• PSIEngineering

    (@psiengineering)


    Hello,

    My website was recently hacked. Once I “fixed” the issue I installed the WordFence plugin. When I ran a scan I got the following information:

    – File appears to be malicious: wp-admin/fs-login.php
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “\x65\x76\x61\x6C\x28”.

    – File appears to be malicious: wp-includes/comnon.php
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “$site?$kverya”.

    – File appears to be malicious: wp-includes/pomo.php
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “\x65\x76\x61\x6C\x28”.

    – File appears to be malicious: wp-admin/wp-css.php
    This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “\x65\x76\x61\x6C\x28”.

    – WordPress core file modified: wp-includes/functions.php
    This WordPress core file has been modified and differs from the original file distributed with this version of WordPress.

    I’m wondering, what do these malicious errors mean and how do I fix/remove them so my website is back to 100% health?

    Thank-you!

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    ww.wp.xz.cn Admin

    Replace the WordPress files with known good versions from a fresh download of the ZIP file.

    Thread Starter PSIEngineering

    (@psiengineering)

    Thank-you very much for your help!

    Do you know what “\x65\x76\x61\x6C\x28” is and how I can remove it so my files don’t appear to be malicious?

    Here’s an example (please note the file is very long, hence the ellipsis):
    <?php

    echo 'walex';
    preg_replace("\x2F\x2E\x2A\x2F\x65","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65 …

    Moderator Samuel Wood (Otto)

    (@otto42)

    ww.wp.xz.cn Admin

    You cannot “remove” it. Don’t try. Just download a fresh copy of WordPress from this website, and replace those modified files with this junk in them with the actual correct copies of those files which do not have this junk in them.

    If the files are not in WordPress, then delete them. In fact, I would delete your entire wp-admin and wp-includes directory, and replace it with those directories from a fresh download of WordPress.
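
The strings quoted in the scan report are PHP hex escapes. As an added example (not part of the original thread and not Wordfence's detection logic), this Python script decodes them and reports what the snippet posted above contains once decoded; the indicator list and the function names are assumptions of the example.

```python
import re

# PHP double-quoted strings accept \xNN escapes with one or two hex digits.
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})")

# Indicators looked for after decoding (chosen for this example only).
INDICATORS = {
    "eval(": "runs a string as PHP code",
    "gzinflate(": "decompresses a packed payload",
    "base64_de": "start of base64_decode, unpacks an encoded payload",
    "/.*/e": "preg_replace pattern with the /e modifier (replacement is evaluated "
             "as code; deprecated in PHP 5.5, removed in PHP 7.0)",
}

# The snippet from the thread, truncated exactly where the poster truncated it.
SAMPLE = r'''<?php

echo 'walex';
preg_replace("\x2F\x2E\x2A\x2F\x65","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65 ...
'''


def decode_hex_escapes(text):
    """Replace every \\xNN escape with the character it stands for."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def scan_source(source):
    """Return (line_number, indicator, meaning) for each indicator found
    in a line after its hex escapes have been decoded."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        decoded = decode_hex_escapes(line)
        for needle, meaning in INDICATORS.items():
            if needle in decoded:
                findings.append((number, needle, meaning))
    return findings


if __name__ == "__main__":
    print("signature decodes to:", decode_hex_escapes(r"\x65\x76\x61\x6C\x28"))
    for number, needle, meaning in scan_source(SAMPLE):
        print(f"line {number}: {needle!r} -> {meaning}")
```

A hit only explains why the scanner flagged the file; the remediation is still to replace or delete the file as described in the reply above.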

    I have a web site that has been attacked a number of times but with Wordfence we have been able to prevent the hackers from getting in.

    We researched the IP addresses of the attackers and determined that it was a better idea to block the entire server IP range rather than just the one IP address.

    Do you have any plans on publishing the IP addresses or IP address ranges that your customers have entered into the advanced options section of their Wordfence installation?


The topic ‘WordFence Help’ is closed to new replies.