• Resolved George Chatzifotis

    (@inthessalonikicom)


    Hello, we had a huge issue with code injection (malicious 307 redirects) that we managed to deal with. However, it is highly possible that pieces of code have been left in our website.

    I would like to ask your opinion on the following. I had trouble with the Wordfence scans completed and after trying several things I decided to post here.

    Thank you for your time guys!

    File: /parts/none.php

    {__ 'Apologies, but no results were found. Perhaps searching will help find a related post.'}

    {/if}
    </p>
    {if $wp->isSearch && !empty($_REQUEST['a']) == false}
    {searchForm}

    {/if}
    </p>

    </div><!-- .entry-content -->
    </article><!-- #post-0 -->

    File : JS.php

    * /matthiasmullie/minify/issues/91
    */
    $content = preg_replace('/else;/s', '', $content);

    /*
    * We also don't really want to terminate statements followed by closing
    * curly braces (which we've ignored completely up until now) or end-of-
    * script: ASI will kick in here & we're all about minifying.
    * Semicolons at beginning of the file don't make any sense either.
    */
    $content = preg_replace('/;(\}|$)/s', '\\1', $content);

    file: /search-form.latte

    {*********************************}
    {******** IS SEARCH PAGE *********}
    {*********************************}
    {if $wp->isSearch && isset($_REQUEST['a'])}
    {var $pageType = 'search'}
    {var $searchQuery = wp_parse_args($_GET)}

    There are more like this. Any idea welcomed. Thank you all!

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi @inthessalonikicom,

    From the code posted, it doesn’t look like anything malicious.

    Can you post more examples? You mentioned that there were malicious 307 redirects; can you post some examples of these?

    Dave

    Thread Starter George Chatzifotis

    (@inthessalonikicom)

    There were links like the following: goo.gl/VVvvAP

    The Wordfence team has checked the website and found it clean.

    (previously there was a malicious init.php file and some .png code infected files that were deleted along with all the references to them.)

    The malicious links now report 404. I will post any updates on this after 15 days, whether and if the links will have been removed by Google etc.

    Have a great day

    Hi again!

    I’m glad that the malicious file and links are now removed. Please let me know via this thread or a new one if you have any updates!

    Thanks!

  • The topic ‘Dangerous malware or false alarm?’ is closed to new replies.