Visitor IP Address: 146.59.243.31
Firewall Rule: Exe File Uploads
Firewall Pattern: \.(dll|rb|py|exe|php[3-6]?|pl|perl|ph[34]|phl|phtml|phtm|sql|ini|jsp|asp|git|svn|tar)$
Request Path: /wp-content/plugins/ioptimization/IOptimize.php
Parameter Name: userfile
Parameter Value: zwxnwyuqwg.php
I know that ioptimization/IOptimize.php is not a plugin, but a malware script. How it has got on my Shield-protected site is beyond me.
I am aware that I should make sure this is removed. However, looking at my site via FTP, there appears to be no such file or directory. I have, of course, looked for hidden files as well.
Why am I seeing this on a daily basis?
Cheers,
Mike

[ Deleted ]
Anyone can share the mysql code to delete only this data?

They suggest adding something to the ini.php file saying max_execution_time = 120 but I’m not sure how or where to do that.
Also they say there is a daemon script – I don’t know if this is to do with the bogus posts (there have been no fresh bogus posts for a while)
They also say
“Also, there are daemon scripts running:
daemon | sweb14.hi.local: /usr/bin/perl as perl in /tmp”
I cannot find a tmp file in the root directory in file manager, other than that I don’t know what I’m looking for or how to deal with it.
So my simple questions are:
1. Is there an idiot proof way of dealing with this?
2. Would the easiest thing be to just delete all files from the hosting and start again?
3. Would that actually deal with the problem or could there be something hiding which I can’t delete?
Thanks for looking!
PS the hosts have put the site back online for me to try to deal with but they have an automatic script which detects the “more than 120 seconds” problem and will at some stage take it offline again.

The script was A blog about WordPress design, development , Software and inspiration
Largest Online Shopping and Fashion Network (I replaced the . with the word dot above )
It was found that this paragraph was in the egw hover effects plugin. I went to a downloaded copy of this plugin from January and the script was in my original download. Then I downloaded a new copy today and again that hidden script comes in the plugin.
It seems to me that shouldn’t be allowed. Are these plugins removed when this is found?

I have my WordPress website hacked with a malicious script (according to the hosting company) with a lot of PHP files in the wp-content area. These malicious things make my website inaccessible and come up with the following URL address.
https://myurl.com/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/index.html/
I am using WP3.0 and so far after 3 years I got it all OK, up until now.
Could anyone help me??
regards
Rudi – Indonesia
Wordfence has just flagged the includes/functions/functions.php file as malicious code. Is this a false positive and should it be ignored?
I am using the pro version.
Please advise.
https://www.ads-software.com/plugins/easy-media-gallery/

[Hacked code removed – please don’t post that here]
Whenever I visit the site from my computer I do not see the above code in the source of the page. But Google Webmaster’s structured data testing tool shows that code in the page HTML. This will affect my SEO rankings.
I think some plugin or theme inserted malicious code in core. Please help.

I’ve found some malicious script in wp-load.php
[hack code removed]
I tried to delete it and save the file. But it comes back again after I refresh my site techosocial.com
Any idea how to totally remove it?

Today I discovered on a WP install a malicious script that uses the WP website as a relay to send PayPal phishing and spam. The attacker is coming from small local ISPs in Romania.
To avoid or be warned about this kind of stuff, simply log your PHP outgoing mail and check it; you will easily see if there is a mass mailing.
And add a specific sender’s domain from your server if you are using virtualhost.
With these 2 tricks you can’t block them immediately, but if you add a robot that checks the log, you can easily be warned by email of any mass outgoing mail.
I have not found the back-door entry for the moment, but all the malicious scripts were installed in the wp-content dir as hidden files (.file).
FYI the script is not detected by any security on-line services I tested.
I hope this helps,
Mike
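The log-checking robot suggested in the post above could look like the following sketch. It is an added example, not code from the post; it assumes PHP's `mail.log` ini directive is enabled and writes entries in the layout matched below, and the threshold, window, paths and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath
# Assumed layout of one entry written by PHP's mail.log directive.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})[^\]]*\] "
    r"mail\(\) on \[(?P<script>.+?):\d+\]: To: (?P<to>.*?) -- Headers:")

def parse(lines):
    """Yield (timestamp, calling script, recipient) per mail() entry."""
    for raw in lines:
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            yield ts, m["script"], m["to"].strip()

def find_mass_mailers(lines, max_mails=3, window=timedelta(minutes=5)):
    """Return {script: [reasons]} for scripts that behave like a relay."""
    sent = defaultdict(list)
    for ts, script, _to in parse(lines):
        sent[script].append(ts)
    findings = {}
    for script, stamps in sent.items():
        stamps.sort()
        reasons, start, burst = [], 0, 0
        for end, ts in enumerate(stamps):  # sliding time window
            while ts - stamps[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst > max_mails:
            reasons.append(f"burst of {burst} mails")
        path = PurePosixPath(script)  # the post found dot-files in wp-content
        if path.name.startswith(".") and "wp-content" in path.parts:
            reasons.append("hidden file under wp-content")
        if reasons:
            findings[script] = reasons
    return findings

# Constructed sample entries (hypothetical paths and addresses).
SAMPLE_LOG = [
    "[05-Feb-2014 10:00:%02d UTC] mail() on "
    "[/home/site/public_html/wp-content/uploads/.cache.php:14]: "
    "To: user%d@example.com -- Headers: From: service@example.com" % (s, s)
    for s in range(0, 50, 10)
] + ["[05-Feb-2014 10:03:00 UTC] mail() on "
     "[/home/site/public_html/wp-includes/pluggable.php:352]: "
     "To: admin@example.com -- Headers: From: wordpress@example.com"]
print(find_mass_mailers(SAMPLE_LOG))
```

Run from cron against the real log file, the returned dictionary can be mailed to the administrator whenever it is non-empty.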
“Your account xxxx hosted on server xxxx
is hosting the following malicious files/scripts :
==============================================
{HEX}base64.inject.unclassed.6 : /home/xxxx/public_html/wp-content/plugins/wp-miniaudioplayer/mapTinyMCE/tinymcemaplayer.js.php
==============================================
These files are being abused by crackers/hackers to install malicious scripts on your account.”
Currently my site is disabled by the server company because of this trouble.
I did install wp-miniaudioplayer version 2.
If they say the script was abused and changed to be a malicious script by someone,
I wanted to find out which part(s) of the script(s) was changed.
I compared 2 groups of wp-miniaudioplayer scripts.
1. My wp-miniaudioplayer version 2 scripts, which were at the server and being claimed as malicious script(s)
2. The files kept in www.ads-software.com, which is version 2 – Revision 618927 at https://plugins.svn.www.ads-software.com/wp-miniaudioplayer/tags/0.2
I used Winmerge program to check all files side by side.
*Comparison results: 100% identical
By the way, I also compared version 2 and the latest version 3.
mapTinyMCE/tinymcemaplayer.js.php – identical
mapTinyMCE/maplayertinymce.php – changed a lot
Based on the above, should I conclude “wp-miniaudioplayer version 2” was a {HEX}base64.inject.unclassed.6 malicious script?
Or is this a terrible false alert?
My server company alerted and pointed out a specific script “tinymcemaplayer.js.php” as {HEX}base64.inject.unclassed.6 malicious script,
and there is no change in version 2 and 3.
If possible, could anyone please confirm for us that wp-miniaudioplayer version 3 is not a malicious script?
Thank you
https://www.ads-software.com/extend/plugins/wp-miniaudioplayer/