wp-load.php exploit

I’ve had Defender installed, but I was still hit with a wp-load.php exploit. Every minute the content of that file gets deleted. I’m almost 100% positive there is some code in my DB that is affecting it but I cannot find it. Every developer I’ve hired is unable to find it as well.

#4 on this page.

https://www.getastra.com/blog/911/wordpress-files-hacked-wp-config-php-hack/

 

  • Shaun
    • Site Builder, Child of Zeus

    Hello:

    Thank you for your response. I loaded everything and activated one plugin at a time and checked the wp-load.php file after each installation. Everything looked fine and I left the website alone and went to sleep around 2:30 am EST. By 8:11 am the file was still there, but the content had been deleted. And then again at 9:11 am the same thing.

    I went to use/view the website about 10 minutes ago and the website appeared to be fine, but just a few minutes ago the website went down. I haven’t touched any of the plugins or themes so I don’t know what this could possibly be.

    The error log file shows the following (multiple times):

    [21-Jun-2020 15:25:41 UTC] WordPress database error Unknown column 'wp_users.spam' in 'field list' for query SELECT wp_users.ID,wp_users.user_login,wp_users.user_pass,wp_users.user_nicename,wp_users.user_email,wp_users.user_url,wp_users.user_registered,wp_users.user_activation_key,wp_users.user_status,wp_users.display_name,wp_users.spam,wp_users.deleted FROM wp_users WHERE 1=1 AND wp_users.ID IN (2) ORDER BY user_login ASC made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), include('/themes/onesocial/buddypress.php'), the_content, apply_filters('the_content'), WP_Hook->apply_filters, bp_replace_the_content, apply_filters('bp_replace_the_content'), WP_Hook->apply_filters, BP_Groups_Theme_Compat->single_content, bp_buffer_template_part, bp_get_template_part, bp_locate_template, load_template, require('/themes/onesocial/buddypress/groups/single/home.php'), bp_get_template_part, bp_locate_template, load_template, require('/themes/onesocial/buddypress/groups/single/group-header.php'), buddyboss_group_list_admins, BP_User_Query->__construct, BP_User_Query->do_wp_user_query, WP_User_Query->__construct, WP_User_Query->query
    [21-Jun-2020 15:25:41 UTC] PHP Warning: Creating default object from empty value in /home/REDACTED/public_html/wp-content/plugins/analytify-analytics-dashboard-widget/.analytify-analytics-dashboard-widget.php on line 1635
    [21-Jun-2020 15:28:08 UTC] PHP Fatal error: Uncaught Error: Call to undefined function wp() in /home/REDACTED/public_html/wp-blog-header.php:16

    Stack trace:
    #0 /home/REDACTED/public_html/index.php(17): require()
    #1 {main}
    thrown in /home/REDACTED/public_html/wp-blog-header.php on line 16
    [21-Jun-2020 15:34:44 UTC] PHP Fatal error: Uncaught Error: Call to undefined function wp() in /home/REDACTED/public_html/wp-blog-header.php:16
    Stack trace:
    #0 /home/REDACTED/public_html/index.php(17): require()
    #1 {main}
    thrown in /home/REDACTED/public_html/wp-blog-header.php on line 16

  • Patrick Freitas
    • FLS

    Hi Shaun

    Thank you for the information and sorry to hear you are having this issue.

    We already escalated this to our Second Line Support.

    Once the agent replies to the ticket, you will receive a notification.

    Note that the second line support team deals with more complex situations, and this can cause a delay in the response. Thank you for understanding.

    Best Regards
    Patrick Freitas

  • Alessandro
    • Nightcrawler & Daydreamer

    Hey Shaun

    Could you please enable “Support Access” on the WPMUDEV Dashboard plugin so we can access your installation?

    No worries, we’ll clear out any malicious code and we’ll add loggers to track any request to your website. We’ll detect what goes wrong with your website.

    Kind regards,
    Alessandro.

    • Shaun
      • Site Builder, Child of Zeus

      Alessandro:

      Thank you for your support. I’ve provided access for you.

      I hired a specialist who was able to remove all of the malicious code and restore my website. I would definitely appreciate any logger you can add to help track those kinds of requests so I can better protect my website.

  • Alessandro
    • Nightcrawler & Daydreamer

    Hey Shaun

    As your WordPress is clean now, there is no need for any loggers. I use logging to detect and restore any infected files.

    As this logs everything, it affects your website’s performance.

    As advice, keep a minimum of required plugins and use strong passwords.

    At your disposal.

    Kind regards,
    Alessandro.
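
An added example, not part of the thread: the error log Shaun posted can be used to bracket when wp-load.php was emptied, since the `Call to undefined function wp()` fatal only appears once that file no longer defines anything. The sample log is constructed on the model of the thread's entries, the `/home/EXAMPLE` path is a placeholder, and treating every other entry as evidence of a working wp-load.php is an assumption.

```python
import re
from datetime import datetime

# PHP error_log entries start with "[21-Jun-2020 15:25:41 UTC] ".
ENTRY = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\] (.*)$")
# Symptom from the thread: wp-blog-header.php calls wp(), which an
# emptied wp-load.php never gets to define.
BROKEN = "Call to undefined function wp()"

# Constructed sample modelled on the thread's log; paths are placeholders.
SAMPLE_LOG = """\
[21-Jun-2020 15:25:41 UTC] PHP Warning: Creating default object from empty value in /home/EXAMPLE/public_html/wp-content/plugins/example/example.php on line 10
[21-Jun-2020 15:28:08 UTC] PHP Fatal error: Uncaught Error: Call to undefined function wp() in /home/EXAMPLE/public_html/wp-blog-header.php:16
Stack trace:
#0 /home/EXAMPLE/public_html/index.php(17): require()
[21-Jun-2020 15:34:44 UTC] PHP Fatal error: Uncaught Error: Call to undefined function wp() in /home/EXAMPLE/public_html/wp-blog-header.php:16
[21-Jun-2020 16:02:10 UTC] PHP Warning: Creating default object from empty value in /home/EXAMPLE/public_html/wp-content/plugins/example/example.php on line 10
[21-Jun-2020 16:11:03 UTC] PHP Fatal error: Uncaught Error: Call to undefined function wp() in /home/EXAMPLE/public_html/wp-blog-header.php:16
"""

def emptied_windows(log_text):
    """Return (last_healthy, first_broken) datetime pairs, one per outage.

    Assumption: any entry other than the wp() fatal (a plugin warning, a
    WordPress database error) means WordPress had loaded, so wp-load.php
    was intact at that moment. last_healthy is None if the log starts broken.
    """
    windows = []
    last_healthy = None
    broken = False
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        if BROKEN in m.group(2):
            if not broken:  # record only the first fatal of each outage
                windows.append((last_healthy, ts))
                broken = True
        else:
            last_healthy = ts
            broken = False
    return windows

if __name__ == "__main__":
    for healthy, fatal in emptied_windows(SAMPLE_LOG):
        print(f"wp-load.php emptied between {healthy} and {fatal} UTC")
```

Each window gives a time range to compare against the web server access log, cron entries and the modification time of wp-load.php.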