Hi folks!

    Now, after struggling with search after search to find an answer to my web hotel server's warning, I have to take my place here in the forum with this thread.

    The WARNING:
    # Damaged files found: 2
    Backdoor (1): ./www/default.php
    Malware-URL-4 (hecodat.de (11)): ./www/index.html

    The first file, temporarily not in use (from an old HTML creator), was removed from the web server.
    So the next file, default.php, is placed under this directory: \www\wp-content\plugins\siteorigin-panels\widgets\widgets\animated-image\tpl

    It contains this string command:

    [malware removed]

    So, my wondering: where is the "secret" backdoor, and, sincerely and honestly, is this default.php file necessary at all?
    Just wondering. And still MalwareBytes and Bitdefender block my web site, while Google safe search did not mention any risks / harmful behavior registered for my site. Please visit my web site to test it:
    panoramaflyfoto.no

    My Anti-Malware from GOTMLS.NET report:
    Potential Threats

    * NOTE: These are probably not malicious scripts (but it’s a good place to start looking IF your site is infected and no Known Threats were found).

    …/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Environment.php
    …/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Test/IntegrationTestCase.php
    …/www/wp-content/plugins/wp-simple-firewall/src/common/json/JSON.php
    …/www/wp-content/themes/ultra/js/flexie.js
    …/www/wp-content/uploads/ithemes-security/logs/event-log-panoramaflyfoto-no-J84zrog.log

    Thank you for further assistance to one who is completely fresh at this and a novice in this code language.

Viewing 14 replies - 1 through 14 (of 14 total)
    Moderator James Huff

    (@macmanx)

    Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter roof55-no

    (@roof55-no)

    Thanks.
    First I removed an old HTML file, index.html. Easy. Next was to change the password for entering the web server hotel. Also changed the password for the WP login. Both passwords with >16 characters, lower/upper case + a mix of numerals as well.

    I have implemented 3 different security add-ons in my WP: 1. Anti-Malware from GOTMLS.NET, 2. iThemes Security, 3. iControlWP; I think that should be enough. Only the first one is running as the full version (donated); the other two are running with the functions available in the free version. The other paid functions cost $$$, so I have to see for a while whether the extra functions are worth paying for.

    Anyway, one error is left, and I really did not see it! Google search reports it as not a dangerous page to visit, even though my MalwareBytes + Bitdefender give a warning on entering this web site. The malware is <hidden> in the file default.php, which contains the following:
    <img src="<?php echo esc_url($instance['image']) ?>" style="visibility:hidden" data-animation="<?php echo esc_attr($instance['animation']) ?>" />

    I will now simply try to remove this file from my web server (backing up all files as a download to my PC). Then let's see what happens with the web site's functions, and also whether this entry warning disappears (?).

    Thread Starter roof55-no

    (@roof55-no)

    That was not a good idea:
    Error 503 Backend fetch failed

    Backend fetch failed
    Guru Meditation:
    XID: 115332999
    Varnish cache server

    So, I am wondering why Google search did not give any warning about visiting this web site, but MalwareBytes and Bitdefender do?

    Moderator James Huff

    (@macmanx)

    Did you replace the file with a freshly downloaded copy after you removed it?

    Thread Starter roof55-no

    (@roof55-no)

    No. I just left it, but changed the extension from PHP to PHP-OLD. When entering the page, I got the 503 error. Renamed this file back again, and it was up and running. My worry is that my MalwareBytes and Bitdefender give a warning on entering this site, but Google safe search did not give any warnings (?). It could be a solution to send an inquiry to those two security software vendors, in the same way as for Google safe search, where you have to do a manual operation with Google to be whitelisted again after an attack. After this, I have opened every PHP file in the www/wp-content folder and looked for anything suspicious, but could not find any encrypted sentence.
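
The manual review described in the post above (opening every PHP file and looking for an "encrypted sentence") is the right instinct; what follows is an added example of how to do that review mechanically. It is not code from this thread, from SiteOrigin Panels, or from any of the scanners named here. The first fixture is the widget template quoted earlier in the thread, which only echoes escaped values and contains none of the constructs an injected backdoor needs; the second fixture is a constructed sample in the shape such injected code usually takes (an encoder feeding eval()), with a harmless payload so it is safe to keep as a test case. The pattern names and the regexes are my own choices, not a scanner's signature set.

```python
import base64
import re

# Constructed fixture 1: the SiteOrigin widget template quoted in the thread.
# It only echoes escaped values; nothing here executes attacker-controlled code.
TEMPLATE_SNIPPET = (
    '<img src="<?php echo esc_url($instance[\'image\']) ?>" '
    'style="visibility:hidden" '
    'data-animation="<?php echo esc_attr($instance[\'animation\']) ?>" />'
)

# Constructed fixture 2: the shape injected PHP usually takes, i.e. code hidden
# behind an encoder and handed to eval(). The hidden payload is a harmless echo.
_HIDDEN = base64.b64encode(b'echo "test";').decode()
OBFUSCATED_SNIPPET = '<?php $x = "' + _HIDDEN + '"; eval(base64_decode($x)); ?>'

# Constructs worth a second look during a hand review. A hit is a lead, not proof:
# legitimate libraries (template engines, JSON helpers) can contain some of these.
SUSPICIOUS = {
    "eval":          re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decoder":       re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "dynamic_call":  re.compile(r"\$\w+\s*\(\s*\$\w+"),      # $f($arg): variable function call
    "preg_e":        re.compile(r"preg_replace\s*\(.*/e['\"]"),  # the old /e modifier
    "long_b64":      re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
}


def scan_php_source(text: str) -> list:
    """Return the names of suspicious constructs present in a PHP source string."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(text)]


def decode_base64_literals(text: str) -> list:
    """Decode quoted base64 literals so a reviewer can see what an eval() would run."""
    found = []
    for m in re.finditer(r"['\"]([A-Za-z0-9+/]{12,}={0,2})['\"]", text):
        try:
            found.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not really base64, or binary: leave it to the reviewer
    return found


if __name__ == "__main__":
    for label, src in (("template", TEMPLATE_SNIPPET), ("obfuscated", OBFUSCATED_SNIPPET)):
        print(label, scan_php_source(src), decode_base64_literals(src))
```

Run it over a real tree by reading each .php file under wp-content and passing its contents to scan_php_source(); anything reported under "eval" together with "base64_decode" or a long literal deserves decoding and reading before deciding whether it belongs to the plugin.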

    Moderator James Huff

    (@macmanx)

    What directory is the file currently in?

    Thread Starter roof55-no

    (@roof55-no)

    At first I went through all PHP files in the root\www directory.

    The default.php belongs to the directory root\www\www\wp-content\plugins\siteorigin-panels\widgets\widgets\animated-image\tpl
    This file is declared to contain a backdoor.

    Hopefully this was of some help?

    Moderator James Huff

    (@macmanx)

    Ok, deactivate and delete the SiteOrigin Panels plugin from the Plugins section of your blog’s Dashboard, then install a new copy via Plugins -> Add New.

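The moderator's fix above (delete the plugin, then install a fresh copy) works because a freshly downloaded copy is a known-good reference. As an added example, not code from this thread or from any of the plugins named in it, the Python below makes that comparison explicit: it hashes every file under the installed plugin directory and under a pristine copy of the same version, and reports files that were modified, added on the server, or missing. The paths and file contents built in demo() are constructed sample data, not real plugin files.

```python
import hashlib
import os
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _tree_digests(root: str) -> dict:
    """Map relative file path -> sha256 for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = _sha256(full)
    return digests


def compare_plugin_trees(installed: str, reference: str) -> dict:
    """Diff an installed plugin directory against a pristine copy of the same version.

    'modified' is where a legitimate file has been replaced or appended to,
    'extra' is where dropped files (web shells, stray .php in tpl/ or uploads/)
    show up, and 'missing' flags an incomplete or tampered install.
    """
    got = _tree_digests(installed)
    want = _tree_digests(reference)
    return {
        "modified": sorted(p for p in got if p in want and got[p] != want[p]),
        "extra": sorted(p for p in got if p not in want),
        "missing": sorted(p for p in want if p not in got),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Build two constructed plugin trees and diff them (sample data, not real plugin files)."""
    tpl = "widgets/widgets/animated-image/tpl/default.php"
    clean = b'<img src="<?php echo esc_url($instance[\'image\']) ?>" />\n'
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as srv:
        # reference: what a fresh download of the plugin would contain
        _write(ref, "siteorigin-panels.php", b"<?php // plugin bootstrap\n")
        _write(ref, tpl, clean)
        # server: same files, but the template has content appended and an
        # unexpected extra file has appeared next to it
        _write(srv, "siteorigin-panels.php", b"<?php // plugin bootstrap\n")
        _write(srv, tpl, clean + b"<?php /* appended content */ ?>\n")
        _write(srv, "widgets/widgets/animated-image/tpl/cache.php", b"<?php ?>\n")
        return compare_plugin_trees(srv, ref)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice point compare_plugin_trees() at wp-content/plugins/<name> on the server and at the unzipped download of the same version; the version must match, otherwise every file in a release changes and the 'modified' list tells you nothing.
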
    Thread Starter roof55-no

    (@roof55-no)

    Gosh! So easy! Now there is no warning any longer! Thanks to the volunteers, but especially James Huff. It's great, made my day!

    Moderator James Huff

    (@macmanx)

    You’re welcome!

    Thread Starter roof55-no

    (@roof55-no)

    Thanks to Jim Huff for still supporting with good advice!
    Last scan:
    Congratulations! No security problems were detected by Wordfence.

    GOTMLS.NET report before the above scan:
    Check all 4 Items in Quarantine
    …/www/wp-includes/js/jquery/jquery-migrate.min.js
    …/www/wp-includes/js/jquery/jquery-migrate.js
    …/www/wp-includes/images/crystal/license.txt
    …/www/license.txt

    All files were re-installed, worked out by GOTMLS.NET features. Result of the new scan:
    Potential Threats

    * NOTE: These are probably not malicious scripts (but it’s a good place to start looking IF your site is infected and no Known Threats were found).

    …/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Environment.php
    …/www/wp-content/plugins/wp-simple-firewall/src/common/Twig/Test/IntegrationTestCase.php
    …/www/wp-content/plugins/wp-simple-firewall/src/common/json/JSON.php
    …/www/wp-content/themes/ultra/js/flexie.js
    …/www/wp-content/uploads/ithemes-security/logs/event-log-panoramaflyfoto-no-J84zrog.log

    It seems to be a trusted web site so far, even though McAfee says this:
    Phishing attempt!
    This page is part of a phishing attempt

    Web page:
    https://www.trustedsource.org/?p

    The VirusTotal scan gives this report:
    ADMINUSLabs Malicious site
    Avira Malware site
    Fortinet Malware site
    Yandex Safebrowsing Malware site
    But I still want my web hotel supplier to do a re-scan, and will still update the result here.

    Moderator James Huff

    (@macmanx)

    If you can, make your site public, and run it through https://sitecheck.sucuri.net/ too.

    Thread Starter roof55-no

    (@roof55-no)

    Yeah, have done this at sucuri.com several times. Seems the only help here is to pay $$$ for the commercial service. If this service contains any sort of useful information, it's well covered up.
    I can see McAfee first declared this site as red as far back as 2 January 2016!
    panoramaflyfoto.no

    This page shows details and results of our analysis on the domain panoramaflyfoto.no
    Threat Detail

    Web Category: Malicious Downloads
    Activation:
    Last Seen: 2016-02-01
    So, it is perhaps a matter of getting removed from a blacklist?

    I did not find more information, so far.

    Moderator James Huff

    (@macmanx)

    Sucuri is definitely worth the money, but I was asking more if it found anything wrong with your site to begin with.

    If there is one specific page McAfee doesn’t like, you can try removing it and filing an appeal with them.

The topic ‘Backdoor (1) in default.php file?’ is closed to new replies.