04-07-2014, 05:05 AM
Is this infected?
PHP Code:
wp-content/plugins/gotmls/images/index.php:337
Used by malicious scripts to decode previously obscured data/programsreturn base64_decode(strtr(substr($encoded_string, 0, -1), "-_", "+/wp-content/plugins/gotmls/images/index.php:438
Used by malicious scripts to decode previously obscured data/programs$tracer_code = "(base64_decode('".base64_encode('if(isset($_SERVER["REMOTE_ADDwp-content/plugins/wordfence/js/jquery.dataTables.min.js:113
Often used to execute malicious code'"')):eval("("+d+")")}catch(e){return}d=0;for(f=a.aoStateLwp-content/plugins/wordfence/js/jquery.dataTables.min.js:115
Often used to execute malicious codeeval("("+b+")");b=f(a,h,e.toGMTString(),c.join("/")+"/")}else
b=a+"="+encodeURIComponent(b)+"; expires="+e.toGMTString()+";
path="+c.join("/")+ [line truncated]wp-content/plugins/wordfence/lib/wfLog.php:638
Often used to execute malicious codepublic function getCBLCookieVal(){wp-content/plugins/wordfence/lib/wfLog.php:647
Often used to execute malicious code@setcookie('wfCBLBypass', self::getCBLCookieVal(), time() + (86400 * 365), '/');wp-content/plugins/wordfence/lib/whois/whois.parser.php:112
Often used to execute malicious codeeval("\$block".getvarname($k)."=\$v;");wp-content/plugins/wordfence/lib/whois/whois.parser.php:370
Often used to execute malicious codeeval($var.'="'.str_replace('"','\"',$itm).'";');wp-content/plugins/wordfence/lib/whois/whois.parser.php:449
Often used to execute malicious codeeval('$r'.$var.'=$itm;');wp-content/plugins/wordfence/lib/whois/whois.parser.php:519
Often used to execute malicious codeif ($var != '[]') eval('$r'.$var.'=$block;');wp-content/plugins/wordfence/lib/whois/whois.parser.php:631
Often used to execute malicious codeeval('$r'.getvarname($field).'=$itm;');wp-content/plugins/wordfence/lib/wordfenceScanner.php:206
Often used to execute malicious coded '" . $badStringFound . "' (without quotes). The eval() function along with an encoding function likewp-content/themes/dt-the7/inc/extensions/meta-box/js/jqueryui/jquery-ui-timepicker-addon.js:24
Often used to execute malicious code._defaults){var g=c.attr("time:"+f);if(g)try{d[f]=eval(g)}catch(j){d[f]=g}}b._defaults=e.extend({},thiwp-content/themes/dt-the7/inc/extensions/options-framework/options-framework.php:479
Used by malicious scripts to decode previously obscured data/programs$import_options = @unserialize(@base64_decode($input['import_export']));wp-content/themes/dt-the7/inc/shortcodes/includes/button/functions.php:80
Used by malicious scripts to decode previously obscured data/programs$icon = wp_kses( rawurldecode(base64_decode($icon)), array('i' => array('class' => array())wp-content/themes/dt-the7/wpbakery/js_composer/assets/js/backend/composer-atts.js:68
Used by malicious scripts to decode previously obscured data/programs.match(/^#E\-8_/) ? $("<div/>").text(rawurldecode(base64_decode(value.replace(/^#E\-8_/, '')))).html() : value;wp-content/themes/dt-the7/wpbakery/js_composer/assets/js/backend/composer-atts.js:132
Used by malicious scripts to decode previously obscured data/programsreturn $("<div/>").text(rawurldecode(base64_decode(value))).html();wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/flexslider/demo/js/shCore.js:17
Often used to execute malicious codeeval(function(p,a,c,k,e,d){e=function(c){return(c<a?wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/isotope/js/jquery-1.7.1.min.js:2
Often used to execute malicious codex({url:b.src,async:!1,dataType:"script"}):f.globalEval((b.text||b.textContent||b.innerHTML||"").replacwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/isotope/js/jquery-1.7.1.min.js:4
Often used to execute malicious codet/},converters:{"text script":function(a){f.globalEval(a);return a}}}),f.ajaxPrefilter("script",functiwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/json-js/cycle.js:147
Often used to execute malicious codevalue[i] = eval(path);wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/json-js/cycle.js:160
