July 13, 2016 at 8:12 am #660222
Hello!
I keep getting a Russian porn site (traf-extractor.ru) infecting my .htaccess file. This is happening starting from folder ./wp-content/themes/enfold/config-layerslider/LayerSlider/. Did you have some security breach reports for this particular plugin?
I am running WordPress 4.5.3, Enfold 3.6.1. I already chmod-ed all files to 755 and changed all passwords.
Here is the list of generated infected htaccess files (already erased them, but they keep coming back after a few days). Maybe you can recommend a Linux console malware scanner to check all the php files. Thanks!
bash-4.2$ find . | grep htaccess
./.htaccess
./wp-admin/.htaccess
./wp-admin/network/.htaccess
./wp-admin/user/.htaccess
./wp-content/.htaccess
./wp-content/plugins/.htaccess
./wp-content/themes/.htaccess
./wp-content/themes/enfold/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/classes/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/config/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/demos/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/helpers/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/includes/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/locales/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/css/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/htmlembedded/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/htmlmixed/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/javascript/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/php/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/static/codemirror/mode/xml/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/templates/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/tmp/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/tmp/cache/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/tmp/uploads/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/views/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider/wp/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/classes/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/config/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/demos/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/helpers/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/includes/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/locales/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/css/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/htmlembedded/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/htmlmixed/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/javascript/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/php/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/static/codemirror/mode/xml/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/templates/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/tmp/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/tmp/cache/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/tmp/uploads/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/views/.htaccess
./wp-content/themes/enfold/config-layerslider/LayerSlider_old/wp/.htaccess
./wp-content/uploads/dynamic_avia/.htaccess
./wp-content/uploads/wc-logs/.htaccess
./wp-content/uploads/woocommerce_uploads/.htaccess

July 13, 2016 at 9:34 pm #660577
Hey rusoaie,
This is the first time I’ve heard about something like that so I don’t think they gain access through the Layer Slider. Did you change the password for your database as well? Please try to overwrite the theme files with a fresh copy from your Themeforest account via FTP to see if that helps: http://kriesi.at/documentation/enfold/updating-your-theme-files/
Thanks,
Rikard

July 21, 2016 at 4:36 pm #663453
Hello, Rikard!
Thank you for your response.
I am running WordPress 4.5.3. I have already overwritten the WordPress and Enfold theme files with the latest ones, chmod-ed all files to 755, cleaned the WordPress cron jobs, and changed the SSH / FTP / MySQL and WordPress passwords.
Problem is still present.
Is there any way I can get in contact with the layerslider authors in order to debug the problem?
Thank you!
July 22, 2016 at 11:12 am #663787
Hi,
I’m not sure that would do you any good, as it’s most likely not the Layer Slider that is the problem; the problem is that your site is already infected. Could you try completely deleting the theme folder from your server and then uploading it again? Make sure to back your site up before attempting this.
Thanks,
Rikard

August 25, 2016 at 5:08 pm #677673
Hello, Rikard!
Thanks for the support. Problem seems to be fixed, so I will reproduce what I did, maybe anyone has the same problem.
1. rename/move website root folder to a different one (e.g. site_infected)
2. create empty folder for clean website
3. unpack original WordPress files from wordpress.org/latest.zip
4. unpack Enfold theme original files from your Themeforest account into wp-content/themes/
5. copy wp-config.php and the wp-content/uploads folders from the site_infected folder (make sure there are no php or other bogus files and folders inside)
6. keep the database
7. recurse chmod root folder: chmod -R 755 htdocs
8. recurse chmod php files: find . -iname "*.php" | xargs chmod 644
9. chmod htaccess file: chmod 644 .htaccess
10. change all WordPress users, MySQL, SSH, FTP and cPanel passwords to 16-digit generated ones
Hope this helps someone! These steps worked for me; if you want a full list of actions to secure your WordPress, take a look at https://codex.wordpress.org/Hardening_WordPress
Cheers!
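The first post asks for a console check of the tree, and the clean-up steps above end with a 644/755 permission baseline. The script below is an added example, not code from the thread or from Enfold or LayerSlider: it walks a WordPress root, flags .htaccess files carrying a rewrite or redirect to an outside URL (the pattern list is my own heuristic, so every hit needs a human look), and reports files or folders that have drifted from that baseline. The demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a WordPress tree for the kind
# of injected .htaccess the first post describes (a rewrite to an outside site)
# and for files that drift from the 644/755 baseline set in the clean-up steps.

# Heuristic (my assumption, not a standard list): directives that a theme, plugin
# or uploads subfolder .htaccess has no business containing. Review every hit.
SUSPICIOUS='(RewriteRule|Redirect|RedirectMatch|ErrorDocument)[[:space:]].*https?://|AddHandler|AddType[[:space:]]+application/x-httpd-php|auto_prepend_file'

# Print the path of every .htaccess under $1 whose content matches SUSPICIOUS.
find_injected_htaccess() {
  find "$1" -type f -name .htaccess -print | while IFS= read -r f; do
    if grep -Eiq "$SUSPICIOUS" "$f"; then printf '%s\n' "$f"; fi
  done
}

# Print paths under $1 that drift from the baseline: directories not 755,
# .php or .htaccess files not 644, or anything world-writable.
find_mode_drift() {
  {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f \( -name '*.php' -o -name .htaccess \) ! -perm 644 -print
    find "$1" -perm -002 -print
  } | sort -u
}

# Constructed demo tree: two legitimate .htaccess files and one injected one.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/t/tmp"
  # Stock WordPress rule: internal target only, so it is not flagged.
  printf 'RewriteEngine On\nRewriteRule . /index.php [L]\n' > "$root/.htaccess"
  printf 'Options -Indexes\n' > "$root/wp-content/uploads/.htaccess"
  # Constructed injected rule using the domain named in the first post.
  printf 'RewriteEngine On\nRewriteRule ^.*$ http://traf-extractor.ru/ [R=302,L]\n' \
    > "$root/wp-content/themes/t/tmp/.htaccess"
  chmod -R 755 "$root" && find "$root" -type f -exec chmod 644 {} +
  chmod 777 "$root/wp-content/themes/t/tmp"   # deliberate drift for the demo
  echo '== injected .htaccess =='; find_injected_htaccess "$root"
  echo '== mode drift ==';         find_mode_drift "$root"
  rm -rf "$root"
}

demo
```

Run it against the real root instead of the demo tree by calling the two functions with your site path; combine with a file-mtime check (find -newer against a known-clean file) to see when the injected files reappear.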
August 25, 2016 at 5:44 pm #677689
Hi!
Please also update Enfold to the latest version (3.7.1).
It seems you have taken all the actions that are required. I would also suggest asking your hosting provider to take a look at it, so you can understand if or where the "hole" is. Please do, and let us know what they tell you.
Thanks a lot
Cheers!
Basilis