#1
Sep 9, 2015, 10:23 AM
Although my site seems to be functioning normally, my Avast antivirus is sending a trojan alert when I try to download theme backup files. I have been able to identify the problematic file as /public_html/wp-content/themes/atahualpa/functions/bfa_get_option.php. This file has a different (more recent) date from all of the other files in the directory.
I notice there is also a very similarly named file in the same directory, bfa_get_options.php, which has the same date as all the other files. Should wp-content/themes/atahualpa/functions/ contain both a bfa_get_option.php and bfa_get_options.php file, or can I safely delete the get_option file?
#2
Sep 9, 2015, 11:22 AM
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
There is NO bfa_get_option.php in the theme - there is a bfa_get_options.php.
I would take a look at that file BEFORE you delete it to see what was in it. If it is not the normal code it is probable that your site has been hacked and you need to deal with that.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
#3
Sep 10, 2015, 06:11 PM
My AV program wouldn't let me open bfa_get_option.php before deleting (but I'm OK with that). I deleted it from my WordPress installation and happily, my site didn't break. I am now able to create downloadable backups of my theme files (though thanks to your excellent save all settings option, I was not nearly as freaked out that I couldn't save backups as I might've been - I have done a LOT of customization on my site, so I really appreciate that feature).
I'm not sure what else to check. I asked my ISP, but they didn't reply. Anyway, I know that's not your problem. Thanks a lot for the swift reply.
#4
Sep 11, 2015, 01:18 AM
It's too bad you deleted it, you have lost a piece of forensic evidence. Looking at the date the file was last changed would have been helpful because you would know the point when you may have been hacked.
To be safe, you should do a Google search 'wordpress site hacked' and follow thru with the suggestions you find.
Juggledad | Forum Moderator/Support
#5
Sep 12, 2015, 01:34 AM
I did note the date before deleting - Sept. 6th. Surely I don't want to open a file that has been identified as a possible trojan on my computer?
#6
Sep 12, 2015, 01:54 PM
'I' would have opened it in a text editor to see what was in it. Comparing it to the original code would have shown what was changed/added and given a clue as to what hack was used. This would be something you could take to your host.
As it is, if the file was changed September 6th and you didn't do it, you have been hacked and that might not be the only file that was compromised.
I'd also look thru ALL the files in the WordPress root to see if anything else was changed on September 6th, then I would reinstall all the WordPress files, plugins and all themes.
Change all passwords in the database and on your channel and FTP accounts and run a scan on your PC and any other PC that you or anyone with admin rights may have used to access the site.
Juggledad | Forum Moderator/Support
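The checks suggested in post #6 (compare against the original code, look for other files changed on the same day) can be scripted. This is an added example, not part of the original thread: it assumes a clean copy of the same theme version has been unpacked beside the installed one, and the function names and paths are illustrative.

```python
import hashlib
import os
from datetime import datetime, timedelta


def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map each relative file path under root to (sha256, mtime)."""
    index = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index[rel] = (sha256_of(full), os.path.getmtime(full))
    return index


def audit_theme(installed_root, pristine_root, suspect_day=None):
    """Compare an installed theme against a clean copy of the same version.

    Reports files the clean copy does not contain ("extra"), files whose
    content differs ("modified"), files absent from the install ("missing"),
    and, when suspect_day (a datetime.date) is given, every installed file
    last modified on that day in local time ("changed_on_day").
    """
    installed = index_tree(installed_root)
    pristine = index_tree(pristine_root)
    report = {
        "extra": sorted(set(installed) - set(pristine)),
        "missing": sorted(set(pristine) - set(installed)),
        "modified": sorted(p for p in installed.keys() & pristine.keys()
                           if installed[p][0] != pristine[p][0]),
        "changed_on_day": [],
    }
    if suspect_day is not None:
        start = datetime.combine(suspect_day, datetime.min.time()).timestamp()
        end = start + timedelta(days=1).total_seconds()
        report["changed_on_day"] = sorted(
            p for p, (_h, mtime) in installed.items() if start <= mtime < end)
    return report
```

File dates can be reset by whoever changed the file, so treat the hash comparison as the stronger signal and a date match as a lead to follow up.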
#7
Sep 18, 2015, 02:12 PM
When I do a settings export, does that settings file include my css inserts, or do I need to back those up separately?
#8
Sep 18, 2015, 06:05 PM
The Atahualpa export contains ALL the Atahualpa settings. Since the CSS inserts are an Atahualpa option it gets exported.
Juggledad | Forum Moderator/Support
#9
Sep 19, 2015, 02:51 AM
Excellent! I know I already said thanks for that feature, but after spending way too much of the day screenshotting the settings of every plugin and widget I use in preparation for reinstalling my site, I have a whole new level of appreciation for it! How I wish everyone else would make you their role model!