Often used to execute malicious codevalue[name] = eval(path);wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/json-js/json.js:507
Often used to execute malicious codej = eval('(' + text + ')');wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/json-js/json2.js:471
Often used to execute malicious codej = eval('(' + text + ')');wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/nivoslider/demo/scripts/jquery-1.9.0.min.js:3
Often used to execute malicious codeync:!1,global:!1,"throws":!0}):st.globalEval((u.text||u.textContent||u.innerHTML||"").replace(rn,"")));i=o=null}return this}}),st.eac [line truncated]wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:310
Often used to execute malicious code(key in array){if(typeof(userdata)!=='undefined'){eval(funcname+'( array [key] , key , userdata )');}else{eval(funcname+'( userdata ) ');}}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:314
Often used to execute malicious codeif(typeof(userdata)!='undefined'){eval(funcname+'( array [key] , key , userdata )');}else{eval(funcname+'( userdata ) ');}}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:331
Used by malicious scripts to decode previously obscured data/programsfunction base64_decode(data){var b64="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:377
Often used to execute malicious codefunction doubleval(mixed_var){return this.floatval(mixed_var);}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:384
Often used to execute malicious codeeplacer=function(s,m1,m2){if(m1!=='\\'){return m1+eval(m2);}else{return s;}};this.php_js=this.php_js||wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:496
Often used to execute malicious code+)?/g,']').replace(/(?:^|:|,)(?:\s*\[)+/g,''))){j=eval('('+text+')');return j;}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:623
Often used to execute malicious code=''and&key!==' ')||j===0){key="'"+key+"'";}else{key=eval(evalStr+'.push([]);')-1;}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:624
Often used to execute malicious codeevalStr+='['+key+']';if(j!==keys.length-1&&eval('typeof '+evalStr)==='undefined'){eval(evalStr+' = [];');}}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:625
Often used to execute malicious codeevalStr+=" = '"+value+"';\n";eval(evalStr);}}}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:632
Often used to execute malicious codeEP_INVERT');if(typeof pattern==='string'){pattern=eval(pattern);}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:760
Decodes/encodes text using ROT13. Could be used to hide malicious code.function str_rot13(str){return(str+'').replace(/[a-z]/gi,functionwp-content/themes/dt-the7/wpbakery/js_composer/composer/lib/helpers.php:737
Used by malicious scripts to decode previously obscured data/programs = preg_match('/^#E\-8_/', $value) ? rawurldecode(base64_decode(preg_replace('/^#E\-8_/', '', $value))) : $valuwp-content/themes/dt-the7/wpbakery/js_composer/composer/lib/shortcodes/raw_content.php:22
Used by malicious scripts to decode previously obscured data/programs"' . $param_name . '">'.htmlentities(rawurldecode(base64_decode(strip_tags($value))), ENT_COMPAT, 'UTF-8' ).'</wp-content/themes/dt-the7/wpbakery/js_composer/composer/lib/shortcodes/raw_content.php:51
Used by malicious scripts to decode previously obscured data/programs$content = base64_decode(strip_tags($content));wp-content/themes/dt-the7/wpbakery/js_composer/composer/lib/shortcodes.php:561
Used by malicious scripts to decode previously obscured data/programstype'].'" rows="16">' . htmlentities(rawurldecode(base64_decode($param_value)), ENT_COMPAT, 'UTF-8' ) . '</textwp-content/themes/dt-the7/wpbakery/js_composer/composer/lib/wpb_autoupdate.php:129
Used by malicious scripts to decode previously obscured data/programsreturn unserialize(base64_decode($request['body']));wp-content/themes/dt-the7/wpbakery/js_composer/composer/lib/wp_autoupdate.php:128
