Forum Replies Created

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter aSrGN

    (@asrgn)

    I have contacted the hosting provider. They say they have found malicious code inside the site, some of it hiding inside the pictures. And they say that online scanning services cannot find those traces.

    I have asked a couple of questions and am waiting for the answers again.

    I have also discovered that the weirdly named PHP files are inside:
    …/httpdocs/wp-content/themes/bueno/cache

    Is there a way to rescue the site without wiping it all out, by only deleting the infected files or pictures or whatever?

    What kind of attack is that? I mean, what is its behavior? What does it do to the website visitor or the site itself exactly?

    And, if they wipe out the website and when I load the backup, if the backup is also infected, what will be the difference? Won’t it be infected again?

    I am so confused; I will appreciate answers that will clear my mind a bit!

    Thread Starter aSrGN

    (@asrgn)

    Here is the link about this issue and its solution:

    https://www.agentwp.com/how-to-fix-the-security-issue-in-timthumb

    Thread Starter aSrGN

    (@asrgn)

    I have just written to our hosting provider (It is not HostGator) about this topic. Waiting for their answer now.

    I will keep this topic updated. Thank you!

    I was wondering how it happened. I have been using the same plugins for more than one year, and the same theme for more than one year. I always keep everything up to date. Is it this TimThumb issue that is mentioned almost everywhere?

    I happened to come across the file thumb.php and changed the code there to:

    define( 'ALLOW_EXTERNAL', false );

    and

    deleted everything inside the allowed sites command:

    $allowedSites = array();

    Thread Starter aSrGN

    (@asrgn)

    By the way, Patrick, I agree with you about WooThemes. And when I compare the original theme folder/files to folder/files on FTP there is no difference.

    Thread Starter aSrGN

    (@asrgn)

    It is funny and weird!

    When I connect to the site via FTP, I have checked the /wp-content/themes/bueno and those files are nowhere to be found!

    But when I log into WP backend and when I open Appearance>Editor on WP admin panel, I still see them!

    What does it mean? I am so confused and stressed!

    Thread Starter aSrGN

    (@asrgn)

    When I opened one of them, at the end of the page it says:

    eval(gzinflate(str_rot13(base64_decode($rhs))));
    ?>

    Isn’t Eval a sort of malware code?

    And at the top of one, it says:

    <?php

    // [email protected]
    // no malware on this code, you can check it by yourself ??

    @error_reporting(0);
    @set_time_limit(0);
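The `eval(gzinflate(str_rot13(base64_decode($rhs))))` line quoted in this post can be located and unwrapped as plain data without running it. The following is an added example, not part of the original post or of any tool mentioned in the thread; the function names and the sample file built by `make_sample` are constructed for illustration and assume the encoded blob is a string literal assigned to a variable in the same file.

```python
import base64
import re
import zlib

# eval( wrapped around any nesting of the three decoders named in the post
CHAIN_RE = re.compile(
    r"eval\s*\(\s*((?:(?:gzinflate|str_rot13|base64_decode)\s*\(\s*)+)", re.I)
# base64-looking string literal assigned to a PHP variable, e.g. $rhs = "...";
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(['\"])([A-Za-z0-9+/=\s]+)\2\s*;")
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: b.translate(ROT13),       # ASCII letters only, like PHP
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
}

def find_chains(src):
    """Return (line number, [outermost..innermost decoder]) for each eval chain."""
    return [(src.count("\n", 0, m.start()) + 1, re.findall(r"\w+", m.group(1).lower()))
            for m in CHAIN_RE.finditer(src)]

def unwrap(blob, funcs):
    """Apply the decoders innermost-first; the result is bytes to read, never run."""
    data = blob.encode()
    for name in reversed(funcs):
        data = DECODERS[name](data)
    return data

def analyse(src):
    """Decode every string literal in the file that is valid input to a chain."""
    blobs = {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(src)}
    out = []
    for line, funcs in find_chains(src):
        for var, blob in blobs.items():
            try:
                out.append((line, var, unwrap(blob, funcs)))
            except (ValueError, zlib.error):
                continue  # this literal was not encoded with this chain
    return out

def make_sample(payload=b"echo 'constructed harmless sample';"):
    """Constructed test file that mimics the layering described in the post."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(payload) + c.flush()
    blob = base64.b64encode(raw.translate(ROT13)).decode()
    return ('<?php\n@error_reporting(0);\n$rhs = "%s";\n'
            'eval(gzinflate(str_rot13(base64_decode($rhs))));\n?>' % blob)
```

Running `analyse()` over the text of each PHP file under a theme's `cache` directory gives the line of the `eval` call and the decoded bytes, which can then be read to see what the file was meant to do.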

    Thread Starter aSrGN

    (@asrgn)

    Hi Patrick,

    I think they are inside the Bueno theme folder, because when I open Appearance>Editor on the WP admin panel, I see them. There are 5 PHP files in total with weird names. If possible, I can give a screenshot.

    I am really confused!

    Thread Starter aSrGN

    (@asrgn)

    Hi Firebird!

    Thanks for the answer. I have already exchanged emails with WATS to get answers to my questions about the plugin. And if I may say, the support was very friendly and kind. And overall the plugin seems nearly perfect.

    I just wanted to hear other thoughts/ideas etc… I like brainstorming before deciding on something. (Sighs) I will decide about the project’s direction in the upcoming days.

    Hearing again from WATS was very nice and it shows the dedication to your work, so keep up the good work! And again, thanks a lot for the reply!!!

    Thread Starter aSrGN

    (@asrgn)

    Is anyone else experiencing the same problem? Or does anyone have any idea?

    Thanks in advance.
