php exit(‘Access denied’); __halt_compiler(); ?>

  • Resolved samvisualkitchen

    (@samvisualkitchen)


    2 years ago

    hello,

    having been hacked on 5 different virtual servers within one hosting scheme using wp (on 4 of them, one joomla), I’ve started using wf since the last reinstall, alas to no prevail, the hacks keep coming even with wf. After a while wf scans failed, as reconnecting to the site didn’t work anymore. Now as I’ve been cleaning up manually (I learnt a lot from the scans!) I started checking the wf php’s as well and found this in the config-livewaf.php

    first line php: exit(‘Access denied’); __halt_compiler(); ?>

    and then the rest,

    This file is used by the Wordfence Web Application Firewall. Read
    more at https://docs.wordfence.com/en/Web_Application_Firewall_FAQ

    a:2:{s:4:”cron”;a:4:{i:0;O:42:”wfWAFCronFetchCookieRedactionPatternsEvent”:1:{s:11:” * fireTime”;i:1717607010;}i:1;O:24:”wfWAFCronFetchRulesEvent”:1:{s:11:” * fireTime”;i:1717607010;}i:2;O:25:”wfWAFCronFetchIPListEvent”:1:{s:11:” * fireTime”;i:1717222535;}i:3;O:36:”wfWAFCronFetchBlacklistPrefixesEvent”:1:{s:11:” * fireTime”;i:1717157777;}}s:20:”whitelistedURLParams”;N;}

    can I assume all the wf php is hacked too by now?

    kind regards

    sam vanoverschelde

    The page I need help with: [log in to see the link]

Viewing 1 replies (of 1 total)
  • Plugin Support wfpeter

    (@wfpeter)

    2 years ago

    Hi @samvisualkitchen, thanks for reaching out.

    The paste of wp-content/wflogs/config-livewaf.php above look like the expected contents of that file.

    If connecting back to the site, database connections etc. have suddenly started failing (consistent with why scans also started failing), it can sometimes be down to a change your host has made to your server so I’d certainly see if they’re able to provide any more information around that before attempting to clean the site.

    The fact a Joomla site also appears to be affected may suggest an access point outside of the front-end, so if you believe your site was compromized, we’ll always recommend the passwords for your hosting control panel, FTP, and database have all been changed in addition to all WordPress admin users. Also make sure WordPress, themes, and all of your plugins are now fully up-to-date.

    When something has created unwanted or malicious files/code, you may find our detailed site cleaning instructions and free Learning Center can help you find the cause and clear it yourself:
    https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
    https://wordfence.com/learn/

    Let us know what you find out,
    Peter.

Viewing 1 replies (of 1 total)

The topic ‘php exit(‘Access denied’); __halt_compiler(); ?>’ is closed to new replies.

Tags

  • 1 reply
  • 2 participants
  • Last reply from: wfpeter
  • Last activity: 2 years ago
  • Status: resolved