Used by malicious scripts to decode previously obscured data/programsreturn unserialize(base64_decode($request['body']));wp-content/themes/dt-the7/wpbakery/js_composer/composer/shortcodes_templates/vc_raw_html.php:11
Used by malicious scripts to decode previously obscured data/programs$content = rawurldecode(base64_decode(strip_tags($content)));Level Warning (50 matches)
Location / Description
What was matched
wp-content/plugins/gotmls/index.php:83
iframes are sometimes used to load unwanted adverts and code on your sitewarning").style.backgroundColor=\'#0C0\';</script><iframe style="width: 230px; height: 110px; position: wp-content/plugins/gotmls/index.php:125
iframes are sometimes used to load unwanted adverts and code on your sitess="button-primary" /></center><iframe id="GOTMLS_iFrame" name="GOTMLS_iFrame" style="top: 0px; left: 0px; position: absolut [line truncated]wp-content/plugins/gotmls/index.php:371
iframes are sometimes used to load unwanted adverts and code on your site<li><iframe allowtransparency="true" frameborder="0" scrolwp-content/plugins/gotmls/index.php:810
iframes are sometimes used to load unwanted adverts and code on your sitedie("<html><body>Added $file to Whitelist!<br /><iframe style='width: 90%; height: 350px;' src='$GOTMLwp-content/plugins/gotmls/index.php:874
iframes are sometimes used to load unwanted adverts and code on your siter mind, it worked!",'gotmls').'</span></div><br /><iframe id="test_frame" name="test_frame" src="'.GOTMLwp-content/plugins/gotmls/safe-load.php:33
iframes are sometimes used to load unwanted adverts and code on your sitelink below to have another shot at logging in.<br><iframe src="wp-login.php?GOTMLS_SESSION_check='.str_rwp-content/plugins/wordfence/lib/Diff/Renderer/Html/Array.php:180
The e modifier in preg_replace can be used to execute malicious code$line = preg_replace('# ( +)|^ #e', "\$this->fixSpaces('\\1')", $line);wp-content/themes/dt-the7/inc/extensions/meta-box/js/jqueryui/jquery-ui-timepicker-addon.js:63
JavaScript sometimes used to hide suspicious codeamNames.join("")+b._defaults.pmNames.join("")+a,d=String.fromCharCode(c.charCode===void 0?c.keyCode:c.charCode);retuwp-content/themes/dt-the7/inc/extensions/meta-box/js/select2/select2.min.js:56
JavaScript sometimes used to hide suspicious codeopen();if(a.which!==f.ENTER&and!(48>a.which)){var b=String.fromCharCode(a.which).toLowerCase();a.shiftKey&and(b=b.toUppewp-content/themes/dt-the7/inc/shortcodes/includes/map/functions.php:82
iframes are sometimes used to load unwanted adverts and code on your siteclasses ) . '" style="' . esc_attr( $style ) . '"><iframe src="' . esc_url($src) . '" frameborder="0" mawp-content/themes/dt-the7/inc/shortcodes/vc_templates/vc_facebook.php:28
iframes are sometimes used to load unwanted adverts and code on your site$output = '<div class="'.$css_class.'"><iframe src="http://www.facebook.com/plugins/like.php?wp-content/themes/dt-the7/js/main.js:1028
iframes are sometimes used to load unwanted adverts and code on your site'<iframe class="mfp-iframe" frameborder="0" allowfullscwp-content/themes/dt-the7/js/plugins.dev.js:6767
iframes are sometimes used to load unwanted adverts and code on your site'<iframe class="mfp-iframe" src="//about:blank" framebowp-content/themes/dt-the7/js/plugins.js:437
iframes are sometimes used to load unwanted adverts and code on your siteiframe-scaler">'+'<div class="mfp-close"></div>'+'<iframe class="mfp-iframe" src="//about:blank" framebowp-content/themes/dt-the7/royalslider/jquery.royalslider.js:2721
iframes are sometimes used to load unwanted adverts and code on your siteyouTubeCode: '<iframe src="http://www.youtube.com/embed/%id%?rel=1&awp-content/themes/dt-the7/royalslider/jquery.royalslider.js:2722
iframes are sometimes used to load unwanted adverts and code on your sitevimeoCode: '<iframe src="http://player.vimeo.com/video/%id%?bylinewp-content/themes/dt-the7/royalslider/jquery.royalslider.min.js:88
