These files are not malicious, they are written by the Brute-Force Login patch installed by my plugin. These are essentially log files that record all the failed login attempts. As you can see from the info you have decoded, those files store a timestamp and method in a serialized array.
I don’t want to use the database to store that info because the whole point of my Brute-Force patch is to preempt the WordPress boot-loader so as to prevent attacks from having a DDoS effect on your server.
I am working on a better way to do this though, one that does not require writing to files or using a session.
Are you getting any error messages?
Check the error_log files on your server to see what is causing the site not to come up. If your not sure where to find your error_log files ask your hosting provider where to they are on your server.
As I said, you need to install the Core File definitions by checking the automatic-update box and starting a Complete Scan.
Did you just upgrade to the new version of WordPress?
When you change the version of WordPress that you have installed the Core Files definitions need to be updated too. This can be done by checking the automatic-update button and starting a Complete Scan.
You will need to install my plugin on each site that you want to protect. You can register each site using the same email address so that you only have one account. Then you can donate from any site on that account and it will show up accross all the site on the same account.
I think there must be something that is blocking the external JavaScript from loading in your browser. Can you check your browser’s Error Console and/or the Element Inspector for any errors on that page?
Also try another browser, maybe even on another computer, to see if the results are any different.
Thanks for sending me your wp-admin login. I found that new threat in your theme header file and I added it to my definition updates. When I downloaded the new update on your site and scanned your theme again it found the malicious script and removed it.
Your site is now clean, I re-checked it on sucuri sitecheck too and it also shows that it’s clean now.
You can’t post any HTML here. Can you try just pasting the URL without any formatting or HTML tags?
You can also just email it directly to me if you want.
Does it display the other buttons in the Updates & Registration section, like “Check for Definition Updates Now!” or “Download new Definitions!”?
Can you send me a screenshot?
Please email any new threats directly to me: eli AT gotmls DOT net
Awesome! Thank you for sharing your solution.
I’m not sure what the owner setting are or what they are supposed to be on your server but it doesn’t sound like messing with that is a good idea. From your description it sounds like you changing the .htaccess files in my plugin, this would not help anyway, I was referring to the main .htaccess file in the root of your site, but please don’t make any changes to that file unless you know how to change it back.
I will need more specific info about the permissions on your server and the directory structure of your site to help you further. It would make it easier for me if I had direct access to your site. Please contact me directly to get more help: eli AT gotmls DOT net
Don’t post any sensitive data on the forum.
Please email the file directly to this address: eli AT gotmls DOT net
I see that these are HTML files, so I am assuming that there is not any malicious PHP code in them. I realize that these pages probably contain content that is not supposed to be on your site. If you can send me these files in an email then I will take a look at them and see if they can be added to my definition updates.
what was the owner before and what did you change it to? Is it the same as the owner on the other files in your WordPress site? Are you able to use the built-in plugin and theme editor within WordPress, or does that also not work?
