mlhwebsites

Thanks for the supper quick response!!! Yes I use the BPS XML-RPC DDoS Protection Bonus Code on every site but this is the only one getting this error. As far as I can tell your .htaccess file is the only thing protecting this. I don’t want to open this up for hackers I just don’t know how serious this error is or whether I can fix it but keep the protection.

Thanks again for your speedy answer.

Sorry my indentations disappeared when I posted. Website2 and Website3 are folders within the root of website1.

Sorry for the delay I was doing some final checking. For all I can tell you were correct and there is really not a hacking issue but the wp program picking up changes that were not a problem.

Once again I certainly appreciate you expertise and most of all you effort to help me solve this.

Thanks again

Mike

This is the only site I use this them on. The rest are Ithemes Builder themes. If I do have to rebuild the site I will change back to builder. I checked and you are correct – there is no et_temp folder on the builder sites!

I think that only leaves files godaddy says are changed in folders other than wp sec.

If nothing else I am learning a lot from this – lol!!

I have backup buddy from ithemes. It lets you restore individual files but there are so many and I don’t know which ones so that may not be practical. There were 75 mods just Friday night. Also although most changes were in the better wp folder – files were also changed in other folders. The only thing I question is:

1. According to godaddy file manager dates the files were changed so it’s not just wp saying that.
2. Do you have a clue as to why I have deleted the wp-content/uploads/et_temp 6 times today and each time they come back? When I delete them in FTP – they are no longer there yet when I check later they are back.

I also sent you some image files from wp-content/uploads/et_temp. I have deleted these 6 times today and they keep coming back. I’ll pass that along to sucuri monday.

Thanks so much

I am still trying to determine which ones to send. I looked at some of the index.php files in each folder and they contained: “<!– You shouldn’t be here. tsk tsk –>”. They all say they have been modified, even in Godaddy file manager. That’s why I don’t know which ones to send but I’ll just pick a couple and try.

I can’t believe how helpful you are being!!!! If you are typical AIT – wow!!

Also Ironically on of the folders flooded with this crap were the better wp security plug in folders!!

Sucuri is monitoring the worst site. I had them look yesterday since their scan wasn’t showing anything but at that point I didn’t know how bad added and modified files were. He didn’t find anything but he didn’t know about all the files – only the 404 intrusion errors. It was one of these ip’s from Russia that did most of the damage one one site.

Based on your earlier suggestion I am going to check one of the modified php files. I do wonder if anyone else is running into this. I always keep everything 100% up to date – checking every day!

I have verified files added/modified/deleted have actually occurred. It looks like they modified an image file then added it to wp_content/uploads/et_temp then proceeded modify 75 other files. I guess the only answer is to see how far back my backups are corrupted. The only problem is determining if a new restored site is also infected before installing bulletproof pro.

I have 11 sites and this has happened on almost every one.

Thanks again

The only reason I added it was it did some things Bulletproof didn’t such as logging 404 errors (detection), monitoring changed files etc. I’ve had one site hacked so I get nervous. Perhaps I should deactivate it for a while to see if that stops the 404 to 644.

Thank you much for your unbelievably quick response!

Do you know where I can find the Better WP Security .htaccess code? Is the .htaccess in the root folder the one I should backup in case this breaks something? I can try this in one of my test sites.

Before trying this I am trying to determine when this is triggered by monitoring all sites to see when the 404 changes to 644. I know better wp security is not your problem but for info purposes while it’s 404: In their dashboard it shows “Better WP Security is allowed to write to wp-config.php and .htaccess.” but under System Info it says: “neither of these are writeable”. This seems like a conflict.

Thanks again – I appreciate your tim

I have seen lots of threads related to this issue and am still confused so any help would be appreciated. I have the free bulletproof plugin and “better wp security” plugin. On most of my logins to wp I check Bulletproof security status and it shows: “The WP readme.html file is not .htaccess protected”. Instead of the 404 .htaccess it has changed to 644. I then do the “Activate Website Root Folder .htaccess Security Mode”. This corrects both problems but has to be repeated on most subsequent logins which means the site is vulnerable in between.
I would like to see if then can be resolved prior to upgrading.

Server Type: Apache
Operating System: Linux
Server API: cgi-fcgi – Your Host Server is using CGI.

If this should be posted in a different thread please advise.

Thanks very much
mlhwebsites