j0hnnyb0y
Forum Replies Created
Forum: Installing WordPress
In reply to: Blog fails to open
Use this. https://www.malfarmed.com/blog/step-by-step-wordpress-malware-removal/
This guide will help you remove it. If all else fails you can pay them to have it removed. Fully guaranteed.
Forum: Fixing WordPress
In reply to: malware issue
Just to help out… this is the link to the removal guide instead of the page with the malware snippets. Don’t want to go through that confusion again :X
https://www.malfarmed.com/blog/step-by-step-wordpress-malware-removal/
Forum: Fixing WordPress
In reply to: malware issue
kmessinger, have you seen any infections like this out in the wild?
This last week I came across 19 individual infections and 2 server wide infections. In regards to the server infections, one of those malicious plugins actually created a cron job that was copying the malware to every index.php, index.html, default.html, and main.html file in the webroot.
Just wondering how many people have been dealing with this one in particular…
Forum: Fixing WordPress
In reply to: malware issue
What happened to tburdeinei’s post?
tburdeinei wrote:
I just verified j0hnnyb0y’s statement by wget and reading the code. It is the exploit code, but not active - wrapped in code blocks so you can see an actual example of what you are looking for. Your (and my) antivirus/malware software isn’t smart enough to tell that it’s not going to be parsed and run by the browser.
Forum: Fixing WordPress
In reply to: malware issue
Yup… there is a snippet of that on there too. Since its inception, I have been following the site. I am a security consultant, and I met these guys at a conference.
None of the snippets even execute. Therefore there is no threat.
Forum: Fixing WordPress
In reply to: malware issue
esmi, all Sucuri does is parse the page… If that was truly a malware infection it would not even be able to read that, because that code snippet is written in PHP and wrapped in code tags. Sucuri can only detect client-side malware and compare domain hashes to Google Safe Browsing API.
The site is clean.
Forum: Fixing WordPress
In reply to: malware issue
The site does not contain malware. The content in the post contains snippets which are wrapped in code blocks.
It’s not even reported.
This site has a good description as to what is going on. There is a link to a step-by-step removal guide at the end.
https://www.malfarmed.com/blog/the-new-nasty-that-plagues-wordpress/
My whole server was infected with this crap, and I used this guide to help me out.
Check your plugins directory for ToolsPack and zsfeeuvxpnu
Those seem to be the culprit. Replace your core files, clean your wp-content files, change your credentials and backup backup backup!
Forum: Fixing WordPress
In reply to: malware issue
Here is information regarding that specific malware… At the bottom there is a removal guide that helped me out.
[Link removed]
If all else fails, the company that wrote the article removes malware.
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
@roro what’s your domain?
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
This was just brought to my attention…
If you are at your wits’ end trying to get your site back on track, these guys will do it for like 100 bucks or something like that.
Forum: Fixing WordPress
In reply to: 3.3.1 Hacked by saveprefs.ru redirect
bizarotrips, which version of WordPress are you using? Which plugins do you have installed?
I work as a malware analyst and most WordPress hacks that I have seen are due to vulnerabilities within third-party plugins.
In one particular instance, the user had installed a plugin (latest version), but it hadn’t been updated by the developer in months, even after the vulnerability had been posted all over the net. ??
Go over what you have installed, and search the net to determine if there are any exploits published for the plugins that you use.
Also check out Better WP. It works pretty good, when it comes to utilizing best practices in regards to WP security.