Viewing 8 replies - 46 through 53 (of 53 total)
  • Chris (@chrisaquino)

    Credit due to @charlesmkelley for saving me possibly hundreds of dollars. I was almost to the breaking point of paying a malware company to fix the problem.

    Thanks @charles.

    Haha. Thanks.

    Thanks @charlesmkelley & @boyxinfo for putting it all together.

    Also, if you are like me and have hundreds of sites to sanitize, I would recommend using grep to search for the following text patterns and piping the results into a log file:

    “base64_decode”
    “gzinflate(base64_decode”
    “eval(gzinflate(base64_decode”
    “eval(base64_decode”
    “# Web Shell by oRb”

    Once you have a log file you can easily sort out what is legit and what is malicious and even automate the removal of files and .htaccess clean up.
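    The grep sweep described in the post above, written out as a runnable script. This is an added example, not code from the thread: it walks a tree of WordPress installs, searches every file for the five patterns listed, records each hit as signature, path, line number and matched text in a log kept outside the tree, and then lists the files that hit anything beyond a bare base64_decode, which legitimate themes and plugins also use. The sample tree it builds, the paths, and the extra regex for preg_replace with the /e modifier (which makes PHP execute the replacement string as code, so it is eval in disguise) are assumptions added here, not from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): grep sweep for the eval/base64 signatures
# named in the post, with a log you can sort through or feed to a cleanup job.
set -u

# Fixed-string patterns from the post, most specific first.
SIGNATURES='eval(gzinflate(base64_decode
gzinflate(base64_decode
eval(base64_decode
base64_decode
# Web Shell by oRb'

# Assumption, not from the post: preg_replace with the /e modifier on its first
# argument evaluates the replacement as PHP, so it is flagged as well. The regex
# requires a comma right after the closing quote to cut false positives on
# paths such as "/home/user" in later arguments.
PREG_E_REGEX="preg_replace[[:space:]]*\(.*/[a-zA-Z]*e[a-zA-Z]*[\"'][[:space:]]*,"

# Constructed sample tree so the example runs offline. Payloads are placeholders.
build_sample_tree() {
  local root="$1"
  mkdir -p "$root/site1/wp-content/themes/legit" "$root/site2/wp-content/uploads"
  # Benign: themes and plugins commonly base64-decode their own assets.
  printf '%s\n' '<?php' 'echo base64_decode("SGVsbG8=");' \
    > "$root/site1/wp-content/themes/legit/functions.php"
  # Suspicious: eval of an inflated, decoded blob.
  printf '%s\n' '<?php' 'eval(gzinflate(base64_decode("PLACEHOLDER")));' \
    > "$root/site2/wp-content/uploads/_wp_cache.php"
  # Suspicious: /e modifier, so the replacement string is executed as PHP.
  printf '%s\n' '<?php' 'preg_replace("/./e", "PLACEHOLDER", "a");' \
    > "$root/site2/wp-content/uploads/x.php"
}

# scan_tree ROOT LOG: append "signature<TAB>path:line:text" for every hit.
# Keep LOG outside ROOT, otherwise later patterns match the log itself.
scan_tree() {
  local root="$1" log="$2"
  : > "$log"
  printf '%s\n' "$SIGNATURES" | while IFS= read -r sig; do
    # -r recurse, -n line numbers, -I skip binaries, -F literal match.
    grep -rnIF -- "$sig" "$root" | while IFS= read -r hit; do
      printf '%s\t%s\n' "$sig" "$hit" >> "$log"
    done
  done
  grep -rnIE -- "$PREG_E_REGEX" "$root" | while IFS= read -r hit; do
    printf '%s\t%s\n' 'preg_replace /e' "$hit" >> "$log"
  done
}

# suspicious_files LOG: distinct files with any hit other than a bare
# base64_decode; the bare hits stay in the log for manual review.
suspicious_files() {
  awk -F'\t' '$1 != "base64_decode" { split($2, p, ":"); print p[1] }' "$1" | sort -u
}

# Stand-alone demo on the constructed tree.
demo_root="$(mktemp -d)"
demo_log="$(mktemp)"
build_sample_tree "$demo_root"
scan_tree "$demo_root" "$demo_log"
echo '--- all hits ---';  cat "$demo_log"
echo '--- review first ---'; suspicious_files "$demo_log"
rm -rf "$demo_root" "$demo_log"
```

    On a real server, point scan_tree at the parent directory of your installs and diff the suspicious_files output against a known-good copy before automating any deletion.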

    Thanks for the tip.

    I did grep it initially but had no luck finding it, as it looks like the initial point of entry was the “<?php preg_replace” and not any version of base64_decode, which all checked out to be legit, as pretty much any premium theme or plugin uses base64 encoding. It can get crazy sorting through all of that, especially with a higher number of WordPress installs.

    Pretty much found the MSE thing by accident when I was backing up all files to go ahead and wipe my server or would’ve searched through it using GREP if I had found the code earlier.

    However, still can’t stress enough to change your MySQL user passwords and update your wp-config.php files with the new passwords to completely safeguard your site since somebody out there, presumably in Russia, now has them.

    Hi,
    I would like to hear more about this:
    “<?php preg_replace”

    So this was part of a snippet of malware code within one of your pages?

    Any possibility you can post that on pastebin or something?

    https://php.about.com/od/advancedphp/ss/php_preg_4.htm

    The actual code was:
    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    and was located in /wp-content/uploads as the file “_wp_cache.php”

    A great article about the issue we’re all experiencing as well:
    https://joxeankoret.com/blog/2011/12/04/automated-or-manual-attack/

    At least some of these eval hacks are coming through uploads where the PHP has a jpeg extension and the code does not check the contents, typically in a form plugin.
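    An added example of the content check that post says is missing, plus an audit for a PHP file sitting in uploads like the _wp_cache.php mentioned earlier. This is not code from the thread or from any plugin: it classifies each file under an uploads directory by comparing its leading bytes with the magic numbers for its extension, flags image files that carry a PHP open tag, and flags anything with a PHP extension at all. The directory layout, the constructed sample files and the magic-byte table are assumptions made here.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit wp-content/uploads the way an
# upload handler should check each file before accepting it.
set -u

# Leading bytes (hex, lowercase) for the image types an uploader should accept.
magic_for_ext() {
  case "$1" in
    jpg|jpeg) echo 'ffd8ff' ;;
    png)      echo '89504e470d0a1a0a' ;;
    gif)      echo '47494638' ;;      # "GIF8", shared by GIF87a and GIF89a
    *)        echo '' ;;
  esac
}

# head_hex FILE N: hex of the first N bytes, no separators.
head_hex() {
  od -An -tx1 -N "$2" -v "$1" | tr -d ' \n'
}

# classify_upload FILE: prints ok, php-in-uploads, bad-magic or php-tag.
classify_upload() {
  local f="$1" name ext want got
  name="$(basename "$f")"
  ext="$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')"
  case "$ext" in
    php|phtml|php5|php7|phar) echo 'php-in-uploads'; return ;;
  esac
  want="$(magic_for_ext "$ext")"
  if [ -n "$want" ]; then
    got="$(head_hex "$f" $(( ${#want} / 2 )))"
    if [ "$got" != "$want" ]; then echo 'bad-magic'; return; fi
  fi
  # Valid image bytes with a PHP open tag appended still pass a magic check
  # alone; -a makes grep treat the binary file as text.
  if grep -aqE '<\?(php|=)' -- "$f"; then echo 'php-tag'; return; fi
  echo 'ok'
}

# audit_uploads DIR: one "status<TAB>path" line per file that is not ok.
audit_uploads() {
  find "$1" -type f | while IFS= read -r f; do
    s="$(classify_upload "$f")"
    [ "$s" = 'ok' ] || printf '%s\t%s\n' "$s" "$f"
  done
}

# Constructed sample uploads tree so the example runs offline.
build_sample_uploads() {
  local d="$1"
  mkdir -p "$d/2011/12"
  # Genuine JPEG start: SOI marker, APP0 marker, "JFIF".
  printf '\377\330\377\340JFIF' > "$d/2011/12/photo.jpg"
  # PHP with an image extension: the case described in the post.
  printf '%s\n' '<?php echo "PLACEHOLDER";' > "$d/2011/12/avatar.jpg"
  # Real JPEG bytes with PHP appended: a polyglot that passes a magic check.
  { printf '\377\330\377\340'; printf '<?php echo "PLACEHOLDER";'; } > "$d/2011/12/poly.jpeg"
  # A PHP file dropped straight into uploads.
  printf '%s\n' '<?php echo "PLACEHOLDER";' > "$d/_wp_cache.php"
}

# Stand-alone demo.
demo_dir="$(mktemp -d)"
build_sample_uploads "$demo_dir"
audit_uploads "$demo_dir"
rm -rf "$demo_dir"
```

    A polyglot that passes the magic check is only dangerous if the web server will run PHP from uploads, so pair this audit with a rule that denies PHP execution under wp-content/uploads.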

  • The topic ‘I have been well and truly Hacked’ is closed to new replies.