    #660222

    Hello!

    I keep getting a Russian porn site (traf-extractor.ru) infecting my .htaccess file. This is happening starting from folder ./wp-content/themes/enfold/config-layerslider/LayerSlider/. Did you have some security breach reports for this particular plugin?

    I am running WordPress 4.5.3, Enfold 3.6.1. I already chmod-ed all files to 755 and changed all passwords.

    Here is the list of generated infected .htaccess files (already erased them, but they keep coming back after a few days). Maybe you can recommend a Linux console malware scanner to check all the PHP files. Thanks!

    bash-4.2$ find . | grep htaccess
    ./.htaccess
    ./wp-admin/.htaccess
    ./wp-admin/network/.htaccess
    ./wp-admin/user/.htaccess
    ./wp-content/.htaccess
    ./wp-content/plugins/.htaccess
    ./wp-content/themes/.htaccess
    ./wp-content/themes/enfold/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/classes/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/config/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/demos/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/helpers/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/includes/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/locales/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/css/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/htmlembedded/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/htmlmixed/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/javascript/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/php/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/xml/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/templates/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/tmp/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/tmp/cache/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/tmp/uploads/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/views/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider/wp/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/classes/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/config/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/demos/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/helpers/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/includes/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/locales/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/css/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/htmlembedded/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/htmlmixed/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/javascript/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/php/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/xml/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/templates/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/tmp/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/tmp/cache/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/tmp/uploads/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/views/.htaccess
    ./wp-content/themes/enfold/config-layerslider/LayerSlider_old/wp/.htaccess
    ./wp-content/uploads/dynamic_avia/.htaccess
    ./wp-content/uploads/wc-logs/.htaccess
    ./wp-content/uploads/woocommerce_uploads/.htaccess
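An added example (not code from the thread, nor from the Enfold or LayerSlider projects) of the kind of console check the post above asks for: a POSIX shell script that enumerates every .htaccess under a web root, counts them for comparison against a clean install, lists recently modified .htaccess and PHP files (their timestamps are what to match against the access log), and flags the .htaccess files containing directives commonly abused by redirect infections. The sample web root, the theme directory name and the host malicious-redirect.example are constructed for the demonstration and are not from the original post.

```shell
#!/bin/sh
# Added example, not from the forum thread or the Enfold/LayerSlider projects.
# Triage helper for the symptom above: .htaccess files that keep reappearing.
# Every path and host name produced by make_sample_root is constructed.

# Print every .htaccess under $1 that contains a directive commonly abused for
# redirect infections: RewriteRule / Redirect / RedirectMatch / ErrorDocument
# pointing at an absolute URL, or php_value auto_prepend_file / auto_append_file.
suspicious_htaccess() {
    find "$1" -type f -name .htaccess 2>/dev/null | while IFS= read -r f; do
        if grep -Eiq '^[[:space:]]*(RewriteRule|Redirect(Match)?|ErrorDocument)[[:space:]].*https?://|auto_(pre|ap)pend_file' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of .htaccess files under $1; compare with the count from a clean install.
count_htaccess() {
    find "$1" -type f -name .htaccess 2>/dev/null | wc -l | tr -d ' '
}

# .htaccess and PHP files under $1 modified within the last $2 days. Their mtimes
# are what to correlate with the web-server access log to find the request that
# wrote them.
recent_web_files() {
    find "$1" -type f \( -name .htaccess -o -iname '*.php' \) -mtime -"$2" 2>/dev/null
}

# Build a constructed sample web root so the functions can be exercised offline.
# Prints the root directory path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/sample-theme/inc"
    # benign: stock WordPress rewrite rules
    printf '%s\n' \
        '# BEGIN WordPress' \
        'RewriteEngine On' \
        'RewriteBase /' \
        'RewriteRule ^index\.php$ - [L]' \
        'RewriteCond %{REQUEST_FILENAME} !-f' \
        'RewriteCond %{REQUEST_FILENAME} !-d' \
        'RewriteRule . /index.php [L]' \
        '# END WordPress' > "$d/.htaccess"
    # benign: uploads directory that refuses to serve PHP
    printf '%s\n' \
        '<FilesMatch "\.php$">' \
        '  Deny from all' \
        '</FilesMatch>' > "$d/wp-content/uploads/.htaccess"
    # constructed malicious sample: sends search-engine visitors to another host
    printf '%s\n' \
        'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} (google|bing)\. [NC]' \
        'RewriteRule ^.*$ http://malicious-redirect.example/go.php [R=302,L]' \
        > "$d/wp-content/themes/sample-theme/inc/.htaccess"
    printf '%s\n' "$d"
}

# Usage on a real site (hypothetical path):
#   . ./htaccess-triage.sh
#   suspicious_htaccess /var/www/htdocs
#   recent_web_files /var/www/htdocs 3
```

The pattern only catches the directive families named in the comment; an .htaccess that is merely unexpected (for example one in a directory that never had one) is caught by the count and the mtime listing rather than by content matching, which is why the three checks are kept separate.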

    #660577

    Hey rusoaie,

    This is the first time I’ve heard about something like that so I don’t think they gain access through the Layer Slider. Did you change the password for your database as well? Please try to overwrite the theme files with a fresh copy from your Themeforest account via FTP to see if that helps: http://kriesi.at/documentation/enfold/updating-your-theme-files/

    Thanks,
    Rikard

    #663453

    Hello, Rikard!

    Thank you for your response.

    I am running WordPress 4.5.3. I have already overwritten the WordPress and Enfold theme files with the latest ones, chmod-ed all files to 755, cleaned the WordPress cron jobs, and changed the SSH / FTP / MySQL and WordPress passwords.

    Problem is still present.

    Is there any way I can get in contact with the layerslider authors in order to debug the problem?

    Thank you!

    #663787

    Hi,

    I’m not sure that would do you any good as it’s most likely not the Layer Slider which is the problem, the problem is that your site is infected already. Could you try completely deleting the theme folder from your server and then uploading it again? Make sure to back your site up before attempting this.

    Thanks,
    Rikard

    #677673

    Hello, Rikard!

    Thanks for the support. Problem seems to be fixed, so I will reproduce what I did, maybe anyone has the same problem.

    1. rename/move website root folder to a different one (e.g. site_infected)
    2. create empty folder for clean website
    3. unpack original wordpress files from wordpress.org/latest.zip
    4. unpack enfold theme original files from your Themeforest account into wp-content/themes/
    5. copy wp-config.php and the wp-content/uploads folders from the site_infected folder (make sure there are no php or other bogus files and folders inside)
    6. keep the database
    7. recurse chmod root folder: chmod -R 755 htdocs
    8. recurse chmod php files: find . -iname "*.php" -print0 | xargs -0 chmod 644
    9. chmod htaccess file: chmod 644 .htaccess
    10. change all WordPress users, MySQL, SSH, FTP and cPanel passwords to 16 digit generated ones

    Hope this helps someone! These steps worked for me; if you want a full list of actions to secure your WordPress, take a look at https://codex.wordpress.org/Hardening_WordPress

    Cheers!
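The rebuild procedure above, turned into re-runnable shell functions as an added example (this is not the poster's script and not code from the Enfold or WordPress projects): a check for script files left under wp-content/uploads (step 5), the permission reset of steps 7 to 9, and a 16-character password generator for step 10. The sample site tree built by make_sample_site, including the theme directory with a space in its name and the planted cache.php, is constructed for the demonstration; the GNU stat -c call assumes a Linux host.

```shell
#!/bin/sh
# Added example, not part of the forum post: steps 5, 7, 8, 9 and 10 of the
# rebuild procedure above as shell functions, plus a constructed sample tree so
# the script runs offline. All file and directory names below are made up.

# Step 5 check: list script files that should never live under wp-content/uploads.
stray_scripts_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
        2>/dev/null
}

# Steps 7-9: everything 755, then PHP files 644, then .htaccess files 644.
# -exec ... + is used instead of an xargs pipeline so that paths containing
# spaces are handled.
harden_permissions() {
    root="$1"
    chmod -R 755 "$root"
    find "$root" -type f -iname '*.php' -exec chmod 644 {} +
    find "$root" -type f -name .htaccess -exec chmod 644 {} +
}

# Octal mode of a path (GNU stat; assumption: Linux host).
mode_of() {
    stat -c '%a' "$1"
}

# Step 10: a 16-character random alphanumeric password from /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 16
    echo
}

# Build a constructed sample site with deliberately wrong permissions and one
# planted script in uploads. Prints the root directory path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2016/07" "$d/wp-content/themes/sample theme"
    printf '<?php // stock file\n' > "$d/index.php"
    printf '<?php // theme file\n' > "$d/wp-content/themes/sample theme/functions.php"
    printf 'RewriteEngine On\n' > "$d/.htaccess"
    printf 'image data\n' > "$d/wp-content/uploads/2016/07/photo.jpg"
    # constructed planted file of the kind step 5 warns about
    printf '<?php // should not be here\n' > "$d/wp-content/uploads/2016/07/cache.php"
    chmod 777 "$d/index.php" "$d/.htaccess"
    printf '%s\n' "$d"
}

# Usage on a real site (hypothetical path):
#   . ./rebuild-perms.sh
#   stray_scripts_in_uploads /var/www/htdocs   # review and remove before copying uploads
#   harden_permissions /var/www/htdocs
#   gen_password                               # one per account in step 10
```

As in the post's step 7, chmod -R 755 also sets 755 on images and other non-PHP files; only PHP and .htaccess files are tightened afterwards. Run stray_scripts_in_uploads against the old site_infected copy before copying its uploads folder over, since step 5 depends on that folder being free of PHP.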

    #677689

    Hi!

    Please update Enfold also to the latest version (3.7.1).
    It seems you have taken all the steps that are required. I would also suggest asking your hosting provider to take a look, so you can understand if or where the "hole" is.

    Please do, and let us know what they told you.

    Thanks a lot

    Cheers!
    Basilis
