January 15, 2015 at 10:57 pm #14916
I just got an alert from WordFence security that “This file appears to be installed by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The text we found in this file that matches a known malicious file is: “edoced_46esab(”.”
I went and looked at the functions.php file and at the very top of the file the text is as follows;
Then following this is the “start the engine” line of code.
Not sure what to do here.
Dan January 15, 2015 at 11:09 pm #14917
That malicious code isn’t in any of the themes I have from Appfinite. Where did you download this theme from? If you downloaded it from appfinite directly, then it definitely won’t have any malicious code (I just checked all of the versions that I have)... but if you’ve downloaded from someone else on the outside, then they could have very well added in something malicious in an attempt to hack you. This is why everyone in WordPress recommends downloading themes from the people/company that actually made the theme to avoid something like this.
If you did download from appfinite ONLY, then that means you have something else wrong with your site (unrelated to the child theme). It’s definitely not from the theme, as there isn’t any way for them to do so through the child theme itself. It could be a plugin, or any type of vulnerable code that could have been added in manually. This is the first time I’ve ever seen something like this mentioned on this site, and since I know Genesis is known for good security, I can assume there must be something else causing the issue.
I would contact your host ASAP to see if they can figure out what’s going on. They should have the tools to find out exactly where and how whoever was able to hack into your account was able to do it.
January 15, 2015 at 11:11 pm #14918
I don’t see this encoding in the insynch theme I downloaded, so it got added but what’s strange is that when I look at the file in FTP the last mod date was 12/14 of 2014. Any insight would be appreciated. The permissions on the file are 644.
January 15, 2015 at 11:12 pm #14919
Yeah, it came from appfinite. Can I just delete the section? Can’t get in touch with the host unfortunately. It’s a client site and I have to wait until tomorrow AM. What to do.
January 15, 2015 at 11:18 pm #14920
Yes, you could delete that section, but I can’t promise that will fix the issue. Since it doesn’t appear to be a theme issue, that means that someone somehow has or had access to your account in some kind of way. So if they’ve added code into that file before, I’m not sure if they’ll be able to repeat it or not. I would reset your passwords and check any outdated plugins to make sure everything is up to date. This is definitely an unusual thing, and I would take immediate action to try and at least prevent it from happening in the future.
January 15, 2015 at 11:20 pm #14921
Agreed. I just scanned with Sucuri and no malware was found and there is no admin account and I’m using a very secure p/w. Thanks for the immediate reply Eric. I’m leery of deleting the lines in the code. Guess I should back up functions.php anyway even though it might be suspicious. Or wait until the AM to call the host.
January 15, 2015 at 11:30 pm #14922
When browsing WordFence security the only allowed user login was from me. All other attempts trying to hack the admin account (which is non-existent) were blocked by WordFence.
And as mentioned FTP shows last mod of the functions.php was on 12/14. I’ll leave it for now but if I learn anything from this I will share for the benefit of others.
January 16, 2015 at 2:35 pm #14925
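An added example, not part of the thread and not WordFence's or Appfinite's code: the string in the alert, "edoced_46esab", is "base64_decode" spelled backwards, so the other theme files can be checked for the same trick by searching for reversed function names. The function list, the helper names and the sample files below are assumptions constructed for the illustration.

```python
from pathlib import Path
import re
import tempfile

# PHP function names whose *reversed* spelling has no legitimate reason to
# appear in a theme. Assumed list for this example, not WordFence's rule set.
SUSPECT_FUNCS = ["base64_decode", "gzinflate", "gzuncompress",
                 "str_rot13", "create_function"]
REVERSED = {name[::-1]: name for name in SUSPECT_FUNCS}
PATTERN = re.compile("|".join(re.escape(r) for r in REVERSED), re.IGNORECASE)


def scan_text(text):
    """Return (line_number, hidden_function, line) for each reversed name."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in PATTERN.finditer(line):
            hits.append((number, REVERSED[match.group(0).lower()], line.strip()))
    return hits


def scan_tree(root):
    """Scan every .php file under root and report path, mtime and hits."""
    report = []
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            # mtime is kept for triage only: anyone able to write the file
            # can also reset its timestamp, so it does not date the change.
            report.append({"path": str(path), "mtime": path.stat().st_mtime,
                           "hits": hits})
    return report


def demo():
    """Run the scan over a constructed two-file theme directory."""
    samples = {  # constructed sample files, not the code from the thread
        "functions.php": '<?php\n$f = strrev("edoced_46esab");\n//* Start the engine\n',
        "clean.php": "<?php\necho base64_decode('aGk=');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body, encoding="utf-8")
        return [(Path(r["path"]).name, r["hits"]) for r in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

Pointing `scan_tree` at a downloaded copy of `wp-content` lists each file that contains a reversed name, with the line number to review before anything is deleted.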