iframes are sometimes used to load unwanted adverts and code on your siteideBlocks:!1,autoHideCaption:!1,youTubeCode:'<iframe src="http://www.youtube.com/embed/%id%?rel=1&autoplay=1&showinfo=0&autoplay=1&wmode=t [line truncated]wp-content/themes/dt-the7/royalslider/jquery.royalslider.min.js:113
iframes are sometimes used to load unwanted adverts and code on your sitection(){k||(m=(m=b.fn.hashchange.src)and&m+c(),k=b('<iframe tabindex="-1" title="empty"/>').hide().one("lowp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/flexslider/demo/js/shCore.js:17
JavaScript sometimes used to hide suspicious codeon(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,Striwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/flexslider/demo/video.html:51
iframes are sometimes used to load unwanted adverts and code on your site<iframe id="player_1" src="http://player.vimeo.com/vidwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/isotope/js/jquery.ba-bbq.min.js:18
iframes are sometimes used to load unwanted adverts and code on your sitefunction p(){o=q=function(s){return s};if(h){n=$('<iframe src="javascript:0"/>').hide().insertAfter("bodwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/isotope/js/make-big-graph-projects.js:19
JavaScript sometimes used to hide suspicious codereturn String.fromCharCode(code);wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/isotope/_posts/tests/2011-03-27-flash.html:93
iframes are sometimes used to load unwanted adverts and code on your site<iframe title="YouTube video player" width="500" heighwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/json-js/json_parse.js:175
JavaScript sometimes used to hide suspicious codestring += String.fromCharCode(uffff);wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/json-js/json_parse_state.js:291
JavaScript sometimes used to hide suspicious codereturn b ? String.fromCharCode(parseInt(b, 16)) : escapes[c];wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/nivoslider/demo/scripts/jquery-1.9.0.min.js:1
iframes are sometimes used to load unwanted adverts and code on your site];return n||(n=A(e,t),"none"!==n&&n||(cn=(cn||st("<iframe frameborder='0' width='0' height='0'/>").css("wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/nivoslider/demo/scripts/jquery-1.9.0.min.js:2
JavaScript sometimes used to hide suspicious codenction(e,t){var n="0x"+t-65536;return n!==n?t:0>n?String.fromCharCode(n+65536):String.fromCharCode(55296|n>>10,56320|1023&n)};try{K.call(H.childNwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:332
JavaScript sometimes used to hide suspicious codeits>>8&0xff;o3=bits&0xff;if(h3==64){tmp_arr[ac++]=String.fromCharCode(o1);}else if(h4==64){tmp_arr[ac++]=String.fromCharCode(o1,o2);}el [line truncated]wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:342
JavaScript sometimes used to hide suspicious code(codePt){if(codePt>0xFFFF){codePt-=0x10000;return String.fromCharCode(0xD800+(codePt>>10),0xDC00+(codePt&0x3FF));}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:343
JavaScript sometimes used to hide suspicious codereturn String.fromCharCode(codePt);}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:362
JavaScript sometimes used to hide suspicious codefor(i in result){result[i]=(mode===4)?String.fromCharCode(i):0;}}else if(mode===3){for(i=0;i!=str.lengthwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:420
JavaScript sometimes used to hide suspicious codees){if(entities.hasOwnProperty(decimal)){hash_map[String.fromCharCode(decimal)]=entities[decimal];}}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:657
JavaScript sometimes used to hide suspicious code(plus){while(inival<=endval){matrix.push(((chars)?String.fromCharCode(inival):inival));inival+=walker;}}else{while(inival>=endval){matrix.push( [line truncated]wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:738
