggestions?
Thank you.
Best, Larry

You probably were aware, but the fragment from the log file can be decoded at https://www.base64decode.org
It will lead you to (one of) the source(s) of the hack source code…

Thank you for your quick reply.
As you recommended, I just enabled the “NinjaFirewall > Firewall Policies > Basic Policies > Block attempts to publish or edit a published post by users who do not have the right capabilities”.
The requested list is in the mail.
Thank you.
Best, Larry

Hi there,
thanks for your reply.
It seems we have some other issues NOT related to NinjaFirewall, which is very nice.
So I will close this support ticket for now and thank you for your assistance so far.
I will re-open if necessary.
Thanks again for your support.
Best, Larry

Thanks for your reply. Here are my answers to your questions:
1. The NinjaFirewall log says:
14/May/20 12:54:00 #6657311 HIGH – 46.229.168.xxx GET /index.php – User enumeration scan (author archives) – [author_name=sridevi-poquet] – my-domain.de
14/May/20 15:03:00 #4133863 INFO – 93.238.7xxx POST /wp-login.php – Logged in user – [Julie (administrator)] – my-domain.de
No entry at or around the problematic time slot.
2. In the “Firewall Policies > Advanced Policies > HTTP response headers” section, everything is on “No”.
3. The admin user is white-listed.
Admin user Julie: You are whitelisted by the firewall.
Tell me if more info is needed.
Thanks a lot.
Best, Larry

Update to my recently published question:
See below the result of “wp-check.php” (domain anonymized), which I discovered a few moments after my original post. Sorry, I was a bit too slow on this one….
Thanks again.

NinjaFirewall (WP edition) troubleshooter
HTTP server : Apache
PHP version : 7.3.17
PHP SAPI : FPM-FCGI
auto_prepend_file : /var/www/vhosts/my-domain.de/httpdocs/wp-content/nfwlog/ninjafirewall.php
Loader’s path to firewall : /var/www/vhosts/my-domain.de/httpdocs/wp-content/plugins/ninjafirewall/lib/firewall.php
wp-config.php : found in /var/www/vhosts/my-domain.de/httpdocs/wp-config.php
NinjaFirewall detection : NinjaFirewall WP Edition is loaded (Full WAF mode)
Loaded INI file : /opt/plesk/php/7.3/etc/php.ini
user_ini.filename : .user.ini
user_ini.cache_ttl : 300 seconds
User PHP INI : none found
DOCUMENT_ROOT : /var/www/vhosts/my-domain.de/httpdocs
ABSPATH : /var/www/vhosts/my-domain.de/httpdocs/
WordPress version : 5.4.1
WP_CONTENT_DIR : /var/www/vhosts/my-domain.de/httpdocs/wp-content
Plugins directory : /var/www/vhosts/my-domain.de/httpdocs/wp-content/plugins
User Role : Administrator
User Capabilities : manage_options: OK – unfiltered_html: OK
Log dir permissions : /var/www/vhosts/my-domain.de/httpdocs/wp-content/nfwlog dir is writable
Cache dir permissions : /var/www/vhosts/my-domain.de/httpdocs/wp-content/nfwlog/cache dir is writable
NinjaFirewall (WP edition) troubleshooter v1.9.1

Forum: Plugins
In reply to: [Gwolle Guestbook] Checking entry input before storing in guestbook backend

Hello again and just as an FYI,
I solved my second question by using the “gwolle_gb_write_add_form” hook.
Regarding my first question, I’ll take my chances modifying the PHP scripts directly.
Thanks.
Best,
Larry
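The NinjaFirewall replies above describe a repeated script injection into post content, a rewritten site URL and a base64-encoded fragment in the server log. As an added illustration, not code from the thread or from NinjaFirewall, the Python below scans exported wp_posts rows for script tags, checks siteurl/home against the expected host and decodes a log fragment offline; the sample rows and hostnames are constructed placeholders.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample rows standing in for
#   SELECT ID, post_content FROM wp_posts;  and
#   SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl','home');
# Hostnames are placeholders, not indicators from the thread.
SAMPLE_POSTS = [
    (1, "<p>Welcome to our guestbook.</p>"),
    (2, "<p>Hello</p><script type='text/javascript' src='https://cdn.attacker.example/r.js'></script>"),
    (3, "<p>Text</p><script>window.location='https://redirect.example/';</script>"),
]
SAMPLE_OPTIONS = {"siteurl": "https://redirect.example", "home": "https://my-domain.de"}
EXPECTED_HOST = "my-domain.de"

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def find_injected_scripts(posts, trusted_hosts=()):
    """Return (post_id, reason, snippet) for every <script> block in post_content that is
    inline or loads from a host outside trusted_hosts; posts normally carry no JavaScript."""
    findings = []
    for post_id, content in posts:
        for match in SCRIPT_TAG.finditer(content):
            tag = match.group(0)
            src = SRC_ATTR.search(tag)
            if src is None:
                findings.append((post_id, "inline script", tag[:80]))
                continue
            host = urlparse(src.group(1)).hostname or ""
            if host not in trusted_hosts:
                findings.append((post_id, f"external script from {host}", tag[:80]))
    return findings


def check_site_urls(options, expected_host):
    """Return the option names (siteurl/home) whose host differs from the expected one;
    a redirect defacement typically rewrites exactly these two options."""
    return sorted(name for name in ("siteurl", "home")
                  if urlparse(options.get(name, "")).hostname != expected_host)


def decode_log_fragment(fragment):
    """Decode a base64 fragment from a log line locally, so potentially sensitive log
    data never has to be pasted into a third-party web decoder; None if not base64."""
    try:
        return base64.b64decode(fragment, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
```

Run the two checks after every clean-up and again on a schedule; a hit on either is the earliest signal that the injection has recurred, independent of what the web firewall logs.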