JavaScript sometimes used to hide suspicious codeeroPad,customPadChar);case'c':return formatString(String.fromCharCode(+value),leftJustify,minWidth,precision,zeroPadwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:760
JavaScript sometimes used to hide suspicious codeturn(str+'').replace(/[a-z]/gi,function(s){return String.fromCharCode(s.charCodeAt(0)+(s.toLowerCase()<'n'?13:-13));wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:830
JavaScript sometimes used to hide suspicious codele){var pos=0;if(typeof needle!=='string'){needle=String.fromCharCode(parseInt(needle,10));}wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:925
JavaScript sometimes used to hide suspicious code1=str_data.charCodeAt(i);if(c1<128){tmp_arr[ac++]=String.fromCharCode(c1);i++;}else if(c1>191&&c1<224){c2=str_data.charCodeAt(i+1);tmp_arr[ac++ [line truncated]wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/php.default/php.default.min.js:928
JavaScript sometimes used to hide suspicious codell;if(c1<128){end++;}else if(c1>127&&c1<2048){enc=String.fromCharCode((c1>>6)|192)+String.fromCharCode((c1&63)|128);}else{enc=Strin [line truncated]wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/prettyphoto/js/jquery.prettyPhoto.js:7
iframes are sometimes used to load unwanted adverts and code on your sitembed></object>',iframe_markup:'<iframe src ="{path}" width="{width}" height="{height}" frameborder="no"></iframe>',inline_ma [line truncated]wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/scrollTo/tests/WinMaxY-to-iframe-compat.html:13
iframes are sometimes used to load unwanted adverts and code on your site<iframe src="WinMaxY-compat.html?notest" style="widthwp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/scrollTo/tests/WinMaxY-to-iframe-quirks.html:12
iframes are sometimes used to load unwanted adverts and code on your site<iframe src="WinMaxY-quirks.html?notest" style="width:wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/scrollTo/tests/WinMaxY-with-iframe-compat.html:10
iframes are sometimes used to load unwanted adverts and code on your site<iframe src="WinMaxY-compat.html" />wp-content/themes/dt-the7/wpbakery/js_composer/assets/lib/scrollTo/tests/WinMaxY-with-iframe-quirks.html:9
iframes are sometimes used to load unwanted adverts and code on your site<iframe src="WinMaxY-quirks.html" />wp-content/themes/dt-the7/wpbakery/js_composer/composer/shortcodes_templates/vc_carousel.php:110
The e modifier in preg_replace can be used to execute malicious code$key = preg_replace('/_([a-z])/e', "strtoupper('\\1')", $key);wp-content/themes/dt-the7/wpbakery/js_composer/composer/shortcodes_templates/vc_facebook.php:10
iframes are sometimes used to load unwanted adverts and code on your site$output = '<div class="'.$css_class.'"><iframe src="http://www.facebook.com/plugins/like.php?wp-content/themes/dt-the7/wpbakery/js_composer/composer/shortcodes_templates/vc_gmaps.php:6
iframes are sometimes used to load unwanted adverts and code on your site'link' => '<iframe src="https://mapsengine.google.com/map/u/0/embwp-content/themes/dt-the7/wpbakery/js_composer/composer/shortcodes_templates/vc_gmaps.php:31
iframes are sometimes used to load unwanted adverts and code on your siteif (preg_match('/^\<iframe/', $link) ) echo $link; // trim(substr($link, 0, 8)) == '<iframe' and& strpos($link, '//mapsengine.google')) echowp-content/themes/dt-the7/wpbakery/js_composer/composer/shortcodes_templates/vc_gmaps.php:32
iframes are sometimes used to load unwanted adverts and code on your siteelse echo '<iframe width="100%" height="'.$size.'" frameborder="0wp-content/themes/dt-the7/wpbakery/js_composer/inline/templates/editor.tpl.php:97
iframes are sometimes used to load unwanted adverts and code on your site<iframe src="<?php echo htmlspecialchars($this->url) ?wp-content/themes/dt-the7/wpbakery/js_composer/inline/templates/templates.tpl.php:41
iframes are sometimes used to load unwanted adverts and code on your site<iframe src="" scrolling= "no" style="width: 100%;vc"